Mac OS X: 实用脚本程序(bash scripts)系列-8 · 想当 Apple菜鸟不容易

# Mac OS X: 实用脚本程序(bash scripts)系列-8 # AD Binding的一个脚本实例 Active Directory在现实企业管理中已经成为了现实的标准，Open Directory, Active Directory,或者eDirectory等都是基于Directory原理实现的，都有各自的实现和扩展，各有优势。基于现实中PC机和AD服务在企业中应用的普及性，在企业中把Mac或者其它系统纳入AD管理，也就是AD集成可以说在企业中的应用很普遍。实际中要考虑系统版本号的兼容，自己企业AD的配置情况，管理特点，当然别忘了把客户计算机先加入到AD中，设置相应的GPO和管理环境所需的管理组等。下面的脚本就是一个实际企业环境中把Mac系统纳入到AD管理环境的实际例子. 谨和大家分享: <table id="x_6f" border="1" cellspacing="0" cellpadding="3" width="100%" bordercolor="#000000"><tbody><tr><td width="100%"> #-------------------------------------------------------------------------------------- # Check for Valid Corp Network IP Address CorpIP="" check=20 Limit=check X=0 while [ "$CorpIP" = "" ] do echo "Checking valid IP detected...$check times." CorpIP=$(ifconfig| grep "inet 10.") X=$((X+1)) if [ $X -ge $limit ]; then CorpIP="NO_ValidIP" break fi check=$((check-1)) sleep 2 done echo "Detected IP: $CorpIP" if [ "$CorpIP" = "NO_ValidIP" ]; then echo "Binding failed! Valid Corp Network not detected!" osascript -e 'set volume 4' say "Binding failed! Valid Corp IP Address not detected!" exit 1 fi #-------------------------------------------------------------------------------------- # Host-specific parameters #-------------------------------------------------------------------------------------- computerid=`/usr/sbin/scutil --get LocalHostName` #-------------------------------------------------------------------------------------- # Standard Parameters used to Bind Workstation to AD #-------------------------------------------------------------------------------------- domain="Corp.com" udn="MacADIAdmin" password="Mac1nt0SH" ou="CN=Computers,DC=Corp,DC=com" #-------------------------------------------------------------------------------------- # Advanced Options for AD Plugin #-------------------------------------------------------------------------------------- alldomains="enable" localhome="disable" protocol="afp" mobile="disable" mobileconfirm="disable" useuncpath="enable" user_shell="/bin/bash" preferred="-nopreferred" admingroups="Corp/WSAdmins" searchPathLDAP=`cat/Library/Preferences/DirectoryService/SearchNodeConfig.plist | grepLDAPv3 | sed -e 's!string>!!g' -e 's!<//!!g' | tr -d '/t'` #-------------------------------------------------------------------------------------- # Synchronize Time with Corp Network Time Server #-------------------------------------------------------------------------------------- echo "Setting the Network Time Server to 10.0.1.1 ... Please Wait" "$1/Contents/Resources/systemsetup-tiger" -setusingnetworktime off >& /dev/null "$1/Contents/Resources/systemsetup-tiger" -setnetworktimeserver 10.0.1.1 >& /dev/null "$1/Contents/Resources/systemsetup-tiger" -setusingnetworktime on >& /dev/null echo "Restarting Network Time Service... Please Wait" SystemStarter -d restart "Network Time" >& /dev/null #-------------------------------------------------------------------------------------- # Attempt to force unbind the workstation #-------------------------------------------------------------------------------------- echo "Attempting a force unbind in case system is already bound to AD... Please Wait." dsconfigad -r -f -u baduser -p badpass >& /dev/null #-------------------------------------------------------------------------------------- # Disable Unused Protocols #-------------------------------------------------------------------------------------- echo "Disable all unused protocols (AppleTalk, BSD, SMB, SLP)... Please Wait." defaults write /Library/Preferences/DirectoryService/DirectoryService AppleTalk -string Inactive defaults write /Library/Preferences/DirectoryService/DirectoryService BSD -string Inactive defaults write /Library/Preferences/DirectoryService/DirectoryService SMB -string Inactive defaults write /Library/Preferences/DirectoryService/DirectoryService SLP -string Inactive plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist #-------------------------------------------------------------------------------------- # Activate the AD plugin #-------------------------------------------------------------------------------------- echo "Activating AD Plugin... Please Wait." defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active" plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist #-------------------------------------------------------------------------------------- # Bind to AD #-------------------------------------------------------------------------------------- echo "Binding system to AD as '$computerid'... Please Wait." bind_result=`dsconfigad -f -a $computerid -domain $domain -u $udn -p "$password" -ou "$ou"` if [ "$bind_result" != "Computer was successfully Added to Active Directory." ]; then echo "Binding failed! Check the Computer Name and ensure it has an account in Active Directory" osascript -e 'set volume 4' osascript -e 'say "I am sorry but Active Directory binding failed!Please check the computer name and ensure this system has an account inActive Directory." using "Vicki"' exit 1 else echo "$bind_result" fi # Write value so workstation can be easily identified being bound to AD defaults write /Library/Preferences/com.apple.RemoteDesktop "Text4" 'Bound to AD - OSXServer - v2.0' #-------------------------------------------------------------------------------------- # Configure advanced AD plugin options #-------------------------------------------------------------------------------------- echo "Configuring Advanced AD Plugins... Please Wait." if [ "$admingroups" = "" ]; then dsconfigad -nogroups else dsconfigad -groups "$admingroups" fi dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol / -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath / -shell $user_shell $preferred #-------------------------------------------------------------------------------------- # Add the AD node to the search path # Delay a bit to give the Directory Service a chance to catch its breath #-------------------------------------------------------------------------------------- echo "Adding AD to Search Path... Please Wait." if [ "$searchPathLDAP" = "" ] || [ `echo $searchPathLDAP| grep127.0.0.1` ] || [ `echo $searchPathLDAP| grep localhost` ]; then echo "No existing LDAP path... Only writing AD. Please Wait." defaults write/Library/Preferences/DirectoryService/SearchNodeConfig "Search NodeCustom Path Array" -array "/Active Directory/All Domains" defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3 plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist else echo "LDAP path is /$searchPathLDAP... Writing AD as first search and LDAP second. Please Wait." defaults write/Library/Preferences/DirectoryService/SearchNodeConfig "Search NodeCustom Path Array" -array "/Active Directory/All Domains""/$searchPathLDAP" defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3 plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist fi #-------------------------------------------------------------------------------------- # Restart DirectoryService (necessary to reload AD plugin activation settings) #-------------------------------------------------------------------------------------- echo "Restarting DirectoryService... Please Wait." sleep 2 killall DirectoryService >& /dev/null sleep 8 #-------------------------------------------------------------------------------------- # Disable autologin - If it's enabled #-------------------------------------------------------------------------------------- echo "Disabling autologin if enabled... Please Wait." defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser >& /dev/null srm /etc/kcpassword >& /dev/null #-------------------------------------------------------------------------------------- # Complete #-------------------------------------------------------------------------------------- echo "Done. AD Bind Successful." exit 0 </td> </tr></tbody></table>