Category "Admin tips"

With NoMAD version 1.1 just a short ways around the corner, we wanted to start sharing the Shares preference file… see what we did there!?!

Note: As a beta this file format is still subject to change… but we wanted to give you an idea of what was coming.

What is this?

With 1.1 NoMAD will be able to arbitrarily mount shares specified in a preference file. Since the shares are rather different than the rest of the NoMAD preferences, we’ve put them into a new plist to make things easier.

Where does it go?

Currently this preference is at menu.nomad.shares, but as with all things beta, this may change.

How do you make it?

There are 3 top-level objects in the file.

1. Version – this is the version number of the file format. Currently the only version is 1

2. HomeMount – This is a Dictionary of attributes for if the user’s home profile should be mounted.

Groups – [String] – Only mount the home for members of these AD groups
Mount – Bool – Mount automatically or not
Options – [String] – Array of mount options defined below

3. Shares – [Dictionary] – An array of dictionaries with each dictionary defining a mount point and associated attributes. Below is what goes into each Dictionary
AutoMount – Bool – Is the share automatically mounted
ConnectedOnly – Bool – Is the share only mounted when on the AD domain
Groups – [String] – An array of AD group names. This share will only automount for members of that group
LocalMount – String – A local mount point
Name – String – The name of the share as it will appear in the NoMAD menu item
Option – [String] – Array of mount options defined below
URL – String – The actual URL of the mount point in the form of “smb://dc1.nomad.test/Homes”

Options

First off huge thanks to @frogor for having figured these out. Note that most of these are probably not very useful or safe. Please use at your own risk. The primary ones that most admins will care about are MNT_RDONLY, MNT_DONTBROWSE and MNT_NOEXEC.

"MNT_RDONLY" - Mounts the share read only
"MNT_SYNCHRONOUS" - All I/O to the file system should be done synchronously.
"MNT_NOEXEC" - Prohibts execution of code from the share
"MNT_NOSUID" - Do not allow set-user-identifier or set-group-identifier bits to take effect.
"MNT_NODEV" - Do not interpret character or block special devices on the file system.
"MNT_UNION" - Causes the namespace to appear as the union of directories of the mounted filesystem with corre-
sponding directories in the underlying filesystem.
"MNT_ASYNC" - All I/O to the file system should be done asynchronously.
"MNT_CPROTECT" -
"MNT_EXPORTED" - Filesystem is exported
"MNT_QUARANTINE" - File system is quarantined
"MNT_LOCAL" - File system is stored locally
"MNT_QUOTA" - Quotas are enabled
"MNT_ROOTFS" - Identifies the root filesystem
"MNT_DOVOLFS" - Filesystem supports volfs (deprecated flag in Mac OS X 10.5)
"MNT_DONTBROWSE" - Does not display the share in the Finder
"MNT_IGNORE_OWNERSHIP" - Ignore ownership information on file system objects
"MNT_AUTOMOUNTED" - Set flags on the mountpoint to indicate that the volume has been mounted by the automounter.
"MNT_JOURNALED" - Mount filesystem journaled
"MNT_NOUSERXATTR" - User extended attributes not allowed
"MNT_DEFWRITE" - Filesystem should defer writes
"MNT_MULTILABEL" - Support for individual labels
"MNT_NOATIME" - Do not update the file access time when reading from a file.

Preference file itself


{ HomeMount = {
Groups = ( "Domain Users" );
Mount = false;
Options = ( );
};
Shares = (
{ AutoMount = false;
ConnectedOnly = true;
Groups = ( "Share Mounter Test" );
LocalMount = "";
Name = "File Server 2";
Options = ( );
URL = "smb://dc2.eng.nomad.test/Files";
},
{ AutoMount = true;
ConnectedOnly = true;
Groups = ( );
LocalMount = "";
Name = "Home Shares";
Options = ( );
URL = "smb://dc1.nomad.test/Homes";
},
);
Version = "1";
}

Starting with NoMAD 1.0.5(640)BETA NoMAD can now support environments that don’t have Active Directory. If you have a Kerberos environment that has been integrated with an LDAP server, NoMAD can give you the same functionality that you would get if AD was in the mix. Since there’s a variety of different LDAP setups, please test this in your environment and let us know if it’s missing anything.

Getting it working

NoMAD is designed to automatically configure as much as possible and relies on a number of AD-focused methods to do that. In the situation where you don’t have an AD environment you may not have all of these services in place. Don’t worry! As you can manually configure everything that you may need.

Starting Off

To get NoMAD to start doing LDAP-only queries you can set the LDAPOnly preference key to true.

SRV Records

NoMAD by default attempts to find both LDAP and Kerberos services via SRV records in your DNS. You most likely have these for your Kerberos KDCs, but you may not have the records for your LDAP servers. To get around this you can just designate your LDAP servers manually with the LDAPServerList preference key to a comma separated list of your LDAP servers.

LDAP over SSL

Many LDAP environments are configured to use LDAP over SSL. NoMAD fully supports this, but you’ll need to set the LDAPOverSSL preference key to true.

Test It!

NoMAD will allow for password changes, scripts and other actions, sign in and sign out and local password synchronization. The only major feature that you won’t have will be the password expiration countdown. This is mostly because there’s no real standard way to do this in an LDAP-only environment. However, if you’re interested in this please let us know and how you’ve implemented it, as this is something we’d be happy to put more work into.

 

Most NoMAD users are pushing preferences via configuration profiles. This is a great thing, but does make troubleshooting a bit tougher as the defaults command won’t show what keys are forced.

So… have a look at pref-finder.

Launch the tool and specify a preference domain you want to look at. You’ll be able to see all of the keys for that domain, check just a single key, check if a key is forced, or what most people will use it for, show all forced keys for a particular domain.

pref-finder -d com.trusourcelabs.NoMAD -k LastUser -f -F -a

It has a project page, and can be downloaded here.

NoMAD 1.0.3 responds to a number of Apple Events that you can send it from the CLI and other methods.

Current Actions

  • nomad://open – launches the application
  • nomad://signin – opens the sign in dialog if the system is on the domain and a user is not already signed in
  • nomad://user:pass@signin – causes NoMAD to get a Kerberos ticket for that user and password. If the Keychain is set to be used, this password will be stored in the keychain.
  • nomad://update – makes NoMAD update immediately
  • nomad://passwordchange – will show the change password window

If you have 1.0.3 or later installed, clicking on any of the above links will cause NoMAD to react. You can also use this from scripts via the “open” command.

open nomad://signin

In a shell script will cause NoMAD to launch, if it isn’t already and then show the sign in window if AD is reachable. This is a pretty handy thing to use at the end of your enrollment workflow to get the user’s password starting to sync.

 

© 2017 Orchard & Grove Inc.