SMB Network Shares and AD Home Directories

shalford
New Contributor

We are new to JSS and were using Profile Manager to manage our Macs before making the switch. In our old Profile Manager setup we had the Finder ‘Connected Servers’ setting to show on the users' desktop. We are currently pushing out an Art Share to one of our Mac labs and mounting it on the workstation desktop using the Finder ‘Connected Servers’ setting I mentioned above. We are then hiding the user's home drive mount on the desktop, but displaying their Documents folder in the Dock.

I don’t see an option to hide the user's home directory in JSS. The issue is that the workstation is mounting the root of the share and not their home folder directly. Although the user does not have access to any folder but their own within the root, we would rather they not see the other folders in this share. Is there a solution where I can hide the home directory mount from the desktop, or possibly not show connected servers on the desktop and create an alias on the desktop or Dock?


davidacland
Honored Contributor II

Hi, that's the default behavior of the AD plugin unfortunately. Here's our SMBHome mounting script that can mount the subdirectory.

https://github.com/amsysuk/public_scripts/blob/master/mount_SMBHome/mounthome.sh

shalford
New Contributor

Thanks for the response! Is there any way that I can hide the root share of the user's AD home folder? The script works great, but if I disable the setting to not show connected servers on the desktop, our users' network share as well as the scripted My Documents folder disappear.

davidacland
Honored Contributor II

You can do sub-directory mounting so you can mount smb://server.com/sharedfolder/userhome, instead of just smb://server.com/sharedfolder, but no matter which way you do it a share point has to be mounted to give the user access.

It would be possible to mount something like smb://server.com/sharedfolder/userhome/Documents directly but that would get very complicated, very quickly.

I'm not sure what you mean about the other bit, but showing network drives on the desktop is a finder preference so you can set that to either show or hide connected network drives depending on your needs.

My Documents is a default Windows folder, not sure how that relates to the drive mounting stuff but if you can give a bit more detail I might be able to help further.

shalford
New Contributor

The mount AD home directory script works great when I run it on the machine while the AD user is logged in. I think that JSS runs scripts as the root user, so I need to change the $USER variable to $3? I have copied the modified script and created a policy with it in JSS. I configured the policy to run when the user logs into the computer. It seems that once I push out the policy the AD plugin on my test machine breaks?!? I've had to redeploy an image to my test machine due to not being able to log in or rebind the computer to AD. Any help with this would be great.

#!/bin/bash

# Created by Amsys
#
# Use at your own risk. Amsys will accept
# no responsibility for loss or damage
# caused by this script.

##### ADVANCED MODIFICATION ONLY BELOW THIS LINE #####

# Create a log writing function
writelog()
{
    echo "${1}"
}

writelog "STARTING: User drive mount"

# Already mounted check
# The following checks confirm whether the user's personal network drive is already mounted,
# (exiting if it is). If it is not already mounted, it checks if there is a mount point
# already in /Volumes. If there is, it is deleted.

# $3 is the username Casper/JSS passes to a login-triggered policy script
isMounted=$(mount | grep -c "/Volumes/$3")

if [ "$isMounted" -ne 0 ] ; then
    writelog "Network share already mounted for $3"
    exit 0
fi

# Mount network home
writelog "Retrieving SMBHome attribute for $3"

# Get Domain from full structure, cut the name and remove space.
ShortDomainName=$(dscl "/Active Directory/" -read . | grep SubNodes | sed 's|SubNodes: ||g')

# Find the user's SMBHome attribute, strip the leading \\ and swap the remaining \ in the path to /
# The result is to turn SMBHome: \\server.domain.com\path\to\home into server.domain.com/path/to/home
adHome=$(dscl "/Active Directory/$ShortDomainName/All Domains" -read "/Users/$3" SMBHome | sed 's|SMBHome:||g' | sed 's/^[\\]*//' | sed 's:\\:/:g' | sed 's/ \/\///g' | tr -d '\n' | sed 's/ /%20/g')

# Next we perform a quick check to make sure that the SMBHome attribute is populated
case "$adHome" in
    "" )
        writelog "ERROR: ${3}'s SMBHome attribute does not have a value set. Exiting script."
        exit 1 ;;
    * )
        writelog "Active Directory user's SMBHome attribute identified as $adHome"
        ;;
esac

# Mount the network home
mount_script=`/usr/bin/osascript > /dev/null << EOT
tell application "Finder"
activate
mount volume "smb://${adHome}"
end tell
EOT`

writelog "Script completed"

# Script End
exit 0

davidacland
Honored Contributor II

Correct, $3 if it's running as a Casper policy.

Not sure if the policy is doing anything else but there isn't anything in the script that could do this. The steps it performs are:

  • Check if /Volumes/$3 is already mounted and exit if it is
  • Read the SMBHome attribute using dscl and exit if it isn't populated
  • Mount the volume

shalford
New Contributor

Thank you all for the help! Replacing $USER with $3 in the script provided above worked great!

Kushnirskiy
New Contributor

Good day. I am trying to run this script and am getting an error. Any help in getting this to work would be greatly appreciated. FYI: I am trying to automate network home folder mapping with an Active Directory bind.

rlopez01-mac:~ rlopez$ #!/bin/bash
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # Created by Amsys
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ #
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # Use at your own risk. Amsys will accept
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # no responsibility for loss or damage
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # caused by this script.
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ ##### ADVANCED MODIFICATION ONY BELOW THIS LINE #####
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # Create a log writing function
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ writelog()
> > {
> > echo "${1}"
> > }
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ writelog "STARTING: User drive mount"
STARTING: User drive mount
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # Already mounted check
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # The following checks confirm whether the user's personal network drive is already mounted,
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # (exiting if it is). If it is not already mounted, it checks if there is a mount point
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ # already in /Volumes. If there is, it is deleted.
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ isMounted=mount | grep -c "/Volumes/$3"
rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ rlopez01-mac:~ rlopez$ if [ $isMounted -ne 0 ] ; then
> > writelog "Network share already mounted for $3"
> > exit 0
> > fi
Network share already mounted for logout

[Process completed]

davidacland
Honored Contributor II

Hi @Kushnirskiy the code is a bit hard to read without the formatting. What bit are you stuck on?

calumhunter
Contributor III

@Kushnirskiy It looks like you just copied and pasted the script into a terminal window?

wsauce
New Contributor

Hi @davidacland ,

I'm wondering if you can point out where I'm going wrong with this. I'm trying to run your full script as a LoginHook but receive the error "There was a problem connecting to server "name"." when logging in.

I'm fairly new to all this so I may have done something completely wrong; any advice would be greatly appreciated.

Thanks

Edit: it's probably worth pointing out I'm not using JSS at all

davidacland
Honored Contributor II

Hi @wsauce

I'd recommend running the script manually while logged in as an AD user to see if it mounts the drive ok. If it doesn't, it should give you some decent feedback to explain why.

wsauce
New Contributor

Thanks for that @davidacland. It works fine manually which I'm guessing points toward the LoginHook being the cause.

I have the script directly on Macintosh HD and have simply used this.

sudo defaults write com.apple.loginwindow LoginHook /mounthome.sh

Any issues with this I should be aware of?

calumhunter
Contributor III

@wsauce

LoginHooks are run as root. You need to tell the script that $USER is the currently logged-in user.

Try adding the following above the writelog function:

USER=`stat -f%Su /dev/console`

davidacland
Honored Contributor II

@wsauce you could also switch to a LaunchAgent instead which will still let you use $USER.

apizz
Valued Contributor

@davidacland, question for you. This script is great, but I am running into a minor hiccup. Because of issues with Cryptolocker and network homes, we have a few users that don't have a network home specified in AD.

So when the command below is run (took out the seds for the example):

dscl . -read /Users/$USER SMBHome

it produces an error:

No such key: SMBHome

Trying to add an additional case or some check that accounts for this scenario and writes an error in the log file, but haven't been successful as of yet. Do you or anyone else have any ideas of how I might accomplish this?

davidacland
Honored Contributor II

Hi @aporlebeke

We use this code to capture that issue:

case "$adHome" in
    "" )
        echo "ERROR: ${USER}'s SMBHome attribute does not have a value set.  Exiting script."
        exit 1  ;;
    * )
        echo "Active Directory user's SMBHome attribute identified as $adHome"
        ;;
esac

You can just redirect the echo with >> to whatever log file you want to use 🙂

apizz
Valued Contributor

Thanks @davidacland. I actually did something a little different which I got to work. Kept the case statement the same, but edited the dscl command to not specify the SMBHome key and then grep -e "SMBHome:". That way dscl does not produce the No such key: SMBHome error and the case statement properly displays an error when no text is produced. See my change below:

ADHome=$(dscl . -read /Users/$USER \
                | grep -e "SMBHome:" \
                | sed 's|SMBHome:||g' \
                | sed 's/^[\\]*//' \
                | sed 's:\\:/:g' \
                | sed 's/ \/\///g' \
                | tr -d '\n' \
                | sed 's/ /%20/g')

Thanks so much for all your work on the script! A LOT better than what our users do now where a parent directory is mounted and they have to navigate through various directories to find their network home folder.
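As an added example (not the amsys script and not any poster's code), the SMBHome-to-URL conversion from davidacland's sed pipeline and apizz's grep-based handling of a missing attribute, wrapped in a function that reads a `dscl . -read /Users/<name>` record from stdin. The two records and the server name are constructed so it runs offline; a missing attribute comes back as an exit status rather than a "No such key: SMBHome" error from dscl.

```shell
#!/bin/bash
# Added example: convert the SMBHome attribute in a dscl record into an
# smb:// URL (constructed input, not output from a real directory).

# Constructed dscl output for a user whose SMBHome is a UNC path with a space.
SAMPLE_WITH_HOME='AppleMetaNodeLocation: /Active Directory/EXAMPLE/All Domains
RecordName: jdoe
SMBHome: \\fileserver.example.com\staff homes\jdoe
UniqueID: 1234567'

# Constructed dscl output for a user with no SMBHome attribute at all.
SAMPLE_NO_HOME='AppleMetaNodeLocation: /Active Directory/EXAMPLE/All Domains
RecordName: nohome
UniqueID: 1234568'

# smbhome_to_url: stdin = dscl record, stdout = smb://server/path/to/home.
# Returns 1 and prints nothing when the record has no SMBHome line.
smbhome_to_url() {
    local unc
    # Select the attribute with grep (as apizz's variant does) instead of
    # asking dscl for the key, then drop the "SMBHome:" label and its spaces.
    unc=$(grep '^SMBHome:' | head -n 1 | sed 's/^SMBHome:[ ]*//')
    [ -n "$unc" ] || return 1
    # \\server\path\to\home -> server/path/to/home, then percent-encode
    # spaces so the result is usable with "mount volume".
    printf '%s\n' "$unc" \
        | sed 's/^[\\]*//' \
        | sed 's:\\:/:g' \
        | sed 's/ /%20/g' \
        | sed 's|^|smb://|'
}

# url_for_record: convenience wrapper taking the record text as an argument.
url_for_record() {
    printf '%s\n' "$1" | smbhome_to_url
}

# report_home: the thread's case statement, driven by exit status instead of
# by testing for an empty string.
report_home() {
    local url
    if url=$(url_for_record "$1"); then
        echo "Active Directory user's SMBHome identified as $url"
    else
        echo "ERROR: SMBHome attribute does not have a value set."
        return 1
    fi
}

report_home "$SAMPLE_WITH_HOME"
report_home "$SAMPLE_NO_HOME" || true
```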

mrtaylor
New Contributor

Thanks @davidacland This is a great script. I'm trying to add another bit of functionality to create a desktop alias to the network share. Here's my script:

# Mount the network home
mount_script=`/usr/bin/osascript > /dev/null << EOT
tell application "Finder"
activate
mount volume "smb://${adHome}"
end tell

tell application "Finder"
make new alias to "smb://${adHome}" at desktop
end tell
EOT`

I'm getting an error:
243:324: execution error: Finder got an error: Can’t make class alias. (-2710)

Can anyone see where I'm going wrong?

Cheers,
Matt

davidacland
Honored Contributor II

I think the alias would be for /Volumes/${USER} so tell application "Finder" make new alias to "/Volumes/${USER}" at desktop end tell

I would normally change the finder preferences with a config profile to show network drives on the desktop which might make it a bit simpler.

Chuey
Contributor III

@davidacland Does your login script work with macOS Sierra?

We are using the Active Directory service under Directory Utility and enabling the "Use UNC Path from AD...with SMB".

When a general user logs in, the globe on their Dock is their network home directory, but when clicked the user is prompted for a password. How could I bypass the user having to enter their password?

Thanks for any info

apizz
Valued Contributor

@Chuey Part of the reason for this home directory mounting script in the first place is because of issues with the "Use UNC path from AD with SMB" setting. We ran into problems when we first started with the JSS where the first time an AD user would login to a machine they would be informed that they couldn't be logged in at this time, but as soon as the computer was restarted they would be able to login.

As is documented in a number of different threads, it's recommended you disable the Use UNC path setting.

I've only done very minor testing with macOS Sierra, but IIRC this mounting script does still work.

davidacland
Honored Contributor II

Hi @Chuey

As @aporlebeke said, if you use the script, you don't need to enable the "Use UNC path..." checkbox.

The script will use the standard macOS authentication system so if the user has a Kerberos ticket, it will use that instead of asking them for a username and password.

Chuey
Contributor III

@davidacland Thank you. I just tested your script by executing it via the command line and it still prompts me for the password. In a perfect world I'd just like to enable "Use UNC path..." and when the user clicks the "Globe" on their Dock that points to their SMB home it will just open and not prompt for a password. Any insight on how I can accomplish that automation?

Thank you very much for any help

davidacland
Honored Contributor II

If you're getting asked for a password, either using the script or the "use UNC path" option, it will be a problem with the kerberos authentication rather than the drive mounting method.

Both ways of mapping the drive use Kerberos if available and fall back to username/password prompts if Kerberos isn't available.

Chuey
Contributor III

@davidacland I know this was stale for some time but I have not had much time to tinker with MacOS 10.12.X.

It appears that Apple no longer allows mounting in /Volumes unless you are root. This is a problem in our environment where users are not admins. Do you have a workaround for this? We rely heavily on automated mount points when users log in, and this is our biggest hiccup with Sierra.

Thanks

davidacland
Honored Contributor II

Hi,

If you are using mount volume "smb://${adHome}" the OS should do the mounting for you. You don't need to specify where it gets mounted.

Is the drive not mounting with that method?

Chuey
Contributor III

@davidacland It is but then prompts the user for a username / password.

calumhunter
Contributor III

Use python and the NetFS API

https://gist.github.com/hunty1/94284f2535a964a2ed8f2297974e98ca

Run it like this, providing two arguments: the server address and the share name.
./mount_share.py <your.file.server.com/homes/student> <student>

davidacland
Honored Contributor II

@Chuey It still sounds kerberos related to me. If you log in and try to mount the drive using Go > Connect to server... does that also ask for a username & password?

@calumhunter I hadn't tried mounting a drive with Python before. Thanks for sharing 🙂

bentoms
Honored Contributor III

Sounds like this is a new macOS feature, & Apple have a KB here on how to make a change to use Kerberos & not prompt.

The AppleScript mount volume uses NetFS & some other logic @hunty. My AppleScript methods piqued the curiosity of @frogor & @kcrawshaw, so they reverse engineered it to time the NetFS API.

I was looking to do a Swift NetFS app next year, but it seems that the AppleScript additions still win in some cases.

Chuey
Contributor III

@davidacland My admin account will never ask for the password. Only standard accounts are getting asked to input their password. . .

EDIT If the standard user has never logged into the computer it will allow me to navigate to their network home directory without a password. If I log out and log back in on the same computer it will prompt me for the password. Sorry wanted to clarify that Kerberos is working properly.

apizz
Valued Contributor

@Chuey I was looking at your 11/20 post, and we have a portion of our Dock setup script (which utilizes dockutil) that adds an additional link (the globe you refer to) to connect to the user's network folder.

Our Dock setup script incorporates the same code as the SMB/AD home script to get the full network folder path and then uses this to add the connection to the "Connect to Server" server favorites list, as well as an icon to connect to it in the Dock. We prefer to have multiple places for our users to be able to access their network folder.

I've copied and pasted the applicable portions of that script into a new script below.

#!/bin/bash

USER=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
LOG="/path/to/logfile.log"
DOCKUTIL="/path/to/dockutil"
SFLTOOL="/usr/bin/sfltool"
PLIST="com.apple.LSSharedFileList.FavoriteServers"
ADHOME=$(/usr/bin/dscl . -read /Users/$USER 
        | grep -e "SERVERNAME" | head -n 1 
        | sed 's|SMBHome:||g' 
        | sed 's|dsAttrTypeNative:original_smb_home:||g' 
        | sed 's/^[\]*//' 
        | sed 's:\:/:g' 
        | sed 's/ ////g' 
        | tr -d '
' 
        | sed 's/ /%20/g')

# For writing info to log file
writelog () {
    /bin/echo "${1}"
    /bin/echo $(date) "${1}" >> $LOG
}

# Add user's AD home folder to Dock for easier access
if [ "${ADHOME}" == "" ]; then
    writelog "ADHOME Shortcut: User ${USER} does not have an SMBHome attribute. Skipping network folder Dock shortcut creation ..."
else
    writelog "FOUND: SMBHome identified for ${USER}."
    writelog "Creating network folder Dock shortcut for ${USER}."
    $DOCKUTIL --add "smb://${ADHOME}" --label "My Network Folder" --before Applications --no-restart 
    writelog "CREATED: Network folder Dock shortcut for ${USER}."
fi

# Add user's AD home folder to Favorite Server list w/ name "My Network Folder"
$SFLTOOL add-item -n "My Network Folder" $PLIST "smb://${ADHOME}"

if [ $? = 0 ]; then
    writelog "Successfully added ${USER}'s network folder to Favorite Servers."
else
    writelog "Failed to add ${USER}'s network folder to Favorite Servers."
fi

exit

Chuey
Contributor III

@aporlebeke Thanks for that.

I'm still confused as to why when I log in to a machine with a user who has never logged in before, the globe automatically appears and is mapped to their network home folder using SMB, and when clicked it opens the share.

BUT if you log out and back in on the same machine with that user and click the globe it prompts for the password again.

Anyone have an idea as to why this happens?

bentoms
Honored Contributor III

@Chuey As posted in another thread, I think you might need this