Mac OS X: 實用腳本程序(bash scripts)系列-8 · 想當 Apple菜鳥不容易

# Mac OS X: 實用腳本程序(bash scripts)系列-8 # AD Binding的一個腳本實例 Active Directory在現實企業管理中已經成為了現實的標準，Open Directory, Active Directory,或者eDirectory等都是基于Directory原理實現的，都有各自的實現和擴展，各有優勢。基于現實中PC機和AD服務在企業中應用的普及性，在企業中把Mac或者其它系統納入AD管理，也就是AD集成可以說在企業中的應用很普遍。實際中要考慮系統版本號的兼容，自己企業AD的配置情況，管理特點，當然別忘了把客戶計算機先加入到AD中，設置相應的GPO和管理環境所需的管理組等。 ? 下面的腳本就是一個實際企業環境中把Mac系統納入到AD管理環境的實際例子. 謹和大家分享: <table id="x_6f" border="1" cellspacing="0" cellpadding="3" width="100%" bordercolor="#000000"><tbody><tr><td width="100%"> #-------------------------------------------------------------------------------------- # Check for Valid Corp Network IP Address CorpIP="" check=20 Limit=check X=0 while [ "$CorpIP" = "" ] do ??? echo "Checking valid IP detected...$check times." ??? CorpIP=$(ifconfig| grep "inet 10.") ??? X=$((X+1)) ??? if [ $X -ge $limit ]; then ?????? CorpIP="NO_ValidIP" ?????? break ??? fi ??? check=$((check-1)) ??? sleep 2 done echo "Detected IP: $CorpIP" if [ "$CorpIP" = "NO_ValidIP" ]; then ??? echo "Binding failed! Valid Corp Network not detected!" ??? osascript -e 'set volume 4' ??? say "Binding failed! Valid Corp IP Address not detected!" ??? exit 1 fi #-------------------------------------------------------------------------------------- # Host-specific parameters #-------------------------------------------------------------------------------------- computerid=`/usr/sbin/scutil --get LocalHostName` #-------------------------------------------------------------------------------------- # Standard Parameters used to Bind Workstation to AD #-------------------------------------------------------------------------------------- domain="Corp.com" udn="MacADIAdmin" password="Mac1nt0SH" ou="CN=Computers,DC=Corp,DC=com" #-------------------------------------------------------------------------------------- # Advanced Options for AD Plugin #-------------------------------------------------------------------------------------- alldomains="enable" localhome="disable" protocol="afp" mobile="disable" mobileconfirm="disable" useuncpath="enable" user_shell="/bin/bash" preferred="-nopreferred" admingroups="Corp/WSAdmins" searchPathLDAP=`cat/Library/Preferences/DirectoryService/SearchNodeConfig.plist | grepLDAPv3 | sed -e 's!string>!!g' -e 's!<//!!g' | tr -d '/t'` #-------------------------------------------------------------------------------------- # Synchronize Time with Corp Network Time Server #-------------------------------------------------------------------------------------- echo "Setting the Network Time Server to 10.0.1.1 ... Please Wait" "$1/Contents/Resources/systemsetup-tiger" -setusingnetworktime off >& /dev/null "$1/Contents/Resources/systemsetup-tiger" -setnetworktimeserver 10.0.1.1 >& /dev/null "$1/Contents/Resources/systemsetup-tiger" -setusingnetworktime on >& /dev/null echo "Restarting Network Time Service... Please Wait" SystemStarter -d restart "Network Time" >& /dev/null #-------------------------------------------------------------------------------------- # Attempt to force unbind the workstation #-------------------------------------------------------------------------------------- echo "Attempting a force unbind in case system is already bound to AD... Please Wait." dsconfigad -r -f -u baduser -p badpass >& /dev/null #-------------------------------------------------------------------------------------- # Disable Unused Protocols #-------------------------------------------------------------------------------------- echo "Disable all unused protocols (AppleTalk, BSD, SMB, SLP)... Please Wait." defaults write /Library/Preferences/DirectoryService/DirectoryService AppleTalk -string Inactive defaults write /Library/Preferences/DirectoryService/DirectoryService BSD -string Inactive defaults write /Library/Preferences/DirectoryService/DirectoryService SMB -string Inactive defaults write /Library/Preferences/DirectoryService/DirectoryService SLP -string Inactive plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist #-------------------------------------------------------------------------------------- # Activate the AD plugin #-------------------------------------------------------------------------------------- echo "Activating AD Plugin... Please Wait." defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active" plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist #-------------------------------------------------------------------------------------- # Bind to AD #-------------------------------------------------------------------------------------- echo "Binding system to AD as '$computerid'... Please Wait." bind_result=`dsconfigad -f -a $computerid -domain $domain -u $udn -p "$password" -ou "$ou"` if [ "$bind_result" != "Computer was successfully Added to Active Directory." ]; then ??? echo "Binding failed! Check the Computer Name and ensure it has an account in Active Directory" ??? osascript -e 'set volume 4' ?? ?osascript -e 'say "I am sorry but Active Directory binding failed!Please check the computer name and ensure this system has an account inActive Directory." using "Vicki"' ??? exit 1 else ??? echo "$bind_result" fi?# Write value so workstation can be easily identified being bound to AD defaults write /Library/Preferences/com.apple.RemoteDesktop "Text4" 'Bound to AD - OSXServer - v2.0' #-------------------------------------------------------------------------------------- # Configure advanced AD plugin options #-------------------------------------------------------------------------------------- echo "Configuring Advanced AD Plugins... Please Wait." if [ "$admingroups" = "" ]; then ??? dsconfigad -nogroups else ??? dsconfigad -groups "$admingroups" fi dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol / ??? -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath / ??? -shell $user_shell $preferred #-------------------------------------------------------------------------------------- # Add the AD node to the search path # Delay a bit to give the Directory Service a chance to catch its breath #-------------------------------------------------------------------------------------- echo "Adding AD to Search Path... Please Wait." if [ "$searchPathLDAP" = "" ] || [ `echo $searchPathLDAP| grep127.0.0.1` ] || [ `echo $searchPathLDAP| grep localhost` ]; then ??? echo "No existing LDAP path... Only writing AD. Please Wait." ??? defaults write/Library/Preferences/DirectoryService/SearchNodeConfig "Search NodeCustom Path Array" -array "/Active Directory/All Domains" ??? defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3 ??? plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist else ??? echo "LDAP path is /$searchPathLDAP... Writing AD as first search and LDAP second. Please Wait." ??? defaults write/Library/Preferences/DirectoryService/SearchNodeConfig "Search NodeCustom Path Array" -array "/Active Directory/All Domains""/$searchPathLDAP" ??? defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3 ??? plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist fi #-------------------------------------------------------------------------------------- # Restart DirectoryService (necessary to reload AD plugin activation settings) #-------------------------------------------------------------------------------------- echo "Restarting DirectoryService... Please Wait." sleep 2 killall DirectoryService >& /dev/null sleep 8 #-------------------------------------------------------------------------------------- # Disable autologin - If it's enabled #-------------------------------------------------------------------------------------- echo "Disabling autologin if enabled... Please Wait." defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser >& /dev/null srm /etc/kcpassword >& /dev/null #-------------------------------------------------------------------------------------- # Complete #-------------------------------------------------------------------------------------- echo "Done. AD Bind Successful." exit 0 </td>?? ? </tr></tbody></table>