[Casper] JSS user reporting user as admin dscl says no?

Miles Leacy miles.leacy at themacadmin.com
Wed Dec 10 13:41:41 PST 2008


That is interesting.  I'd contact JAMF support and ask about it.  Let me
know what they say.
My guess is that whatever method is used to gather the local account info
via Recon either has a bug or is running into a bug in the Mac OS.

----------
Miles A. Leacy IV

 Certified System Administrator 10.4
 Certified Technical Coordinator 10.5
 Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com




On Wed, Dec 10, 2008 at 4:36 PM, Mark Hughes <mahughe at kckps.org> wrote:

> Mark Hughes, Apple Technician
> TIS Department, KCKPS USD500
> Cell 913-449-7791
> mahughe at kckps.org
> >>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/10/08 3:31 PM >>>
> Under Leopard (10.5.5), if you have a network account, and check the box in
> System Preferences to make it an admin account, the account becomes a member
> of the admin group (80) on the local machine.
>
> If you run "dscl . read /Groups/admin" on the same computer, the shortname
> of your network account should appear in the "GroupMembership" line of
> dscl's output.
>
> I'm not sure I'm understanding the "double entries" part.  Can you send a
> screenshot of the output you're referring to?
>
>
> On Wed, Dec 10, 2008 at 4:15 PM, Thomas Larkin <tlarki at kckps.org> wrote:
>
> >  That is what I thought but wasn't 100% on it.  Everyone is part of staff
> > (20) but this is reading it off the directory LDAP.  So, if a user goes into
> > System Preferences, and checks the box that says allow this user to
> > administer this computer on their mobile account, will it add the admin
> > group, or will it list the user under /Groups/admin on the machine locally?
> >
> >  As far as I can tell it doesn't do either.  When I invoke the dscl
> > command it lists no one under the /Groups/admin on that machine locally.
> >  When I run the id command on a user it pulls up their info from LDAP, not
> > the local machine.
> >
> >  I guess what I am trying to get to the bottom of is, how do I tell if
> > a user has checked the box to flag them as an administrator for just that
> > machine in System Preferences?  Perhaps that is why I am getting the double
> > entries in the JSS inventory?
> >
> >  Thoughts?
> >
> >  Thanks again for reading and helping with this,
> >
> >  Tom
> >
> > >>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/10/08 3:06 PM >>>
> >
> > I don't know if I'm misunderstanding your message, but it sounds like
> > you're saying that membership in admin (80) is inherited by membership in
> > staff (20).
> >
> >
> >   I don't believe that's the case.  All accounts are members of staff by
> > default.  Only admin users are members of admin.  An account can be a member
> > of staff but not be a member of admin.
> >
> >
> >   The output is showing you the following:
> >
> > uid=<the account's user ID> gid=<the account's "primary group ID", as seen
> > in Workgroup Manager, Groups tab> # What follows is a list of all of the
> > groups that the account in question belongs to, including the "primary
> > group".  This is why you see "staff" appear twice in the command's
> > output.  The first instance lets you know what the account's "primary group"
> > is, and it appears again when listing all groups that the account is a
> > member of.
> >
> >
> >   My apologies if I misunderstood your message.
> >
> >
> >
> >   2008/12/10 Ryan Harter <rharter at uwsp.edu>
> >
> >
> >>   _lpadmin is the CUPS account that correlates to the lpadmin command you
> >> find in the terminal.  I can't tell you why this account is showing up
> >> twice, but since it is a member of the staff group that should make it
> >> admin.  Our local administrator account is uid=501(adm) gid=20(staff) ...
> >>
> >>
> >>   AFAIK the user is not directly a member of the admin group, but staff
> >> is, so it's like embedded groups.
> >>
> >> Ryan Harter
> >>
> >> UW - Stevens Point
> >>
> >> Workstation Developer
> >>
> >> 715.346.2716
> >>
> >>  Ryan.Harter at uwsp.edu
> >>
> >>
> >>
> >>   On Dec 10, 2008, at 2:08 PM, Thomas Larkin wrote:
> >>
> >>
> >>
> >>   everyone,
> >>
> >>
> >>   So a user has a true flag unde>>   User in the JSS shows this:
> >>
> >> Username
> >>
> >> Real Name
> >>
> >> UID
> >>
> >> Home Directory
> >>
> >> Home Directory Size
> >>
> >> Admin
> >>
> >> File Vault Enabled
> >>
> >> Mia Green 22221 /Users/11miagre 5.28 GB true false
> >>
> >> 11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false
> >>
> >> student KCK Student 505 /Local/Users/student N/A false false
> >>
> >>
> >>   For some reason it shows the user name twice and on the top one it says
> >> True False, the First True being the admin flag
> >>
> >>
> >>   Now, when I ssh into said client machine and do some digging I find
> >> this:
> >>
> >>
> >>    id 11miagre
> >>
> >> uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)
> >>
> >>
> >>   GID 98 shows as _lpadmin what the heck is that?  Google says it
> >> configures the print system, so I must assume it is a daemon from the OS?
> >>
> >>
> >>   Anyone else see this stuff?  Also dscl does not list this user under
> >> /Groups/admin either
> >>
> >>
> >>   Thanks
> >>
> >>
> >> ___________________________
> >> Thomas Larkin
> >> TIS Department
> >> KCKPS USD500
> >> tlarki at kckps.org
> >> blackberry:  913-449-7589
> >> office:  913-627-0351
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
>
>
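
Added example, not part of the original thread: a small shell check that compares the two views of admin membership discussed above, the groups= list printed by "id" (looking for gid 80) and the GroupMembership line of "dscl . read /Groups/admin". The function names and the sample dscl line are constructed for illustration; the id line is the one quoted in the thread.

```sh
#!/bin/sh
# Works on captured text so it can be run anywhere; on a Mac, feed it live output:
#   admin_verdict "$(id 11miagre)" \
#       "$(dscl . read /Groups/admin GroupMembership)" 11miagre

# True if the groups= list of `id` output contains gid 80 (admin).
id_is_admin() {
    groups=$(printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p')
    printf '%s\n' "$groups" | tr ',' '\n' | grep -q '^80('
}

# True if the short name appears as a whole word on the GroupMembership line.
dscl_lists_user() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' |
        tr ' ' '\n' | grep -Fxq -- "$2"
}

# Classify one account from both captured outputs.
# A mismatch is the case worth investigating: the two sources disagree.
admin_verdict() {  # $1 = id output, $2 = dscl output, $3 = short name
    if id_is_admin "$1"; then by_id=yes; else by_id=no; fi
    if dscl_lists_user "$2" "$3"; then by_dscl=yes; else by_dscl=no; fi
    case "$by_id/$by_dscl" in
        yes/yes) echo "admin" ;;
        no/no)   echo "not-admin" ;;
        *)       echo "mismatch(id=$by_id,dscl=$by_dscl)" ;;
    esac
}

# id line as quoted in the thread; the dscl line is constructed sample data.
SAMPLE_ID='uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)'
SAMPLE_DSCL='GroupMembership: root adm'

admin_verdict "$SAMPLE_ID" "$SAMPLE_DSCL" 11miagre
```

On the Mac itself, "dseditgroup -o checkmember -m 11miagre admin" asks the directory service the same question directly.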