Self Service: Error: Could not mount a distribution point. Only from Mobile/Standard accounts.

tuinte
Contributor III

Hello all:

When running a policy via Self Service, many users are getting the error: Could not mount a distribution point.

If I try from the local admin account, it works fine. But logging back into the standard mobile user, the error is back. Rebooting gives the same result.

Any ideas?

Michael

9 REPLIES

tuinte
Contributor III

I suppose I could give more info. <_<

JSS version is 8.7. Distribution Points are all 10.6 servers. If a user is unable to mount one as a Distribution Point, it is unable to mount any. All servers mount fine manually.

tuinte
Contributor III

OK, so after some thought, I'm assuming when Self Service makes an attempt to mount the distribution point, OS X is applying the local credentials, which, for the network account, authenticate fine for the server, just not for CasperShare, so it doesn't mount the share point and I get my error. The local admin account doesn't authenticate to the server so the JSS gets its time to shine and uses the accounts as specified in the JSS for the server, which does work.

Does this sound like it might be what's happening? If so, any way around this? The server is also our main file server, so network accounts need to access it. I could give Read permissions to everyone for CasperShare, but then it's a firesale for all our packages. I could move the DP to another box, I guess, but then I'd need a box, etc.

Any help is appreciated.

mscottblake
Valued Contributor

My first thought is that maybe the application has been open for a while and is no longer storing the credentials?

If you've restarted and then relaunched the application by hand, the only other thing I can think of is that maybe there is another policy running in the background that has the share mounted.

hkim
Contributor II

I also recently ran into this issue, Casper Suite 8.63.

We also use LDAP for Self Service logins so we can show certain things to certain groups. I wanted to tighten security so someone couldn't just browse the Distribution Point by manually mounting it and getting access to software they shouldn't have, so I set chmod 750 to the folder, and ACLs for my read only, read/write accounts that I stated in JSS under Distribution Points and populated those permissions recursively.

I wonder what actually is happening when Self Service mounts the Distribution Point. In theory it's supposed to use the settings you set up in JSS for the read-only account, which it seems to, but somehow the LDAP credentials of the logged-in user are coming into play. Maybe a bug? If Distribution Point is kerberized with the login user, it's not using the read only JSS login to do the work it seems.

nkalister
Valued Contributor

Whenever servers and clients are kerberized, the Kerberos ticket will be used to mount the Casper distribution point before any of the accounts set up in the JSS.

jarednichols
Honored Contributor

Why not just http/s distribution points?

hkim
Contributor II

Except you can get around the kerberized credentials by dictating on mount which credentials to use, à la:

sudo mount -t afp afp://user:pass@name.of.server/distributionpoint /Volumes/distributionpoint

I would have assumed that it just uses the JSS read only credentials provided and passed that info along when you are about to run a Self Service item. But you know what they say about assumptions.

Why not use http distribution points? Because they haven't been set up yet =)

hkim
Contributor II

After further testing this is what I've come up with so far.

If you type in at the Go - Connect to Server prompt afp://user:pass@name.of.server/distributionpoint it respects those credentials and mounts with those credentials even if you are kerberized. If you try to do this while you are kerberized from the command line, it ignores it. The GUI must be doing some Kerberos ticket management / able to ignore the Kerberos ticket behind the scenes so that it respects the explicit credentials. If we could only figure out how and replicate it on the command line level.

tuinte
Contributor III

Thanks Han, a lot of great info here, and I saw the Feature Request you put in. Have an upvote. Hopefully we'll see something from JAMF in an update.