Mount SMB share using AD Computer Credentials (not user) before Login

Not applicable

Hi,

I have a script that mounts an SMB DFS Share and copies some files from the mount to a local directory on the Mac. This script works fine when executed by logged in domain user.

What I'd like to achieve now is to add the script to a policy and execute at startup (before a user is logged in). This now fails because the share is unable to be mounted.

Is it possible to use the AD Computer account to mount the share rather than specifying credentials of a specific domain user? If not, does anyone have any better suggestions for copying files from the network, locally to the mac on an on-going basis. I don't want to use packaged PKGs or DMGs as the users updating the files on the network do not have the necessary skills to create and update packages.

Thanks,
Ryan


eagleone
New Contributor

What type of files are you copying and why?

Trying to see if there is another way to do what you are trying to do.

Not applicable

Hi.

In our Windows estate we use a share of images for our screensaver - this acts as advertising and news and the images are added to the share by our marketing department.

I've already pretty much worked out that I can't reference the SMB share from the macOS High Sierra photo screensaver and can only add a local directory in the screensaver settings plist.

My intention would be to copy the images at startup from the SMB share to a local directory and at login use a script to set the user's screensaver to reference the local screensaver directory. I wanted to copy the images at startup to reduce network load and prevent repeatedly copying the same images as users log on and off the macs in our classrooms throughout the day. At least doing it at startup would only copy the images once a day (or whenever the mac is manually rebooted).

I'd love to find a way of keeping the images on the SMB share and just use these live by the screensaver, but I've given up on this unless someone has a working example?

Thanks.

BOBW
Contributor II

Hi @rypowell88 We are currently doing the same thing, I am running this script from the local machine at login using a launchAgent. We need to pull screensavers from multiple folders, then using the default screensaver path to point to this folder. I find it works great until someone is offsite. I made this three years ago and could possibly do with some tweaking to make sure it doesn't delete the SS if there is no connection to our network.

#!/bin/bash

##created by David Coupe

#### set variables: one share per source folder (the USER:PASS@SERVER/PATH placeholders are kept from the post)
#### and the local folder the screensaver is pointed at
SHARE1="//USER:PASS@SERVER/PATH/"
SHARE2="//USER:PASS@SERVER/PATH/"
SHARE3="//USER:PASS@SERVER/PATH/"
LOCAL="/usr/local/Management/saver"

#### create temp folders and mount each share in its own one
mkdir -p /tmp/saver /tmp/saver2 /tmp/saver3
mount -t smbfs -o nobrowse "$SHARE1" /tmp/saver
mount -t smbfs -o nobrowse "$SHARE2" /tmp/saver2
mount -t smbfs -o nobrowse "$SHARE3" /tmp/saver3

#### only replace the local copy when at least one share actually mounted,
#### so the screensaver keeps its images when the Mac is off the network
if mount | grep -q " on /tmp/saver[23]* "; then
    rm -Rf "$LOCAL"
    mkdir -p "$LOCAL"

    #### copy files to local drive
    cp -R /private/tmp/saver/ "$LOCAL/"
    cp -R /private/tmp/saver2/ "$LOCAL/"
    cp -R /private/tmp/saver3/ "$LOCAL/"
    chmod 777 "$LOCAL"/*
    rm -Rf "$LOCAL/Thumbs.db"
fi

#### unmount shares and delete temp folders
umount -f /tmp/saver /tmp/saver2 /tmp/saver3 2>/dev/null
rm -rf /tmp/saver /tmp/saver2 /tmp/saver3

Swift
New Contributor II

If you really need to do the copy before anyone logs in, you can get the machine username and password like this:

#!/bin/bash

# Get Computer AD trust account - i.e. yourcomputername$
ADTrustAccount="$(dsconfigad 2>/dev/null -show | grep "Computer Account" | sed "s|\([^=]*\)=[ ]*\([^ ]*$\)|\2|")"

if test -n "${ADTrustAccount}"
then
  # Get flat AD domain - i.e. YOURDOMAIN
  ADDomainNameFlat=$(echo "show com.apple.opendirectoryd.ActiveDirectory" | scutil | grep "DomainNameFlat" | cut -d":" -f 2- | sed "s|^[ ]*||;s|[ ]*$||")

  # Get Computer AD trust account password from the System keychain
  ADTrustPassword=$(security find-generic-password -w -s "/Active Directory/${ADDomainNameFlat}" /Library/Keychains/System.keychain)

  # Shown for demonstration only; run from a policy, these lines would write the password into the policy log
  echo "MachineUSER: ${ADTrustAccount}"
  echo "MachinePASS: ${ADTrustPassword}"
fi

Use the results in a mount command in your script.
The share will need to be readable by everyone.

If you are mounting at startup, you may need to wait for the network to come up.
If you get the flat domain name like the script above, you may need to wait for the scutil variables to populate.
After you dismount, you may need to destroy any Kerberos tickets created by the mount (I'm not sure).

joshuasee
Contributor III

Here is my take on how to grab the AD computer account credentials:

#!/bin/bash
# Computer account name from the AD binding, e.g. yourcomputername$
adname=$(dsconfigad -show | sed -n 's/Computer.Account.*.=.//p')
# Its password, stored as a generic-password item for that account in the System keychain
adpass=$(security find-generic-password -a "${adname}" -w /Library/Keychains/System.keychain)

Whether or not they'll actually mount the share you want is another matter.

Also note that curl can pull files off smb shares without needing to mount them:

# Flat domain name of the bound AD node, used as the NTLM domain (DOMAIN\user form)
adpath=$(dscl localhost -list "Active Directory")
# -o writes the download to a local path (-p is curl's proxy-tunnel flag, not an output option)
curl -u "${adpath}\\${adname}:${adpass}" smb://server.example.com/sharename/file -o /path/to/somewhere/file
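Putting the pieces from Swift's and joshuasee's replies together, here is an added example script (my own, not code from either poster or from Jamf) that waits for the directory node at boot, reads the computer account credential without echoing it, and fetches a file with curl over SMB using a config fed on stdin, so the password never sits in `ps` output or in the policy log the way a `//USER:PASS@SERVER` mount argument does. Assumptions: the Mac is bound with Apple's AD plugin, the script runs as root, curl's NTLM handling accepts the `DOMAIN/user` form, and the `--fetch` argument convention is mine. The parsing helpers read their input from stdin so they can be exercised on constructed sample output.

```shell
#!/bin/bash
# Added example (not from the thread): fetch a file over SMB as the AD computer
# account at startup, keeping the password out of argv and out of the policy log.
set -u

# Pull the trust account name out of `dsconfigad -show` text read from stdin.
parse_trust_account() {
  sed -n 's/^Computer Account[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Pull the flat (NetBIOS) domain out of scutil's ActiveDirectory dictionary on stdin.
parse_flat_domain() {
  sed -n 's/^[[:space:]]*DomainNameFlat[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Retry a probe command once a second until it succeeds or $1 seconds elapse.
# Needed at boot, when opendirectoryd and the network are not yet up.
wait_for() {
  local deadline=$1 waited=0
  shift
  until "$@"; do
    [ "$waited" -ge "$deadline" ] && return 1
    sleep 1
    waited=$((waited + 1))
  done
}

# Escape backslash and double quote so a value is safe inside a quoted curl config entry
# (computer account passwords are random and may contain either).
escape_for_curl_config() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Emit the curl config line carrying the credential. Piped to `curl -K -`, the
# password never appears on a command line. Assumed: DOMAIN/user form for NTLM.
build_curl_config() {
  local domain user pass
  domain=$(escape_for_curl_config "$1")
  user=$(escape_for_curl_config "$2")
  pass=$(escape_for_curl_config "$3")
  printf 'user = "%s/%s:%s"\n' "$domain" "$user" "$pass"
}

# Live path (macOS only): fetch one SMB URL to a local path as the computer account.
fetch_smb_file() {
  local url=$1 dest=$2 account domain pass
  # The AD node can lag at boot; wait up to 60 s for the trust account to appear.
  wait_for 60 sh -c 'dsconfigad -show 2>/dev/null | grep -q "Computer Account"' || return 1
  account=$(dsconfigad -show 2>/dev/null | parse_trust_account)
  domain=$(echo "show com.apple.opendirectoryd.ActiveDirectory" | scutil | parse_flat_domain)
  [ -n "$account" ] && [ -n "$domain" ] || return 1
  # The trust account password lives in the System keychain; read it, never echo it.
  pass=$(security find-generic-password -a "$account" -w /Library/Keychains/System.keychain) || return 1
  build_curl_config "$domain" "$account" "$pass" \
    | curl -sS --fail -K - -o "$dest" "$url"
}

# Usage (runs only when invoked this way, so the helpers above stay testable):
#   ./fetch_as_computer.sh --fetch smb://server.example.com/sharename/file /usr/local/Management/saver/file
if [ "${1:-}" = "--fetch" ]; then
  fetch_smb_file "$2" "$3"
fi
```

The share still has to grant the computer account (or Domain Computers) read access, as Swift notes; this only changes how the credential is carried, not who is authorised. If `curl --version` on the target Mac does not list `smb` among its protocols, the same config-on-stdin approach works with `mount_smbfs` replaced by a `smbs://` or HTTPS source, but the SMB URL itself will not.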

Not applicable

Hi everyone.

Thanks for your responses and suggestions. I have some development time today so will do some testing of the various suggestions and see how it goes.

I'll post back later on with results of my testing.

Much appreciated.
Ryan