Could not mount distribution point - move afp to smb

jmercier
Contributor II

hi,

mac os server 10.14.6
Jamf Pro 10.15.1

we had to move all our data from old SAN to new one. This has been done and working.

We updated to mojave our server with the Jamf pro 10.15.1

We wanted to use now SMB be cause of the new APFS machine we are getting with our new DEP process in place.

here what's happening

  • i CAN mount the share manually with SMB credentials
  • i CAN user Jamf Admin and the share CAN be mounted no problem

  • Jamf Remote : error could not mount distribution point

  • Self service : error could not mount distribution point
  • policy with login ; error could not mount distribution point

any help ? i tried many things...

1 ACCEPTED SOLUTION

jmercier
Contributor II

@crbeck

your a damn rock star... thanks... that seems to be working...

ill keep you all posted within 1 hour

View solution in original post

14 REPLIES 14

sdagley
Esteemed Contributor II

@jmercier Any chance you have an ! in the password for your SMB share? An !, and possibly other 'special' characters, is a problem for some parts of Jamf Pro to handle in a DP password.

jmercier
Contributor II

Hi @sdagley not at all simple password

tried an AD account, tried server local account, tried admin local JSS account

crbeck
Contributor

You should have two sets of credentials. One with read/write permissions and one with read only permissions. It seems your read/write account is working fine since Jamf Admin works and you're probably using that to mount it manually.

You have an issue with your read only account since that's what your Macs will use with Self Service and automated or Jamf Remote policies.

So first make sure you have a read only account configured both in SMB and in Jamf and then manually try mounting the SMB share with the read only account.

jmercier
Contributor II

Hi all...

here are more info

my distribution point in JSS is configured with :

server : tried with IP and Name
SMB protocol
share name : CasperShare
Port 139
workgroup : empty

RW and R account, tried the same with AD account, tried server local account, tried admin local JSS account

sdagley
Esteemed Contributor II

@jmercier @crbeck may be on to something. Jamf Admin will be using your Read/Write account credentials, and any policy being run by the Jamf binary will be using your ReadOnly account. Make sure you have verified the credentials for that account.

jmercier
Contributor II

@crbeck

your a damn rock star... thanks... that seems to be working...

ill keep you all posted within 1 hour

sdagley
Esteemed Contributor II

@jmercier I would strongly recommend you consider enabling http/https content delivery for your distribution point if possible. It should be much more performant than an SMB share as there is no need to mount/unmount the file system when doing http/https downloads. You also get the benefit of resumable downloads.

crbeck
Contributor

@jmercier I second @sdagley's previous comment. Setup SMB so you can use it to upload packages and get your updated infrastructure in place, but work on getting HTTPS content delivery setup too. I setup a basic NGINX server on top of samba on a few CentOS Linux boxes, HTTPS downloads on my Macs are far faster and more reliable than SMB.

RobertHammen
Valued Contributor II

Keep in mind that if you plan on using SMB distribution points on macOS Catalina clients, you're going to need to whitelist that server, else DP mounting will fail.

Yet another reason to move to https distribution points (especially if your JSS is Internet-facing... a lot of ISP's and public networks block SMB over the Internet by default. https, not so much ;-)

jmercier
Contributor II

thanks to all... all fixed...

starting next week to setup http DP

ooshnoo
Valued Contributor

@RobertHammen Can you expand on what you meant with regards to whitelisting the server?

ammonsc
Contributor II

@RobertHammen

a lot of ISP's and public networks block SMB over the Internet by default

Because no one should ever open SMB up over the internet!

JeyT
New Contributor III

Was reading about this and in the process of setting up my own on prep Jamf server and have question about the read and read/write accounts for the SMB share. I am assuming these two accounts need to be on my client macs as well? Is this is how they are able to get packages and have them installed. I am a little new to Jamf and just trying to figure out where these accounts need to be and how they rely on each other for permissions to the DP. The documentation said to have the two accounts with the appropriate access to the share and it seems like that's just on the server? Again just trying to understand better.

Thank You

jtaveras
New Contributor III

@RobertHammen what do you mean and can you post some links?
"Keep in mind that if you plan on using SMB distribution points on macOS Catalina clients, you're going to need to whitelist that server, else DP mounting will fail."