Navigating accountsd in OS X

The directory services options in OS X have quietly been going through some slow changes over the past couple of years. Many of the tools we use to manage accounts look similar on the outside but sometimes work a little differently under the hood. Account information is still stored in the /var/db/dslocal/nodes directory. Here, the local directory service pulls files from within directories recursively when accountsd loads. You can still create a second instance of the local directory service by copying the Default directory. For example, here we’ll copy the Default directory node to a directory node called NEW:

sudo cp -prnv /var/db/dslocal/nodes/Default /var/db/dslocal/nodes/NEW

If you run killall against accountsd and then wait (this is slower than a killall of DirectoryService used to be), you’ll see and be able to use this new directory node:

sudo killall accountsd

This is one way to go about forklifting large collections of accounts from one system to another. The dsmemberutil command can still be used to obtain certain information from accounts. For example, you can check group membership by feeding in a uid with the -u option (here using the uid of 509) and a gid with the -g option (here a gid of 10):

dsmemberutil checkmembership -u 509 -g 10

Each account still has a uuid. This can be obtained by passing the id with -u for a user or -g for a group:

dsmemberutil getuuid -u 509

And you can use dsmemberutil to flush the directory services resolver cache, using the flushcache verb:

dsmemberutil flushcache

The files that comprise accounts can also be viewed and changed manually. Here, we’re going to just look at an account called charles:

sudo defaults read /var/db/dslocal/nodes/Default/users/charles.plist

If we used a tool like defaults, PlistBuddy or plutil to manually augment one of these accounts, we’d also need to kill accountsd as we did earlier.
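Because a copied node or a hand-edited plist becomes live once accountsd reloads, it is worth auditing what is actually on disk. The following is an added example, not code from the original post: it walks every node under /var/db/dslocal/nodes, lists each user record, and flags accounts that live outside Default or that carry uid 0 without being root. It assumes each attribute in a record (name, uid, generateduid) is stored as an array of strings; the function names and the sample tree are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

DSLOCAL_NODES = Path("/var/db/dslocal/nodes")  # path from the article


def first(record, key):
    """Each attribute is assumed to be a list of strings; return the first."""
    return (record.get(key) or [None])[0]


def audit_nodes(nodes_dir=DSLOCAL_NODES):
    """Return (rows, findings) for every users/*.plist under each node."""
    rows, findings = [], []
    for path in sorted(Path(nodes_dir).glob("*/users/*.plist")):
        node = path.parent.parent.name
        try:
            record = plistlib.loads(path.read_bytes())  # XML or binary
            if not isinstance(record, dict):
                raise ValueError("top-level object is not a dictionary")
        except (OSError, ValueError, ExpatError) as exc:
            findings.append(f"{node}/{path.name}: unreadable ({exc})")
            continue
        name, uid = first(record, "name"), first(record, "uid")
        rows.append((node, name, uid, first(record, "generateduid")))
        if node != "Default":
            findings.append(f"{node}/{name}: account in non-Default node")
        if uid == "0" and name != "root":
            findings.append(f"{node}/{name}: uid 0 on a non-root account")
    return rows, findings


def demo():
    """Run the audit over a constructed tree: Default plus a copy named NEW."""
    sample = {"Default": [("root", "0"), ("charles", "509")],
              "NEW": [("charles", "509"), ("svc", "0")]}
    with tempfile.TemporaryDirectory() as tmp:
        for node, accounts in sample.items():
            users = Path(tmp) / node / "users"
            users.mkdir(parents=True)
            for name, uid in accounts:
                rec = {"name": [name], "uid": [uid], "gid": ["20"],
                       "generateduid": [f"CONSTRUCTED-{node}-{name}"]}
                (users / f"{name}.plist").write_bytes(plistlib.dumps(rec))
        return audit_nodes(tmp)


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

To audit a real system, call audit_nodes() with no argument as root, since /var/db/dslocal is not readable by ordinary users.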