Network Share Mounting on 10.8

franton
Valued Contributor III

Hi all,

Simple issue turned nasty. I'm running JSS 8.71 on 10.8+ clients. The shares I'm working with are just standard Windows server based SMB shares, and AD logons are mandatory. I've checked and we seem to have proper Kerberos tickets generated on the computer. The Apple AD plugin is mounting the user's home drive correctly.

What I want to do is just mount a network share on logon. Here's what I've tried so far:

Config Profiles. These work intermittently. They fail for some of the users on our test machines and work for other users on the same machines. They've been deployed to the two computers I have on my desk and have failed to install on either despite our JSS telling me that they're present.

MCX Settings: Based on MCX settings I've found posted on JAMF Nation elsewhere (the actual link escapes me right now), I can get the shares to mount on login with the current user's AD credentials. Trouble is, this then breaks the automatic home drive mount through the AD plugin.

On to ..

Resource Kit Script: I've been fooling with this ... thing all day. I've finally managed to get it to create the user LaunchAgent correctly as it was applying permissions to the folder and files that OS X refused to like. I've substantially modified the code to fix a whole bunch of things I found that didn't work and now it creates the LaunchAgent correctly.

Sadly that's where it falls over. It does actually mount the drive, but no share icon appears on any user's Desktop! I've a theory that it may be due to whatever user is executing the mount command, but I'll work on that tomorrow.

I did get it to work momentarily without any modifications, but it didn't pass the AD credentials through, so each share immediately asked for a username and password on mount. Not good when I've multiple shares to deal with. (We're struggling to consolidate in the background, but that's not my department so I've no control over that.)

Any suggestions as to what I should try next? Nothing I've tried so far has either been reliable or issue free.


JPDyson
Valued Contributor

Mind posting your code?

frozenarse
Contributor II

Copied from here: https://jamfnation.jamfsoftware.com/discussion.html?id=7605

For our Mtn Lion clients we aren't using Launch agents anymore. Instead we are using Login triggered policies that run a script that uses the command: jamf mount -server SERVERNAME -share SHARENAME -type SMB

Then we have a logoff triggered policy that runs a script that dismounts that share by using the command: diskutil unmount /Volumes/SHARENAME

We are also using a custom config profile to set the finder preference that shows connected servers on the desktop.

franton
Valued Contributor III

JPDyson: Here you go. What I've changed is a kludgy mess; the rest isn't much different from JAMF's original script.

#!/bin/sh
# NAME
#   mountNetworkShare.sh -- Mount a network share.
#
# SYNOPSIS
#   sudo mountNetworkShare.sh
#   sudo mountNetworkShare.sh <mountPoint> <computerName> <loginUsername> <shareUsername>
#                               <authType> <password> <mountType> <share> <server>

# HARDCODED VALUES SET HERE
shareUsername="$3"    #The username of the user to be used to mount the share - leaving this to $3 will mount the share as the currently logged in user
authType="kerberos"   #Valid values are "kerberos" (default) or "password"
password=""           #Note this only needs to be set if authentication type is "password"
mountType="smb"       #The type of file share. Valid types are "afp", "smb", or "dfs".  DFS only supports the "kerberos" authentication method
server=""         #Server name
share=''          #The address of the share you are mounting - if left blank, the script will search for the "SMBHome" attribute in the user record
                        #Example Values:
                                #SMB Share: smb://server.company.com/share
                                #AFP Share: afp://server.company.com/share
                                #DFS Path: \\server.company.com\dfsroot\target

echo "##############################`date`#################################"

# CHECK TO SEE IF A VALUE WAS PASSED IN FOR PARAMETERS $4 THROUGH $9 AND, IF SO, ASSIGN THEM
# (a hardcoded value above always wins; the parameter is only used when the variable is still blank)
echo "`date` CHECK TO SEE IF A VALUE WAS PASSED IN FOR PARAMETERS $4 THROUGH $9 AND, IF SO, ASSIGN THEM"

if [ "$4" != "" ] && [ "$shareUsername" == "" ]; then
    shareUsername=$4
fi

if [ "$5" != "" ] && [ "$authType" == "" ];then
    authType=$5
fi

if [ "$6" != "" ] && [ "$password" == "" ]; then
    password=$6
fi

if [ "$7" != "" ] && [ "$mountType" == "" ]; then
    mountType=$7
fi

if [ "$8" != "" ] && [ "$share" == "" ];then
    share=$8
fi

if [ "$9" != "" ] && [ "$server" == "" ];then
    server=$9
fi

echo "`date` Running script"
####################################################################################################
# 
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
loginUsername="$3"
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

if [ "$loginUsername" == "" ]; then
    echo "Error:  This script must be run at the login trigger.  Please correct the trigger that is being used to run the policy."
    exit 1
fi

if [ "$server" == "" ]; then
    echo "Error:  The parameter 'server' is blank.  Please specify the server address you would like to use."
    exit 1
fi

if [ "$authType" == "" ]; then
    echo "Error:  The parameter 'authType' is blank.  Please specify the auth type you would ike to use.  Valid values are 'password' or 'kerberos'"
    exit 1
fi

if [ "$mountType" == "" ]; then
    echo "Error:  The parameter 'mountType' is blank.  Please specify the mount type you would ike to use.  Valid values are 'afp', 'smb', or 'dfs'"
    exit 1
fi

if [ "$mountType" == "dfs" ] && [ "$authType" == "password" ]; then
    echo "Error:  The DFS mount type only supports kerberos authentication."
    exit 1
fi

if [ "$mountType" == "dfs" ] && [ "$share" != "" ]; then
    #Convert the characters in the share over to the proper format
    share="\\$share"
fi

if [ "$share" == "" ] && [ "$mountType" != "afp" ]; then
    #If the share parameter is blank, try to read the SMBHome attribute (home directory) from the LDAP server
    echo "Attempting to read SMBHome attribute from user record since the 'share' parameter is blank..."
    share=`/usr/bin/dscl /Search read "/Users/$loginUsername" SMBHome | head -1 | awk '{print $2}'`
    #If the share is still blank, report an error.
    if [ "$share" == "" ]; then
        echo "Error:  Could not obtain a share from dscl.  Please specify the path to the share you would like to mount."
        exit 1
    else
        if [ "$mountType" == "dfs" ]; then
            #Convert the characters in the share over to the proper format
            share="\\$share"
        elif [ "$mountType" == "smb" ]; then
            #Convert the characters in the share over to the proper format
            share="\\$share"
            share=`echo "$share" | sed 's:\\:/:g'`   #turn backslashes into forward slashes
            share="smb:$server$share"
        fi
        echo "Share determined to be: $share."
    fi
fi

#Determine a volume name based on the share
volumeName=`echo "$share" | sed 's:\\: :g' | sed 's:/: :g' | awk '{print $NF}'`   #last path component of the share
echo "Volume name will be created as $volumeName..."
if [ -d "/Volumes/$volumeName" ]; then
    result=`ls -A "/Volumes/$volumeName"`
    if [ "$result" == "" ]; then
        echo "Removing Empty Directory: /Volumes/$volumeName..."
        rmdir "/Volumes/$volumeName"
    else
        echo "Error: Directory /Volumes/$volumeName is not empty."
        exit 1
    fi
fi


if [ "$authType" == "kerberos" ]; then
    ##MOUNT A SHARE WITH KERBEROS AUTHENTICATION
    echo "Attempting to mount $mountType $share using $loginUsername's kerberos ticket..."

    #CREATE A LAUNCH AGENT TO MOUNT THE DRIVES
    /usr/bin/su -l "$loginUsername" -c "/usr/bin/defaults write ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName Label -string com.jamfsoftware.mapdrive.$volumeName"
    if [ "$mountType" == "smb" ] || [ "$mountType" == "dfs" ]; then
        if [ "$mountType" == "dfs" ]; then
            #Lookup SMB referral for DFS Share
            #Convert share into format acceptable for smbclient
            share=`echo "$share" | sed 's:\\:/:g'`   #turn backslashes into forward slashes
            #Lookup the DFS SMB referral
            echo " Looking up SMB referral for DFS Share: $share..."
            share=`/usr/bin/smbclient $share -k -c showconnect | tail -1`
            echo " Share name referral found to be: $share."
            #Convert referral over to format acceptable for SMB mounting
            share="smb:$share"
        fi
        if [[ "$OS" < "10.6" ]]; then
            #Convert share over to proper format
            share=`echo $share | sed 's#smb://##g'`
            #Write out a launch agent
            /usr/bin/su -l "$loginUsername" -c "/usr/bin/defaults write ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName ProgramArguments -array /bin/sh -c \"/bin/mkdir /Volumes/$volumeName; /sbin/mount_smbfs //$loginUsername@$share /Volumes/$volumeName\""
        else
            #Apple bug in 10.6 prevents us from using mount_smbfs... if that bug gets fixed, we will revert to it
            #Reverted

            #Write out a launch agent
            echo "Writing out launch agent to /Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
            /usr/bin/su -l "$loginUsername" -c "/usr/bin/defaults write ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName ProgramArguments -array /bin/sh -c replaceMe"

            #Convert share over to proper format
            share=`echo $share | sed 's#smb://##g'`

            #Modify plist permissions so we can do things with the contents
            /usr/sbin/chown "$loginUsername":staff "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
            /bin/chmod 644 "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"

            #Make mount folder or the command will fail
            /usr/bin/su -l "$loginUsername" -c "/bin/mkdir -p /Volumes/$share"

            #Write in the proper mount command to the plist.  Using sed because defaults write doesn't like quotes or double quotes.
            /usr/bin/su -l "$loginUsername" -c "/usr/bin/plutil -convert xml1 ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
#           /usr/bin/sed "s:replaceMe:/usr/bin/osascript -e 'mount volume ("smb://$share")':g" "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist" > "/private/tmp/com.jamfsoftware.mapdrive.$volumeName.plist.tmp"
            /usr/bin/sed "s:replaceMe:/sbin/mount -t smbfs //$server/$share /Volumes/$share:g" "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist" > "/private/tmp/com.jamfsoftware.mapdrive.$volumeName.plist.tmp"
            /bin/mv "/private/tmp/com.jamfsoftware.mapdrive.$volumeName.plist.tmp" "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"

            #Set the ownership and permissions launchd expects: root-owned, readable by the user, not group/world writable
            /usr/sbin/chown root:wheel "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
            /bin/chmod 644 "/Users/$loginUsername/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
        fi
    else
        #Mount Over AFP Using Kerberos

        #Convert share over to proper format
        share=`echo $share | sed 's#afp://##g'`

        #WRITE OUT LAUNCH AGENT TO MOUNT THE DRIVES
        /usr/bin/su -l "$loginUsername" -c "/usr/bin/defaults write ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName ProgramArguments -array /bin/sh -c \"/bin/mkdir /Volumes/$volumeName ; /sbin/mount_afp -N 'afp://;AUTH=Client%20Krb%20v2@$share' /Volumes/$volumeName\""
    fi
    /usr/bin/su -l "$loginUsername" -c "/usr/bin/defaults write ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName RunAtLoad -bool true"

    #LOAD THE LAUNCH AGENT
    if /usr/bin/su -l "$loginUsername" -c "/bin/launchctl list | grep com.jamfsoftware.mapdrive.$volumeName"
    then
        echo "Unloading com.jamfsoftware.mapdrive.$volumeName..."
        /usr/bin/su -l "$loginUsername" -c "/bin/launchctl unload ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
    fi
    echo "Loading com.jamfsoftware.mapdrive.$volumeName..."
    /usr/bin/su -l "$loginUsername" -c "/bin/launchctl load ~/Library/LaunchAgents/com.jamfsoftware.mapdrive.$volumeName.plist"
else
    ##MOUNT A SHARE WITH PASSWORD AUTHENTICATION
    if [ "$password" == "" ]; then
        echo "It appears that you are attempting to mount a sharepoint using password authentication, but the password parameter is blank.  Please enter a password for the 'password' parameter of this script."
        exit 1
    fi
    #Split "server/share" into its two parts before reporting and mounting
    serverAddress=`echo "$share" | sed 's:/: :g' | awk '{print $2}'`
    share=`echo "$share" | sed 's:/: :g' | awk '{print $3}'`
    echo "Attempting to mount $mountType://$serverAddress/$share using a password..."
    /usr/bin/su "$loginUsername" -c "/usr/sbin/jamf mount -server '$serverAddress' -share '$share' -type '$mountType' -username '$shareUsername' -password '$password'"
fi

exit 0

It's the Kerberos section I've been working on. I'll worry about our forthcoming DFS shares when we have them.

franton
Valued Contributor III

frozenarse: Sadly I can't make that pass existing Kerberos details through. It'll ask the users to authenticate; avoiding this is the goal of the exercise.

frozenarse
Contributor II

I wonder if that is due to the script running as root....

Here is a portion of the script that is triggered at logon.

The policy passes along the $4 value.

So $3 ends up being the user logging on with their domain credentials and $4 is the share name that is hanging off of the DFS root.

#!/bin/bash

echo "$3 attempting to mount $4"

# Mount Deptshares: $3 is the logging-in user (supplied by the login trigger),
# $4 is the share name passed in as a policy parameter
if [ "$4" == "deptshares" ]; then
    echo "Mounting Deptshares..."
    # Run as the user so the mount uses their Kerberos ticket; the trailing $ is part of the share name
    sudo -u "$3" /usr/sbin/jamf mount -server ourdfsroot.domain.edu -share 'deptshares$' -type smb
fi

franton
Valued Contributor III

We're currently using the smb and kerberos options, not dfs ...

frozenarse
Contributor II

Just to be clear, the script I posted above isn't part of the resource kit. If I remember correctly that thing makes use of LaunchAgents.

Can you mount the share by using the finder "Connect to server" and typing in "smb://FQDNServer/Share"?

franton
Valued Contributor III

Yes ... not sure where you're going with this ...

The shares work, as they are present on the Windows computers. Mounting them with the logged-in user's AD credentials is the tricky bit.

calum_carey
Contributor

Can't you just have the user mount the share when they want, by using the Connect to Server box? You could add favourites in there by modifying the com.apple.sidebarlists plist.

Or what about putting the shares in the user's login items? I'd rather Finder take care of mounting and unmounting shares and passing the auth credentials.

frozenarse
Contributor II

Sorry. Since I only initially posted a few lines of the script I thought someone might have thought that it was something I added to the resource kit script.

It sounds like you are trying to accomplish the same thing I have working in my environment. Windows servers hosting shares. Users logging into macs with their domain credentials. Those windows shares getting mounted automatically and showing up on their desktops.

What happens if you take the code below (adding in your specific info...) create a script and then set it to be triggered at login?

#!/bin/bash

echo "$3 attempting to mount a share"

# Mount share as the logging-in user ($3 from the login trigger) so their Kerberos ticket is used
sudo -u "$3" /usr/sbin/jamf mount -server FQDNofyourSERVER -share SHARENAME -type smb

donmontalvo
Esteemed Contributor III

We just point users to Apple's KB:

http://support.apple.com/kb/HT4011

Mounting shares on Mac is not like mapping drives on PC. Finder has to work to keep the shares mounted.

Why not give the users Dock icons instead, so the shares are only connected when the user invokes?

--
https://donmontalvo.com

franton
Valued Contributor III

frozenarse: That's brilliant. That worked from my command-line testing. Now I'll be able to ditch this LaunchAgent stuff for something a little more practical.

donmontalvo: I keep saying that exact point till I'm blue in the face. Sadly it's become policy here that we don't customise Dock icons. I may suggest otherwise when we've got our DFS shares in place.

bentoms
Release Candidate Programs Tester

This is what we do.

VCCPHelpdesk
New Contributor

This problem would have been so much easier if Casper Admin wasn't such a douche... I want my system to be as simple as possible, which means fewer potential problems.

I created a script in the AppleScript Editor where I used following code:

tell application "Finder"
    try
        mount volume "smb://server/folder"
    end try
end tell

then exported it as an application (.app). The app runs fine locally and mounts the drive with no problem.

So my idea was to push this application through the JSS to departments with relevant network drives, to run on every login.

But Casper Admin won't have it; when I try to add the application it says "Casper Admin does not support .app files, unless they are for OS X".

Can someone please tell me how that makes any sense at all? The .app is MADE in OS X and is ONLY for OS X, yet this message appears. That is just ridiculous and a huge flaw in my book, and I guess the workaround would be to push out the application through ARD first and then push a script that runs this application through a JSS policy, but that kind of defeats the purpose of having an all-singing, all-dancing JSS system.

Also, I tried the script from the resource kit but it doesn't work: it loads the script once on the machine but says the network drive is not available; the next time you try to run the script (through a login policy) nothing happens at all.

donmontalvo
Esteemed Contributor III

Composer.

--
https://donmontalvo.com

frozenarse
Contributor II

In my opinion running a script in a login policy is cleaner (probably due to all the Casper Admin douching...) than using applescript to create an App that gets deployed to clients and triggered with a policy at that point. One main advantage is that any future changes in your script would need to be re-packaged and re-deployed to your clients vs just changing the script on the distribution point.

But if that is how you want to do it, here is how I (and I'm assuming Don) would proceed:
1. Take your app and place it in the directory you want it to reside. Let's just say /Applications.
2. Fire up Casper Composer and drag your app onto the left pane of composer.
3. Make sure your permissions are the way you want them
4. Click the Create DMG button in composer.
5. Upload that DMG to Casper Admin so you can deploy it to your clients.

donmontalvo
Esteemed Contributor III

@frozenarse I agree, using the jamf command via login policy would be the smartest way to manage this.

Example of a problem with deploying an AppleScript...requires getting the item injected in to each users' Login Items list (something we try never to do). And now you're having to manage an *.app instead of a policy. Just seems sloppy and difficult to manage.

--
https://donmontalvo.com

bentoms
Release Candidate Programs Tester

Hi all,

I've been deploying an app for this for a few years now to great effect.

http://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

After creating the app bundle, we edit the Info.plist file with the version number.

That way when it's updated we create a smart group to install the newer copy.

It's launched at login via a LaunchAgent, which means it's able to use the logging-in user's Kerberos credentials.

We also add it to the dock, so when connecting via VPN it can be double clicked. The user then enters their credentials & then the drives map.

Works really well for us. :)

Maybe the link will help @VCCPHelpdesk get this working for them too.

cstout
Contributor III

@bentoms: I'm very interested in using your script but I'm unsure why when I paste it into AppleScript Editor the entire script shows as purple text. When I attempt to save it it tells me there's a syntax error.

I haven't begun customizing it to my environment and I'm curious what the problem might be. Any ideas? This will be the first AppleScript application used in my environment. Everything else is configuration profiles and bash scripts.

msnowdon
Contributor

@frozenarse

I have been using the script you mentioned to mount network shares through a policy in the JSS:

#!/bin/bash

echo "$3 attempting to mount a share"

# Mount share as the logging-in user ($3 from the login trigger)
sudo -u "$3" /usr/sbin/jamf mount -server FQDNofyourSERVER -share SHARENAME -type smb

Now that I have upgraded to 9.7 it states completed in the policy logs and shows up in the /volumes folder but no longer mounts to the desktop or shows up in the Finder's sidebar.

Any ideas?

Thanks

Mark

chriscollins
Valued Contributor

@msnowdon you need to add the -visible flag to the command.
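An added example (not code from this thread or from Jamf) that combines frozenarse's login-policy approach with the -visible flag above, plus the checks a sysadmin would want before handing the mount to the user: a plausible username only, a live Kerberos ticket, and no stale directory under /Volumes. It assumes the standard Jamf login-trigger parameters ($3 is the username), that sudo and klist exist on the client, and uses placeholder server and share names.

```shell
#!/bin/bash
# Added example (not the thread's own script): a Jamf login-triggered policy
# script that mounts an SMB share as the logging-in user with their existing
# Kerberos ticket. Jamf passes mount point, computer name and username as
# $1 $2 $3. SERVER and SHARE are placeholders; set them for your environment.
SERVER="fileserver.example.com"   # placeholder FQDN of the file server
SHARE="deptshares"                # placeholder share name
JAMF="/usr/sbin/jamf"

# Accept only a plausible account name, so a malformed policy parameter
# reaches sudo as nothing but a single, harmless argument.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|-*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# True when the user holds a valid, unexpired TGT (klist -s prints nothing
# and exits 0). If klist is missing (non-macOS box), treat that as no ticket.
has_kerberos_ticket() {
  command -v klist >/dev/null 2>&1 || return 1
  sudo -u "$1" klist -s 2>/dev/null
}

# /Volumes/<name> must not already exist as a non-empty directory, or the OS
# mounts the share under a different name (share-1) and the Desktop icon
# users expect never appears. Returns 0 if the path is clear, 1 if busy.
mount_point_clear() {
  local dir="$1"
  [ -e "$dir" ] || return 0
  if [ -d "$dir" ] && [ -z "$(ls -A "$dir")" ]; then
    rmdir "$dir"   # leftover empty directory from an earlier unmount
    return 0
  fi
  return 1
}

# Run the checks, then mount as the user. Distinct return codes make the
# policy log say why a mount was skipped.
mount_share() {
  local user="$1"
  valid_username "$user"      || { echo "refusing to mount: bad username '$user'"; return 2; }
  has_kerberos_ticket "$user" || { echo "no Kerberos ticket for $user; skipping mount"; return 3; }
  mount_point_clear "/Volumes/$SHARE" || { echo "/Volumes/$SHARE is not empty; skipping mount"; return 4; }
  # -visible shows the volume on the Desktop and in the Finder sidebar.
  sudo -u "$user" "$JAMF" mount -server "$SERVER" -share "$SHARE" -type smb -visible
}

# Only run when invoked by the policy (Jamf supplies at least three arguments).
if [ "$#" -ge 3 ]; then
  mount_share "$3"
fi
```

Pair it with a logoff-triggered policy that runs diskutil unmount /Volumes/SHARENAME, as frozenarse describes, so the empty-directory check above stays clean between logins.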

ryanvega
New Contributor

Sorry to drag up an old topic, but we have this script working in our environment running El Capitan; however, it won't work on wireless connections. I even put a delay in the script to allow time for the wireless to connect. If I hardwire the system to the network it works every time. Over Wi-Fi it does not work; even if I put the script as a Self Service item it still won't work on wireless. Ideas?

ryanvega
New Contributor

I have a feeling it's because of a mobile account that it's using when logging into the Mac... just throwing it out there as I just thought about it.

bentoms
Release Candidate Programs Tester

@ryanvega FWIW, this is still working for me.

Can you share your method?

Do the drives map manually when on wireless?

Sachin_Parmar
Contributor

Depends on how deep the folder and the AD permissions on the SMB share are. We used to use the following; modify it, make the script run-only and put it in the user's login items:

-- AppleScript: save as a run-only application from AppleScript Editor and add it to the user's login items
try
    -- create the mount point first; ignore the error if it already exists
    do shell script "mkdir /Volumes/DRIVELETTER"
end try

try
    -- the user's password is embedded in the mount URL, so this must be updated whenever it changes
    do shell script "mount -t smbfs //firstname.lastname:*userspassword*@serveraddress/folder$ /Volumes/DRIVELETTER"
end try

This will need amending every time a user's password changes, but I find that it works quite well.

ryanvega
New Contributor

@bentoms we took the script, put in our FQDN of the server and put it in a policy that runs at login and is set as ongoing. We also have a delay in the script of 60 seconds to allow wireless to connect on the laptop.

As a test we also have it in Self Service, but running that on a laptop on wireless does not work either. As soon as I plug the laptop into a wired connection it'll work no problem.

Yes, on the laptop over wireless I can go to Connect to Server and manually map the drive.

ryanvega
New Contributor

I'll start my own thread guys. :)