Posted on 04-12-2011 05:05 AM
Hi guys,
So 3 weeks into my new environment & I'm starting to do some prep work for when we get Casper (soon, it looks like).
Previously, I've used OD to map users' drives at login & in general this has worked well.
In this environment, it looks like there are multiple users in the same department with different access. With other departments having access to some of their drives only.
As such, creating OD groups with nested AD groups will probably be problematic.
Also, the win2k8 servers do not seem to be kerberised.
So.... does Casper's MCX have a similar option to mount drives at user login using their credentials?
And... any documentation on enabling SSO on win2k8 servers would be greatly appreciated!
Posted on 04-12-2011 05:45 AM
So I take it these servers are just Workgroup machines, not part of a domain or anything…
J
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 04-12-2011 05:53 AM
They are domain members.
Yet I'm prompted for username & pass when connecting.
My mac is domain member too.
Regards,
Ben.
Posted on 04-12-2011 06:03 AM
Are you connecting with the domain FQDN or just a short name? Depending on how DNS is set up (we're running both Bind and AD…asinine) you may need to fully qualify your AD domain name (e.g. Myserver.domain.local)
j
Posted on 04-12-2011 06:08 AM
Fully qualified.
Regards,
Ben.
Posted on 04-12-2011 06:10 AM
K. By nature of AD, I believe the server should be kerberized and when you log in with an AD account a Kerberos ticket should be generated. Using Ticket Viewer, can you see if one's being made? If not, that would explain why you're prompted for creds.
Thanks
j
Posted on 04-12-2011 06:15 AM
I could be wrong but I don't think Windows domain servers could *not* be kerberized. At least they should be kerberized by default.
Which protocol are you using? AFP or SMB? If AFP then they must have
something like ExtremeZ-IP installed since Windows 2008 doesn't natively
have any AFP or Macintosh services support.
Are the Macs themselves bound to Active Directory? Are your users logging
into their Macs using AD credentials?
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 04-12-2011 06:15 AM
Cheers jared. Thought that too.
Ticket: btoms at PENTLAND.COM
Is there at login & I can regenerate it.
Regards,
Ben.
Posted on 04-12-2011 06:28 AM
We've verified that you can hit the server with a windows box and it behaves as advertised? (no login needed, e.g. Passes creds along)
j
Posted on 04-12-2011 06:29 AM
Time difference between client and DC? That can always cause trouble.
Though you’d probably not be getting as far as you are if the skew was too large – not sure about that, though…
Jon
Posted on 04-12-2011 06:41 AM
If he can log in, skew isn't the problem. If skew's that bad he wouldn't be able to log in.
Ben, something's definitely wonky. I take it klist doesn't show any tickets either…
j
Posted on 04-12-2011 07:03 AM
Reboot & it's working.. weird!
I've been using the mountnetwork.sh from the resource kit & think I've been misinterpreting when it's been asking for a password (i.e. it was asking for it to create launch items etc., not for share credentials)..
I was running it from good ol' TextWrangler too :)
Thanks all.. at least I know it looks good :)
Now to mangle the script to mount drives based on AD group membership..
A big thank you to all
Posted on 04-19-2011 02:57 AM
Ok.. so after much playing about.. it seems DHCP here can be slow to give out IPs.. hence being asked for username/pass at times.. I'll have a chat with the nw lads about that soon.
For now my script looks like the below, & has some 20-odd shares mapping.. not sure if anyone can give me any input into a possibly quicker way (i.e. would case be better than if?).
#!/bin/bash
## Get username of currently logged in user (owner of /dev/console)
loginUsername=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
## Get group memberships of currently logged in user (AD groups are listed as DOMAIN\group)
ADGroups=$(id -Gn "$loginUsername")
###### If user is in myadsecuritygroup, mount drive myshare$
if [[ "$ADGroups" =~ "mydomain\myadsecuritygroup" ]]; then
    /usr/bin/osascript -e 'mount volume ("smb://myserver.fqdn/myshare$")'
fi
Posted on 04-19-2011 05:05 AM
Properly working DHCP?
</snark>
Posted on 04-19-2011 07:00 AM
grep might even be faster, but the real slowdown is more likely in the id command, as it must look up a bunch of group names in AD. It would be best to limit this as much as possible; perhaps you can merge the various mounts into one script? Then you'd only have to use id once. I should also point out that \ has a special meaning to sh, even in double quotes.
Actually, I'm not sure a shell script would be right for this at all, considering the amount of text manipulation needed. I wonder how it would look in Python...
#!/usr/bin/python
import os, stat, subprocess

# AD group -> SMB share to mount for members of that group
groups = {
    'mydomain\\myadsecuritygroup': 'smb://myserver.fqdn/myshare$',
    'mydomain\\myotheradsecuritygroup': 'smb://myserver.fqdn/myothershare$',
}

# uid of the console (logged-in) user, without parsing `ls -l` output
userid = os.stat('/dev/console')[stat.ST_UID]

# one `id <uid>` call lists every group as "gid(name)", AD groups included
adgroups = subprocess.Popen(
    ['/usr/bin/id', str(userid)],
    stdout = subprocess.PIPE,
    universal_newlines = True,
).communicate()[0]

# "(name)" with the parentheses only matches a whole group name, not part of one
for group, share in groups.items():
    if ('(%s)' % group) in adgroups:
        subprocess.check_call(['/usr/bin/osascript', '-e', 'mount volume "%s"' % share])
Be careful not to include any double quotes in the shares. Backslashes could be a problem as well, but they are always a problem.
Does osascript run as the right user for this? Without testing, I'm not sure if this would work the way you'd expect; it may mount it as root in some cases.
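The two scripts above differ in one detail that matters when a share is access-controlled by group: Ben's shell version tests membership with a substring match on the output of `id -Gn`, so a group whose name merely contains the wanted name (say a `-archive` or `2` suffix) would also pass, while the Python version wraps the name in parentheses and so only matches a whole `gid(name)` entry. The script below is an added example, not code from the thread, showing the same mapping done with exact matching in bash, with the substring test kept alongside it to demonstrate the difference. The `id` output, domain, group, server and share names are all constructed and hypothetical; on a real Mac the `id` line would come from `/usr/bin/id "$(/usr/bin/stat -f %u /dev/console)"`. Mounts are only printed unless `DRY_RUN=0`.

```shell
#!/bin/bash
# Added example (not the thread's own script): decide which SMB shares to mount
# from `id` output using exact group-name matching, so that a group such as
# MYDOMAIN\finance-rw-archive can never satisfy a test for MYDOMAIN\finance-rw.
# Every domain, group, server and share name here is hypothetical.

# Constructed sample of what `/usr/bin/id <uid>` prints on a Mac bound to AD.
# On a real client: idout=$(/usr/bin/id "$(/usr/bin/stat -f %u /dev/console)")
SAMPLE_ID_OUTPUT='uid=1234567(btoms) gid=1234567(MYDOMAIN\domain users) groups=1234567(MYDOMAIN\domain users),12(everyone),61(localaccounts),1234568(MYDOMAIN\finance-ro),1234569(MYDOMAIN\finance-rw-archive)'

# group|share table, one mapping per line (single-quoted so \ and $ stay literal)
SHARE_MAP='MYDOMAIN\finance-rw|smb://myserver.fqdn/finance$
MYDOMAIN\finance-ro|smb://myserver.fqdn/finance-ro$
MYDOMAIN\hr|smb://myserver.fqdn/hr$'

# Mount attempts are printed rather than executed unless DRY_RUN=0
: "${DRY_RUN:=1}"

# user_groups ID_OUTPUT: print each group name from the groups= field, one per line
user_groups() {
    printf '%s\n' "${1#*groups=}" | tr ',' '\n' | sed -e 's/^[0-9]*(//' -e 's/)$//'
}

# in_group GROUP ID_OUTPUT: succeed only if GROUP is exactly one of the user's groups
# (-F: literal pattern, so the backslash is not a regex escape; -x: whole line)
in_group() {
    user_groups "$2" | grep -Fxq -- "$1"
}

# in_group_substring GROUP ID_OUTPUT: the thread's `=~`-style test, kept only to
# show why it is unsafe: any group whose name merely contains GROUP also matches
in_group_substring() {
    case "$2" in
        *"$1"*) return 0 ;;
    esac
    return 1
}

# shares_for ID_OUTPUT: print the share URL for every mapped group the user is in
shares_for() {
    printf '%s\n' "$SHARE_MAP" | while IFS='|' read -r group share; do
        [ -n "$group" ] || continue
        if in_group "$group" "$1"; then
            printf '%s\n' "$share"
        fi
    done
}

# mount_share URL: the osascript call from the thread, but the URL is handed to the
# AppleScript as an argument instead of being spliced into its source, so a $ or a
# quote in the share name cannot break or alter the script
mount_share() {
    if [ "$DRY_RUN" = 0 ] && [ -x /usr/bin/osascript ]; then
        /usr/bin/osascript -e 'on run argv' -e 'mount volume (item 1 of argv)' -e 'end run' "$1"
    else
        printf 'would mount %s\n' "$1"
    fi
}

main() {
    idout="$SAMPLE_ID_OUTPUT"   # replace with the real `id` call on a client
    # Without a TGT the SMB mounts fall back to prompting for a password, which is
    # what the thread saw when DHCP was slow; say so rather than surprise the user.
    if command -v klist >/dev/null 2>&1 && ! klist -s 2>/dev/null; then
        echo 'no valid Kerberos ticket: mounts will prompt for credentials' >&2
    fi
    shares_for "$idout" | while IFS= read -r url; do
        mount_share "$url"
    done
}

main
```

With the sample input the user holds `finance-ro` and `finance-rw-archive`, so `shares_for` yields only `finance-ro$`; the substring test would additionally grant `finance$` through the unrelated `-archive` group. One `id` call per login is still the expensive part, as the reply above notes; the table lookup itself is cheap.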
Posted on 04-19-2011 07:04 AM
Thanks.
I was running one id with multiple if statements.
Looks like drives are mapping as the user, as when I've no Kerb ticket I'm prompted for username/pass.
Not really used Python, but it seems like it's the new bash! Better have a gander.
Regards,
Ben.
Posted on 04-19-2011 07:04 AM
You can also look at dseditgroup and dscl to look up nested groups within directory services, i.e. AD groups. I have good luck with these being generally pretty fast. Though nice Python script! However, you forgot to make a Monty Python reference....
Posted on 04-19-2011 07:06 AM
I looked at dscl but for AD it gives the group SIDs & not the names :(
I'll see if dsedit does any different.
Regards,
Ben.
Posted on 04-19-2011 07:12 AM
What is the group name of the AD users in OD? Are there any accounts on these machines locally, or are they all network AD accounts? I don't have AD currently at my job so I don't have a solid way to test this. Perhaps someone with AD can chime in.
Posted on 04-19-2011 11:59 AM
Thanks Douglas.
But I'd rather query which groups the user is part of than check the groups for the user.
The script does seem to be working, so my mac infrastructure without OD has started!
Regards,
Ben.