Automator application to connect SMB drives with Kerberos Authentication

All PC workstations in the office belong the company domain and single sign-on with kerberos works pretty much flawlessly.  As a Mac user, I also wanted the benefits of single sign-on.  Specifically, it is really nice not having to enter/save passwords for all the company websites.  In addition, connecting to network drives is faster with kerberos.

Lately, Ticket Viewer has not been playing nicely on Sierra, so I am using the terminal to run kinit to get a kerberos ticket at the beginning of the day.   This depends on some settings in /etc/krb5.conf which are displayed below.  Remember to replace REALM with your company domain.

[appdefaults]
forwardable = true
proxiable = true
no-address = true
[libdefaults]
default_realm = REALM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]


My typical morning routine is to open the laptop, open terminal, run "kinit username@REALM" to get the ticket, then run an automator application to mount the network drives I use.

The other day I remembered that Automator can run shell scripts, so I should be able to have my Automator application get the kerberos ticket before it tries to mount the drives and skip the terminal session.  As I did not want to save my password in a file somewhere on the drive, and trying to extract it from the keychain is problematic in Sierra, I just have my application present a dialog box with password input field and pass that on to kinit.  This works great.  Now I just run my application, type in the password and watch as the drives are connected.  Here is a screenshot of my application showing the applescript that presents the dialog box and gets the ticket.

UPDATE 2018-10-23:
I got tired of typing my password every time, so I saved it in my keychain and altered my automator application to use a shell script instead of an AppleScript because it was much easier.  See below for the shell script.

#!/bin/bash
# get the local IP address
theIP=`/sbin/ifconfig | /usr/bin/grep "inet 10" | /usr/bin/grep -v inet6 | /usr/bin/cut -d" " -f2 | /usr/bin/cut -d. -f1`
# if IP address starts with 10 then I am probably at work
if [ $theIP -eq 10 ]; then
 kticket=`/usr/bin/klist | /usr/bin/grep krbtgt`
 if [ -z "$kticket" ]; then
  /usr/bin/kinit -f  --enterprise --canonicalize username@company.com@COMPANY.COM
 fi
 /usr/bin/open 'smb://server1.company.com/share'
 /usr/bin/open 'smb://server2.company.com/share'
fi

Comments

Post a Comment

Popular posts from this blog

iChat IRC transport with OpenFire and Kraken

Long have I wanted the all-in-one functionality of Adium with the AV chat capabilities of iChat. I really wanted to use iChat for all my messaging needs. I have finally achieved my goal using Openfire , a free XMPP server, and the Kraken plug-in that provides the tranports for other instant messaging services. In my case, I am interested specifically in IRC, but I got my little-used MSN account working also for test purposes. Kraken provides many different tranports. I should clarify my goal a bit. I only care about AV capabilities for protocols that iChat officially supports so I have not tested anything beyond text chatting with MSN. I only use IRC for text chat anyway, no DCC or file transfers. What do you need? You need to install the Openfire server and the Kraken plug-in. The Current versions when I did this were Openfire 3.6.4 and Kraken 1.1.3.beta2. Openfire had a binary download for OS X Snow Leopard, but I had to build Kraken from source. Click on this direct link
Read more

Save kerberos password in keychain for use with kinit on MacOS (was OS X) for use with network drives

Image
I work for a company that uses and Active Directory domain for the internal network. Therefore, kerberos authentication is supported. MacOS also supports kerberos authentication, so I can replicate most of the single sign-on experience on my Mac. I wrote a simple shell script to get a kerberos ticket-granting ticket and mount the network drives: #! /bin/bash # get the local IP address theIP = ` /sbin/ifconfig | /usr/bin/grep "inet 10" | /usr/bin/grep -v inet6 | /usr/bin/cut -d " " -f2 | /usr/bin/cut -d . -f1` # if IP address starts with 10 then I am probably on work's internal network if [ $theIP -eq 10 ] ; then /usr/bin/kinit -f --enterprise --canonicalize username@company . com@COMPANY . COM /usr/bin/open 'smb://server.company.com/share' fi To make this script really useful, I save my password securely in MacOS's keychain so that kinit can grab it automatically. I use the following command in the terminal:  
Read more

Recording the iPhone screen and Mac screen at the same time in one video

Image
 I was browsing the Mac Power Users forum when I ran across this question : "I’m trying to figure out a way to record a demo of my web-based software simultaneously recording a desktop view and a mobile view. I basically want to use and interact with one browser window and have another browser window showing the same thing but with a mobile view. Thoughts?" I use QuickTime Player.  Connect your iPhone/iPad to your Mac with a lightning cable and start a New Movie Recording.  Pick your iPhone/iPad screen as the video source by clicking the little drop down arrow next to the red recording button.   You will get a window showing the contents of your device's screen.  There is no need to actually start recording this video. Leave that window open and start a New Screen Recording in QuickTime player at the same time.  Then just arrange your iPhone window and browser window on your screen and start recording.  You will see both things at the same time.  I uploaded a small video
Read more