Jamf Nation Community

@bentoms Thanks for your reply.

Are you saying casperadmin/casperinstall need access to the share as well? They have the correct folder permissions and the share (of the folder) only has 'Everyone' as full control, with no other users to the share.

I probably should add that the share is a hidden share (CasperDP$)

@daniel.parkin, I've just re-read your original post.

Can you mount the Share via your Mac? (Forget Casper Admin for now).

@bentoms,

I've gone home for the day, but from memory i couldn't map the master DP. I could map the other DP's. Ill look into it tomorrow and get back to you.

Using Windows 2K SP2 and SMB.
Casper 9.32.
See how we have our setup below. The only missing field from the screen shots is "Special permissions" and those are unchecked for both Casperinstall and Casperadmin accounts.

external image link

external image link

I don't think I've ever tried setting it up as a folder inside a share, although not being able to mount it at all from the Mac would certainly need to be resolved to have any chance.

Assuming the NTFS (file & folder) permissions are correct, could the SMB sharing permissions be stopping you connecting?

@boettchs Cheers mate - that's exactly how it is on our 2012 R2

@davidacland Thanks for the response. I think you may have misunderstood - we have the actual permission restrictions on the folder itself, and on the share permissions is the 'Everyone' - Full Control. Firstly, this is how our orgnaisation does all of its sharing - because the security permissions on the folder actually gate the folder, and secondly this is best practice for SMB shares, as far as i've been taught. The effect of this is is that shares can be viewed by anyone, but not access, unless it is hidden (which most of ours is) and it simplifies our management overhead - only one set of permissions to deal with and wrangle when troubleshooting.

@bentoms I can access all the shares from Windows (12 of them) - but i can access all but the master DP on the Mac. Our macs are AD bound. Thanks for your pointer in this - it appears this is where i need to start investigating. All the permissions are exactly the same - thanks to the DFS replication stream, the permissions are set on the Gold Master, and replicated out to site servers. There is nothing special about the master DP, except for the tickbox in JSS.

Is it possible i've overlooked something and the master DP needs to be configured differently?

So i've tried a few things - setting DP as IP address, FQDN, and change the MasterDP to another server. As soon as it becomes the Master DP, casper admin cannot connect. I can manually map the share via hostname, FQDN and IP.

I have no idea what is going on with casper admin.

@daniel.parkin][/url,

So, using your CasperAdmin account (Active Directory account?), can you mount the SMB on a Mac using those credentials?
*One thing to check - Kerberos tickets on the Mac you're using. If there's one there already, and the name is alphabetically before CasperAdmin, then you need to nuke it and then sign into the SMB with the CasperAdmin account. You'll know you did that right if you get prompted for the correct ID/Pass and it shows as mounted under CasperAdmin.

Try that to start...as well as CasperInstall account (doing the same as above with Kerby tix).

*Edit: Note that every time we put in a request to setup a new DP - the Wintel guys always have issues getting this setup correctly. Been dealing with this all week. Those shots above are the end result of them being correct.

Scott

The only other reasons I've had Casper Admin fail to mount a share are:

• Another share on ther same server is already mounted
• Kerberos tickets authenticating before Casper Admin gets a chance
• A typo or incorrect case used in the share name
• Incorrect server address
• Permissions unable to access the share
• Using a DFS path instead of straight SMB to the server FQDN

That's about all the reasons that I've come across in the past few years. Hopefully these will help to narrow it down a bit!

@boettchs Thanks for your assistance - i have destroyed any kerberos tickets to minimise interactions - but even so, they were all past the 'c' in the alphabet. I've tried multiple profiles - using all the credentials i could get my hands on - and casperadmin still fails to mount the share, even though (after the fact) i can manually map it using the method i please.

@davidacland Thanks for the response. I've checked all these, except for #2 as im not sure what you mean. I've used local profiles before using AD LDAP to get into Casper Admin to try and eliminate kerberos beating me to the punch

It feels like i've pretty much tried everything - i even loaded the share with just the casperadmin/install and my domain account permissions, removing 'Everyone' just to be sure.

At this point im putting heavy pressure on my line manager to either get me training or to bring someone in with it. Unfortunately, being in Australia, the next training is a few months away (March), and my current arrangements end at the end of February.

The last thing I would try (just in case) is to give the Casper read/write user (that Casper Admin uses) full control in the NTFS permissions screen so that user has full access under the sharing tab and full control under the security tab. I wouldn't leave it like that but it will at least help narrow down the problem.

Other than that I would recommend reaching out to your JAMF Support representative as they are always very willing to help get issues like this resolved.

@daniel.parkin - have a look at this thread. It sounded familiar, so see if this might be something you can do (account names have spaces).

https://jamfnation.jamfsoftware.com/discussion.html?id=10957

Scott