SMB Shares mounted at Login with AD-OD-MCX triangle
September 7, 2005 at 5:52 pm #363155
jkonrad
Participant
So we now have 10.3.9 clients authenticating users with AD, then getting group permissions (allowed apps and such) from OD and MCX. However, the login items preference is acting strangely.
In the past I have connected to a network share (smb or afp doesn’t matter) and then dragged that mount into the login Items preference. It would show up with the correct url (like smb://server/sharepoint). However now it shows up with a strange url, “cifs://username@server/sharepint”
Mapped this way the share will not mount during login.
It does not make a difference if I check “Mount with user’s name and password” or not.
Can I edit this URL manually?
September 7, 2005 at 9:09 pm #363165
jkonrad
Participant
I am now using inspector and the MCXsettings directly. I’ve changed the url to “smb://server/sharepoint” and it still will not mount at logon.
After logging in the student can use “Connect to Server …” from the finder and type the exact url and they will mount the share without being asked for their username and password.
Any ideas? I’ve also tried the url with the IP address of the server in case it’s a DNS thing. Still no dice.
I know the student is connecting to the OD server and getting MCXsettings because I can change other preferences and the changes are reflected on the next login (like allowed programs).
September 21, 2005 at 4:11 pm #363328
jkonrad
Participant
Just digging for any new help. I have now built a small program that mounts the shares for the users when executed and then placed that in the login preference in MCX and it works.
Still it would be much, much better to just use mount at login. Why does this not work under AD/OD, but did under pure OD?
September 21, 2005 at 7:20 pm #363330
jkonrad
Participant
Just an update, if I use AFP protocol and check “mount with user name and password” it will automount. However, smb will not work. Why?
September 23, 2005 at 12:41 am #363342
superrcat
Participant
[QUOTE BY=jkonrad]
I am now using inspector and the MCXsettings directly. I’ve changed the url to “smb://server/sharepoint” and it still will not mount at logon.
After logging in the student can use “Connect to Server …” from the finder and type the exact url and they will mount the share without being asked for their username and password.
Any ideas? I’ve also tried the url with the IP address of the server in case it’s a DNS thing. Still no dice.
I know the student is connecting to the OD server and getting MCXsettings because I can change other preferences and the changes are reflected on the next login (like allowed programs)
[/QUOTE]
The reason why this occurs is because SecurityAgent is trying to mount the SMB share before the Kerberos ticket cache is initialized. Since a Kerberos ticket is not available at the time of the mount attempt, the authentication type falls back to LM/NTLMv1. A lot of sites have security policies in place that only allow NTLMv2 or better for an authentication type. With those policies in place, the mount attempt fails during login. By the time the login completes, the Kerberos ticket cache is available. This would be why a user can then mount their share without re-prompting for credentials.
This is resolved in Tiger and was not a simple fix.
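The failure described in the last reply is a race between the login-time mount and the Kerberos ticket cache. As an added example (not code from either poster or from Apple), a login-item script can wait for a ticket and refuse to mount without one, so no LM/NTLMv1 fallback is attempted. It assumes `klist -s` and `mount_smbfs -N` are available on the client; the share URL and mount point are placeholders passed as arguments.

```sh
#!/bin/sh
# Added example (not from the thread): mount an SMB share from a login item
# only once a Kerberos ticket is cached, so no LM/NTLMv1 fallback is attempted.
# Assumptions: `klist -s` exits 0 when a valid ticket exists; `mount_smbfs -N`
# mounts without prompting; the URL and mount point are supplied by the caller.

TICKET_CHECK="${TICKET_CHECK:-klist -s}"

# wait_for_ticket TRIES DELAY
# Poll the ticket check up to TRIES times, DELAY seconds apart.
# Returns 0 as soon as a ticket is present, 1 if none ever appears.
wait_for_ticket() {
    tries=$1
    delay=$2
    n=0
    while [ "$n" -lt "$tries" ]; do
        if $TICKET_CHECK >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

# mount_share URL MOUNTPOINT
# Fail closed: without a ticket, do not call the mount command at all.
mount_share() {
    url=$1
    mnt=$2
    if ! wait_for_ticket "${MAX_TRIES:-30}" "${DELAY:-1}"; then
        echo "no Kerberos ticket yet; not mounting $url" >&2
        return 1
    fi
    mkdir -p "$mnt" || return 1
    ${MOUNT_CMD:-mount_smbfs -N} "$url" "$mnt"
}

# Runs only when called with arguments, e.g.:
#   mount-after-ticket.sh //server/sharepoint "$HOME/sharepoint"
if [ "$#" -ge 2 ]; then
    mount_share "$1" "$2"
fi
```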