Script to auto-mount Network Share using Kerberos Authentication on login - macOS 10.13.5

LukeMason
New Contributor III

Hey Guys, I'm trying to silently mount a network share on login without the user having to authenticate. Our computers are bound to AD and use mobile accounts (with all syncing disabled). I'm using a LaunchAgent which runs a script.

Here's what's happening:

Everything works reasonably well on the first login. It creates the account and when I reach the desktop I get a pop-up that says "you are attempting to connect to the server "server.name.com", and I click the blue "connect" button and the share mounts. Sweet! Here's a screenshot of this:


However, every login afterwards prompts for a password... Here's another screenshot:


So, I don't know why it's authenticating the first time and then not authenticating for all subsequent logins. Here is the script that I'm using:

#!/bin/bash

# this script was written to determine the currently logged in user and then determine
# the path to their network home folder
# it will then mount the home folder

## Get Current User
currentUser=$(stat -f %Su /dev/console)

## Determine path to network share: dscl prints "SMBHome: \\server\share\user",
## so drop the 9-character "SMBHome: " label and turn the UNC backslashes into slashes
homeLoc=$( dscl . -read "/Users/$currentUser" SMBHome | cut -c 10- | sed 's/\\/\//g' )

## mount the share (the quotes inside the AppleScript string must be escaped)
/usr/bin/osascript -e "mount volume \"smb:$homeLoc\""

exit 0

I tried using mount -t smbfs as well, but it just silently fails to mount the share. When I run it in terminal (as the user) it prompts for a password...

I've also noticed that it prompts for a password when I try to connect via Finder (using the "connect to server" dialogue).

I tried using the "mountNetworkShare" script from the "resource kit" and does the same as when I use mount -t smbfs (it just silently fails).

I used the ticket viewer app to verify that the user has a kerberos ticket.

I'm wondering if this might be a 10.13 issue?

Any help or suggestions would be appreciated. I don't know what I'm doing wrong.

1 ACCEPTED SOLUTION

Look
Valued Contributor III

I am mounting using this (as part of a much longer script you're welcome to see if you need).

sudo -u $Current_User osascript -e 'mount volume "'$True_Path'"'

$True_Path is in the form smb://user@server/share

It certainly seems to work pretty seamlessly, although on 10.13 or later you also have to enable allow connections to unknown servers.

defaults write /Library/Preferences/com.apple.NetworkAuthorization AllowUnknownServers -bool YES

Otherwise new users will be prompted to approve any new servers.

12 REPLIES

Just_Jack
Contributor

You might not want to go this route.
Have you looked into NoMAD?
If you have the Macs bound to AD the NoMAD menu would have a Network Home share.

LukeMason
New Contributor III

@JSilin - Thanks for responding.

We have done some research into NoMAD and we're strongly considering making the move. However, things here tend to move at the "speed of government", so it's hard to get the sign-off we need from the people who have the authority.

With the new school year just around the bend we're likely not going to make any major configuration changes until things settle down again (so a couple of months at least).

nstrauss
Contributor II

+1 to NoMAD - https://nomad.menu. Let NoMAD help you move away from AD/mobile accounts, mount your shares, run scripts, provide quick links to Self Service and your help desk, etc. Technically it's doing something similar to what you're already working towards.

Just_Jack
Contributor

Are you binding to AD in Jamf?
Settings > Computer Management > Directory Bindings
Under User Experience, put a check by "Use UNC path from Active Directory to derive network home location".
When the user logs in, a Globe icon will be on the Dock that points to their network drive.

LukeMason
New Contributor III

@JSilin - We were using the "Use UNC path from Active Directory to derive network home location" option initially, but noticed that it blocks the user from logging in if there's anything wrong with the network file server. We had a few users who couldn't login because of minor permission issues, which was what prompted us to disable that option and see if we could use a script instead.

@Look - I didn't know about the allow unknown servers key, so I'll give that a try.

Thank you both for replying. I really appreciate the feedback.

LukeMason
New Contributor III

So, still no love.

Setting the AllowUnknownServers key stopped the first pop-up (with the blue "connect" button) from appearing, and the share just mounted silently (which is awesome), but it still prompts me for a password on every login afterwards...

LukeMason
New Contributor III

So, it turns out that part of the problem was the test user that I was using.

I decided to try some testing with a production user, and things work much better now. I think this issue is solved.

Thanks everyone for the help.

Aguiness
New Contributor III

Something I have noticed: some schools use the switches to push DHCP, and depending on the make, model etc. they are unable to push out the search domain. This is crucial to the Mac finding the home folder at login, and any shares too.
You can push this out in a script. This is something to look out for, as it is overlooked in the Windows world.

supson
New Contributor III

@Look , do you have the entire script you use? We have the Directory Binding set correctly, but the Globe and mounted SMBHome do not always mount, would love to see your entire script?

Look
Valued Contributor III

@supson sure.
This is intended to be run as a login or Self Service policy from JAMF for AD-bound machines. Control over shares is intended to be done using the scoping in JAMF, so it clearly doesn't do much when JAMF isn't available.
Accepts shares in the form smb://server/share as a JAMF script parameter.
Defaults to SMBHome if no share is specified.
User readiness is determined by waiting for "CoreServicesUIAgent". This has changed occasionally over the years as Apple changes things, so if the script starts failing, either add a hard delay or change the process it is waiting for.

#!/bin/bash
#2018 Version Samuel Look
#All care no responsibility
#Mounts the requested share if it isn't already mounted; if left blank it will attempt to mount the AD SMBHome
#Accepts shares in the form smb://server/share
#Intended to be run as a Login policy from Casper on AD bound machines only and has only been tested in this context.

##### Start separate process #####
(

##### SUBROUTINES #####

Share_Path_Valid() {
    if [[ -z "$Share_Path" ]]; then
        sleep 10
        # No share given: read the user's SMBHome attribute from AD and turn the
        # UNC path (\\server\share) into smb://server/share
        Machine_Domain=$(dscl "/Active Directory/" -read . SubNodes | awk '{print $2}')
        Share_Path="$(dscl "/Active Directory/$Machine_Domain/All Domains" -read "/Users/$Current_User" SMBHome | awk '/SMBHome:/ && !/No such key:/' | sed -e 's/SMBHome: /smb:/g' -e 's/\\/\//g')"
        # Share_Name was derived from the (empty) parameter, so re-derive it here
        Share_Name="$(echo "$Share_Path" | awk -F"/" '{print $NF}')"
    fi
    if [[ "$Share_Path" ]]; then
        logger "Sharemount:$Share_Name Path check PASS $Share_Path"
        return 0
    else
        logger "Sharemount:$Share_Name Path check FAIL"
        return 1
    fi
}

#####

User_Ready() {
    # Wait up to 60s for the session to finish loading (CoreServicesUIAgent),
    # then confirm the Finder is running before attempting a mount
    Loop_End=$((SECONDS + 60))
    while [[ -z "$(ps -c -u "$Current_User" | awk '/CoreServicesUIAgent/')" ]] && [[ $SECONDS -lt $Loop_End ]]; do
        sleep 3
    done
    if [[ "$(ps -c -u "$Current_User" | awk '/Finder/')" ]]; then
        logger "Sharemount:$Share_Name User check PASS"
        return 0
    else
        logger "Sharemount:$Share_Name User check WAIT"
        sleep 60
        if [[ "$(ps -c -u "$Current_User" | awk '/Finder/')" ]]; then
            return 0
        else
            logger "Sharemount:$Share_Name User check FAIL"
            return 1
        fi
    fi
}

#####

Not_Mounted() {
    # Returns 0 only when no mount for this user and share already exists
    if [[ -z "$(mount | awk '/'"$Current_User"'/ && /\/'"$Share_Name"' /')" ]]; then
        logger "Sharemount:$Share_Name Mount check PASS $Share_Name"
        return 0
    else
        logger "Sharemount:$Share_Name Mount check FAIL already mounted"
        return 1
    fi
}

#####

Mount_Drive() {
    # Insert the user name after the scheme: smb://server/share -> smb://user@server/share
    True_Path=$(echo "$Share_Path" | sed 's|//|//'"$Current_User"'@|')
    logger "Sharemount:$Share_Name Attempting to mount $True_Path"
    sudo -u "$Current_User" osascript -e 'mount volume "'"$True_Path"'"'
}

##### START #####

Current_User=$3    # Jamf passes the logged-in user as parameter 3
Share_Path=$4      # optional smb://server/share as parameter 4
Share_Name="$(echo "$Share_Path" | awk -F"/" '{print $NF}')"

if [[ "$Current_User" ]] && User_Ready && Share_Path_Valid && Not_Mounted; then
    Mount_Drive
else
    logger "Sharemount:$Share_Name Conditions not met to attempt drive mounting $Share_Path"
fi

##### End separate process #####
) &

##### FIN #####

EHoug
New Contributor II

I find that this works fine for me

# Read the AD SMBHome attribute ("SMBHome: \\server\share\user"), keep the value and convert backslashes to slashes
SMBHome="$(dscl "/Active Directory/UNN/All Domains/" -read "/Users/$USER" SMBHome | awk '{ print $2 }' | sed -e 's/\\/\//g')"
osascript <<EOF
tell application "Finder" to open location "cifs:" & "$SMBHome"
EOF

I would imagine you would need to change the awk and sed section to suit your environment. I have this as part of a login script that is called by a LaunchAgent for all users. I prefix with "cifs:" as this suits my environment but this could just as easily be set as "smb:"

You will get a progress window when this task is performed but again this suits our environment
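The scripts in this thread all do the same SMBHome-to-URL conversion with cut, sed or awk. The example below is added here and is not code from any of the posters: it does that conversion as a function that fails cleanly on an empty attribute, and checks the server against an expected domain, which matters once AllowUnknownServers removes the approval dialog the user would otherwise see. It assumes the AD DNS suffix is name.com and that klist -s exits 0 when a valid Kerberos ticket exists (macOS Heimdal and MIT both accept -s); both are assumptions.

```shell
#!/bin/sh
# Added example: SMBHome (UNC) -> smb:// URL, with a host check and a
# ticket check, for a silent Kerberos mount-at-login script.

ALLOWED_DOMAIN="name.com"   # assumption: the AD forest's DNS suffix

# "SMBHome: \\server\share\user" (dscl output) or the bare UNC value
# -> smb://server/share/user.  Fails if the attribute is empty.
unc_to_smb() {
    raw="${1#SMBHome: }"                        # drop the dscl label, if present
    raw=$(printf '%s' "$raw" | tr '\\' '/')     # backslashes -> slashes
    raw="${raw#//}"                             # drop the leading //
    [ -n "$raw" ] || return 1
    printf 'smb://%s\n' "$raw"
}

# Host part of an smb:// URL, with any user@ prefix removed
smb_host() {
    h="${1#smb://}"
    h="${h%%/*}"
    h="${h##*@}"
    printf '%s\n' "$h"
}

# 0 only when the host is a subdomain of ALLOWED_DOMAIN
host_allowed() {
    case "$(smb_host "$1")" in
        *."$ALLOWED_DOMAIN") return 0 ;;
        *) return 1 ;;
    esac
}

# Assumption: klist -s exits 0 when the user holds a valid Kerberos ticket.
# Skipped (treated as OK) where klist is not installed.
have_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found, skipping ticket check" >&2; return 0; }
    klist -s
}

# Prints the URL to mount, or refuses with a message on stderr
resolve_home() {
    url="$(unc_to_smb "$1")" || { echo "no SMBHome value" >&2; return 1; }
    host_allowed "$url" || { echo "refused, host not in $ALLOWED_DOMAIN: $url" >&2; return 1; }
    printf '%s\n' "$url"
}

# Typical use in the login script (macOS only, so not executed here):
#   have_ticket || exit 1
#   url=$(resolve_home "$(dscl . -read "/Users/$user" SMBHome)") || exit 1
#   osascript -e "mount volume \"$url\""
```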