Active Directory 在企业管理中已经成为事实上的标准。Open Directory、Active Directory 和 eDirectory 等都是基于目录服务(Directory)原理实现的,各有自己的实现和扩展,也各有优势。由于 PC 和 AD 服务在企业中十分普及,把 Mac 或其它系统纳入 AD 管理(即 AD 集成)在企业中也很常见。实际操作时要考虑系统版本的兼容性、本企业 AD 的配置情况和管理特点,当然也别忘了先把客户端计算机加入到 AD 中,并设置好相应的 GPO 以及管理环境所需的管理组等。  
 
下面的脚本就是在实际企业环境中把 Mac 系统纳入 AD 管理环境的一个例子,谨与大家分享:
|         #--------------------------------------------------------------------------------------
 # Check for Valid Corp Network IP Address
 #--------------------------------------------------------------------------------------
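 # Poll ifconfig until an address in 10.0.0.0/8 shows up, then continue with
 # the bind; give up (exit 1) after a fixed number of attempts.
 # NOTE(review): a 10.x address only suggests the corporate LAN. Any home or
 # guest network can hand out the same range, so treat this as a reachability
 # hint, not as proof that the machine sits on a trusted network.
 CorpIP=""
 check=20        # attempts left, shown in the progress message
 limit=$check    # the page had "Limit=check" but tested "$limit", which left
                 # the comparison without an operand, so the loop never gave up
 X=0
 while [ -z "$CorpIP" ]; do
   echo "Checking valid IP detected...$check times."
   # -F matches "inet 10." literally; read as a regex, the dot also accepted
   # addresses such as 100.x.x.x or 101.x.x.x.
   CorpIP=$(ifconfig | grep -F "inet 10.")
   if [ -n "$CorpIP" ]; then
     # Found one: leave before the attempt counter can overwrite the result.
     break
   fi
   X=$((X+1))
   if [ "$X" -ge "$limit" ]; then
     CorpIP="NO_ValidIP"
     break
   fi
   check=$((check-1))
   sleep 2
 done

 echo "Detected IP: $CorpIP"

 # No corporate address within the attempt budget: announce it and abort.
 if [ "$CorpIP" = "NO_ValidIP" ]; then
   echo "Binding failed! Valid Corp Network not detected!"
   osascript -e "set volume 4"
   say "Binding failed! Valid Corp IP Address not detected!"
   exit 1
 fi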
 
 #--------------------------------------------------------------------------------------
 # Host-specific parameters
 #--------------------------------------------------------------------------------------
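 # Computer account name used for the bind: this Mac's LocalHostName as
 # reported by scutil.
 computerid=$(/usr/sbin/scutil --get LocalHostName)

 #--------------------------------------------------------------------------------------
 # Standard Parameters used to Bind Workstation to AD
 #--------------------------------------------------------------------------------------
 domain="Corp.com"
 udn="MacADIAdmin"
 # NOTE(review): the bind account's password was hardcoded here, so everyone
 # who can read this script (or a package that ships it) holds a domain
 # credential. It can now be supplied through the AD_BIND_PASSWORD environment
 # variable; the literal fallback is the article's sample value and only keeps
 # the listing runnable as published. For real use, drop the fallback, limit
 # the account to joining computers in the target OU, and rotate the password
 # whenever the script may have been exposed.
 password="${AD_BIND_PASSWORD:-Mac1nt0SH}"
 ou="CN=Computers,DC=Corp,DC=com"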
 
 #--------------------------------------------------------------------------------------
 # Advanced Options for AD Plugin
 #--------------------------------------------------------------------------------------
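 # Values handed to dsconfigad further down, one variable per option.
 alldomains="enable"
 localhome="disable"
 protocol="afp"
 mobile="disable"
 mobileconfirm="disable"
 useuncpath="enable"
 user_shell="/bin/bash"
 # Kept as a ready-made option word because it is passed to dsconfigad as-is.
 preferred="-nopreferred"
 # Passed to "dsconfigad -groups": members of this AD group get administrator
 # rights on the Mac, so its membership should be kept small and reviewed.
 admingroups="Corp/WSAdmins"
 # LDAPv3 node already present in the search policy, if any, with the plist
 # markup and the leading "/" stripped (the script re-adds the "/" later).
 # The page had lost the spaces after "cat" and "grep" and shows "/" where the
 # sed and tr arguments presumably had backslashes; "s!</!!g" and '\t' restore
 # what the pipeline appears to have intended. NOTE(review): confirm against
 # a real SearchNodeConfig.plist.
 searchPathLDAP=$(grep LDAPv3 /Library/Preferences/DirectoryService/SearchNodeConfig.plist \
   | sed -e 's!string>!!g' -e 's!</!!g' \
   | tr -d '\t')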
 
 #--------------------------------------------------------------------------------------
 # Synchronize Time with Corp Network Time Server
 #--------------------------------------------------------------------------------------
 # Point the Mac at the corporate time server and restart the time service.
 # Presumably done before the bind because AD (Kerberos) authentication is
 # sensitive to clock skew. $1 is expected to be the bundle directory that
 # carries the systemsetup-tiger helper -- TODO confirm how the script is invoked.
 systemsetup_tool="$1/Contents/Resources/systemsetup-tiger"
 echo "Setting the Network Time Server to 10.0.1.1 ... Please Wait"
 "$systemsetup_tool" -setusingnetworktime off > /dev/null 2>&1
 "$systemsetup_tool" -setnetworktimeserver 10.0.1.1 > /dev/null 2>&1
 "$systemsetup_tool" -setusingnetworktime on > /dev/null 2>&1

 echo "Restarting Network Time Service... Please Wait"
 SystemStarter -d restart "Network Time" > /dev/null 2>&1

 #--------------------------------------------------------------------------------------
 # Attempt to force unbind the workstation
 #--------------------------------------------------------------------------------------
 # baduser/badpass are dummy credentials: the forced removal is only meant to
 # clear a local binding left over from an earlier run. Output and errors are
 # discarded, so a machine that was never bound passes through silently.
 # NOTE(review): an existing computer object in AD is presumably left in
 # place by this step -- confirm and clean up stale objects on the AD side.
 echo "Attempting a force unbind in case system is already bound to AD... Please Wait."
 dsconfigad -r -f -u baduser -p badpass > /dev/null 2>&1
 
 #--------------------------------------------------------------------------------------
 # Disable Unused Protocols
 #--------------------------------------------------------------------------------------
 # Mark the directory plugins this environment does not use as Inactive, then
 # convert the preferences file back to XML.
 ds_prefs=/Library/Preferences/DirectoryService/DirectoryService
 echo "Disable all unused protocols (AppleTalk, BSD, SMB, SLP)... Please Wait."
 for plugin in AppleTalk BSD SMB SLP; do
   defaults write "$ds_prefs" "$plugin" -string Inactive
 done
 plutil -convert xml1 "$ds_prefs.plist"

 #--------------------------------------------------------------------------------------
 # Activate the AD plugin
 #--------------------------------------------------------------------------------------
 # Same preferences file: switch the "Active Directory" plugin to Active.
 echo "Activating AD Plugin... Please Wait."
 defaults write "$ds_prefs" "Active Directory" "Active"
 plutil -convert xml1 "$ds_prefs.plist"
 
 #--------------------------------------------------------------------------------------
 # Bind to AD
 #--------------------------------------------------------------------------------------
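 # Join the domain with the parameters set above and stop on failure.
 echo "Binding system to AD as $computerid... Please Wait."
 # NOTE(review): -p places the bind password on dsconfigad's command line,
 # where other local users can see it in process listings while the command
 # runs. Confirm whether this dsconfigad version can prompt for the password
 # instead, and keep the bind account's rights minimal either way.
 bind_result=$(dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou")

 # Success is recognised by dsconfigad's exact message; any other output,
 # including an empty one, is treated as a failed bind.
 if [ "$bind_result" != "Computer was successfully Added to Active Directory." ]; then
   echo "Binding failed! Check the Computer Name and ensure it has an account in Active Directory"
   osascript -e "set volume 4"
   # Single quotes keep the AppleScript string quotes intact; on the page the
   # nested double quotes ended the shell string after "say ".
   osascript -e 'say "I am sorry but Active Directory binding failed! Please check the computer name and ensure this system has an account in Active Directory." using "Vicki"'
   exit 1
 else
   echo "$bind_result"
 fi

 # Write value so workstation can be easily identified being bound to AD
 # (on the page this command was fused into the comment line and never ran).
 defaults write /Library/Preferences/com.apple.RemoteDesktop "Text4" "Bound to AD - OSXServer - v2.0"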
 
 #--------------------------------------------------------------------------------------
 # Configure advanced AD plugin options
 #--------------------------------------------------------------------------------------
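 # Apply the plugin options chosen in the "Advanced Options" section.
 echo "Configuring Advanced AD Plugins... Please Wait."
 # An empty $admingroups means no AD group is mapped to local administrators.
 if [ -z "$admingroups" ]; then
   dsconfigad -nogroups
 else
   dsconfigad -groups "$admingroups"
 fi

 # The page showed "/" at the line ends, which passed a stray "/" argument and
 # ran the following lines as separate commands; "\" continues the command.
 # $preferred stays unquoted on purpose: it holds a whole option word and may
 # need to split into an option plus its value.
 # shellcheck disable=SC2086
 dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
   -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
   -shell "$user_shell" $preferred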
 
 #--------------------------------------------------------------------------------------
 # Add the AD node to the search path
 # Delay a bit to give the Directory Service a chance to catch its breath
 #--------------------------------------------------------------------------------------
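 # Put the AD node first in the custom search path and keep an existing
 # remote LDAPv3 node, if there is one, as the second entry.
 # NOTE(review): the order of this array presumably decides which directory
 # answers identity lookups first -- confirm before adding further nodes.
 echo "Adding AD to Search Path... Please Wait."

 search_prefs=/Library/Preferences/DirectoryService/SearchNodeConfig
 # An LDAP path that is empty or points at this machine (127.0.0.1/localhost)
 # is treated as "no existing LDAP path". grep -q -F replaces the page's
 # "grep127.0.0.1" (space lost) and matches the address literally.
 if [ -z "$searchPathLDAP" ] \
   || printf '%s\n' "$searchPathLDAP" | grep -q -F -e 127.0.0.1 -e localhost; then
   echo "No existing LDAP path... Only writing AD. Please Wait."
   # Key name written with the space the page appears to have dropped
   # ("Search NodeCustom ...") -- NOTE(review): confirm against an existing
   # SearchNodeConfig.plist.
   defaults write "$search_prefs" "Search Node Custom Path Array" -array "/Active Directory/All Domains"
 else
   echo "LDAP path is /$searchPathLDAP... Writing AD as first search and LDAP second. Please Wait."
   # Two separate array elements; on the page they were glued into one string.
   defaults write "$search_prefs" "Search Node Custom Path Array" -array "/Active Directory/All Domains" "/$searchPathLDAP"
 fi
 # Both branches finish the same way: set the policy value and convert the
 # file back to XML.
 defaults write "$search_prefs" "Search Policy" -int 3
 plutil -convert xml1 "$search_prefs.plist"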
 
 #--------------------------------------------------------------------------------------
 # Restart DirectoryService (necessary to reload AD plugin activation settings)
 #--------------------------------------------------------------------------------------
 # Kill DirectoryService and wait; the pauses give it time to come back up
 # with the new plugin settings.
 echo "Restarting DirectoryService... Please Wait."
 sleep 2
 killall DirectoryService > /dev/null 2>&1
 sleep 8

 #--------------------------------------------------------------------------------------
 # Disable autologin - If it's enabled
 #--------------------------------------------------------------------------------------
 # Drop the auto-login user and securely delete /etc/kcpassword, the file that
 # stores the auto-login password in an easily reversible form. Errors are
 # discarded because both items are absent when auto-login was never enabled.
 echo "Disabling autologin if enabled... Please Wait."
 defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser > /dev/null 2>&1
 srm /etc/kcpassword > /dev/null 2>&1

 #--------------------------------------------------------------------------------------
 # Complete
 #--------------------------------------------------------------------------------------
 echo "Done. AD Bind Successful."
 exit 0
 |