useradds from command line
Ok I understand how to add users via the gui and I understand how to create user groups via netinfo manager
but how do I create users, assign passwords and put them into preexisting groups from the command line with user directories and necessary startup files etc.? |
Darwin instructions
There are instructions for Darwin here: http://darwinfo.org/faq.shtml#newusr
These do not create the user's home folder or any of the other associated files. I'm not sure if there is an automatic way to do that without creating a script for it. There is however, in OS X, a /System/Library/UserTemplate/ directory with what looks like a template. Hopefully someone else will chip in with some more information. I'd like to know myself.
sssss |
To create users and passwords use nicl (Netinfo command line Utility)
Study the man pages for nicl. (Use with caution). Cheers... |
Phew... nicl is pretty stinky! If you *really* want to attempt this I think a better place to jump from would be "nidump". Try the following to get the idea:

% nidump passwd .

This prints out the contents of your current users from netinfo into the lovely old standard unix /etc/passwd format (without using a shadow file for the actual passwords, unfortunately! Note the lack of "sudo" in the above!). So you can see the vital statistics of your existing userbase, and can model your script to add extra lines of exactly this form. You'll have to organise something for the password string: not impossible, but you've got to use "crypt" on the password, together with a random salt string if you want to generate the sort of strings that you see in the dump given above. A bit messy. I could try and make up something if you really want, but no guarantees!

The reverse process should then be pretty easy: but then so *many* things are easy when you're just huffing and puffing about it rather than actually putting your machine on the line!! In essence, once you have your new user database in /etc/passwd format --let's say it's in "/Users/username/passing" --you should be able to just use niload to throw it back into netinfo.

% sudo niload passwd . < /Users/username/passing

Of course you'll want to gnaw at your fingernails for a while before doing this on a production machine! And *definitely* do a backup of your netinfo database before even thinking about such a command. While the thought *isn't* as bad as the deed in this case, sometimes the thought comes, the backup isn't made, then the decision to "just try" the command comes all at once, and the poor old backup still hasn't been made. Unfortunately the fatal mistake certainly has been. Do I sound like a preacher yet? Or just a tormented former altar boy. (How sweeeeet...)

Best of luck in any case,
Paul |
Just one more thing...
Of course after all that crud at the end of the previous post I neglected to add the other important aspect: you'll also have to do the analogous thing for the groups database. That is, dump it out (to a file probably makes more sense than to the terminal as in the previous message). Backup again (SHUT UP ABOUT BACKING UP ALREADY!) and then:

% nidump group . > grouplist

Then edit the grouplist to suit the new users and load it back on in...

% sudo niload group . < grouplist

Ain't this fun?
Cheers, Paul |
remote admin
What this discussion points out is how weak Macos X is for now in remote admin ability! Apple has changed the permissions on the nidump command, I think you now have to be root to execute...
|
Nope: I test *most* things before posting! You certainly don't have to be root to do the nidump. ni*load* for sure, but not nidump. Just did it again to confirm.
Cheers, Paul
ps I don't think it's inherently OSX's/Apple's fault that this might take a bit of setting up: it's just that it doesn't have the weight of accumulated utilities that other unix systems have up their sleeve. While it may look pretty damn easy to use "adduser" under freebsd, for example, I just had a look at that script. About 1400 lines of perl. Ouch. Maybe a significant fraction of that could be recycled for use in OSX (and a thought just struck me like an anvil: isn't there a utility --along the lines that we're discussing-- available in OSX Server? Anyone know for sure?), but the netinfo interaction would take a bit of doing. Enough that I'm certainly not going to be volunteering in a hurry.
pps I can't even *type* "OSX Server" without shuddering. But that was version 1.1 and 1.2 wasn't it. It's **got** to be better now. Really! |
OS X Server---Why?
I still can't see the overwhelming argument for spending $1000 to get a server that offers only a few gui-based tools over what you get with basic MacOS X...but again maybe I'm missing something.
|
Who's arguing *for* OSX Server: certainly not me. Though I must admit that $1000 doesn't seem unreasonable. You're underselling the extras quite severely (think, eg, Macintosh Manager with unlimited clients, automatic service rebounding blah blah...). People evidently (??) pay $400 for Tenon's front end to apache. Or $500 for OfficeX for that matter. If you're a professional administrator with a largish domain the dollars are pretty trivial.
Regards, Paul |
my bad
pmccann
you're right, my bad, admin users can do nidump without root now if I can only learn to type properly :D |
I still believe, that if you study carefully 'nicl', and as pmccann says backup, backup again and you make sure you backup and you don't forget to backup every step of the way, then 'nicl' will be easier to create and add users and passwords to the Netinfo database.
Cheers... |
adduser
There is an adduser script for Darwin out there. I don't think it should be all that hard to write one though.
I don't understand why you would want to go through all the trouble (and risk) of a nidump-niload unless you need to add a Lot of users that are already listed in a text file. Can someone explain? It seems like by the time you dumped, edited, and loaded, you could have typed each separate command for a couple of users. With the adduser script it should be even less painless. Why all the dumping? |
Some exercises with nicl :
--------------------------------------
Backup netinfo database: Just run the command 'sudo gnutar czf netinfo_backup.tgz /var/db/netinfo/local.nidb', that will back it up into a file called netinfo_backup.tgz.
( If you want to experiment with NetInfo without the chance of messing anything up, you can call it without the "sudo" part --)

sudo nicl .
> Password:
> / >
> / > ls
> 1 users
> 7 groups
> 27 machines
> 31 networks
> 33 protocols
> 48 rpcs
> 77 services
> 141 aliases
> 150 mounts
> 151 printers
> 152 localconfig
> 159 config
> 181 afpuser_aliases
> / > ls aliases
> 142 administrator
> 143 postmaster
> 144 MAILER-DAEMON
> 145 MAILER-AGENT
> 146 nobody
> 147 dumper
> 148 manager
> 149 operator
> 156 root
> 157 daniel
> 178 postfix
> / > cd aliases
> /aliases > cat dumper
> name: dumper
> members: root
> /aliases > pwd
> /aliases
> /aliases >

To change things, such as the name of the mysql user there are a couple of commands you should know. delete (or just rm) removes things. Be careful with it! create creates things. This is very powerful. Not only can it create "file" or "directories" ("files" and "directories" are actually the same thing), but it can also create properties. Observe:

sudo nicl .
> Password:
> / > create test
> / > cd test
> /test > ls
> /test > create foo
> /test > ls
> 186 foo
> /test > read foo
> name: foo
> /test > create foo message "Hello, I am a property"
> /test > read foo
> name: foo
> message: Hello, I am a property
> /test > ls
> 186 foo
> /test > create bar thingy mabob
> /test > ls
> 186 foo
> 187 bar
> /test > read bar
> name: bar
> thingy: mabob
> /test > cd bar
> /test/bar > create hello/goodbye
> /test/bar > ls
> 187 hello
> /test/bar > ls hello
> 188 goodbye
> /test/bar > cd ..
> /test > create foo message "Call me foobar"
> /test > read foo
> name: foo
> message: Call me foobar
> /test > create foo name foobar
> /test > ls
> 186 foobar
> 187 bar
> /test > read foo
> read: Invalid Path
> /test > read foobar
> name: foobar
> message: Call me foobar
> /test > delete bar
> /test > ls
> 186 foobar
> /test > cd ..
> / > rm test
> / > quit
> Goodbye

If you want to experiment (a good idea!) you should do this:

sudo nicl .
> Password:
> / > create test
> / > cd test

As long as you don't cd outside of /test, or do things like rm /users, you're free to mess around. If you want for example to rename the mysql user, just do:

sudo nicl .
> Password:
> / > cd users
> /users > read mysql
> change: 0
> class:
> expire: 0
> gid: 251
> home: /
> name: mysql
> passwd: *
> realname: MySQL Database Server
> shell: /dev/null
> uid: 251
> _writers_passwd: mysql
> /users > create mysql name mysql_de_fink
> /users > ls
> 2 nobody
> 3 root
> 4 daemon
> 5 unknown
> 6 www
> 154 daniel
> 165 news
> 166 mysql_de_fink
> 167 pgsql
> 171 games
> 172 canna
> 177 postfix
> /users > quit
> Goodbye

Of course, when you ls in /users, the listing may be different. Also, the read and ls commands don't actually change anything, so they aren't necessary. That's it, you've changed the name of the mysql user! Now, to remove the mysql user you could do this:

sudo nicl .
> Password:
> / > cd users
> /users > rm mysql
> /users > quit
> Goodbye
-----------------------------------------
Cheers... |
Sorry for the long post above...
After a backup, if you want to see as plaintext, how netinfo keeps track of things, you can also run: nidump -r / / > netinfo.dump. I've never tried this, but it seems reasonable to think, as pmccann says, that one could dump out a known Good netinfo file and in the event of an emergency reinsert with niload. (niload, nidump, and niutil are quite good and they have man pages to check them out) Cheers... |
backup netinfodb from netinfo mgr GUI app
aha! that's some great stuff, paul, sao. thanks a lot. just goes to show some real world examples are huge benefit along side a casual glance at the ungodly man pages.
so, the other day, tooling around in netinfo mgr, i wanted to Save Backup... and i get the "can't find nibindd process" error. alright, so, i want that process running, dag nabbit! don't i ? i read some of the startup scripts and discovered that startup will load nibindd if NETINFOSERVER=-YES- in /etc/hostconfig. danged if that didn't do it. i can now backup netinfodb from the netinfo mgr gui app. the nibindd process hasn't accrued any notable cpu cycles, so i think it's a good thing to have running. anybody know any vulnerabilities with running that process? keep it coming. this is great stuff. |
Mervtormel,
You did it!...the Save Backup stuff in Netinfo was not working in all the computers I tried. NETINFOSERVER=-YES- in /etc/hostconfig sounds good to me, unfortunately I don't know about the nibindd process and vulnerabilities. Maybe you put the process in intensive care for a few days and let us know. What's great, is that if there are no side effects, now we can back up from the Netinfo gui app. Let's test this thing. Cheers... |
On loading and dumping
Sao, thanks for the usage: as mT mentioned, it's a whole lot nicer to see a few scripts in action instead of ploughing through the dry dusty ground of the nicl man page. I must admit that I'll probably stick to cli backup of the nidb; that way I can chuck it into cron. Maybe we should get a script that could run via cron and rotate through a number of nidb backups? Still nice to know how to make it available from the GUI of course: definitely interesting to hear that you can make your machine a server that serves nothing and thus gain some additional functionality!
sssss wondered Quote:
So you write/run the script, and then you might (if you were silly) do the "upload" on each available machine (using ssh --programmatically-- of course). Why silly? because there'd be no easy way of communicating password changes (etc) made on one machine to all of the other machines that a given user could choose to log in from.

So what would you do instead? You might use your noggin and set up a netinfo domain (makes more sense in this sort of situation), and have each of the machines in the lab served via the user database in the parent server. It's only really in this sort of set-up that the whole netinfo hierarchy begins to make sense. See Apple's osx server page for a link to a pdf that describes some of this sort of thing in excruciating detail. It's called something like "Understanding Using Netinfo".

A third option would be to set up an LDAP server and use that to authenticate your users: unfortunately osx can only use version 2 as the authentication agent, meaning passwords go flying around in the clear, so if the server is "elsewhere" this could well be an unreasonable security risk. There are doubtless other ways as well (kerberos, Active Directory...)

Note: while I haven't done this sort of thing for osx, I've been involved in pretty much these exact machinations on SunOS/Solaris boxes. And believe me, you *don't* want to be adding 2500 users via Solaris's "admintool", even if it is fun for one or two!
Cheers, Paul |
ok then....
sssss was kind enough to point out the Darwin info faq page in a response above: http://darwinfo.org/faq.shtml#newusr
It gives the best explanation I've seen to these somewhat arcane NetInfo commands. I may be faced with a one-time gang import of 3000 users into a macos x box. I'd like to write an interactive useradd script to be able to add single users, username, real name, uid, gid, password, and the darwininfo page gives the individual pieces I'd need to have in this script.

questions:
1. Does anyone have experience with the command to add uid? Is there a way to just have the system pick the next available uid?
2. Is anyone aware of the command to back up the NetInfo database? I've trolled the man pages to no avail.
3. Is there a preexisting script that will do all this NetInfo diddling plus add the home directories? |
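An added example, not from any poster in this thread: a pre-flight check to run on an edited dump before the `sudo niload passwd .` step described earlier, which also answers the "next available uid" question by reading the dump. It assumes the 10-field layout `name:passwd:uid:gid:class:change:expire:realname:home:shell`; the sample records and the default floor of 501 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the assumed 10-field nidump passwd layout.
sample_dump() {
    cat <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daniel:*:501:20::0:0:Daniel:/Users/daniel:/bin/tcsh
mysql:*:251:251::0:0:MySQL Database Server:/:/dev/null
alice::502:20::0:0:Alice Example:/Users/alice:/bin/tcsh
bob:*:501:20::0:0:Bob Example:/Users/bob:/bin/tcsh
toor:*:0:0::0:0:Second Root:/var/root:/bin/sh
EOF
}

# Print one finding per line; no output means nothing suspicious was found.
audit_passwd_dump() {
    awk -F: '
        NF != 10           { printf "line %d: expected 10 fields, got %d\n", NR, NF; next }
        $1 == ""           { printf "line %d: empty user name\n", NR }
        $1 in names        { printf "line %d: duplicate name %s\n", NR, $1 }
        $3 !~ /^-?[0-9]+$/ { printf "line %d: non-numeric uid for %s\n", NR, $1; next }
        $3 in uids         { printf "line %d: uid %s of %s already used by %s\n", NR, $3, $1, uids[$3] }
        $2 == ""           { printf "line %d: %s has an empty password field\n", NR, $1 }
        $3 == 0 && $1 != "root" { printf "line %d: %s has uid 0\n", NR, $1 }
        { names[$1] = 1; if (!($3 in uids)) uids[$3] = $1 }
    ' "$1"
}

# Lowest unused uid at or above a floor (second argument, default 501).
next_free_uid() {
    awk -F: -v floor="${2:-501}" '
        $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }
        END { u = floor + 0; while (u in used) u++; print u }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_dump > "$tmp"
audit_passwd_dump "$tmp"
echo "next free uid: $(next_free_uid "$tmp")"
rm -f "$tmp"
```

On a real machine the input would be the file produced by `nidump passwd . > file` after editing; only load it once the audit prints nothing.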
Paul, thanks for your most excellent post. indeed, it may be fun to use a GUI for a few items, but it becomes tedious, nay, downright awful for entering many items.
this is the stuff that will garner support for OSX entry into medium to large user sites. Quote:
in other words, you'll always want to be able to drop right back to what was working right before you stick your fingers in the db and make a crater. perhaps, what is needed is a package of scripts and commands to manage the nidb save_your_ass scenario

needed:
1. regular rotating nidb backup/cleanup script for cron
2. alias to create signed/dated nidb backup before issuing nicl commands
3. restore command set

is 'sudo /usr/bin/tar czf tarball.tgz /var/db/netinfo/local.nidb' the correct way to backup the nidb?

the backups should be easily identifiable from one another. that is, accept the default for the GUI backup, and you get local.nibak... in /var/db/netinfo/

GUI backup name = local.nibak
cron backup name = yyyymmdd_hhmm_local.nibak.tgz
alias backup name = yyyymmdd_hhmm_local.nibak_$USER.tgz

the restore command should rename local.nidb before rolling a backup in. suggestions? |
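One way the three pieces listed above could fit together, as an added sketch that is not from any poster: dated archives in the proposed naming scheme, rotation of the cron-style ones only, and a restore that renames the live database first. `BACKUP_DIR`, `KEEP` and the `cron`/`manual`/`restore` sub-commands are assumptions made for the example; because the dump carries password hashes in the clear passwd format, archives are written with a restrictive umask.

```shell
#!/bin/sh
# NIDB is the path used in this thread; BACKUP_DIR and KEEP are assumptions.
NIDB="${NIDB:-/var/db/netinfo/local.nidb}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/netinfo}"   # hypothetical location
KEEP="${KEEP:-7}"                                  # cron archives to retain

# Write yyyymmdd_hhmm_local.nibak[suffix].tgz and print its path.
# Runs in a subshell so the tight umask does not leak into the caller.
backup_nidb() (
    out="$BACKUP_DIR/$(date +%Y%m%d_%H%M)_local.nibak${1:-}.tgz"
    umask 077                             # the database holds crypt() hashes
    mkdir -p "$BACKUP_DIR" || exit 1
    tar czf "$out" -C "$(dirname "$NIDB")" "$(basename "$NIDB")" || exit 1
    tar tzf "$out" >/dev/null || exit 1   # refuse to report an unreadable archive
    echo "$out"
)

# Keep the newest $KEEP cron-style archives. The timestamp prefix makes
# lexical order chronological; suffixed (per-user) archives are never touched.
rotate_backups() {
    ls "$BACKUP_DIR" 2>/dev/null |
        grep -E '^[0-9]{8}_[0-9]{4}_local\.nibak\.tgz$' |
        sort -r | tail -n +"$((KEEP + 1))" |
        while read -r old; do rm -f "$BACKUP_DIR/$old"; done
}

# Move the live database aside, then unpack the chosen archive in its place.
# Assumes nothing is writing to $NIDB while this runs.
restore_nidb() {
    [ -f "$1" ] && tar tzf "$1" >/dev/null || return 1
    if [ -e "$NIDB" ]; then
        mv "$NIDB" "$NIDB.pre_restore.$(date +%Y%m%d_%H%M%S)" || return 1
    fi
    tar xzf "$1" -C "$(dirname "$NIDB")"
}

case "${1:-}" in
    cron)    backup_nidb && rotate_backups ;;       # e.g. from root's crontab
    manual)  backup_nidb "_${USER:-unknown}" ;;     # before touching nicl
    restore) restore_nidb "$2" ;;
esac
```

Setting `NIDB` and `BACKUP_DIR` to scratch paths lets the whole cycle be rehearsed without touching the real database.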
macubergeek,
I know you can find netinfo expertise by scanning the NeXT newsgroups. I wish I knew more about the nicl -x500 flag. Anybody know? Cheers... |