Mounting Network Shares At login

bentoms
Honored Contributor III

Hi guys,

So 3 weeks into my new environment & I'm starting to do some prep work for when we get Casper (soon, it looks like).

Previously, I've used OD to map users' drives at login & in general this has worked well.

In this environment, it looks like there are multiple users in the same department with different access, with other departments having access to some of their drives only.

As such, creating OD groups with nested AD groups will probably be problematic.

Also, the win2k8 servers do not seem to be kerberised.

So.... does Casper's MCX have a similar option to mount drives at users' login using their credentials?

And... any documentation on enabling SSO on win2k8 servers would be greatly appreciated!

19 replies

jarednichols
Honored Contributor

So I take it these servers are just Workgroup machines, not part of a domain or anything…

J

--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

bentoms
Honored Contributor III

They are domain members.

Yet I'm prompted for username & pass when connecting.

My mac is domain member too.

Regards,

Ben.

jarednichols
Honored Contributor

Are you connecting with the domain FQDN or just a short name? Depending on how DNS is set up (we're running both Bind and AD…asinine) you may need to fully qualify your AD domain name (e.g. Myserver.domain.local)

j

bentoms
Honored Contributor III

Fully qualified.

Regards,

Ben.

jarednichols
Honored Contributor

K. By nature of AD, I believe the server should be kerberized and when you log in with an AD account a Kerberos ticket should be generated. Using Ticket Viewer, can you see if one's being made? If not, that would explain why you're prompted for creds.

Thanks
j

talkingmoose
Honored Contributor II

On 4/12/11 7:05 AM, "Ben Toms" <bentoms at btopenworld.com> wrote:

I could be wrong but I don't think Windows domain servers could *not* be kerberized. At least they should be kerberized by default.

Which protocol are you using? AFP or SMB? If AFP then they must have something like ExtremeZ-IP installed since Windows 2008 doesn't natively have any AFP or Macintosh services support.

Are the Macs themselves bound to Active Directory? Are your users logging into their Macs using AD credentials?

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

bentoms
Honored Contributor III

Cheers jared. Thought that too.

Ticket; btoms at PENTLAND.COM

Is there at login & I can regenerate it.

Regards,

Ben.

jarednichols
Honored Contributor

We've verified that you can hit the server with a Windows box and it behaves as advertised? (no login needed, e.g. passes creds along)

j

jonscott
New Contributor

Time difference between client and DC? That can always cause trouble.
Though you’d probably not be getting as far as you are if the skew was too large – not sure about that, though…

Jon

jarednichols
Honored Contributor

If he can log in, skew isn't the problem. If skew's that bad he wouldn't be able to log in.

Ben, something's definitely wonky. I take it klist doesn't show any tickets either…

j

bentoms
Honored Contributor III

Reboot & it's working.. weird!

I've been using the mountnetwork.sh from the resource kit & think I've been misinterpreting when it's been asking for a password (i.e. it was asking for it to create launch items etc.. not for share credentials)..

I was running from good ol' TextWrangler too :)

Thanks all.. at least I know it looks good :)

Now to mangle the script to mount drives based on AD group membership..

A big thank you to all

bentoms
Honored Contributor III

Ok.. so after much playing about.. it seems DHCP here can be slow to give out IPs.. hence being asked for username/pass at times.. I'll have a chat with the network lads about that soon.

For now my script looks like the below, & has some 20 odd shares mapping.. not sure if anyone can give me any input into a possibly quicker way (i.e. would case be better than if?).

#!/bin/bash
## bash rather than sh: the [[ ... =~ ... ]] test below is a bash feature

## Get username of the currently logged-in (console) user
loginUsername=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

## Get group memberships of the currently logged-in user
ADGroups=$(id -Gn "$loginUsername")

###### If user is in myadsecuritygroup, mount drive myshare$
if [[ "$ADGroups" =~ "mydomainmyadsecuritygroup" ]]; then
    /usr/bin/osascript -e 'mount volume ("smb://myserver.fqdn/myshare$")'
fi

jarednichols
Honored Contributor

Properly working DHCP?

</snark>

Not applicable

grep might even be faster, but the real slowdown is more likely in the id command, as it must look up a bunch of group names in AD. It would be best to limit this as much as possible; perhaps you can merge the various mounts into one script? Then you'd only have to use id once. I should also point out that has a special meaning to sh, even in double quotes.

Actually, I'm not sure a shell script would be right for this at all, considering the amount of text manipulation needed. I wonder how it would look in Python...

#!/usr/bin/python

import os, stat, subprocess

# AD group -> share to mount when the console user is a member of that group
groups = {
    'mydomainmyadsecuritygroup': 'smb://myserver.fqdn/myshare$',
    'mydomainmyotheradsecuritygroup': 'smb://myserver.fqdn/myothershare$',
}

# Owner of /dev/console is the logged-in user; look up its groups with a single id call
userid = os.stat('/dev/console')[stat.ST_UID]
adgroups = subprocess.Popen(
    ['/usr/bin/id', str(userid)], stdout=subprocess.PIPE,
).communicate()[0]

# id prints each group as "gid(name)", so "(name)" matches a whole group name
for group, share in groups.items():
    if ('(%s)' % group) in adgroups:
        subprocess.check_call(['/usr/bin/osascript', '-e', 'mount volume "%s"' % share])

Be careful not to include any double quotes in the shares. Backslashes could be a problem as well, but they are always a problem.

Does osascript run as the right user for this? Without testing, I'm not sure if this would work the way you'd expect; it may mount it as root in some cases.
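An added example that is not code from either post above: it takes the shell script's idea (console user, one id call, group-to-share table) and the Python post's parsing approach, but reads only the groups= field of id's output, matches group names whole, and quotes the share path as an AppleScript string literal so the double quotes and backslashes the reply warns about cannot break out of the mount volume command. Python 3; the group, server and share names are placeholders and the id output is a constructed sample.

```python
#!/usr/bin/env python3
import os
import re
import stat
import subprocess

# Constructed mapping of AD groups to shares (all names are placeholders).
GROUP_SHARES = {
    r"mydomain\myadsecuritygroup": "smb://myserver.fqdn/myshare$",
    r"mydomain\myotheradsecuritygroup": "smb://myserver.fqdn/myothershare$",
}

# Constructed sample of what `id <uid>` prints for an AD user on a bound Mac.
SAMPLE_ID_OUTPUT = (
    "uid=1234567(ben) gid=20(staff) "
    "groups=20(staff),12(everyone),1000(mydomain\\myadsecuritygroup),"
    "1001(mydomain\\domain users)\n"
)
_GROUP_RE = re.compile(r"\d+\(([^)]*)\)")  # "1000(name)" -> "name"

def parse_groups(id_output):
    """Group names from `id` output: only the groups= field is read and each
    name is taken whole, so 'finance' never matches 'finance-ro'."""
    if "groups=" not in id_output:
        return set()
    return set(_GROUP_RE.findall(id_output.split("groups=", 1)[1]))

def shares_for(groups, table=GROUP_SHARES):
    """Shares to mount, in table order, for a set of group names."""
    return [share for group, share in table.items() if group in groups]

def applescript_string(text):
    """AppleScript string literal with backslash and double quote escaped,
    so a share path can never break out of the 'mount volume' argument."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def mount_shares_for_console_user(run=subprocess.check_call):
    """Resolve the console user's groups with /usr/bin/id, mount each share
    mapped to one of them via osascript, and return the shares mounted."""
    uid = os.stat("/dev/console")[stat.ST_UID]
    id_out = subprocess.run(["/usr/bin/id", str(uid)], capture_output=True,
                            text=True, check=True).stdout
    mounted = []
    for share in shares_for(parse_groups(id_out)):
        run(["/usr/bin/osascript", "-e", "mount volume " + applescript_string(share)])
        mounted.append(share)
    return mounted

if __name__ == "__main__":
    print(mount_shares_for_console_user())
```

Run it as the logged-in user (for example from a login hook or LaunchAgent) so osascript mounts the volume in that user's session rather than root's.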

bentoms
Honored Contributor III

Thanks.

I was running one id with multiple if statements.

Looks like drives are mapping as the user as when I've no kerb ticket I'm prompted for username/pass.

Not really used python, but it seems like it's the new bash! Better have a ganders.

Regards,

Ben.

tlarkin
Honored Contributor

You can also look at dseditgroup and dscl to look up nested groups within directory services, i.e. AD groups. I have good luck with these being generally pretty fast. Though nice python script! However, you forgot to make a Monty Python reference....

bentoms
Honored Contributor III

I looked at dscl but for AD it gives the groups' SIDs & not the name :(

I'll see if dsedit does any different.

Regards,

Ben.

tlarkin
Honored Contributor

What is the group name of the AD users in OD? Are there any accounts on these machines locally, or are they all network AD accounts? I don't have AD currently at my job so I don't have a solid way to test this. Perhaps someone with AD can chime in.

bentoms
Honored Contributor III

Thanks Douglas.

But I'd rather query what groups the user is part of than to check the groups for the user.

The script does seem to be working, so my mac infrastructure without OD has started!

Regards,

Ben.