
[Experience sharing] Mac OS X 10.5 Leopard: Directory Utility, The end of Netinfo


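Posted on 2016-5-16 12:16:47
This is a good, brief account of a major change at the core of Leopard: it completely abandons the NetInfo database as the way to manage users, groups, and resources, and instead adopts an XML-based approach that is easier to manage and more transparent. After giving a concrete example, it also lists the corresponding changes to the command-line tools.
In fact, OS X Tiger 10.4 had two applications, one called NetInfo and one called Directory Access; one was mainly used to manage local users and the other to configure binding to network directory services. The new Directory Utility merges the functions of these two.
Some other related articles, and articles on using the specific commands, will be posted here in turn for future reference.

Users should note that although, going by this article, binding Leopard to AD is much easier than with Tiger, there are in fact still many problems waiting to be solved, and users will quite likely need to do some workarounds.

Note: the images and the two lines of code shown are my additions.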




by John C. Welch, MacCentral

  
While the general Mac user community is ooh-ing and ahh-ing over
Mac OS X 10.5
features like Time Machine, or opining about the new Dock, Stacks, et
al, those of us who support Mac users are deep into learning about one
of the biggest below-the-hood changes to happen in any version of Mac
OS X: The end of Netinfo.





  When I say “end,” I mean it in the
most “end-ish” sense. In Mac OS X 10.5, Netinfo is gone. Not
“deprecated,” not “hidden away for only the most advanced users.” It’s
gone. Deleted. It does not exist. No more Netinfo database, no more
Netinfo Utilities such as nicl, no more Netinfo Manager. The entire structure for
managing local users, groups, and other such things has been completely
replaced by local Directory Services, and the Netinfo Database is now a
series of XML files living in /var/db/dslocal/.

  
Netinfo is—well, was—a directory service used for user and computer management. Originally
created for NeXTStep, Netinfo was able to manage not only individual
machines, but entire networks. Its biggest problem was that the rest of
the world turned to LDAP for doing the same thing.
  Why is the end of Netinfo such an important change? Because
when it came to managing local users and groups—that is users you
created on your Mac, or network accounts that were mapped to local
accounts (a.k.a. mobile accounts)—Netinfo handled all that. When you
created a new user in System Preferences, that was all just a nicer
interface into Netinfo. When you enabled sharing on your Mac, managing
access to shares was handled by Netinfo. Now, it’s all done by
Directory Services.
  This may seem like a sudden change to some,
but the truth is, Apple’s been actively easing Netinfo out of the
picture since Mac OS X 10.2. Starting with that release, and continuing
into Mac OS X 10.4, Netinfo was reduced from the primary mechanism for
managing not just local users and groups, but entire network
directories, ala Microsoft’s Active Directory or Novell’s eDirectory, to
being only used for local user management. With Mac OS X 10.5, that easing out is complete.

  So
what does this mean? Well to the average user—whatever that means
anymore—not much. The things you used to manage users, file sharing,
and so forth are all still there—they just talk to different plumbing.
There are some new features in those areas in Mac OS X 10.5, such as
the “Advanced Options” in Accounts in System Preferences that allow you
to configure a user’s home directory, login shell, add/remove login
aliases, and so forth; you used to have to go to Netinfo Manager for
these. There’s also the new ability to share any folder on your hard
drive, but that could have been done with Netinfo too. The real changes
here are in other areas.
  The most obvious change for most is the
death of the Netinfo database. With Mac OS X 10.5, all the Netinfo
database information is in a series of plist files in /var/db/dslocal/
under nodes/Default/. Within there, you see a set of directories:
  



bash-3.2# ls -l Default/
total 0
drwx------  10 root  wheel   340 Oct 11 19:30 aliases
drwx------   2 root  wheel    68 Nov  3 10:15 computers
drwx------  10 root  wheel   340 Nov 13 14:56 config
drwx------  72 root  wheel  2448 Nov 13 08:49 groups
drwx------   4 root  wheel   136 Oct 11 19:30 machines
drwx------   3 root  wheel   102 Oct 11 19:30 networks
drwx------  44 root  wheel  1496 Nov 13 14:11 users


bash-3.2# pwd
/private/var/db/dslocal/nodes/Default
Note: the above two lines were added by Tony Liu, Nov 18, 2008

  Within
each of these is a set of plist files where the data for that directory
is kept, so in users/, there’s one plist per user, in groups/, one
plist per group, and so on. Looking at the entry for the “staff” group
in staff.plist, (staff is the default group for all local users you
create in Mac OS X), we see the following:
  



bash-3.2# cat staff.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>generateduid</key>
    <array>
        <string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014</string>
    </array>
    <key>gid</key>
    <array>
        <string>20</string>
    </array>
    <key>name</key>
    <array>
        <string>staff</string>
    </array>
    <key>passwd</key>
    <array>
        <string>*</string>
    </array>
    <key>realname</key>
    <array>
        <string>Users</string>
    </array>
    <key>smb_sid</key>
    <array>
        <string>S-1-5-32-545</string>
    </array>
    <key>users</key>
    <array>
        <string>root</string>
        <string>tempadmin</string>
        <string>jwelch</string>
    </array>
</dict>
</plist>





  It’s pretty easy to decipher. You have a UUID, or
Universally Unique Identifier, a unique number that identifies the
group outside of conventional Unix group IDs. You have the GID (or
Group ID), the Unix group identifier number, the name of the group, the
password for the group, (in this case, there isn't one), the realname
(or the more human friendly name), a sid number used for Windows file
sharing, and then a list of users in this group, including my own,
jwelch. If you go looking through all the other plists, they all look
like this, more or less.
  But so what? Why does anyone care about
this stuff? Well, for one, these are all text XML files. You can view
or edit them in anything that can handle text files, from Apple’s own
Text Edit and Property List Editor, to BBEdit, to Emacs or vi. You
don’t need a special database application to view or work with these
files. This makes them more easily maintainable and fixable. It also
makes it easier for network administrators to manage local-only
accounts on their network. The XML structure of these files makes it
easier to integrate the data they contain into various kinds of user
management tools, since almost everything out there, commercial and
home-built can handle XML data.
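
As an illustration of the integration point above, the following added example (not part of the original article) parses a dslocal group record with Python's standard plistlib and compares its membership with an approved list. The sample record is constructed from the staff.plist shown earlier; the function names and the baseline are hypothetical.

```python
import plistlib

# Constructed sample: the staff group record shown in the article,
# trimmed to the keys this audit reads.
STAFF_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>gid</key><array><string>20</string></array>
  <key>name</key><array><string>staff</string></array>
  <key>users</key>
  <array>
    <string>root</string>
    <string>tempadmin</string>
    <string>jwelch</string>
  </array>
</dict>
</plist>
"""

def load_group(raw):
    """Parse one dslocal group record; every attribute is a list of strings."""
    rec = plistlib.loads(raw)

    def first(key):
        # Attributes are arrays even when single-valued; a key may be absent.
        values = rec.get(key) or [None]
        return values[0]

    gid = first("gid")
    return {
        "name": first("name"),
        "gid": int(gid) if gid is not None else None,
        "members": list(rec.get("users", [])),  # absent key: no direct members
    }

def audit_membership(group, expected):
    """Compare the record's members with an approved baseline (hypothetical policy)."""
    members = set(group["members"])
    return {
        "unexpected": sorted(members - expected),
        "missing": sorted(expected - members),
    }

if __name__ == "__main__":
    group = load_group(STAFF_PLIST)
    print(group, audit_membership(group, {"root", "jwelch"}))
```

Reading the live files under /var/db/dslocal/nodes/Default/groups/ requires root, since the directories in the listing above are mode drwx------ and owned by root.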
  Network administrators trying to
manage Mac laptops on directories also benefit from the elimination of
Netinfo. Prior to Mac OS X 10.5, binding a laptop to a directory was a
painful process. Because of the way directory services worked in Mac OS
X 10.4 and earlier, if your laptop was bound, or attached to a
directory service, and you had to boot up or log in when you couldn’t
see the network that directory service was on, you were in a world of
pain, and would probably never actually log in, or get anything done.
There were a few workarounds, but it was all very wonky, due to how
Netinfo and its associated processes—in particular, lookupd—worked.
With Mac OS X 10.5, all that is fixed, and now you can have a laptop
bound to a directory, and it just works.
  For those of you
wondering what command line utilities you use, now that all the ni*
utilities and lookupd are gone, it’s pretty simple. For general needs,
you use dscl. If you want to see what group a user or another group is a member of, or check user/group UUIDs, you use
dsmemberutil. To edit, create, manipulate, or delete groups, you use
dseditgroup. To work with various Directory Service caches, including LDAP and DNS, you use
dscacheutil. Finally, to enable root, you use
dsenableroot.

  The
removal of Netinfo from Mac OS X is a major change from both the
operational and historical perspectives. But in the end, I think it’s one
that was long in coming, and it will make Mac OS X much nicer to deal
with from the administrator point of view—something that will aid Apple
as it continues to establish a greater presence in the business world.
  
[John C. Welch is a Unix/Open Systems Administrator for Kansas City Life Insurance and a long-time Mac IT pundit.]
