Posted on 01-23-2020 05:47 PM
I'm trying to run a Bourne shell script via JAMF Pro policy that:
1. Gathers a bunch of data.
2. Detects the console user.
3. Creates a mount point (e.g. /tmp/foo).
4. Uses mount_smbfs -N to mount a network share with the console user's Kerberos credentials, i.e. without prompting the user for a password.
5. Copies the data (from step 1) to the network share.
6. Unmounts the network share.
The problem is that Step 4 (mounting the network share) fails from within the JAMF Pro policy. Neither su - user, sudo -u user, nor launchctl asuser works: none of these can access the console user's Kerberos credentials (i.e. klist -l reports no Kerberos tickets), and the mount fails.
All of the above works fine if I run the script from the Terminal window. But the Kerberos tickets remain inaccessible, and therefore the mount fails miserably, when invoked either from an ssh session or via a JAMF Pro policy.
Any ideas on how this can be done? Any alternatives?
Background: The script isn't user specific. It can run as root or even the nobody user. The only need for the console user's session is to mount the network share with the user's Kerberos tickets. Our security people said the script must not prompt the user for a password, and must not hardcode credentials in the script, and frowned on passing parameters (whether encrypted or not) from JAMF Pro to endpoint.
Posted on 01-24-2020 01:19 AM
If you're not trying to hide it from the user you could use osascript to tell the system / Finder to mount it on their behalf.
sudo -u $Current_User osascript -e 'mount volume "'$True_Path'"'
This certainly worked for us for AD Home directories.
I imagine there is an unmount option as well, there might even be a no UI option too.
One thing it does do nicely like this is create and cleanup mount points etc... automatically.
Posted on 01-24-2020 01:31 AM
I would be pretty scared if a "nobody" could access my kerberos token. Why do you need this as a policy? When do you want to execute? Shall it be user triggered (Self-Service) or automatic?
Posted on 01-24-2020 06:11 AM
So I hit an issue with kerberos tickets in a shell script a while back... This code can confirm a kerberos ticket:
user_uid=$(id -u "$user_name")
# Changed auth_user to use python to call the klist command, as the shell just wasn't working.
auth_user=$(python - <<EOF
import subprocess
import os
try:
    # klist -s is silent and exits non-zero when the user has no valid ticket
    subprocess.check_call(['launchctl', 'asuser', str($user_uid), 'klist', '-s'])
    print("$user_name@ED.AC.UK ")
except subprocess.CalledProcessError:
    print("False ")
EOF
)