Network Homes

ianmb
Contributor

I'd like our users to be able to mount the following home directory automatically via SMB after binding to AD:

smb://servername/share/<username>/osx

Their Windows home area is essentially:

smb://servername/share/<username>

Is there a way to do this using dsconfigad (with a view to putting this into a binding script)?

Has anyone done anything similar?


calumhunter
Valued Contributor

I'd say that you would want to do this on login, not after binding to AD.
Binding to AD is a once off thing and it applies to the machine at a system level.

If your users already have the servershare$username set in AD (i.e. Connect H: to servershare), there is an option in Directory Utility, or in dsconfigad if you're scripting, "Use UNC path from Active Directory to derive network home location". If you enable this it should mount the user's network share at login.

Look
Valued Contributor III

You pretty much want to create a LaunchAgent that runs a script that finds and mounts the share for you.

If the Home drive is specified in AD you should be able to get it and convert the slashes to OSX format with:

dscl "/Active Directory/YOURDOMAIN/All Domains" -read /Users/YOURUSER | grep SMBHome: | cut -c 10- | sed 's/\\/\//g'

You will need to create a directory somewhere within the user's profile (to prevent other users from seeing it) and then pass the above variable to the mount command, along the lines of:

mount -t smbfs $THEPATHFROMABOVE /THEFOLDERYOUMADEEARLIER

Make sense?

bentoms
Release Candidate Programs Tester

I have done what @calumhunter JSS pointed out & it's the easiest way.

BUT if there is an issue mounting the folder via that method, it stops login.

Which is why we do similar to what @Look mentions, & I have a write up here if it helps: http://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

michaelhusar
Contributor II

I use the Casper feature "Computer Managements/Directory Bindings" and "User Experience", which manipulates the "Use UNC..." option that @calumhunter pointed out.
You can check the settings with dsconfigad -show:
(...)
Advanced Options - User Experience
  Create mobile account at login = Disabled
  Require confirmation = Disabled
  Force home to startup disk = Disabled
  Mount home as sharepoint = Enabled
  Use Windows UNC path for home = Enabled
  Network protocol to be used = smb
  Default user Shell = /bin/bash
(...)
I also enabled "Mount home as share point" (no GUI for that), therefore I "Run Unix Command":
dsconfigad -sharepoint enable

Look
Valued Contributor III

This is now a little out of date; I have a vastly improved version that deals much better with multiple users on one machine. Let me know if anyone is interested.

Here is something I have been working on... Take what you want if it's useful; it probably contains most of the commands etc. you might need to achieve what you are doing.
It's a work in progress and not quite complete...
Forgive the all manner of probable errors I have made, and there are bound to be implications of doing it this way that I have not thought of, but it does work, well at least in our environment.
It is intended to be run from a LaunchAgent (as it needs to be run as the user logging in) but can be run manually or packaged as an app using something like Platypus. It reads a file with lines of the format:
sharename,AD-Group,sharetype(normally smbfs),path-to-share
For example:
Software,desktop-techs,smbfs,//softwareserver.bobsdomain.bob.com/software
It also directly attempts to mount the home share it gets from AD and then attempts to mount anything it finds in the config file.
It needs the domain information filled in at the top; this often seems to be in capitals.
For example:
BOBSDOMAIN.BOB.COM
BOBSDOMAIN
The mounted shares have to be inside the user's profile to prevent other users seeing them. I have put them in the Library folder to tidy things up, although I am not entirely happy with this as they can be hard to locate when attempting to save to them; I am thinking of creating an easy-to-access link or something, but have not quite decided.
Anyway here it is...

#############################

#!/bin/bash
#Cobbled together from bits of the internet by Sam Look 2014
#Intended to be run from a LaunchAgent
#Reads ShareFile and mounts the shares listed, also attempts to mount AD home drive
#Currently configured for Kerberos enabled environments, you may need to remove the Kerberos (klist) test from the if statement if it does not appear to work

#Global Variables
LongDomain=BOBSDOMAIN.BOB.COM
ShortDomain=BOBSDOMAIN

ShareFile="/Library/Scripts/ShareMounts/ShareList.txt"
#Text file containing one share per line: Share-Name,ADGroup-To-Check,File-Type,Share-Path
#Path can contain %USERNAME%, which will be substituted with the login name

#Functions start

MountShare(){
    #Mounts the requested share if it isn't already mounted, up to Limit attempts. Arguments: Name, Type, Path
    RunCount=0
    Limit=3
    while [[ -z "$(mount | grep "/$1 ")" ]] && [[ $RunCount -lt $Limit ]] ; do
        let RunCount=$RunCount+1
        echo "Attempt $RunCount to mount $1"
        mkdir ~/Library/ShareMounts/"$1" 2> /dev/null
        mount -t "$2" "$3" ~/Library/ShareMounts/"$1"
        if [[ -z "$(mount | grep "/$1 ")" ]] ; then
            sleep 5
        fi
    done
    if [[ -z "$(mount | grep "/$1 ")" ]]; then
        echo "$1 mount FAILURE"
    else
        echo "$1 mount SUCCESS"
    fi
}

#Functions end

#Main start

TheUser=$(id -un)
Ugroup=$(dscacheutil -q user -a name "$TheUser" | grep gid:)
ADgroup=$(dscacheutil -q group -a name "Domain Users" | grep gid:)

#Proceed if there is a network user (primary group is Domain Users) and a valid Kerberos ticket
if [[ "$Ugroup" == "$ADgroup" ]] && [[ "$(klist | grep -c "krbtgt/$LongDomain@$LongDomain")" -gt "0" ]] ; then
    #SMBHome comes back as \\server\share\user; convert the backslashes so mount_smbfs accepts it
    ADHome=$(dscl "/Active Directory/$ShortDomain/All Domains" -read "/Users/$TheUser" | grep SMBHome: | cut -c 10- | sed 's/\\/\//g')
    #Everything between memberOf and the next attribute, i.e. the user's AD group DNs
    ADGroups=$(dscl "/Active Directory/$ShortDomain/All Domains" -read "/Users/$TheUser" | awk '/dsAttrTypeNative:memberOf:/,/dsAttrTypeNative:msExchArchiveDatabaseLink:/ { print }')
    mkdir ~/Library/ShareMounts 2> /dev/null
    echo " "

    #Make shares visible on desktop
    if [[ "$(defaults read com.apple.finder ShowMountedServersOnDesktop)" != "1" ]]; then
        defaults write com.apple.finder ShowMountedServersOnDesktop -bool true
    fi

    #Mount nwhome share
    if [[ $ADHome != "" ]]; then
        echo "Mounting $TheUser home drive"
        MountShare "$TheUser" "smbfs" "$ADHome"
    else
        echo "$TheUser mount NO ATTEMPT"
    fi
    echo " "

    #Mount additional shares listed in ShareFile
    exec 4<"$ShareFile"
    while read -u4 ShareLine ; do
        if [[ "$(echo "$ShareLine" | grep -c '#')" -gt "0" ]]; then
            #Comment line, just echo it
            echo "$ShareLine"
        elif [[ $ADGroups =~ "$(echo "$ShareLine" | cut -f2 -d",")" ]]; then
            ShareLine=$(echo "$ShareLine" | sed "s/%USERNAME%/$TheUser/g")
            echo "$ShareLine"
            MountShare "$(echo "$ShareLine" | cut -f1 -d",")" "$(echo "$ShareLine" | cut -f3 -d",")" "$(echo "$ShareLine" | cut -f4 -d",")"
        else
            echo "$ShareLine"
            echo "$(echo "$ShareLine" | cut -f1 -d",") mount NO ATTEMPT"
        fi
        echo " "
    done
else
    echo "Invalid user or Kerberos"
fi

#Main end

#############################
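The path conversion and share-list handling from Look's two posts above, as an added example that is not code from the thread (the names unc_to_smb, home_mount_url and share_allowed are mine; it assumes dscl returns memberOf values as full DNs). It also builds the <home>/osx URL the original question asks for, and refuses share-list lines whose AD group only matches as a substring.

```shell
#!/bin/sh
# Added example, not code from the thread. POSIX sh so it can be checked
# off a Mac; assumes dscl returns memberOf values as full DNs.

# \\server\share\user (the AD SMBHome value) -> //server/share/user, the
# form mount_smbfs takes. Anything that is not a UNC path is refused.
unc_to_smb() {
    case "$1" in
        \\\\*) printf '%s\n' "$1" | tr '\\' '/' ;;
        *)     return 1 ;;
    esac
}

# Mount URL for the layout in the question: the Windows home plus a fixed
# subfolder (default osx). The user@ prefix only names the account to
# authenticate as; no password goes into the URL.
home_mount_url() {
    user="$1"; sub="${3:-osx}"
    path=$(unc_to_smb "$2") || return 1
    printf '//%s@%s/%s\n' "$user" "${path#//}" "$sub"
}

# Check one ShareList.txt line (Name,ADGroup,Type,Path) for this user.
# Comment, blank and malformed lines are refused, and the group must match
# as a whole DN component ("CN=<group>,"), because a plain substring test
# would let "techs" satisfy "desktop-techs". Prints Name,Type,Path with
# %USERNAME% substituted; returns 1 when no mount should be attempted.
share_allowed() {
    line="$1"; user="$2"; groups="$3"
    case "$line" in ''|\#*) return 1 ;; esac
    IFS=, read -r name group type path <<EOF
$line
EOF
    [ -n "$name" ] && [ -n "$group" ] && [ -n "$type" ] && [ -n "$path" ] || return 1
    case "$path" in *,*) return 1 ;; esac            # extra fields: refuse
    printf '%s\n' "$groups" | grep -qiF -- "CN=$group," || return 1
    printf '%s,%s,%s\n' "$name" "$type" \
        "$(printf '%s\n' "$path" | sed "s/%USERNAME%/$user/g")"
}

# Constructed sample, standing in for the memberOf block dscl would print.
sample_groups='dsAttrTypeNative:memberOf: CN=desktop-techs,OU=Groups,DC=bobsdomain,DC=bob,DC=com
 CN=Domain Users,CN=Users,DC=bobsdomain,DC=bob,DC=com'

home_mount_url bob '\\fs1\homes\bob'          # //bob@fs1/homes/bob/osx
share_allowed 'Software,desktop-techs,smbfs,//softwareserver.bobsdomain.bob.com/software/%USERNAME%' bob "$sample_groups"
```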

ianmb
Contributor

Thanks for the info. How would this work with network homes though?

I've tried a login script or two but the 'Use UNC path...' option seems to trump everything, i.e. smb://server/share/username gets mounted under /home/username on my desktops.

Without that option enabled the user gets dropped into /var/empty and then cannot write anything.