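#--------------------------------------------------------------------------------------
# Check for Valid Corp Network IP Address
#
# Polls ifconfig until an address starting with "10." shows up, giving up after
# $limit attempts. Nothing below runs unless an address in that range was seen.
#--------------------------------------------------------------------------------------
CorpIP=""
check=20
# The original assigned the literal word "check" to Limit and then tested the
# never-set $limit, so the attempt cap could not trigger.
limit=$check
X=0
while [ -z "$CorpIP" ]; do
  echo "Checking valid IP detected...$check times."
  # The dot is escaped so that only 10.x.x.x matches; an unescaped "10." also
  # matches addresses such as 100.x.x.x or 101.x.x.x.
  CorpIP=$(ifconfig | grep 'inet 10\.')
  if [ -n "$CorpIP" ]; then
    # Stop before the attempt counter is looked at, so an address found on
    # the final attempt is not overwritten with the failure marker.
    break
  fi
  X=$((X + 1))
  if [ "$X" -ge "$limit" ]; then
    CorpIP="NO_ValidIP"
    break
  fi
  check=$((check - 1))
  sleep 2
done
echo "Detected IP: $CorpIP"
if [ "$CorpIP" = "NO_ValidIP" ]; then
  echo "Binding failed! Valid Corp Network not detected!"
  osascript -e 'set volume 4'
  say "Binding failed! Valid Corp IP Address not detected!"
  exit 1
fi

#--------------------------------------------------------------------------------------
# Host-specific parameters
#--------------------------------------------------------------------------------------
computerid=$(/usr/sbin/scutil --get LocalHostName)

#--------------------------------------------------------------------------------------
# Standard Parameters used to Bind Workstation to AD
#--------------------------------------------------------------------------------------
domain="Corp.com"
udn="MacADIAdmin"
# NOTE(review): the bind account's password is stored in clear text in this
# script and is handed to dsconfigad with -p, so it is readable by anyone who
# can read the script and can appear in the process list while dsconfigad runs.
# Use a dedicated account delegated only the right to join computers in $ou,
# restrict read access to this file, and rotate the password if the script has
# been distributed.
password="Mac1nt0SH"
ou="CN=Computers,DC=Corp,DC=com"

#--------------------------------------------------------------------------------------
# Advanced Options for AD Plugin
#--------------------------------------------------------------------------------------
alldomains="enable"
localhome="disable"
protocol="afp"
mobile="disable"
mobileconfirm="disable"
useuncpath="enable"
user_shell="/bin/bash"
preferred="-nopreferred"
admingroups="Corp/WSAdmins"

ds_prefs="/Library/Preferences/DirectoryService/DirectoryService"
search_prefs="/Library/Preferences/DirectoryService/SearchNodeConfig"

# Pull any existing LDAPv3 node out of the search-path plist by stripping the
# <string> markup and tab indentation from the matching line.
# The listing showed 's!<//!!g' and tr -d '/t'; those look like backslashes
# turned into slashes (as with the "/" line continuations further down), and as
# written they would delete every "/" and "t" from the node path. The forms
# below strip "</" and tab characters instead - confirm against the original.
searchPathLDAP=$(grep LDAPv3 "$search_prefs.plist" \
  | sed -e 's!string>!!g' -e 's!</!!g' \
  | tr -d '\t')

#--------------------------------------------------------------------------------------
# Synchronize Time with Corp Network Time Server
#
# $1 is the directory that holds Contents/Resources/systemsetup-tiger.
#--------------------------------------------------------------------------------------
printf '%s\n%s\n' "Setting the Network Time Server to 10.0.1.1 ... " "Please Wait"
"$1/Contents/Resources/systemsetup-tiger" -setusingnetworktime off >/dev/null 2>&1
"$1/Contents/Resources/systemsetup-tiger" -setnetworktimeserver 10.0.1.1 >/dev/null 2>&1
"$1/Contents/Resources/systemsetup-tiger" -setusingnetworktime on >/dev/null 2>&1
echo "Restarting Network Time Service... Please Wait"
SystemStarter -d restart "Network Time" >/dev/null 2>&1

#--------------------------------------------------------------------------------------
# Attempt to force unbind the workstation
#
# The user name and password here are placeholders, not real credentials; any
# failure is ignored because the machine may not be bound at all.
#--------------------------------------------------------------------------------------
echo "Attempting a force unbind in case system is already bound to AD... Please Wait."
dsconfigad -r -f -u baduser -p badpass >/dev/null 2>&1

#--------------------------------------------------------------------------------------
# Disable Unused Protocols
#--------------------------------------------------------------------------------------
echo "Disable all unused protocols (AppleTalk, BSD, SMB, SLP)... Please Wait."
for plugin in AppleTalk BSD SMB SLP; do
  defaults write "$ds_prefs" "$plugin" -string Inactive
done
plutil -convert xml1 "$ds_prefs.plist"

#--------------------------------------------------------------------------------------
# Activate the AD plugin
#--------------------------------------------------------------------------------------
echo "Activating AD Plugin... Please Wait."
defaults write "$ds_prefs" "Active Directory" "Active"
plutil -convert xml1 "$ds_prefs.plist"

#--------------------------------------------------------------------------------------
# Bind to AD
#
# Success is decided by comparing dsconfigad's output with the exact success
# sentence; any other output is treated as a failed bind.
#--------------------------------------------------------------------------------------
echo "Binding system to AD as '$computerid'... Please Wait."
bind_result=$(dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou")
if [ "$bind_result" != "Computer was successfully Added to Active Directory." ]; then
  echo "Binding failed! Check the Computer Name and ensure it has an account in Active Directory"
  osascript -e 'set volume 4'
  osascript -e 'say "I am sorry but Active Directory binding failed! Please check the computer name and ensure this system has an account in Active Directory." using "Vicki"'
  exit 1
else
  echo "$bind_result"
fi

# Write value so workstation can be easily identified being bound to AD
defaults write /Library/Preferences/com.apple.RemoteDesktop "Text4" 'Bound to AD - OSXServer - v2.0'

#--------------------------------------------------------------------------------------
# Configure advanced AD plugin options
#--------------------------------------------------------------------------------------
echo "Configuring Advanced AD Plugins... Please Wait."
if [ -z "$admingroups" ]; then
  dsconfigad -nogroups
else
  # Members of these directory groups are given administrative rights on the
  # workstation, so keep the list as small as possible.
  dsconfigad -groups "$admingroups"
fi
# The listing showed bare "/" tokens between the option groups; they are
# restored here as line continuations so no stray "/" argument is passed.
# $preferred is left unquoted on purpose so a value that carries an option plus
# its argument still splits into two words.
# shellcheck disable=SC2086
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
  -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
  -shell "$user_shell" $preferred

#--------------------------------------------------------------------------------------
# Add the AD node to the search path
# Delay a bit to give the Directory Service a chance to catch its breath
#--------------------------------------------------------------------------------------
echo "Adding AD to Search Path... Please Wait."
# An empty path, or one that points at this machine itself, is not kept.
# The pattern match replaces unquoted backtick tests that made "[" fail
# whenever grep printed more than one word.
case "$searchPathLDAP" in
  "" | *127.0.0.1* | *localhost*)
    echo "No existing LDAP path... Only writing AD. Please Wait."
    defaults write "$search_prefs" "Search Node Custom Path Array" \
      -array "/Active Directory/All Domains"
    ;;
  *)
    echo "LDAP path is /$searchPathLDAP... Writing AD as first search and LDAP second. Please Wait."
    defaults write "$search_prefs" "Search Node Custom Path Array" \
      -array "/Active Directory/All Domains" "/$searchPathLDAP"
    ;;
esac
defaults write "$search_prefs" "Search Policy" -int 3
plutil -convert xml1 "$search_prefs.plist"

#--------------------------------------------------------------------------------------
# Restart DirectoryService (necessary to reload AD plugin activation settings)
#--------------------------------------------------------------------------------------
echo "Restarting DirectoryService... Please Wait."
sleep 2
killall DirectoryService >/dev/null 2>&1
sleep 8

#--------------------------------------------------------------------------------------
# Disable autologin - If it's enabled
#
# Removes the auto-login user setting and securely deletes /etc/kcpassword.
# Errors are discarded because neither may exist.
#--------------------------------------------------------------------------------------
echo "Disabling autologin if enabled... Please Wait."
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser >/dev/null 2>&1
srm /etc/kcpassword >/dev/null 2>&1

#--------------------------------------------------------------------------------------
# Complete
#--------------------------------------------------------------------------------------
echo "Done. AD Bind Successful."
exit 0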