[Casper] Kerberos destory script?

Ryan Harter rharter at uwsp.edu
Mon Apr 13 18:52:19 PDT 2009


I think I should clarify the difference between login policies within  
Casper and loginhooks.

A loginhook (and a logouthook) has nothing to do with Casper.  These
are built-in features of Mac OS X whereby you can add a setting to a
plist that points to a script and, depending on whether it's a login or
logout hook, that script will be run as root at the given time,
regardless of which user is logging in or out.

Casper utilizes this feature to allow login triggers on scripts.   
There is a script at /etc/scripts/loginhook.sh that contains:

#!/bin/sh

## Log the event to the JSS
/usr/sbin/jamf log -action login -username $1

## Check for policies on the JSS
/usr/sbin/jamf policy -action login -username $1

You can see that this script merely logs the login and then looks for  
policies triggered by "login".

You can have as many login policies as you want, but the plist that  
controls the loginhook only allows one entry.  If you change the  
loginhook setting then Casper will no longer be able to trigger  
policies on login.  The best thing to do if you want to run something  
at login is just make a policy triggered by login.

Hope it helps.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu

On Apr 13, 2009, at 8:37 PM, Kathie Iorizzo wrote:

> Just so I understand.. you can only have one policy set to trigger  
> on log in and one to log out? The rest need to be startup or  
> shutdown or the other one's?
> ___________
> Kathie Iorizzo
> Lower School Technician
> The Latin School of Chicago
> kiorizzo at latinschool.org
> 312.582.6136
>
>
>
>
>
> On Apr 13, 2009, at 4:15 PM, Ryan Harter wrote:
>
>> One thing to remember is that loginhooks are run as root, so you  
>> would need to add the "su $currentUser -c "kdestroy -a"".  While  
>> adding this to the hooks would probably work, it would be pretty  
>> similar to how Casper's loginhooks already fire it off, but you  
>> would lose that centralized aspect that Casper brings to the  
>> table.  Running this as a policy triggered by login or logout is  
>> really the best solution IMHO.
>>
>> As long as you add the su it should be a fairly simple matter.
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu
>>
>> On Apr 13, 2009, at 3:26 PM, Andy Hakala wrote:
>>
>>> I did not realize that Casper made use of the Login/Logout hook…I
>>> thought that the JAMF agent was looking at system events and using
>>> that. I did see however that the current logout hook is a script
>>> called ‘logouthook.sh’ and it is located in ‘/private/etc/scripts/’.
>>> It would seem to me that you could add the line to
>>> clear the ‘kdestroy -a’ line to this script.
>>>
>>> I will post this to the list as well…sorry for the confusion.
>>>
>>> Andy
>>>
>>> From: Ryan Harter [mailto:rharter at uwsp.edu]
>>> Sent: Monday, April 13, 2009 2:34 PM
>>> To: Andy Hakala
>>> Cc: casper at list.jamfsoftware.com
>>> Subject: Re: [Casper] Kerberos destory script?
>>>
>>> I could be wrong about this, but doesn't Casper use login and  
>>> logout hooks to fire off scripts at login or out?  Since you can  
>>> only have one of each hook, that means that if you replace  
>>> Casper's hooks with this, you would no longer be able to fire off  
>>> policies at login/out.
>>>
>>> That may work for you, but would be unacceptable for me.
>>>
>>> Ryan Harter
>>> UW - Stevens Point
>>> Workstation Developer
>>> 715.346.2716
>>> Ryan.Harter at uwsp.edu
>>>
>>> On Apr 13, 2009, at 11:10 AM, Andy Hakala wrote:
>>>
>>>
>>> Have you tried setting this script as a login or logout hook? So  
>>> rather than having Casper execute a policy it is just something  
>>> that OS X will do every time someone logs into or out of the  
>>> machine.
>>>
>>> Here is an Apple KB article on how to do this... http://support.apple.com/kb/HT2420.
>>> This particular article is about making a Login Hook, but you
>>> should be able to change the command text 'LoginHook' to
>>> 'LogoutHook' if it is something that you want to happen on logout
>>> instead.
>>>
>>> Andy Hakala
>>> Technology Support
>>> Hopkins High School
>>> Hopkins, MN
>>>
>>> -----Original Message-----
>>> From: casper-bounces at list.jamfsoftware.com [mailto:casper-bounces at list.jamfsoftware.com]
>>> On Behalf Of casper-request at list.jamfsoftware.com
>>> Sent: Saturday, April 11, 2009 2:01 PM
>>> To: casper at list.jamfsoftware.com
>>> Subject: Casper Digest, Vol 28, Issue 11
>>>
>>> Today's Topics:
>>>
>>>   1. Kerberos destory script? (NATHANIEL.LINDLEY at spps.org)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Fri, 10 Apr 2009 15:56:21 -0500
>>> From: NATHANIEL.LINDLEY at spps.org
>>> Subject: [Casper] Kerberos destory script?
>>> To: "Casper Listserv" <CASPER at LIST.JAMFSOFTWARE.COM>
>>> Message-ID:
>>>             <OFA45E2E0A.011F6D0B-ON86257594.00722BBD-86257594.0073D219 at spps.org 
>>> >
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> Little help on scripting please.
>>>
>>> I'm trying to get a logout script that will destroy the Kerberos ticket
>>> cache at logout.  I can make it work in Terminal but when pushed with
>>> Casper Remote or a policy it does nothing.
>>>
>>> This is all I have:
>>>
>>> #!/bin/sh
>>> ##################################
>>> # Destroy the Kerberos ticket of current user.
>>> # Nathaniel Lindley for SPPS, April 10, 2009
>>> ##################################
>>>
>>> kdestroy -a
>>>
>>>
>>> What else do I need?   Strange thing is that this is the default behavior
>>> in 10.4 (to destroy kerberos ticket at logout) but not in 10.5, by design
>>> according to Apple.  The problem is that at one school, students login
>>> with a "student" generic local account and then connect to a server using
>>> their AD credentials from 10.5 client.  Then student logs out, and another
>>> student logs in, tries to Connect to Server and is already logged in as the
>>> previous student whose ticket is retained for 10 hours.
>>>
>>> Thanks for the help,
>>> -Nathaniel
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090410/85ae39d9/attachment.htm
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> Casper mailing list
>>> Casper at list.jamfsoftware.com
>>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>>
>>>
>>> End of Casper Digest, Vol 28, Issue 11
>>> **************************************
>
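
The point made in this thread, that a hook or policy script runs as root and so "kdestroy -a" has to be run as the user who is logging out, written out as an added example; it is not part of the original messages and not Casper's own code. It assumes the short username arrives as the first argument, as it does for loginhook.sh above; the function names are hypothetical, and the username check is an addition made because the value ends up on a root command line.

```shell
#!/bin/sh
# Logout script sketch: destroy the Kerberos ticket cache of the user who is
# logging out. Run as root by the hook/policy, so it must switch user first.
# Assumption: $1 is the short username (as passed to loginhook.sh).

# Accept only plain short names. Rejects an empty value, a leading "-"
# (which su would parse as an option) and anything with shell metacharacters.
is_safe_username() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Return codes: 0 tickets destroyed, 2 rejected username, 3 unknown account,
# otherwise whatever su/kdestroy returned.
destroy_tickets_for() {
    user=$1

    if ! is_safe_username "$user"; then
        echo "refusing to run kdestroy for username: '$user'" >&2
        return 2
    fi

    if ! id -u "$user" >/dev/null 2>&1; then
        echo "no such local account: $user" >&2
        return 3
    fi

    # Without su this would act on root's (empty) ticket cache and appear
    # to do nothing, which is the symptom described in the thread.
    su "$user" -c "kdestroy -a"
}

# Only act when a username was supplied by the caller.
[ $# -eq 0 ] || destroy_tickets_for "$1"
```
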
