Adding Mac OS X Users Remotely

Posted in System Administration

Important commands: ditto nicl nidump passwd

If you're like me, you might be occasionally called upon to remotely manage a few Mac OS X systems. The environment I'm working in only allows SSH access to these systems, so everything must be done from the command line.

Unlike Linux and most other UNIXes I've worked with (Solaris and HP-UX mainly), OS X does not use passwd or shadow files to store user information. Instead everything is kept in the NetInfo system configuration database. For old system hacks, this is going to seem seriously painful (trust me, I feel for you), but it's really no problem for old dogs to learn new tricks.

I want to keep all the commands in one place, so let's talk about what we're going to do before we do it. First of all, we'll need to tell our NetInfo-related commands which database to work on. In this case, we're just working on the local database, so a single '.' is all we need to signify that.

Next, for anyone who is familiar with Berkeley databases, the concept of paths, keys, and values will make perfect sense. In the NetInfo database, each user is a path made of several key/value pairs. The two top-level paths we're interested in are users and groups.

Using nicl we're going to go through the process of creating a user and assigning the various attributes that should be familiar to any UNIX administrator. We'll first need to get the next valid UID, and a nifty use of nidump can handle that for us. Don't forget that the last number is the highest UID in use; you need to add 1 to that number to get your next usable UID.

Now, let's create a new user called 'slap'. We'll need to create a home directory for the new user by copying the template directory. Finally, we'll add the new user to the admin group so that he can run the system. I'll include as much output as possible (which, unfortunately, isn't much).

```
# nidump passwd . | awk -F: '{ print $3 }' | sort -n
<snip>
501
502
# nicl . -create /users/slap
# nicl . -create /users/slap uid 503
# nicl . -create /groups/slap
# nicl . -create /groups/slap gid 503
# nicl . -create /groups/slap passwd \*
# nicl . -create /users/slap realname "Slaptijack"
# nicl . -create /users/slap passwd ""
# nicl . -create /users/slap gid 503
# nicl . -create /users/slap shell "/bin/bash"
# nicl . -create /users/slap home "/Users/slap"
# nicl . -create /users/slap _writers_passwd slap
# passwd slap
# ditto /System/Library/User\ Template/English.lproj/ /Users/slap
# chown -R slap:slap /Users/slap
# nicl . -append /groups/admin users slap
```

Until you set the new user's password via the passwd command, the NetInfo database will not have some of the keys required for login.

And finally, you're done! The new user should be able to log in via SSH and execute commands as root via sudo.
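Two checks around the procedure above, as an added example that is not part of the original post: one picks an ID that is free as both a UID and a GID (the steps reuse the same number for the user's private group), the other lists accounts whose passwd field is still empty. The account names alice and bob, the group projects, both sample dumps and the floor of 501 for regular accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The dumps below are constructed, in the colon-separated
# layout that `nidump passwd .` and `nidump group .` print
# (UID and GID are both field 3).

PASSWD_BEFORE='nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
alice:********:501:501::0:0:Alice:/Users/alice:/bin/bash
bob:********:502:502::0:0:Bob:/Users/bob:/bin/bash'

# Constructed: GID 503 is already taken by a group with no matching user.
GROUP_DUMP='wheel:*:0:root
admin:*:80:root,alice
alice:*:501:
bob:*:502:
projects:*:503:alice,bob'

# Constructed: state after the `passwd ""` step, before `passwd slap` is run.
PASSWD_AFTER="$PASSWD_BEFORE
slap::504:504::0:0:Slaptijack:/Users/slap:/bin/bash"

# next_free_id PASSWD_DUMP GROUP_DUMP
# Print one more than the highest UID or GID in use, never below 501
# (assumed floor for regular accounts). Negative IDs such as -2 are ignored.
next_free_id() {
    {
        printf '%s\n' "$1" | awk -F: '{ print $3 }'
        printf '%s\n' "$2" | awk -F: '{ print $3 }'
    } | awk 'BEGIN { max = 500 }
             ($1 ~ /^[0-9]+$/) && (($1 + 0) > max) { max = $1 + 0 }
             END { print max + 1 }'
}

# empty_passwd_users PASSWD_DUMP
# Print the name of every account whose passwd field (field 2) is empty.
empty_passwd_users() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $2 == "" { print $1 }'
}

echo "next free ID: $(next_free_id "$PASSWD_BEFORE" "$GROUP_DUMP")"
echo "empty passwd field: $(empty_passwd_users "$PASSWD_AFTER")"
```

On the managed system, the same functions take the live dumps: `next_free_id "$(nidump passwd .)" "$(nidump group .)"` before creating the user, and `empty_passwd_users "$(nidump passwd .)"` after running passwd.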
