Mount SMB share with kerberos

BOBW
Contributor II

For some strange reason Kerberos authentication for mounting SMB shares is not working, which I can live with. Although trying to mount an SMB share is really getting to me....

So I have a script which when run through terminal works fine although it does prompt for password:

#!/bin/sh
mount_smbfs -o nobrowse //zfssa0/home_student/$USER /Users/$USER/Desktop/Home

Pretty simple, don't need anything too fancy.
I have tried multiple scripts to get this working, e.g. https://github.com/amsysuk/public_scripts/blob/master/mount_SMBHome/mounthome.sh from @bentoms plus a few others, and nothing seems to work.

Tried creating an Automator app hoping it would prompt for password but can only get it to run "with Administrator privileges".

I can mount the share using config profile but this will mount the root folder which we cannot have, thus the use of the no browse.

If I use my script above and authenticate it places a share on the user's desktop which is perfect.

I'm no scripting wiz but can do bits and pieces.... I know how to copy paste....

Any ideas?


Look
Valued Contributor III

Get the Finder to mount it; no arguments or parameters needed, just the path.
If you're doing it from a bash / sh script it would look something like this; the $True_Path would be something like smb://server.domain.com/sharename

/usr/bin/osascript<<END
tell application "Finder"
mount volume "$True_Path"
end tell
END

BOBW
Contributor II

Thanks @Look but I have tried this too, it will only mount the root share. This has about 100 other shares inside, then a student will need to find their own folder about another 3000 students, so this won't really work. Hence why trying to do the no browse option.

loceee
Contributor

Look
Valued Contributor III

@c0up3 actually you can include a full path just as easily, i.e. smb://server/share/folder/subfolder. I do this already on our system using the user path supplied by AD, which is about 3 folders down into the share.

davidacland
Honored Contributor II

Hi,

We use the osascript method most of the time now. Our SMBHome mount script will mount the value stored in the SMBHome attribute in the user's AD record, but can be easily cut down to mount any path you like: https://github.com/amsysuk/public_scripts/blob/master/mount_SMBHome/mounthome.sh

sean
Valued Contributor

Single Sign On is your friend. If you have SSO configured and OSX is giving a Kerberos TGT then you won't need to type a password. From here you could add this into the automounter. With the use of wildcards and substitution the automounter can do some of the work for you regarding usernames.

auto_master

Alternatively, can your file server share using NFS? This doesn't require a password and instead uses Unix permissions.

BOBW
Contributor II

Is anyone seeing the same issue where if I mount the student share it still mounts the root folder in the sidebar?

@loceee yes it works, but using osascript will mount and prompt for authentication, which is perfect, but will still show the root folder in the sidebar.

@Look yep, I am putting in the full path using .sh and AppleScript, but the shell script does not prompt for auth and the osascript as above shows in sidebar incorrectly.

@davidacland as above.... the script works great and prompts, but again the sidebar issue

@sean as mentioned originally SSO is not working as expected, only when the root folder is mounted will SSO work.

So a few things here
Is there a way to mount the share but remove the share from the sidebar? Probably easier, but is there a way I can also force the setting to show mounted shares on desktop?

Look
Valued Contributor III

The Shared section of the OS X sidebar only shows the server level, that is just the weird way they did it!
You can hide them by unselecting "Connected Servers" in the sidebar preferences.
As far as I can tell the only real good ways to navigate to mounted shares are either through the Desktop or by selecting the option to show the computer itself in the sidebar, this then displays the shares themselves when selected.
There is a boolean value ShowMountedServersOnDesktop in ~/Library/Preferences/com.apple.finder.plist that controls if the mounted shares are visible on the desktop.

BOBW
Contributor II

So, a step further: it looks like Kerberos is working only during initial login...... if a student logs out then 1 hour later logs back in, it creates a second Kerberos ticket, then it breaks.....

So I found that by deleting the login keychain during logout it then works...... simple script to delete keychain during logout, which then re-creates during login.

So this means the original script I had should work.

Yet to completely test, test, test. But initial run through looks promising. Now stuck with our first El Capitan machine and creating new NBI...

I will update when completely tested.
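
An added example, not part of any post in this thread: the original mount script gated on an existing Kerberos ticket, so it fails with a distinct exit code instead of falling back to a password prompt, and rejects usernames that would alter the share path. The function names and the KLIST/MOUNT_SMBFS/SERVER/SHARE override variables are hypothetical; it assumes the Heimdal klist on macOS (where -t tests for a valid TGT) and the -N option of mount_smbfs.

```shell
#!/bin/sh
# Added example: Kerberos-gated version of the thread's mount script.
# Server/share (zfssa0/home_student) and the Desktop/Home mount point come
# from the original post; function names and the override variables below
# are hypothetical, introduced so the logic can be exercised with stubs.
KLIST=${KLIST:-/usr/bin/klist}
MOUNT_SMBFS=${MOUNT_SMBFS:-/sbin/mount_smbfs}
SERVER=${SERVER:-zfssa0}
SHARE=${SHARE:-home_student}

# Accept only plain account names so a crafted value cannot add path
# components (e.g. "../other") to the share URL or the mount point.
valid_user() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds only when the credential cache holds a valid TGT.
# Assumption: Heimdal klist as shipped with macOS, where -t means "test".
has_tgt() {
    "$KLIST" -t >/dev/null 2>&1
}

# Exit codes: 0 mounted, 2 bad username, 3 no Kerberos ticket, 4 mount failed.
mount_home() {
    user=$1
    mnt=${2:-/Users/$user/Desktop/Home}
    valid_user "$user" || return 2
    has_tgt || return 3
    mkdir -p "$mnt" || return 4
    # -N: never prompt for a password, so a missing or unusable ticket
    # fails visibly instead of falling back to interactive authentication.
    "$MOUNT_SMBFS" -N -o nobrowse "//$SERVER/$SHARE/$user" "$mnt" || return 4
}

# Mount for the logged-in user only when invoked as: script.sh mount
if [ "${1:-}" = "mount" ]; then
    mount_home "$USER"
    exit $?
fi
```

Logging exit code 3 separately from 4 at login makes it easy to tell a missing ticket from a server-side mount failure.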