Hi, that's the default behavior of the AD plugin unfortunately. Here's our SMBHome mounting script that can mount the subdirectory.
https://github.com/amsysuk/public_scripts/blob/master/mount_SMBHome/mounthome.sh
Thanks for the response! Is there any way that I can hide the root share of the user's AD home folder? The script works great, but if I disable the setting to not show connected servers on the desktop, our users' network share as well as the scripted My Documents folder disappear.
You can do sub-directory mounting so you can mount smb://server.com/sharedfolder/userhome, instead of just smb://server.com/sharedfolder, but no matter which way you do it a share point has to be mounted to give the user access.
It would be possible to mount something like smb://server.com/sharedfolder/userhome/Documents directly but that would get very complicated, very quickly.
I'm not sure what you mean about the other bit, but showing network drives on the desktop is a finder preference so you can set that to either show or hide connected network drives depending on your needs.
My Documents is a default Windows folder, not sure how that relates to the drive mounting stuff but if you can give a bit more detail I might be able to help further.
The mount AD home directory script works great when I run it on the machine when the AD user is logged in. I think that JSS runs scripts as the root user so I need to change the $USER variable to $3? I have copied the modified script and created a policy with it in JSS. I configured the policy to run when the user logs into the computer. It seems that once I push out the policy the AD plugin on my test machine breaks?!? I've had to redeploy an image to my test machine due to not being able to log in or rebind the computer to AD. Any help with this would be great.
#!/bin/bash

# Created by Amsys
#
# Use at your own risk. Amsys will accept
# no responsibility for loss or damage
# caused by this script.

##### ADVANCED MODIFICATION ONLY BELOW THIS LINE #####

# Create a log writing function
writelog()
{
    echo "${1}"
}

writelog "STARTING: User drive mount"

# Already mounted check
# The following check confirms whether the user's personal network drive is already
# mounted and exits if it is. When run from a Jamf/Casper policy the script runs as
# root, so the logged-in user's name arrives as $3 rather than $USER.
isMounted=$(mount | grep -c "/Volumes/$3")

if [ "$isMounted" -ne 0 ] ; then
    writelog "Network share already mounted for $3"
    exit 0
fi

# Mount network home
writelog "Retrieving SMBHome attribute for $3"

# Get Domain from full structure, cut the name and remove space.
ShortDomainName=$(dscl "/Active Directory/" -read . | grep SubNodes | sed 's|SubNodes: ||g')

# Find the user's SMBHome attribute, strip the leading \\ and swap the remaining \ in the path to /
# The result is to turn SMBHome: \\server.domain.com\path\to\home into server.domain.com/path/to/home
adHome=$(dscl "/Active Directory/$ShortDomainName/All Domains" -read "/Users/$3" SMBHome | sed 's|SMBHome:||g' | sed 's/^[\\]*//' | sed 's:\\:/:g' | sed 's/ \/\///g' | tr -d '\n' | sed 's/ /%20/g')

# Next we perform a quick check to make sure that the SMBHome attribute is populated
case "$adHome" in
    "" )
        writelog "ERROR: $3's SMBHome attribute does not have a value set. Exiting script."
        exit 1 ;;
    * )
        writelog "Active Directory user's SMBHome attribute identified as $adHome"
        ;;
esac

# Mount the network home
mount_script=$(/usr/bin/osascript > /dev/null << EOT
tell application "Finder"
activate
mount volume "smb://${adHome}"
end tell
EOT
)

writelog "Script completed"

# Script End
exit 0
Correct, $3 if it's running as a Casper policy.
Not sure if the policy is doing anything else but there isn't anything in the script that could do this. The steps it performs are:
- Check if /Volumes/$3 is already mounted and exit if it is
- Read the SMBHome attribute using dscl and exit if it isn't populated
- Mount the volume
Thank you all for the help! Replacing $USER with $3 in the script provided above worked great!
Good day. I am trying to run this script and am getting an error. Any help in getting this to work would be greatly appreciated. FYI: I am trying to automate network home folder mapping with an Active Directory bind.
rlopez01-mac:~ rlopez$ #!/bin/bash
rlopez01-mac:~ rlopez$ # Created by Amsys
rlopez01-mac:~ rlopez$ #
rlopez01-mac:~ rlopez$ # Use at your own risk. Amsys will accept
rlopez01-mac:~ rlopez$ # no responsibility for loss or damage
rlopez01-mac:~ rlopez$ # caused by this script.
rlopez01-mac:~ rlopez$ ##### ADVANCED MODIFICATION ONLY BELOW THIS LINE #####
rlopez01-mac:~ rlopez$ # Create a log writing function
rlopez01-mac:~ rlopez$ writelog()
> {
> echo "${1}"
> }
rlopez01-mac:~ rlopez$ writelog "STARTING: User drive mount"
STARTING: User drive mount
rlopez01-mac:~ rlopez$ # Already mounted check
rlopez01-mac:~ rlopez$ # The following checks confirm whether the user's personal network drive is already mounted,
rlopez01-mac:~ rlopez$ # (exiting if it is). If it is not already mounted, it checks if there is a mount point
rlopez01-mac:~ rlopez$ # already in /Volumes. If there is, it is deleted.
rlopez01-mac:~ rlopez$ isMounted=`mount | grep -c "/Volumes/$3"`
rlopez01-mac:~ rlopez$ if [ $isMounted -ne 0 ] ; then
> writelog "Network share already mounted for $3"
> exit 0
> fi
Network share already mounted for
logout
[Process completed]
Hi @Kushnirskiy the code is a bit hard to read without the formatting. What bit are you stuck on?
@Kushnirskiy It looks like you just copied and pasted the script into a terminal window?
Hi @davidacland ,
I'm wondering if you can point out where I'm going wrong with this. I'm trying to run your full script as a LoginHook but receive the error "There was a problem connecting to server "name"." when logging in.
I'm fairly new to all this so I may have done something completely wrong; any advice would be greatly appreciated.
Thanks
Edit: it's probably worth pointing out I'm not using JSS at all
Hi @wsauce
I'd recommend running the script manually while logged in as an AD user to see if it mounts the drive ok. If it doesn't, it should give you some decent feedback to explain why.
Thanks for that @davidacland. It works fine manually which I'm guessing points toward the LoginHook being the cause.
I have the script directly on Macintosh HD and have simply used this.
sudo defaults write com.apple.loginwindow LoginHook /mounthome.sh
Any issues with this I should be aware of?
@wsauce
LoginHooks are run as root. You need to tell the script that $USER is the currently logged in user
Try adding the following above the write log function
USER=`stat -f%Su /dev/console`
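Added example, not the Amsys script or any poster's code: the two replies above (use $3 under a Casper policy, or read the owner of /dev/console under a LoginHook) both come down to "figure out who is really logged in when the script itself runs as root". This puts that decision in one function with the checks a practitioner wants: reject root, loginwindow and _mbsetupuser (what the console owner reports while nobody is logged in, at the login window, or during Setup Assistant), and reject anything that is not a plain account name before it is spliced into a dscl path or /Volumes path. The script name resolve_user.sh and the user jsmith are made up for the usage comment.

```bash
#!/bin/bash
# Added example (not the Amsys mounthome.sh): pick the user to act on when the
# script runs as root (LoginHook, Jamf/Casper policy, LaunchDaemon), refusing
# the pseudo-users macOS reports while nobody is actually logged in.

# Owner of /dev/console is the GUI session user on macOS. The `|| true` keeps
# a failure (for instance on a non-macOS host) from aborting a `set -e` script.
console_user() {
    /usr/bin/stat -f%Su /dev/console 2>/dev/null || true
}

# 0 if $1 names a user worth mounting a home share for, 1 otherwise.
# root: nobody at the console (or the script is reading its own identity);
# loginwindow / _mbsetupuser: login window and Setup Assistant phases.
is_real_console_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    # The name ends up in `dscl . -read /Users/<name>` and "/Volumes/<name>",
    # so allow only plain account-name characters (no slashes, quotes, spaces).
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Choose the target user: a name handed in by the launcher ($3 from a Jamf
# policy, $1 from a LoginHook) wins when valid; otherwise ask the console.
resolve_target_user() {
    candidate="$1"
    if ! is_real_console_user "$candidate"; then
        candidate="$(console_user)"
    fi
    if ! is_real_console_user "$candidate"; then
        echo "ERROR: no interactive user at the console (got '${candidate}')" >&2
        return 1
    fi
    printf '%s\n' "$candidate"
}

# Stand-alone use on a Mac (hypothetical file name resolve_user.sh):
#   sudo ./resolve_user.sh "" "" jsmith   # mimics a Jamf policy passing $3
#   sudo ./resolve_user.sh                # falls back to the console owner
# The guard keeps this top-level call inert when the file is sourced elsewhere.
if [ "$(uname -s)" = "Darwin" ] && [ -c /dev/console ]; then
    resolve_target_user "${3:-${1:-}}"
fi
```

Drop resolve_target_user in place of the `USER=...` line and use `$(resolve_target_user "$3")` (policy) or `$(resolve_target_user "$1")` (LoginHook) for the rest of the script; an exit status of 1 means "do not mount anything", which is what you want at the login window.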
@wsauce you could also switch to a LaunchAgent instead which will still let you use $USER.
@davidacland, question for you. This script is great, but am running into a minor hiccup. Because of issues with Cryptolocker and network homes, we have a few users that don't have a network home specified in AD.
So when the command below is run (took out the seds for the example):
dscl . -read /Users/$USER SMBHome
it produces an error:
No such key: SMBHome
Trying to add an additional case or some check that accounts for this scenario and writes an error in the log file, but haven't been successful as of yet. Do you or anyone else have any ideas of how I might accomplish this?
Hi @aporlebeke
We use this code to capture that issue:
case "$adHome" in
    "" )
        echo "ERROR: ${USER}'s SMBHome attribute does not have a value set. Exiting script."
        exit 1 ;;
    * )
        echo "Active Directory user's SMBHome attribute identified as $adHome"
        ;;
esac
You can just redirect the echo with >> to whatever log file you want to use :)
Thanks @davidacland. I actually did something a little different which I got to work. Kept the case statement the same, but edited the dscl command to not specify the SMBHome key and then grep -e "SMBHome:". That way dscl does not produce the "No such key: SMBHome" error and the case statement properly displays an error when no text is produced. See my change below:

adHome=$(dscl . -read /Users/$USER \
    | grep -e "SMBHome:" \
    | sed 's|SMBHome:||g' \
    | sed 's/^[\\]*//' \
    | sed 's:\\:/:g' \
    | sed 's/ \/\///g' \
    | tr -d '\n' \
    | sed 's/ /%20/g')
Thanks so much for all your work on the script! A LOT better than what our users do now where a parent directory is mounted and they have to navigate through various directories to find their network home folder.
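Added example, not the Amsys script or @aporlebeke's code: the exchange above is really two things, reading SMBHome without tripping over "No such key" and turning a UNC path into the server/path form that `mount volume "smb://..."` wants. This version does both as functions and adds the check a practitioner would want in front of the osascript heredoc: the converted value is interpolated into an AppleScript string, so a mis-edited attribute containing a double quote or other junk must be rejected rather than passed to the interpreter. The record text, host fs01.corp.example.com and users jsmith/asmith are constructed samples, not captured dscl output; it assumes dscl prints the attribute on one line as `SMBHome: \\server\share\path`, which is what the thread's sed chains also assume.

```bash
#!/bin/bash
# Added example (not the Amsys mounthome.sh): SMBHome -> validated smb path.

# Pull the SMBHome value out of a full record dump. Reading the whole record
# (`dscl . -read /Users/<name>`) and filtering sidesteps dscl's
# "No such key: SMBHome" error; an empty result simply means "not set".
smbhome_from_record() {
    printf '%s\n' "$1" | sed -n 's/^SMBHome: *//p' | tr -d '\r' | head -n 1
}

# \\server.domain.com\path\to home  ->  server.domain.com/path/to%20home
# Same transformation as the thread's sed chain, as one function.
unc_to_smb_path() {
    printf '%s\n' "$1" \
        | sed 's/^[\\]*//' \
        | sed 's:\\:/:g' \
        | sed 's/ /%20/g'
}

# Accept only what a UNC home path can legitimately contain. The value ends
# up inside an osascript heredoc as mount volume "smb://<value>", so quotes,
# backslashes, spaces and shell/AppleScript metacharacters must not get there.
# Hidden shares such as homes$ are allowed; "//" and ".." are not.
is_safe_smb_path() {
    case "$1" in
        ""|*//*|*..*) return 1 ;;
    esac
    if printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9._%$/-]'; then
        return 1
    fi
    case "$1" in   # must be at least host/share
        */*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Record text -> validated smb path on stdout.
# Exit codes: 1 attribute missing, 2 value rejected.
resolve_home_path() {
    unc="$(smbhome_from_record "$1")"
    if [ -z "$unc" ]; then
        echo "ERROR: SMBHome attribute does not have a value set" >&2
        return 1
    fi
    path="$(unc_to_smb_path "$unc")"
    if ! is_safe_smb_path "$path"; then
        echo "ERROR: SMBHome value rejected: $unc" >&2
        return 2
    fi
    printf '%s\n' "$path"
}

# Live lookup on a Mac; its output is what resolve_home_path expects.
user_record() {
    dscl . -read "/Users/$1"
}

# Constructed sample records (not real dscl output).
SAMPLE_WITH_HOME='RecordName: jsmith
NFSHomeDirectory: /Users/jsmith
SMBHome: \\fs01.corp.example.com\homes\j smith
UniqueID: 1234567'
SAMPLE_WITHOUT_HOME='RecordName: asmith
NFSHomeDirectory: /Users/asmith
UniqueID: 1234568'
SAMPLE_INJECTED='RecordName: bsmith
SMBHome: \\fs01.corp.example.com\homes\bsmith" & do shell script "id
UniqueID: 1234569'
```

In the thread's script this replaces the `adHome=$(dscl ... )` line with `adHome=$(resolve_home_path "$(user_record "$3")") || exit 1`, and the existing case statement becomes redundant because the function already exits non-zero and logs why.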
Thanks @davidacland. This is a great script. I'm trying to add another bit of functionality to create a desktop alias to the network share. Here's my script:

# Mount the network home
mount_script=`/usr/bin/osascript > /dev/null << EOT
tell application "Finder"
activate
mount volume "smb://${adHome}"
end tell
tell application "Finder"
make new alias to "smb://${adHome}" at desktop
end tell
EOT`
I'm getting an error:
243:324: execution error: Finder got an error: Can’t make class alias. (-2710)
Can anyone see where I'm going wrong?
Cheers,
Matt
I think the alias would be for /Volumes/${USER}, so:

tell application "Finder"
    make new alias file to (POSIX file "/Volumes/${USER}") at desktop
end tell
I would normally change the finder preferences with a config profile to show network drives on the desktop which might make it a bit simpler.
@davidacland Does your login script work with Mac OS Sierra ?
We are using the Active Directory service under Directory Utility and enabling the "Use UNC Path from AD...with SMB".
When a general user logs in, the globe on their dock is their network home directory, but when clicked the user is prompted for a password. How could I bypass the user having to enter their password?
Thanks for any info
@Chuey Part of the reason for this home directory mounting script in the first place is because of issues with the "Use UNC path from AD with SMB" setting. We ran into problems when we first started with the JSS where the first time an AD user would login to a machine they would be informed that they couldn't be logged in at this time, but as soon as the computer was restarted they would be able to login.
As is documented in a number of different threads, it's recommended you disable the Use UNC path setting.
I've only done very minor testing with macOS Sierra, but IIRC this mounting script does still work.
Hi @Chuey
As @aporlebeke said, if you use the script, you don't need to enable the "Use UNC path..." checkbox.
The script will use the standard macOS authentication system so if the user has a Kerberos ticket, it will use that instead of asking them for a username and password.
@davidacland Thank you. I just tested your script by executing it via command line and it still prompts me for the password. In a perfect world I'd just like to enable "use unc path..." and when the user clicks the "Globe" on their dock that points to their SMB Home it will just open and not prompt for password. Any insight on how I can accomplish that automation ?
Thank you very much for any help
If you're getting asked for a password, either using the script or the "use UNC path" option, it will be a problem with the kerberos authentication rather than the drive mounting method.
Both ways of mapping the drive use Kerberos if available and fall back to username/password prompts if Kerberos isn't available.
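Added example, not part of the thread's script or any poster's code: the two replies above say a password prompt means Kerberos is the problem, not the mount method. This puts that diagnosis in front of the mount so the failure is logged instead of turning into a dialog (users trained to type AD credentials into whatever prompt appears is its own problem). It checks for a TGT with `klist -s`, confirms the ticket's realm matches the domain the Mac is bound to, and mounts with `mount_smbfs -N`, which refuses to prompt and returns a non-zero status instead. Assumptions: the realm is the bound domain name in upper case; `dsconfigad -show` prints an "Active Directory Domain = ..." line; mounting a sub-path of a share with mount_smbfs behaves like the smb:// URL form used in the thread. The klist text is constructed to look like Heimdal's output on macOS and is not a real capture; fs01.corp.example.com and jsmith are made up.

```bash
#!/bin/bash
# Added example (not the Amsys mounthome.sh): Kerberos preflight before mount.

# 0 when the default credential cache holds a valid TGT. Heimdal's klist on
# macOS (and MIT's) exit non-zero from `klist -s` when there is none.
has_kerberos_ticket() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s >/dev/null 2>&1
}

# Given `klist` output and the AD domain the Mac is bound to, succeed only if
# the cache holds a krbtgt for that domain's realm (assumed: realm = domain in
# upper case). A ticket for some other realm is one reason both the UNC-path
# globe and the script fall back to asking for a password.
tgt_realm_matches() {
    klist_output="$1"
    expected_realm="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    printf '%s\n' "$klist_output" \
        | grep -q "krbtgt/${expected_realm}@${expected_realm}\$"
}

# Live check on a Mac: domain from the AD bind, ticket from the live cache.
# Exit codes: 0 ok, 2 no ticket at all, 3 ticket for the wrong realm.
# Assumed dsconfigad line format: "  Active Directory Domain = corp.example.com"
kerberos_preflight() {
    domain="$(dsconfigad -show 2>/dev/null | sed -n 's/^ *Active Directory Domain *= *//p')"
    if ! has_kerberos_ticket; then
        echo "ERROR: no Kerberos ticket for $(id -un); the mount would prompt" >&2
        return 2
    fi
    if ! tgt_realm_matches "$(klist 2>/dev/null)" "$domain"; then
        echo "ERROR: no TGT for the realm of ${domain}" >&2
        return 3
    fi
}

# Mount only after preflight passes. -N tells mount_smbfs never to prompt, so
# an authentication failure comes back as a status the policy log can show.
# $1: server.domain.com/share/path (as produced by the thread's sed chain)
# $2: local mount point, created if absent
mount_home_noninteractive() {
    kerberos_preflight || return $?
    [ -d "$2" ] || mkdir -p "$2" || return 1
    /sbin/mount_smbfs -N "//$1" "$2"
}

# Constructed klist output shaped like Heimdal's on macOS (not a real capture).
SAMPLE_KLIST='Credentials cache: API:1D2E3F40-0000-0000-0000-000000000000
        Principal: jsmith@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Feb  1 09:00:00 2017  Feb  1 19:00:00 2017  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM'
```

Run this as the logged-in user (for example from a LaunchAgent, as suggested earlier in the thread) rather than as root: the credential cache klist inspects is per user, so a root-run LoginHook is checking root's empty cache, not the user's ticket.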
@davidacland I know this was stale for some time but I have not had much time to tinker with MacOS 10.12.X.
it appears that Apple no longer allows mounting in /Volumes unless you are root. This is a problem in our environment where users are not admin. Do you have a workaround for this? We rely heavily on automated mount points when users log in and this is our biggest hiccup with Sierra.
Thanks