Question

OT: Problem with network volumes on the Dock and storing passwords

Forum|Forum|13 years ago
October 9, 2012
5 replies
27 views

+24

jarednichols
Valued Contributor

I haven't had much luck googling and with other resources so I figured I'd throw this here as there's a lot of smart dudes (and dudettes) here.

I've got a script that runs as part of a "User Configuration" policy that a tech runs to finish deployment of a Mac to an end-user. One of the scripts uses the issued Kerberos ticket from AD to mount 2 volumes. Here's the script:

#!/bin/sh

# Filename: mountShares.sh
# Purpose: Mount file shares automatically with Kerberos ticket
# Author: Jared F. Nichols

#Find the logged in user
user=`ls -la /dev/console | cut -d " " -f 4`

#Find their P drive server
server=`dscl . -read /Users/$user | grep SMBHome: | cut -d '' -f 3`

#Set this temp string because 'defaults' is literal and won't resolve variables
tmpStr='<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Volumes/'$user'</string><key>_CFURLStringType</key><integer>0</integer></dict><key>showas</key><integer>2</integer></dict><key>tile-type</key><string>directory-tile</string></dict>'

#Mount the user's P drive
sudo -u $user jamf mount -server $server -share $user -type smb

#Write the P drive to the dock
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.dock persistent-others -array-add $tmpStr

#P drive dispensed with, let's do the U drive.

id=`id $user`

echo $id

case $id in
*EQPOD_LOGIN*)
    sudo -u $user jamf mount -server cifsbos01 -share eqshared -type smb
    sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.dock persistent-others -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Volumes/eqshared</string><key>_CFURLStringType</key><integer>0</integer></dict><key>showas</key><integer>2</integer></dict><key>tile-type</key><string>directory-tile</string></dict>'
    ;;
*PGRShared*)
    sudo -u $user jamf mount -server cifsbos03 -share pgrshared -type smb
    sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.dock persistent-others -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Volumes/pgrshared</string><key>_CFURLStringType</key><integer>0</integer></dict><key>showas</key><integer>2</integer></dict><key>tile-type</key><string>directory-tile</string></dict>'
    ;;
*730Hishared*)
    sudo -u $user jamf mount -server cifsbos02 -share hishared -type smb
    sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.dock persistent-others -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Volumes/hishared</string><key>_CFURLStringType</key><integer>0</integer></dict><key>showas</key><integer>2</integer></dict><key>tile-type</key><string>directory-tile</string></dict>'
    ;;
*NLD_TsoLogon*)
    sudo -u $user jamf mount -server cifsbos03 -share tsoshared -type smb
    sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.dock persistent-others -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Volumes/tsoshared</string><key>_CFURLStringType</key><integer>0</integer></dict><key>showas</key><integer>2</integer></dict><key>tile-type</key><string>directory-tile</string></dict>'
    ;;
*FIUsers*)
    sudo -u $user jamf mount -server fiprdfileinv -share shared -type smb
    sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.dock persistent-others -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Volumes/shared</string><key>_CFURLStringType</key><integer>0</integer></dict><key>showas</key><integer>2</integer></dict><key>tile-type</key><string>directory-tile</string></dict>'
    ;;
esac


#Kick the Dock in the ass. Nothing else to see here, folks.
killall Dock

Basically, the "P drive" (yes, I know I've used Windows-parlayance here) is the user's personal network drive and the "U drive" is their workgroup's drive.

The script itself works great. It mounts the drives and adds them to the Dock. The issue comes when you login offline and don't get a Kerberos ticket. If you do this, you're prompted (as expected) for username and password. The issue is that no matter what you do, you can't get the OS to use stored credentials on the Keychain for this. You can select the "remember this" box, see the item added to the Keychain, but it's never used subsequently.

My first thought was that perhaps it's because I'm using the 'jamf' binary to do my mounting, so I'm going to try using mount instead, but then I've got to create mount points that stick around (I believe) and don't know how this will play if you have an existing mount point (e.g. I make /Volumes/a292330 manually) and then mount a volume when I've got a Kerberos ticket used.

Any ideas smart people?

EDIT: I should also add that if you manually mount the given volumes (Cmd-K) and store the password in the keychain and drag those to the Dock, it works as expected and uses the stored credentials. It's something to do with how I'm doing it, I think.

T

+21

tkimpton
Honored Contributor
Forum|Forum|13 years ago
October 9, 2012

Hi Jared

I went through this dilema many moons ago. I resorted to an applescripted application. I know .... Noooooooooo!

https://jamfnation.jamfsoftware.com/discussion.html?id=1849

I then added some network alias in /Application/Utilities/Network Drives/ packged them up and then used docutil to add them to the dock.

Like

J

+24

jarednichols
Author
Valued Contributor
Forum|Forum|13 years ago
October 10, 2012

I think I've got it sorted, but I ran into another issue. I ended up switching to mount_smbfs instead of the jamf binary. This allowed the proper storage of the password in the keychain and its use later.

However, I can't run this with a JAMF policy because the JAMF admin user is running the script and when I'm not using the jamf binary, the script does not have access to the Kerberos ticket of the user. It hangs at wanting a password. So, unless there's some other option, I'm just going to lay it down as a launchagent, fire it off, and then remove it so it runs as the user.

Like

S

+8

Snickasaurus
Contributor
Forum|Forum|13 years ago
October 11, 2012

Hope this doesn't sound silly because I've been up so late tonight reading but...
Would starting your script with something like

ping -c 2 some.internal.server.address

With some fancy 'if'ing thrown in to make it loop the ping command every few mins until it has a valid address then drop the script.
Or perhaps point it at a specific connection device like en0 or en1. Just throwing thoughts out there.
Perhaps not the 'if' command.
Sometimes I hop on my dirtbike with the top half of a chicken suit, adult diaper and eyepatch then ride around my neighborhood staring at people REAL hard.