Can I manage local users (NetInfo)?

By: Richard Glaser - Revised: 2006-06-06 devin

Yes, you can manage local users with radmind, but some find it too problematic and instead run a script built around the nidump command-line utility as a post-radmind action.

Managing With Radmind
The local password data is stored in two places:

    /private/var/db/netinfo/local.nidb
    /private/var/db/shadow/hash

The netinfo database contains a field for users who have shadowed passwords (you can see it by opening NetInfo Manager):

    /users/-name-/generateduid

The actual user passwords are located in

    /private/var/db/shadow/hash

The file that has the same name as the value in a user's generateduid field is the password for that user.

It is ok to manage either of these two things, but you have to make sure that they match up. It might be a good idea to keep the netinfo database and the password hash either in the same overload or in 2 separate overloads and have NOTHING else in them.
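Added example (not from the original FAQ) of the "make sure they match up" check: it cross-references each user's generateduid against the files in the shadow hash directory. The "name generateduid" list is assumed to be built on the box with nidump/niutil as sketched in the header comment; the fixture data below is constructed.

```shell
#!/bin/sh
# Cross-check NetInfo generateduid values against the shadow hash files.
# On a real machine the "name generateduid" list would be built roughly as
#   for u in $(nidump passwd . | cut -d: -f1); do
#     printf '%s %s\n' "$u" "$(niutil -readprop . /users/$u generateduid 2>/dev/null)"
#   done > users.txt
# (assumed commands; the check below only needs the resulting file).

# check_hash_consistency USERS_FILE HASH_DIR
#   USERS_FILE: lines of "name generateduid" (generateduid empty for users
#               without a shadowed password, e.g. daemon accounts)
#   HASH_DIR:   normally /private/var/db/shadow/hash
# Reports users with no hash file and hash files with no user;
# returns 1 if anything is out of step, 0 when both sides agree.
check_hash_consistency() {
    users="$1"; hashdir="$2"; rc=0
    while read -r name guid; do
        [ -z "$guid" ] && continue
        if [ ! -f "$hashdir/$guid" ]; then
            echo "MISSING: no hash file for user $name ($guid)"
            rc=1
        fi
    done < "$users"
    for f in "$hashdir"/*; do
        [ -f "$f" ] || continue
        guid=$(basename "$f")
        if ! grep -q "[[:space:]]$guid\$" "$users"; then
            echo "ORPHAN: hash file $guid matches no user"
            rc=1
        fi
    done
    return $rc
}

# build_sample_fixture DIR: constructed test data, not from a real system.
# alice is consistent, bob's hash is missing, one hash file is orphaned.
build_sample_fixture() {
    mkdir -p "$1/hash"
    printf 'alice 24EC780A-1E20-11D9-AAB7-000D936BAC4C\n' >  "$1/users"
    printf 'bob 0F0F0F0F-AAAA-BBBB-CCCC-000000000001\n'   >> "$1/users"
    printf 'daemon\n'                                     >> "$1/users"
    : > "$1/hash/24EC780A-1E20-11D9-AAB7-000D936BAC4C"
    : > "$1/hash/DEADBEEF-0000-0000-0000-000000000002"
}

# Stand-alone demo on the constructed fixture.
demo_dir=$(mktemp -d)
build_sample_fixture "$demo_dir"
check_hash_consistency "$demo_dir/users" "$demo_dir/hash" || echo "NetInfo and shadow hashes disagree"
rm -rf "$demo_dir"
```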

Once you learn how to not blow up the ni database, then you pretty much have no problems. You can specifically manage the ni database by including /private/var/db/netinfo in one overload, and NO others.

You can easily generate that overload with:

fsdiff -c sha1 -C -K /dev/null ./private/var/db/netinfo > admin_netinfo_type_of_computer.T

You can put each hash in its own overload. This is a great way to change passwords very easily.

fsdiff -c sha1 -C -K /dev/null /private/var/db/shadow/hash/24EC780A-1E20-11D9-AAB7-000D936BAC4C > admin_password_username.T

Hint: by managing the password hashes in its own overload, it makes it really easy to change all of your passwords on your computers.

Manage with Scripts
Here is a script that keeps a raw flat-file dump of NetInfo (which radmind can manage), compares it with the live database, and loads it if they differ. It can be modified to run after each radmind run.

#!/bin/sh
# Sync the live NetInfo database from a flat nidump file that radmind manages.
# Usage: script [-n]   (-n: report differences only, do not load them)
NILOC=/var/db/netinfo/local.nidump
TMPFILE=$(mktemp /tmp/nidump.XXXXXX) || exit 1

# -n takes no argument, so the option string is ":n" (":n:" would demand one).
FAKE=
while getopts :n foo ; do
    case $foo in
        n) FAKE=-n;;
    esac
done
shift $((OPTIND - 1))

# Dump the current local domain in raw format and compare it with the managed copy.
nidump -r / . > "$TMPFILE"
if ! cmp -s "$TMPFILE" "$NILOC"; then
    if [ "x$FAKE" != "x-n" ]; then
        echo "Syncing NetInfo data..."
        niload -d -r / . < "$NILOC"
    else
        echo "NetInfo data not in sync."
    fi
fi

rm -f "$TMPFILE"