Can't access SMB shares while Open Directory is enabled
Originator: futuretap
Number: rdar://46204370
Date Originated: 21-Nov-2018 10:46 PM
Status: Duplicate/45410001/Open
Resolved:
Product: macOS + SDK
Product Version: 10.14.1
Classification: Serious Bug
Reproducible: Always
Summary:
I've configured an OD master on a Mojave server. Now I can't access any shares on that machine via SMB (from a 10.13.6 client). Access via AFP still works, but since SMB is required for Time Machine server, I can't back up to the Mojave server.
Steps to Reproduce:
Please see here: https://apple.stackexchange.com/q/340896/1931
Expected Results:
Actual Results:
Version: 10.14.1
Notes:
Comments
Apple response
Engineering has determined that your bug report is a duplicate of another issue and will be closed.
My response
Thanks. Turns out that the SMB-ACL group didn't include the affected users or their group. Adding them to this group solved the issue. It would be convenient if this were an exposed setting and one were not required to fiddle with system groups.
Apple response
Engineering has requested the following information regarding your bug report:
Kerberos is enabled by default. You may need to auth bind to the ODM. However, we don't know if the authentication is failing for local users, or for OD users. https://support.apple.com/en-us/HT204021
Regarding NTLM: To view the authentication methods available in Open Directory:
dscl /LDAPv3/127.0.0.1 -read /config/dirserv apple-enabled-auth-mech
To allow clients to authenticate to the ODM using NTLMv2:
dscl -u diradmin -p /LDAPv3/127.0.0.1 -append /Config/dirserv apple-enabled-auth-mech SMB-NTLMv2
Other possible problems are SACLs or ACLs.
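Added example (not from the radar, the reporter or Apple): a small POSIX shell audit helper that parses the attribute printed by the dscl -read command above and reports whether SMB-NTLMv2 is enabled and whether the legacy SMB-NT / SMB-LAN-MANAGER mechanisms are on as well, plus a membership check for the SMB service ACL group that resolved this report. The dscl output is a constructed sample, and the group name com.apple.access_smb is an assumption based on the "SMB-ACL group" mentioned earlier in the thread.

```shell
#!/bin/sh
# Added audit helper (not from the radar): parse the attribute printed by
#   dscl /LDAPv3/127.0.0.1 -read /config/dirserv apple-enabled-auth-mech
# and report which password mechanisms SMB clients may use against the ODM.
# Constructed sample output; a real server may list other mechanisms.
SAMPLE_AUTH_MECH='apple-enabled-auth-mech: CRAM-MD5 DIGEST-MD5 GSSAPI APOP WEBDAV-DIGEST SMB-NT SMB-NTLMv2'

# auth_mechs DSCL_OUTPUT: print one mechanism per line. dscl prints the
# values on the attribute line, or one per indented line below it.
auth_mechs() {
  printf '%s\n' "$1" | awk '
    /^apple-enabled-auth-mech:/ {
      sub(/^apple-enabled-auth-mech: */, ""); inattr = 1
      for (i = 1; i <= NF; i++) print $i; next
    }
    inattr && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
    inattr { exit }'
}

# has_mech DSCL_OUTPUT MECH: succeed if MECH is in the enabled list.
has_mech() {
  auth_mechs "$1" | grep -qx -- "$2"
}

# smb_auth_verdict DSCL_OUTPUT: classify the enabled SMB password mechanisms.
# SMB-LAN-MANAGER (LM) and SMB-NT (NTLMv1) are legacy; flag them when they
# are left on next to SMB-NTLMv2 so an admin can decide whether to keep them.
smb_auth_verdict() {
  if ! has_mech "$1" SMB-NTLMv2; then
    echo "ntlmv2-disabled"
  elif has_mech "$1" SMB-NT || has_mech "$1" SMB-LAN-MANAGER; then
    echo "ntlmv2-enabled-with-legacy"
  else
    echo "ntlmv2-only"
  fi
}

# smb_sacl_allows USER: check the SMB service ACL group membership that
# resolved this radar. Group name com.apple.access_smb is assumed; this
# only works on a macOS host with dseditgroup available.
smb_sacl_allows() {
  dseditgroup -o checkmember -m "$1" com.apple.access_smb >/dev/null 2>&1
}

smb_auth_verdict "$SAMPLE_AUTH_MECH"   # prints ntlmv2-enabled-with-legacy
```

Run it on the server and replace SAMPLE_AUTH_MECH with the real dscl output (or pipe it in) to see which mechanisms the OD master actually offers.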
My response
I have no idea how to do a "full Kerberos setup" or how to "turn on the NTLM hashes". Shouldn't the Server app or the Sharing Settings app take care of this?
Apple response
This issue behaves as intended based on the following:
Probably because previously it was using LKDC (local Kerberos) to log in. When you promoted it to OD Master, the LKDC gets disabled and if you want Kerberos, you have to do the full Kerberos setup. If you are willing to use NTLMv2 for authentication, then you will need to turn on the NTLM hashes for that user account on your server.
Please update your bug report to let us know if this is still an issue for you.