I'm trying to mount some authenticated shares, but am having a helluva time. We have a NAS that we want to mount when the user logs in. These are shared student machines, and we have the mobile home directories set to expire on logout to keep the machines clean. The students store anything they need to save in their network home directory, but we have a few classes that require additional storage, so those classes also mount a NAS.
I've been able to get drives to mount using mount_smbfs, jamf mount, applescript, and configuration profiles, but have so far had limited success mounting them when trying to use kerberos authentication. The following works when specifying a username/password manually:
jamf mount -server $serverAddress -share $shareName -type $shareType -workgroup ADDOMAIN -username $userName -password $userPassword
mount_smbfs 'smb://ADDOMAIN;user:password@server/share' /Volumes/share
osascript -e 'mount volume "smb://server/share"'
Which would be fine for a single user, but this is for hundreds of users. What I would like to achieve is a command where I can specify a server/share, and it will use kerberos/the credentials of the user logging in or the user already logged in to mount the share.
My current solution is a configuration profile, but the users are prompted for their password to the server/share when they first log in (the same password they just entered).
Any help would be much appreciated!
If you are using the commands without the username and password and it is still not working, then Kerberos is not working correctly; I doubt it's the commands that are at fault.
Run klist from terminal on one of the test machines when logged in as a user and make sure you have an entry like.
If this is present then locally Kerberos is probably working, so look at the NAS end and see whether there is something there likely to prevent authentication.
Running klist does give me the entry like you mentioned. If I try to connect to the server from Finder, though, I do still get prompted for a password.
So maybe that's where I should have started...if I log in as one user, create a kerberos identity for another user, and then try to mount that user's network home folder, it mounts no problem and doesn't ask for credentials. When I try to mount the NAS, though, it asks for credentials. The NAS is integrated with AD, so my understanding was that kerberos logins would work with it since students authenticate with their AD credentials. Trying to verify if the NAS supports kerberos or not...
Check to make sure your domain suffix matches one of the service principals in the server's keytab file. For example, if the Mac is mycomputer.subdomain.company.com and the server is server.company.com, the Mac won't use kerberos.
Adding a service principal is different based on the OS. Let me know if you are using Isilon and I'll give you the commands.
So the weirdest thing happened...I didn't know the NAS had a DNS name at first, but found out it did and wanted to make it more user-friendly for the students instead of having to find it by IP. It looks like it now mounts without asking for a password...go figure...gonna have to do some more testing. I'm mounting it with a configuration profile btw.
Thanks for your help!
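An added example, not part of any post in the thread: a pre-flight wrapper around a credential-free `mount_smbfs` call that encodes the two conditions the thread ends up with, namely that the server is addressed by DNS name rather than by IP and that the logged-in user holds a valid ticket (the `klist` check). The function names and the choice of `-N` (never prompt) are assumptions of this example; the suffix comparison is the check suggested in the reply above and is reported only as a note.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print "ip" for an IPv4/IPv6 literal, "name" for a host name, else "invalid".
classify_server() {
    case "$1" in
        "")          echo invalid ;;
        *:*|\[*\])   echo ip ;;       # IPv6 literal
        *[!0-9.]*)   echo name ;;     # has a character other than digit or dot
        *.*.*.*)     echo ip ;;       # digits and dots only: IPv4 literal
        *)           echo invalid ;;
    esac
}

# Print everything after the first label: server.company.com -> company.com
domain_suffix() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# True when client and server share a DNS suffix (the check from the reply).
suffix_matches() {
    [ -n "$(domain_suffix "$1")" ] &&
        [ "$(domain_suffix "$1")" = "$(domain_suffix "$2")" ]
}

# usage: kerberos_mount server share mountpoint   (run as the logged-in user)
kerberos_mount() {
    server=$1; share=$2; mnt=$3
    if [ "$(classify_server "$server")" != name ]; then
        echo "refusing '$server': use the server's DNS name, not an address" >&2
        return 2
    fi
    if ! klist -s 2>/dev/null; then      # -s: silent test for a valid ticket
        echo "no valid Kerberos ticket; the mount would prompt" >&2
        return 3
    fi
    suffix_matches "$(hostname -f 2>/dev/null)" "$server" ||
        echo "note: DNS suffixes differ; check the server's service principals" >&2
    # Assumes $mnt is writable by this user. -N: never prompt for a password.
    mkdir -p "$mnt" && mount_smbfs -N "//$server/$share" "$mnt"
}

if [ "$#" -eq 3 ]; then kerberos_mount "$@"; fi
```

Exit status 2 means the server was given as an address and 3 means there is no usable ticket, so a login script can log which condition failed without prompting the user.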