Leon Chung

Creating User Records with dscl

I was decommissioning an Xserve from serving MCX (I was turning off Open Directory to keep it from serving some transitional MCX). Long story short, I deleted the OD. The Xserve was still running a print server for Linux boxes, however, and now root was gone! I could not sudo or su to root; every attempt came back with "Unknown user".

It turns out root really was gone.
The Xserve was running 10.6 Server. I was still able to log in as a regular user, but the Linux admin using this server for the printers could not function without sudo (I didn't ask what he needed it for; maybe he just needed full lpadmin rights?).

Anyway, I needed it back up and there wasn't a backup (because why would there be one in a production environment? /sigh).

I would like to thank frogor again for his guidance.

We attempted some troubleshooting in Single User Mode, entered by holding Command + S while booting.

root was working in Single User Mode, which was a relief: in single-user mode you already are root, and the system consults /etc/passwd directly instead of the directory service, which is why the missing record didn't matter there. In the normal boot environment, though, root simply could not be found. We decided to check with dscl to see what it would return when we queried for root.

If you try to run dscl . -list /Users from single-user mode it will not work: opendirectoryd isn't running yet, so your Mac doesn't understand the "." node and has no alias for /Users. You also can't read anything until the filesystem is checked and mounted read-write. Do this first:
fsck -fy - File System Check
mount -uw / - Mount / read-write

Then load the directory service. It will tell you that you can only work with the localonly node:
launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

In order to list /Users, you need to use the full path, /Local/Default/Users. At one point I thought all users were gone, but I was just using the wrong path.
dscl localonly -list /Local/Default/Users

root really was gone, but root was still listed in the admin and staff groups (dscl localonly -read /Local/Default/Groups/staff), and a line for root still existed in /etc/passwd (which, as noted above, only matters in single-user mode). I set out to re-create root, hoping that only the user record was gone. There are several ways to do this: use dscl to create the record, use MagerValp's CreateUserPkg.app, or restore a root.plist from a known-good machine running the same OS version. The last two require Target Disk Mode, since you won't be able to authenticate to make changes from a regular user session. gneagle found the Xserve User Guide to help out with Target Disk Mode on an Xserve; on page 14 it even tells you how to start TDM without a keyboard.

At this point frogor had a copy of /private/var/db/dslocal/nodes/Default/users/root.plist from a 10.6 machine, and I had a 10.8 laptop with all the records root has in dscl. The 10.6 record has fewer attributes (the plist is attached at the bottom of this page).

Anyway, on to the commands:

# create the empty record first, then add one attribute per call
dscl localonly -create /Local/Default/Users/root
# UID 0 and primary group 0 (wheel) are what make root root
dscl localonly -create /Local/Default/Users/root UniqueID 0
dscl localonly -create /Local/Default/Users/root PrimaryGroupID 0
dscl localonly -create /Local/Default/Users/root RealName "System Administrator"
# two RecordName values: the short name and the Windows-style alias
dscl localonly -create /Local/Default/Users/root RecordName root "BUILTIN\Local System"
dscl localonly -create /Local/Default/Users/root AppleMetaNodeLocation /Local/Default
# root's well-known GeneratedUID, taken from the 10.6 root.plist below
dscl localonly -create /Local/Default/Users/root GeneratedUID FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
dscl localonly -create /Local/Default/Users/root NFSHomeDirectory /var/root
dscl localonly -create /Local/Default/Users/root UserShell /bin/sh
# S-1-5-18 is the well-known Local System SID
dscl localonly -create /Local/Default/Users/root SMBSID S-1-5-18

The root user record is now recreated. Note that these commands set no Password or AuthenticationAuthority attribute for root, so you should not expect to log in as root directly; sudo works because the admin account is in the admin group, which /etc/sudoers grants full access. Before putting the box back into service, read the record back (dscl localonly -read /Local/Default/Users/root) to confirm what you actually ended up with, and if you want a usable root password, set it deliberately with dsenableroot rather than leaving it unspecified.
We attempted a reboot into our normal environment and tested that sudo was working; sudo -s worked as well. I was very lucky that the rest of the records were intact, but this gave me a whole new insight into using dscl and reading user and group records on the system.
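As an added example (not part of the original post, and not anything from Apple's tools): a small POSIX shell checker for the re-created record. It flattens the output of dscl localonly -read /Local/Default/Users/root into key=value lines and confirms the attributes the procedure above relies on (UniqueID 0, PrimaryGroupID 0, home, shell, GeneratedUID, SMBSID, a RecordName of root). The two sample outputs are constructed to mirror dscl's -read layout (one space-indented line per value when any value contains whitespace), not captured from a real Xserve; check_live_root is an assumed helper name for running it against the live record.

```shell
#!/bin/sh
# Added example, not from the original post: verify a re-created local root
# record as printed by `dscl localonly -read /Local/Default/Users/root`.
# Expected values are the ones the post uses; the sample outputs below are
# constructed, not captured from a real machine.

# Attributes that must come back exactly as set. Only single-word values
# are listed so the string can be word-split safely; RealName (which has a
# space) is left out of the strict list.
EXPECTED="UniqueID=0
PrimaryGroupID=0
NFSHomeDirectory=/var/root
UserShell=/bin/sh
SMBSID=S-1-5-18
GeneratedUID=FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
AppleMetaNodeLocation=/Local/Default
RecordName=root"

# Flatten dscl -read output into key=value lines. dscl prints "Key: value"
# when every value is a single word, otherwise "Key:" followed by one
# space-indented line per value; both shapes end up as one line per value.
flatten_dscl() {
    awk '
        /^[^ ]/ { key = $1; sub(/:$/, "", key)
                  val = $0; sub(/^[^:]*: ?/, "", val)
                  if (val != "") print key "=" val
                  next }
        /^ /    { val = $0; sub(/^ /, "", val); print key "=" val }
    '
}

# check_root_record "<dscl -read output>": returns 0 if every expected
# attribute is present with the right value, 1 otherwise (mismatches on stderr).
check_root_record() {
    flat=$(printf '%s\n' "$1" | flatten_dscl)
    if [ -z "$flat" ]; then
        echo "no record returned (record missing?)" >&2
        return 1
    fi
    rc=0
    for want in $EXPECTED; do
        if ! printf '%s\n' "$flat" | grep -qxF "$want"; then
            key=${want%%=*}
            got=$(printf '%s\n' "$flat" | grep "^$key=" | tr '\n' ' ')
            echo "mismatch: wanted '$want', got '${got:-<absent>}'" >&2
            rc=1
        fi
    done
    return $rc
}

# On the Xserve itself (single-user mode with opendirectoryd loaded, as in
# the post), feed the live record to the checker. Assumed helper name.
check_live_root() {
    check_root_record "$(dscl localonly -read /Local/Default/Users/root)"
}

# Constructed sample of a correct record, in dscl -read layout.
GOOD_RECORD='AppleMetaNodeLocation: /Local/Default
GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
NFSHomeDirectory: /var/root
PrimaryGroupID: 0
RealName:
 System Administrator
RecordName:
 root
 BUILTIN\Local System
RecordType: dsRecTypeStandard:Users
SMBSID: S-1-5-18
UniqueID: 0
UserShell: /bin/sh'

# Constructed sample of a botched re-creation: a typo in UniqueID leaves a
# user named root that is not UID 0, and the GUID and SID were never set.
BAD_RECORD='NFSHomeDirectory: /var/root
PrimaryGroupID: 0
RecordName: root
UniqueID: 500
UserShell: /bin/sh'

check_root_record "$GOOD_RECORD" && echo "sample record: OK"
check_root_record "$BAD_RECORD" || echo "sample bad record: rejected"
```

One more check worth doing on the real box before rebooting: make sure exactly one record owns UID 0 (dscl localonly -search /Local/Default/Users UniqueID 0), since a second UID 0 account left behind by a botched attempt is just as much root as the real one.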

Here is the root.plist from the 10.6 machine. Note the AuthenticationAuthority value ;DisabledUser;;ShadowHash;, which marks root as disabled for direct login, and that the Password attribute is only the ******** placeholder; the real hash, if any, lives in the shadow hash store rather than in this plist.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>dsAttrTypeStandard:AppleMetaNodeLocation</key>
    <array>
        <string>/Local/Default</string>
    </array>
    <key>dsAttrTypeStandard:AuthenticationAuthority</key>
    <array>
        <string>;DisabledUser;;ShadowHash;</string>
    </array>
    <key>dsAttrTypeStandard:GeneratedUID</key>
    <array>
        <string>FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000</string>
    </array>
    <key>dsAttrTypeStandard:NFSHomeDirectory</key>
    <array>
        <string>/var/root</string>
    </array>
    <key>dsAttrTypeStandard:Password</key>
    <array>
        <string>********</string>
    </array>
    <key>dsAttrTypeStandard:PrimaryGroupID</key>
    <array>
        <string>0</string>
    </array>
    <key>dsAttrTypeStandard:RealName</key>
    <array>
        <string>System Administrator</string>
    </array>
    <key>dsAttrTypeStandard:RecordName</key>
    <array>
        <string>root</string>
    </array>
    <key>dsAttrTypeStandard:RecordType</key>
    <array>
        <string>dsRecTypeStandard:Users</string>
    </array>
    <key>dsAttrTypeStandard:SMBSID</key>
    <array>
        <string>S-1-5-18</string>
    </array>
    <key>dsAttrTypeStandard:UniqueID</key>
    <array>
        <string>0</string>
    </array>
    <key>dsAttrTypeStandard:UserShell</key>
    <array>
        <string>/bin/sh</string>
    </array>
</dict>
</plist>