QAS DEBUG - Users and Computers

- Overview
- Computer Status
  - vastool status
- User Login
  - vastool list user <username>
  - vastool nss getpwnam <username>
  - vastool user checkaccess <username>
  - kinit <username>
  - su <username>
- Groups
  - vastool list group <groupname>
- Policies
  - mcxquery
  - vgptool listgpc
  - vgptool rsop
  - vgptool apply

Overview

These tools can be used to test whether a Mac that is bound to AD via QAS is working correctly. They also show whether users are "known" in principle and whether they should be able to log in. In addition, active policies can be displayed and re-applied.

In general:
- the command-line tools are located under /opt/quest/bin
- all commands must be run as "root" (sudo -s)

Computer Status

vastool status

    urz-n-imac:~ master$ sudo -s
    cd /opt/quest/bin
    ./vastool status
    Host: <urz-n-imac.urz.unibas.ch, OSX_17_4>
    Date: <Mo 3 Jun 2013 14:38:08 CEST>
    QAS: <4.0.3.164>
    Domain: <unibasel.ads.unibas.ch>

Result: the domain is reported correctly

User Login

vastool list user <username>

Does the user exist in AD?

    /opt/quest/bin/vastool list user frobeniu
    UNIBASEL\frobeniu:VAS:45103:1182:Nico Frobenius:/Users/staff/urz/frobeniu:/bin/bash

Result: user is known

vastool nss getpwnam <username>

Is there a conflict with a local user?

    /opt/quest/bin/vastool nss getpwnam frobeniu
    frobeniu:********:45103:1182:nico Frobenius:/Users/staff/urz/frobeniu:/bin/bash

Result: no conflict

vastool user checkaccess <username>

Is there a login restriction?

    ./vastool user checkaccess frobeniu
    WARNING: NSS lookup (getgrgid) for this user's primary group ID (1182) failed. This can prevent successful authentication on some platforms.
    ALLOWED [user=frobeniu] [service=login]
    Access Rule = [No Allow or Deny rules exist!]

Result: no allow or deny rules

kinit <username>

Can the user obtain a Kerberos ticket?

    kinit frobeniu
    frobeniu@unibasel.ads.unibas.ch's Password:
    klist
    Credentials cache: API:0:2
    Principal: frobeniu@unibasel.ads.unibas.ch
    Issued Expires Principal
    Jun 3 15:11:50 Jun 4 01:11:49 krbtgt/unibasel.ads.unibas.ch@unibasel.ads.unibas.ch

Result: Kerberos ticket obtained
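
The list user, nss getpwnam and checkaccess checks above are compared by eye on this page. The following is an added example, not part of the original page or of QAS, that runs the same comparison on captured output. The function names, the fields chosen for comparison, the constructed local-account line and the "allowed / not-allowed" labels are assumptions of this example.

```shell
# Added example (not from the original page). Works on captured output,
# so it runs without a QAS-joined host.

# passwd_field LINE N: print the Nth colon-separated field.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# nss_conflict AD_LINE NSS_LINE
# AD_LINE  = output of "vastool list user <username>"
# NSS_LINE = output of "vastool nss getpwnam <username>"
# Prints "ok" if UID, GID, home and shell agree, else the differing fields.
# Assumption: a local account shadowing the AD user differs in one of them.
nss_conflict() {
    diff_fields=""
    for spec in uid:3 gid:4 home:6 shell:7; do
        if [ "$(passwd_field "$1" "${spec#*:}")" != "$(passwd_field "$2" "${spec#*:}")" ]; then
            diff_fields="$diff_fields ${spec%%:*}"
        fi
    done
    if [ -z "$diff_fields" ]; then echo "ok"; else echo "conflict:$diff_fields"; fi
}

# access_summary OUTPUT (of "vastool user checkaccess <username>")
# Prints "<allowed|not-allowed> warnings=<n> rules=<none|other>".
# "allowed ... rules=none" means the verdict comes from the absence of
# rules, not from an explicit allow entry.
access_summary() {
    verdict="not-allowed"
    if printf '%s\n' "$1" | grep -q '^ALLOWED'; then verdict="allowed"; fi
    warnings=$(printf '%s\n' "$1" | grep -c '^WARNING:' || true)
    rules="other"
    if printf '%s\n' "$1" | grep -q 'No Allow or Deny rules exist'; then rules="none"; fi
    echo "$verdict warnings=$warnings rules=$rules"
}

# Sample input: the page's own output for user frobeniu (line breaks restored).
AD_LINE='UNIBASEL\frobeniu:VAS:45103:1182:Nico Frobenius:/Users/staff/urz/frobeniu:/bin/bash'
NSS_LINE='frobeniu:********:45103:1182:nico Frobenius:/Users/staff/urz/frobeniu:/bin/bash'
# Constructed: a local account with the same name but different UID/GID/home.
LOCAL_LINE='frobeniu:********:501:20:Nico:/Users/frobeniu:/bin/bash'
ACCESS_OUT="WARNING: NSS lookup (getgrgid) for this user's primary group ID (1182) failed. This can prevent successful authentication on some platforms.
ALLOWED [user=frobeniu] [service=login]
Access Rule = [No Allow or Deny rules exist!]"

nss_conflict "$AD_LINE" "$NSS_LINE"      # ok
nss_conflict "$AD_LINE" "$LOCAL_LINE"    # conflict: uid gid home
access_summary "$ACCESS_OUT"             # allowed warnings=1 rules=none
```

On a bound host, the same functions can be fed the live output, for example `nss_conflict "$(./vastool list user frobeniu)" "$(./vastool nss getpwnam frobeniu)"`.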

su <username>

"Become the user"

    whoami
    root
    su frobeniu
    bash-3.2$ whoami
    frobeniu
    bash-3.2$ exit
    exit

Result: switch to user "frobeniu" successful

Groups

vastool list group <groupname>

This command can be used to check whether a user is a member of a particular group:

    /opt/quest/bin/vastool list group urz-qas-adm
    UNIBASEL\urz-qas-adm:VAS:1838:bruelhar-adm,frobeniu-adm,gasserp-adm,horma00-adm

Policies

mcxquery

To find out which policies and MCX settings for users, groups and the machine itself actually reach the OS and are used (built-in, also works with QAS):

    mcxquery [options] [-user recordname] [-group recordname] [-computer spec]

https://developer.apple.com/library/mac/documentation/darwin/reference/manpages/man1/mcxquery.1.html

vgptool listgpc

Which policies apply to this computer?

    /opt/quest/bin/vgptool listgpc
    Domain/OU: DC=unibasel,DC=ads,DC=unibas,DC=ch
    Policy: Default Domain Policy
    Policy: UNIBASEL_rename_admin_and_guest
    Domain/OU: OU=Institutes,DC=unibasel,DC=ads,DC=unibas,DC=ch
    Policy: URZ-SetLogSizeAndOverwrite
    Domain/OU: OU=Computers,OU=URZ,OU=Institutes,DC=unibasel,DC=ads,DC=unibas,DC=ch
    Policy: URZ-SetLogSizeAndOverwrite
    Domain/OU: OU=Macs,OU=Computers,OU=URZ,OU=Institutes,DC=unibasel,DC=ads,DC=unibas,DC=ch
    Policy: URZ-QAS-Testpolicy
    Policy: URZ-QAS-Displayname
    Policy: URZ-QAS-PreventDSStore
    Policy: URZ-QAS-Loginwindow
    Policy: URZ-QAS-AppUpdates
    Domain/OU: OU=QASTest,OU=Macs,OU=Computers,OU=URZ,OU=Institutes,DC=unibasel,DC=ads,DC=unibas,DC=ch
    Policy: URZ-QAS-LocalHomePath

vgptool rsop

Content / configuration of the policies?

    /opt/quest/bin/vgptool rsop
    Resultant Set of Policy
    MACHINE POLICY
    CallType: SYSTEM START
    Apply Date/Time: Mon Jun 3 14:16:49 2013
    GPO: Default Domain Policy
    CSE: vgp_admext
    --
    --
    GPO: URZ-QAS-AppUpdates
    CSE: vgp_mac
    --
    Policy Type: Mac Policy Settings
    Policy Type: Preference Manifest Policy - AdiumX
    [ SUAutomaticallyUpdate (Always) ] = false
    [ SUCheckAtStartup (Always) ] = false
    [ SUEnableAutomaticChecks (Always) ] = false
    [ SUIncludeProfile (Always) ] = false
    Policy Type: Preference Manifest Policy - Adobe Acrobat Pro
    [ 11/AVGeneral/CheckForUpdatesModeAtStartup (Always) ] = 0
    [ 11/FeatureLockdown/bUpdater (Always) ] = false
    Policy Type: Preference Manifest Policy - AdobeUpdateManager
    [ Disable.Update (Always) ] = true
    Policy Type: Preference Manifest Policy - Adobe Reader
    [ 11/AVGeneral/CheckForUpdatesModeAtStartup (Always) ] = 0
    [ 11/FeatureLockdown/bUpdater (Always) ] = false
    Policy Type: Preference Manifest Policy - itapmobile
    [ SUEnableAutomaticChecks (Always) ] = false
    [ SUHasLaunchedBefore (Always) ] = true
    Policy Type: Preference Manifest Policy - Microsoft Office Auto Update
    [ Update Method (Once) ] = Manual
    Policy Type: Preference Manifest Policy - Flip4Mac Settings
    [ Update Check Interval (Once) ] = 9999
    Policy Type: Preference Manifest Policy - VLC
    [ SUEnableAutomaticChecks (Always) ] = false
    [ SUHasLaunchedBefore (Always) ] = true
    --
    GPO: URZ-QAS-Loginwindow
    CSE: vgp_mac
    --
    Policy Type: Mac Policy Settings
    Policy Type: Macintosh Login Options Policy Settings
    [ Manage Mode: ] = Always
    [ Show password hint when needed and available ] = True
    [ Enable automatic login ] = False
    [ Enable console login ] = False
    [ Enable fast user switching ] = True
    [ Minutes until auto logout ] = 0
    [ Local administrators may refresh or disable management ] = True
    [ Set computer name to record name ] = False
    [ Enable external accounts ] = True
    [ Enable guest account ] = False
    [ Minutes Before Login Window Screensaver Activates ] = 0
    [ Login Window Screensaver Module Path ] =
    Policy Type: Macintosh Login Window Policy Settings
    [ Manage Mode: ] = Always
    [ Heading ] = DSStatus
    [ Message ] = Universitätsrechenzentrum Basel
    [ Name and password text fields ] = True
    [ Show local users ] = False
    [ Show mobile accounts ] = False
    [ Show computers administrators ] = False
    [ Show network users ] = False
    [ Show Others... ] = True
    [ Show restart button ] = True
    [ Show Shut Down button ] = True
    --
    GPO: URZ-QAS-PreventDSStore
    CSE: vgp_mac
    --
    Policy Type: Mac Policy Settings
    Policy Type: Preference Manifest Policy - Apple Desktop Services
    [ Avoid creating .ds_store files on network shares (Always) ] = true
    --
    GPO: URZ-QAS-Displayname
    CSE: vgp_vasext
    --
    Policy Type: VAS Configuration (vas.conf)
    vas_macos:realname-attr = gecos
    --
    GPO: URZ-QAS-Testpolicy
    CSE: vgp_mac
    --
    Policy Type: Mac Policy Settings
    Policy Type: Preference Manifest Policy - Apple Dockfixup
    [ Add Application/dictionary/path (Once) ] = /Applications/Safari.app
    --

vgptool apply

Fetch the policies from AD again and apply them

    /opt/quest/bin/vgptool apply
    Group Policy Apply - CallType: REFRESH
    Updating VGP From Policy
    ------------------------
    [vgp_vgpext.dylib]
    Accumulating Settings from GPOs
    -------------------------------
    GPO: Default Domain Policy CSE: vgp_admext.dylib GUID: 35378EAC-683F-11D2-A89A-00C04FBBCFA2 PTYPE: 53D6AB1D-2488-11D1-A28C-00C04FB94F17
    GPO: Default Domain Policy CSE: vgp_admext.dylib GUID: 35378EAC-683F-11D2-A89A-00C04FBBCFA2 PTYPE: D02B1F72-3407-48AE-BA88-E8213C6761F1
    GPO: Default Domain Policy CSE: vgp_scecli.dylib GUID: 827D319E-6EAC-11D2-A4EA-00C04F79F83A PTYPE: 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
    [info] WINDOWS HOST ACCESS CONTROL IS CURRENTLY TURNED OFF
    GPO: UNIBASEL_rename_admin_and_guest CSE: vgp_scecli.dylib GUID: 827D319E-6EAC-11D2-A4EA-00C04F79F83A PTYPE: 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
    [info] WINDOWS HOST ACCESS CONTROL IS CURRENTLY TURNED OFF
    GPO: URZ-SetLogSizeAndOverwrite CSE: vgp_scecli.dylib GUID: 827D319E-6EAC-11D2-A4EA-00C04F79F83A PTYPE: 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
    [info] WINDOWS HOST ACCESS CONTROL IS CURRENTLY TURNED OFF
    GPO: URZ-SetLogSizeAndOverwrite CSE: vgp_scecli.dylib GUID: 827D319E-6EAC-11D2-A4EA-00C04F79F83A PTYPE: 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
    [info] WINDOWS HOST ACCESS CONTROL IS CURRENTLY TURNED OFF
    GPO: URZ-QAS-Testpolicy CSE: vgp_mac.dylib GUID: 02413888-E6B8-475D-A79B-AE11CE6BFC0D PTYPE: 2650E9F3-2413-4BD5-8447-53EA59472084
    output to append: MAC Preference Manifest (Apple Dockfixup) - Machine Settings
    GPO: URZ-QAS-Displayname CSE: vgp_vasext.dylib GUID: 7F152858-C452-435C-84A0-61933CFAD02A PTYPE: 2998AC61-CF18-4A41-A7AE-A9FE969CCBD4
    GPO: URZ-QAS-PreventDSStore CSE: vgp_mac.dylib GUID: 02413888-E6B8-475D-A79B-AE11CE6BFC0D PTYPE: 2650E9F3-2413-4BD5-8447-53EA59472084
    output to append: MAC Preference Manifest (Apple Desktop Services) - Machine Settings
    GPO: URZ-QAS-Loginwindow CSE: vgp_mac.dylib GUID: 02413888-E6B8-475D-A79B-AE11CE6BFC0D PTYPE: 2650E9F3-2413-4BD5-8447-53EA59472084
    output to append: MAC Login Policy - Machine Settings
    GPO: URZ-QAS-AppUpdates CSE: vgp_mac.dylib GUID: 02413888-E6B8-475D-A79B-AE11CE6BFC0D PTYPE: 2650E9F3-2413-4BD5-8447-53EA59472084
    output to append: MAC Preference Manifest (AdiumX) - Machine Settings
    output to append: MAC Preference Manifest (Adobe Acrobat Pro) - Machine Settings
    output to append: MAC Preference Manifest (AdobeUpdateManager) - Machine Settings
    output to append: MAC Preference Manifest (Adobe Reader) - Machine Settings
    output to append: MAC Preference Manifest (itapmobile) - Machine Settings
    output to append: MAC Preference Manifest (Microsoft Office Auto Update) - Machine Settings
    output to append: MAC Preference Manifest (Flip4Mac Settings) - Machine Settings
    output to append: MAC Preference Manifest (VLC) - Machine Settings
    GPO: URZ-QAS-LocalHomePath CSE: vgp_vasext.dylib GUID: 7F152858-C452-435C-84A0-61933CFAD02A PTYPE: 2998AC61-CF18-4A41-A7AE-A9FE969CCBD4
    Applying Settings Changes
    -------------------------
    [vgp_licext.dylib]
    [vgp_vasext.dylib]
    Modifying vas.conf Settings
    vas_macos:realname-attr = gecos
    Setting override(s) in /etc/opt/quest/vas/user-override
    UNIBASEL\Domain Users = UNIBASEL\Domain Users:::::/Users/root:
    [vgp_scecli.dylib]
    [vgp_mac.dylib]
    MAC Preference Manifest (Apple Dockfixup) - Machine Settings
    MAC Preference Manifest (Apple Desktop Services) - Machine Settings
    MAC Login Policy - Machine Settings
    MAC Preference Manifest (AdiumX) - Machine Settings
    MAC Preference Manifest (Adobe Acrobat Pro) - Machine Settings
    MAC Preference Manifest (Adobe Reader) - Machine Settings
    MAC Preference Manifest (AdobeUpdateManager) - Machine Settings
    MAC Preference Manifest (Flip4Mac Settings) - Machine Settings
    MAC Preference Manifest (Microsoft Office Auto Update) - Machine Settings
    MAC Preference Manifest (VLC) - Machine Settings
    MAC Preference Manifest (itapmobile) - Machine Settings
    [vgp_sudoext.dylib]
    [vgp_dfc.dylib]
    [vgp_unixext.dylib]
    [vgp_sshcfg.dylib]
    [vgp_samba.dylib]
    [vgp_defender.dylib]
    [vgp_qpm4u.dylib]
    [vgp_admext.dylib]
    CSE: Xlator directory (/opt/quest/libexec/vgp/xlators/machine) must be owned by root with 700 permissions