[Casper] Kerberos destory script?
Ryan Harter
rharter at uwsp.edu
Tue Apr 14 07:58:52 PDT 2009
More changed in 10.5: apparently su no longer has the -c option (run
command). You could use

sudo -u $3 command

That will run command as the user provided by $3.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
On Apr 14, 2009, at 9:12 AM, NATHANIEL.LINDLEY at spps.org wrote:
>
> My problem is that the tickets do get destroyed on 10.4 and not on
> 10.5, which is the way that Apple wants it to work apparently.
>
>
>
> Re: [Casper] Kerberos destory script?
>
> Criss Myers to: Kathie Iorizzo, casper-bounces, NATHANIEL.LINDLEY
> 04/14/2009 08:52 AM
>
> Sent by: casper-bounces at list.jamfsoftware.com
> Cc: Andy Hakala, "casper at list.jamfsoftware.com List"
>
>
>
>
>
>
>
> Why are your tickets not destroyed when you log out?
>
> I've never had this problem, when a user logs out their ticket goes
>
>
> Criss Myers
> Senior Customer Support Analyst (Mac Services)
> Apple Certified Technical Coordinator v10.5
> LIS Business Support Team
> Library 301
> University of Central Lancashire
> Preston PR1 2HE
> Ex 5054
> 01772 895054
>
> >>> On Tue, Apr 14, 2009 at 2:52 PM, in message
> <6B322872-83F8-4F4F-BD81-D485A854578F at latinschool.org>, Kathie Iorizzo <kiorizzo at latinschool.org> wrote:
> We have a policy set to advance on all managed machines and it's simply
> kdestroy -a
>
> ___________
> Kathie Iorizzo
> Lower School Technician
> The Latin School of Chicago
> kiorizzo at latinschool.org
> 312.582.6136
>
>
>
>
>
> On Apr 14, 2009, at 8:42 AM, NATHANIEL.LINDLEY at spps.org wrote:
>
>
> Sorry that I'm not responding more timely, other duties.
>
> I tried the suggestion
> su $3 -c "kdestroy -a"
> It didn't work and the error said unknown argument, I think. I
> shouldn't need to have root enabled on the client to tell the script
> to run as the user.
> I'll keep trying it.
>
> I like using the logout action as a policy so that it is easy to
> remove from the computers remotely rather than further modifying the
> machine.
> -Nathaniel
>
>
>
> Re: [Casper] Kerberos destory script?
>
>
>
> Ryan Harter to: Kathie Iorizzo
> 04/13/2009 09:08 PM
>
>
>
> Sent by: casper-bounces at list.jamfsoftware.com
> Cc: Andy Hakala, "casper at list.jamfsoftware.com List"
>
>
>
>
>
>
>
>
> I think I should clarify the difference between login policies
> within Casper and loginhooks.
>
> A loginhook (and a logouthook) has nothing to do with Casper. These
> are built in features of Mac OS X whereby you can add a setting to a
> plist that points to a script and, depending on whether it's a login
> or logout hook, that script will be run as root at the given time,
> regardless of which user is logging in or out.
>
> Casper utilizes this feature to allow login triggers on scripts.
> There is a script at /etc/scripts/loginhook.sh that contains:
>
> #!/bin/sh
>
> ## Log the event to the JSS
> /usr/sbin/jamf log -action login -username $1
>
> ## Check for policies on the JSS
> /usr/sbin/jamf policy -action login -username $1
>
> You can see that this script merely logs the login and then looks
> for policies triggered by "login".
>
> You can have as many login policies as you want, but the plist that
> controls the loginhook only allows one entry. If you change the
> loginhook setting then Casper will no longer be able to trigger
> policies on login. The best thing to do if you want to run
> something at login is just make a policy triggered by login.
>
> Hope it helps.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Apr 13, 2009, at 8:37 PM, Kathie Iorizzo wrote:
>
> Just so I understand... you can only have one policy set to trigger
> on log in and one to log out? The rest need to be startup or
> shutdown or the other ones?
> ___________
> Kathie Iorizzo
> Lower School Technician
> The Latin School of Chicago
> kiorizzo at latinschool.org
> 312.582.6136
>
>
>
>
>
> On Apr 13, 2009, at 4:15 PM, Ryan Harter wrote:
>
> One thing to remember is that loginhooks are run as root, so you
> would need to add the "su $currentUser -c "kdestroy -a"". While
> adding this to the hooks would probably work, it would be pretty
> similar to how Casper's loginhooks already fire it off, but you
> would lose that centralized aspect that Casper brings to the table.
> Running this as a policy triggered by login or logout is really the
> best solution IMHO.
>
> As long as you add the su it should be a fairly simple matter.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Apr 13, 2009, at 3:26 PM, Andy Hakala wrote:
>
> I did not realize that Casper made use of the Login/Logout hook... I
> thought that the JAMF agent was looking at system events and using
> that. I did see however that the current logout hook is a script
> called 'logouthook.sh' and it is located in '/private/etc/scripts/'.
> It would seem to me that you could add the line to clear
> the 'kdestroy -a' line to this script.
>
> I will post this to the list as well…sorry for the confusion.
>
> Andy
>
> From: Ryan Harter [mailto:rharter at uwsp.edu]
> Sent: Monday, April 13, 2009 2:34 PM
> To: Andy Hakala
> Cc: casper at list.jamfsoftware.com
> Subject: Re: [Casper] Kerberos destory script?
>
> I could be wrong about this, but doesn't Casper use login and logout
> hooks to fire off scripts at login or out? Since you can only have
> one of each hook, that means that if you replace Casper's hooks with
> this, you would no longer be able to fire off policies at login/out.
>
> That may work for you, but would be unacceptable for me.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Apr 13, 2009, at 11:10 AM, Andy Hakala wrote:
>
>
> Have you tried setting this script as a login or logout hook? So
> rather than having Casper execute a policy it is just something that
> OS X will do every time someone logs into or out of the machine.
>
> Here is an Apple KB article on how to do this: http://support.apple.com/kb/HT2420
> This particular article is about making a Login Hook, but you
> should be able to change the command text 'LoginHook' to
> 'LogoutHook' if it is something that you want to happen on logout
> instead.
>
> Andy Hakala
> Technology Support
> Hopkins High School
> Hopkins, MN
>
> -----Original Message-----
> From: casper-bounces at list.jamfsoftware.com [mailto:casper-bounces at list.jamfsoftware.com]
> On Behalf Of casper-request at list.jamfsoftware.com
> Sent: Saturday, April 11, 2009 2:01 PM
> To: casper at list.jamfsoftware.com
> Subject: Casper Digest, Vol 28, Issue 11
>
> Message: 1
> Date: Fri, 10 Apr 2009 15:56:21 -0500
> From: NATHANIEL.LINDLEY at spps.org
> Subject: [Casper] Kerberos destory script?
> To: "Casper Listserv" <CASPER at LIST.JAMFSOFTWARE.COM>
>
> Little help on scripting please.
>
> I'm trying to get a logout script that will destroy the Kerberos ticket
> cache at logout. I can make it work in Terminal but when pushed with
> Casper Remote or a policy it does nothing.
>
> This is all I have:
>
> #!/bin/sh
> ##################################
> # Destroy the Kerberos ticket of current user.
> # Nathaniel Lindley for SPPS, April 10, 2009
> ##################################
>
> kdestroy -a
>
>
> What else do I need? Strange thing is that this is the default behavior
> in 10.4 (to destroy Kerberos ticket at logout) but not in 10.5, by design
> according to Apple. The problem is that at one school, students login
> with a "student" generic local account and then connect to a server using
> their AD credentials from 10.5 client. Then student logs out, and another
> student logs in, tries to Connect to Server and is already logged in as the
> previous student whose ticket is retained for 10 hours.
>
> Thanks for the help,
> -Nathaniel
>
> ------------------------------
>
> _______________________________________________
> Casper mailing list
> Casper at list.jamfsoftware.com
> http://list.jamfsoftware.com/mailman/listinfo/casper
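
An added example, not code from any poster in this thread: a logout policy script in the shape the thread converges on, running kdestroy -a as the user named in $3 instead of as root. It assumes Casper passes the user name as $3, as the messages above use it; the SUDO and KDESTROY variables and both function names are hypothetical.

```sh
#!/bin/sh
# Added example: logout policy script that drops the logging-out user's
# Kerberos tickets. Policy scripts run as root, so the user name in $3 is
# validated and quoted before it reaches sudo.

# Hypothetical overrides so the logic can be exercised without sudo/kdestroy.
SUDO="${SUDO:-sudo}"
KDESTROY="${KDESTROY:-kdestroy}"

# Return 0 only for a plain, non-root account name.
valid_target_user() {
    case "$1" in
        ""|root) return 1 ;;             # nobody logged in, or root itself
        -*) return 1 ;;                  # sudo would parse it as an option
        *[!A-Za-z0-9._-]*) return 1 ;;   # spaces, quotes, shell metacharacters
    esac
    return 0
}

# Run "kdestroy -a" as the given user.
# Returns 2 if the name is refused, otherwise the status of the command.
destroy_tickets_for() {
    if ! valid_target_user "$1"; then
        echo "refusing to run kdestroy for user '$1'" >&2
        return 2
    fi
    "$SUDO" -u "$1" "$KDESTROY" -a
}

# Assumption: the user name arrives as the third argument.
if [ -n "${3:-}" ]; then
    destroy_tickets_for "$3"
fi
```

Quoting "$1" matters here because the script runs as root: an unquoted $3 would be word-split, and an empty value would leave sudo -u consuming the next word as the user name.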