Auto-mount SMB Shares on MAC with AD login credentials.

[sboomer]

[u]Issue:[/u]

Whenever my AD user logs into a mac, I want them to map smb shares automatically and place them in the dock or desktop. I want to do this without storing their passwords in clear txt, anywhere on the machine.

I have seen numerous posts about doing this with a script that stores the password and username, for security reasons I cannot do this.

[u]Equipment in the Golden Triangle:[/u]

Mac OSX Server 10.5.6 (OD Managed AD Groups/Users)
Microsoft Windows Server 2008 (AD DC)

Thanks in advance for any advice.

[sboomer]

Interesting note about this:

This seems to be happening through the network browser anyways. I go to GO->Network->Server The share will eventually show up in here. So on some level this is happening but I think I am too stupid to figure out how that is happening and make that show up in the dock or desktop.

[bodhisattva]

In my experience with 10.5.5, the automounting of SMB shares, when using Kerberos, failed.

OS X ignores the Kerberos ticket at the login window, and instead prompts the user to enter their plaintext password (assuming plaintext is enabled on the server).

Manually obtaining the TGT and supplying it to the server also fails.

Doing so via the command line works perfectly, which lead me to the workaround:

– setup a local MCX record for the Login window, automounting the SMB share
– ensure “use User name and Password” is selected

This way, the login window presents the Kerb TGT back to the AD server, and properly mounts the network drive during login.

Has anyone else encountered this, and if so, do you have a more elegant solution?

[sboomer]

Interesting.

I am using 10.5.6 on my clients, and did not really have time to test 10.5.5.

What we ended up doing was placing an applescript on the desktop that only defined the path of the share.

The script was written like this:

mount volume “smb://server/share”

Then we saved it as a run only application, and when the user logs in with their AD account, they need only to click on the script and it mounts all the drives I defined in the script to the desktop. No password needed.

So in that respect Kerberos seems to be working, mnus an annoying script icon on the desktop all the time.

What is bothering me is nothing I do seems to get this script to run automatically all the time, and cause I am a neat freak I cannot seem to get it to go in the dock either, but I havent had a lot of time to mess about with that since this work around works for now.

I am not very familiar with how to edit or setup and MCX record. I am afraid to say I am an idiot in this respect, but there I said it.

Could you point me into this because I have been trying to find a way to learn it.

[Author]

Posts