An issue that I’ve run into at my workplace has been people requesting the ability to log into our SMB-using file servers with different usernames. In my specific case, I have a user who wanted to be logged into one of our Windows file servers as username, but also wanted to connect to a specific share on the same server using a different account called other_username.
Normally, this wouldn’t be an issue except this user wanted to log into share A on the server with username and share B on the server with other_username and have both shares mounted at the same time. This is a problem because the Mac’s normal behavior is to keep using the same username / password authentication when connecting to different shares that are hosted on the same server.
To make this issue that much harder to address, our Macs and our file servers are also both bound to the same Active Directory domain, which means that our users normally aren’t being prompted for their usernames and passwords. Instead, they’re using Kerberos to handle logins for the file servers. Kerberos is using the AD account of the logged-in user as part of its authentication process to our servers, so any file share will mount using that account’s access rights.
Fortunately, it does appear that there is a way to make this work. Even better, it doesn’t require breaking Kerberos or trying to get around it. See below the jump for details.
For those who wanted a copy of my FileVault 2 session slides from Penn State’s MacAdmins Conference 2013, here are links to the slides in PDF and Keynote format.
PDF document link: http://tinyurl.com/PSUMac2013PDF
Keynote slides link: http://tinyurl.com/PSUMac2013key
As covered previously, Greg Neagle’s createOSXinstallPkg is a versatile tool for installing or upgrading Mac OS X in a variety of situations. One of the nicer features is that you can edit the OS X installer to install additional packages.
However, the limitations of the OS X install environment mean that there are a number of installers that won’t install correctly. In particular, packages that rely on pre- or postflight scripts to perform important tasks may fail to run properly in the OS X install environment.
To help work around this limitation, I’ve developed First Boot Package Install.pkg, an installer package that enables other packages to be installed at first boot.
Update – 4-17-2014: An updated First Boot Package Install.pkg is now available. See this post for details. The repo address has also changed; links in this post have been updated.
It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.
In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This Apple Java browser plug-in is running on Mac OS X 10.6.x or was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 and later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.
The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. In this case, the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559
This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. See below the jump for the details.
I’ll be speaking about FileVault 2 at the Penn State MacAdmins Conference 2013, which is being held from May 22nd – 24th, 2013 in State College. For those interested, my talk will be on Thursday, May 23.
As a follow-on to my earlier post about running remote commands with SSH, I noticed I was repeatedly running particular commands via SSH on remote machines. I was copying and pasting the bits I needed into Terminal, but it was still a manual process and manual processes should be scripted whenever possible.
Here’s the script I wrote to solve my particular problem.
```bash
#!/bin/bash

# At the prompt, enter the IP address
# or DNS name of the machine you want
# to connect to.

echo -n "Enter IP Address or Domain Name: "
read -r ipaddress

# At the prompt, enter the username
# of the account you want to log in
# with.

echo -n "Enter Username: "
read -r username

# At the prompt, enter the command that
# you want to run on the remote machine.

echo -n "Enter the command you want to run on the remote machine: "
read -r command

echo ""
echo ""

# Error checking to verify that the correct
# information has been entered. If incorrect
# info has been entered, selecting No will
# exit the script.

echo "Is the information below correct?"
echo ""
echo "Remote machine: $ipaddress"
echo "Username: $username"
echo "Command: $command"
echo ""
echo "If it is correct, select Yes"
echo ""
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo "OK, the script will continue."; break;;
        No ) echo "To avoid errors, the script will need to be restarted. Exiting the script."; exit 0;;
    esac
done

echo ""
echo ""

# Check to see if the command needs to be
# run with root privileges. If root privileges
# are needed, the SSH connection will force
# pseudo-tty allocation, which allows the command
# to be run via sudo

echo "Does this command need to run with root privileges? Once you select Yes or No, the command will run on the remote machine."
echo "Note: You will be prompted if authentication is required. If running the command as root, you may be prompted twice."
echo ""
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo ""; ssh -t "$username@$ipaddress" "sudo $command"; break;;
        No ) echo ""; ssh "$username@$ipaddress" "$command"; break;;
    esac
done

# Exiting the script

echo ""
echo ""
echo "Finished running the remote command"
exit 0
```
The script is also available on my GitHub repo at the following location:
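A non-interactive variant of the script's final step, as an added example that is not the author's code: it checks the host and username before they reach ssh's command line and passes `--` so neither value can be read as an option. The helper names, the `SSH_BIN` override and the allowed character sets are assumptions.

```bash
#!/bin/bash
# Added example, not the author's script. valid_host, valid_user, run_remote
# and SSH_BIN are hypothetical names; the allowed character sets are a
# conservative assumption and may need widening for your naming scheme.

# Reject empty values, a leading "-" (ssh would parse it as an option)
# and anything outside the characters expected in a DNS name or IP address.
valid_host() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    return 0
}

# Same idea for the account name.
valid_user() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# usage: run_remote HOST USER yes|no COMMAND
run_remote() {
    local host="$1" user="$2" as_root="$3" cmd="$4"
    valid_host "$host" || { echo "Rejected host: $host" >&2; return 2; }
    valid_user "$user" || { echo "Rejected username: $user" >&2; return 2; }
    [ -n "$cmd" ] || { echo "No command given" >&2; return 2; }

    if [ "$as_root" = yes ]; then
        # -t forces a pseudo-tty so sudo can prompt; "--" ends option parsing.
        set -- -t -- "$user@$host" "sudo $cmd"
    else
        set -- -- "$user@$host" "$cmd"
    fi
    "${SSH_BIN:-ssh}" "$@"
}

# Dry run with constructed values: echo stands in for ssh and prints the
# argument list that would be used.
SSH_BIN=echo run_remote fs01.example.com admin yes "uptime"
```

The remote command string is still interpreted by the remote login shell, so this only protects the local ssh invocation, not what the command does once it arrives.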