Mounting shares with kerberos

smith_kyle
New Contributor III

I'm trying to mount some authenticated shares, but am having a helluva time. We have a NAS that we want to mount when the user logs in. These are shared student machines, and we have the mobile home directories set to expire on logout to keep the machines clean. The students store anything they need to save in their network home directory, but we have a few classes that require additional storage, so those classes also mount a NAS.

I've been able to get drives to mount using mount_smbfs, jamf mount, applescript, and configuration profiles, but have so far had limited success mounting them when trying to use kerberos authentication. The following works when specifying a username/password manually:

jamf mount -server $serverAddress -share $shareName -type $shareType -workgroup ADDOMAIN -username $userName -password $userPassword

mount_smbfs 'smb://ADDOMAIN;user:password@server/share' /Volumes/share

osascript -e 'mount volume "smb://server/share"'

Which would be fine for a single user, but this is for hundreds of users. What I would like to achieve is a command where I can specify a server/share, and it will use kerberos/the credentials of the user logging in or the user already logged in to mount the share.

My current solution is a configuration profile, but the users are prompted for their password to the server/share when they first log in (the same password they just entered).

Any help would be much appreciated!

Kyle


htse
Contributor III

if you interactively mount that share in Finder right now, will it mount with Kerberos?

Look
Valued Contributor III

If you are using the commands without the username and password and it is still not working, then Kerberos is not working correctly; I doubt it's the commands that are at fault.
Run klist from Terminal on one of the test machines when logged in as a user and make sure you have an entry like:
krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
If this is present then locally Kerberos is probably working, so look at the NAS end and see whether there is something there likely to prevent authentication.

smith_kyle
New Contributor III

Thanks!

Running klist does give me the entry like you mentioned. If I try to connect to the server from Finder, though, I do still get prompted for a password.

So maybe that's where I should have started...if I log in as one user, create a kerberos identity for another user, and then try to mount that user's network home folder, it mounts no problem and doesn't ask for credentials. When I try to mount the NAS, though, it asks for credentials. The NAS is integrated with AD, so my understanding was that kerberos logins would work with it since students authenticate with their AD credentials. Trying to verify if the NAS supports kerberos or not...

Thanks,

Kyle

jack_bishop
New Contributor III

Check to make sure your domain suffix matches one of the service principals in the server's keytab file. For example, if the Mac is mycomputer.subdomain.company.com and the server is server.company.com, the Mac won't use kerberos.

Adding a service principal is different based on the OS. Let me know if you are using Isilon and I'll give you the commands.

Jack

smith_kyle
New Contributor III

Thanks - do you mean the domain suffix of the NAS or our AD server? We are using a .local domain for AD. It looks like Kerberos on the Macs is working when connecting to other file servers, so I think it's just the NAS :/

jack_bishop
New Contributor III

It's definitely the NAS. There is no service principal with a matching domain name, so the Mac never tries to use Kerberos. Windows servers do some funkiness to mask this issue.

The best thing to do is look at the spn list in the keytab, then add whatever is necessary.
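A script that encodes the two checks from the replies above (Look's klist entry and jack_bishop's domain-suffix point) before mounting without a password, added here as an example and not code from anyone in the thread; the realm STUDENTS.LOCAL, the host names and the klist text are constructed, and mount_smbfs with no credentials in the URL is assumed to negotiate Kerberos from the existing ticket.

```shell
#!/bin/bash
# Added example, not code from the thread. Runs the two checks the replies
# point at before mounting: a krbtgt entry in the user's klist output, and
# a server DNS suffix that matches the Kerberos realm. Then it mounts with
# no user or password in the URL so mount_smbfs uses the existing ticket.
# The realm, host names and klist text below are constructed sample values.

# Print the realm of the krbtgt entry in klist-style text; print nothing if absent.
tgt_realm() {
  printf '%s\n' "$1" | sed -n 's#.*krbtgt/[^@ ]*@\([^ ]*\).*#\1#p' | head -n 1
}

# Return 0 when the server FQDN ends in the realm's domain (case-insensitive).
suffix_matches() {
  local host realm
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  realm=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$host" in
    *."$realm") return 0 ;;
    *)          return 1 ;;
  esac
}

# Combined check: 0 = ready for a Kerberos mount, 1 = no TGT, 2 = suffix mismatch
# (the case where the Mac silently falls back to a password prompt).
kerberos_mount_ready() {
  local klist_text=$1 server=$2 realm
  realm=$(tgt_realm "$klist_text")
  [ -n "$realm" ] || return 1
  suffix_matches "$server" "$realm" || return 2
}

# Mount using the ticket: no credentials in the URL, so mount_smbfs negotiates
# Kerberos instead of prompting. Assumes the mount point under /Volumes can be created.
# usage: kerberos_mount_ready "$(klist 2>/dev/null)" nas.students.local \
#          && mount_with_kerberos nas.students.local classshare
mount_with_kerberos() {
  local server=$1 share=$2 mp="/Volumes/$2"
  mkdir -p "$mp" && mount_smbfs "//$server/$share" "$mp"
}

# Constructed klist output in the macOS (Heimdal) layout for a sample user.
SAMPLE_KLIST='Credentials cache: API:0000-0000
        Principal: jdoe@STUDENTS.LOCAL

  Issued                Expires               Principal
Jan  1 08:00:00 2020  Jan  1 18:00:00 2020  krbtgt/STUDENTS.LOCAL@STUDENTS.LOCAL'
```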

smith_kyle
New Contributor III

So the weirdest thing happened...I didn't know the NAS had a DNS name at first, but found out it did and wanted to make it more user-friendly for the students instead of having to find it by IP. It looks like it now mounts without asking for a password...go figure...gonna have to do some more testing. I'm mounting it with a configuration profile btw.

Thanks for your help!

Kyle