MacOS – Access Lion SMB shares from Linux

macosserver.appsmbunix

I have this fantastic new Lion server that I've gotten all setup with my user accounts, files, etc. File sharing is up and running, everything. Except for one problem: the users running Linux (we use both Linux and OS X clients) cannot authenticate and access the SMB shares.
All of the users' accounts are setup as network accounts (i.e. in Open Directory not the local user database)

Interestingly enough, if the user account is setup as a local account (not Open Directory) the user can authenticate just fine. And we can't switch away from Open Directory because we use the LDAP authentication for some of our other tools.

Does anyone have any ideas on what to do to get this working? I've been pulling my hair out trying.

Best Answer

Samba no more, for Lion Server mount.cifs needs extra options, "nounix,sec=ntlmssp"

  [root@50centos ~]# 
  [root@50centos ~]# yum install samba-client samba-common cifs-utils
 ...
  [root@50centos ~]# mkdir /mnt/lion_smb
  [root@50centos ~]# mount -t cifs -o MikeCochran,trustno1,nounix,sec=ntlmssp //198.252.206.140/smb_share /mnt/lion_smb/

          =^..^=       `·.¸¸ ><((((º>.·´¯`·><((((º>   

MikeCochran@stack:~$ 
MikeCochran@stack:~$ sudo apt-get install cifs-utils
  ...
MikeCochran@stack:~$ mkdir /mnt/lion_smb
MikeCochran@stack:~$ mount.cifs //198.252.206.140/smb_share /mnt/lion_smb/ -o user=MikeCochran,password=trustno1,nounix,sec=ntlmssp
MikeCochran@stack:~$ 
MikeCochran@stack:~$ mkdir /mnt/lion_smb_dup
MikeCochran@stack:~$ mount -t cifs //198.252.206.140/smb_share /mnt/lion_smb-dup -o username=MikeCochran,password=trustno1,nounix,sec=ntlmssp

apologies for the delay!!

Related Solutions

MacOS – Some SMB shares unavailable from Mountain Lion

Solution: Join the Mountain Lion system to the Active Directory domain. User can still log in with their local user name, but when connecting to smb://servername, OSX will stop defaulting to .local for credentials. This is new to ML, and I think it is a bug, but this is the only solution that we have found.

MacOS – Authenticate Mac users by LDAP

Here are some settings that are working for now to provide a Default Kiosk Style Account logging in by ldap authentication.

Fileserver: MacBookPro Mac OS: El Capitan

This is based on Connecting 10.5 to Stanford's LDAP

With this setup, all ldap users will log in, but have the same home directory and system user id. It is only useful if one ldap user at a time will log in to the machine.

Create the default user home folder contents

Make a standard user from Apple -> System preferences -> Users & Groups

User: ldaptemplate
Pass: randomAnyP@ssKe1

Logout

Make a folder with a unique id as the owner, then copy all inside ldaptemplate to the new folder.

su -s 
mkdir /Users/ldap
rsync --quiet --recursive --links --perms --group --delete --extended-attributes /Users/ldaptemplate/ /Users/ldap
chown -R 900 /Users/ldap

Add the home directory reset script to the login hook

mkdir /Library/Management
nano /Library/Management/ldapcleanup.bash

Paste in the script below

#!/bin/bash
# /Library/Management/ldapcleanup.bash
# Copies the templates user home directory to the Kiosk user home dir
# When a Kiosk user logs in using LDAP authentication

templateDir="/Users/ldaptemplate/";
targetDir="/Users/ldap";
targetOwner=900;

# this script must be run as root, bail if it is not
if [ "$(whoami)" != "root" ]; then
echo "This script must be run as root!"
exit 0;
fi

# here we test to make sure both the directories we are using exist on this system
if [ ! -d $templateDir ] || [ ! -d $targetDir ]; then
echo "Either $templateDir or $targetDir did not exist!";
exit 0;
fi

# now we use rsync to make the target mirror the template
# note that we are not preserving owner
rsync --quiet --recursive --links --perms --group --delete --extended-attributes $templateDir $targetDir

# and then we make sure everything has the correct owner
chown -R $targetOwner $targetDir

exit 0;

Save the script and close the editor

control + x y return

Make the script run when a user logs in

 defaults write com.apple.loginwindow LoginHook /Library/Management/ldapcleanup.bash

Exit root user terminal mode

exit

Add your ldap.server.tld to the list in Directory Services

command + space -> Directory Utility -> enter

Click lock and authenticate to make changes

Choose LDAPv3 -> Edit -> New

    Server Name or IP Address: ldap2.server.tld
    √ Encrypt using SSL
    √ Use for authentication
    Continue

Select Server -> Click Edit

Set all the parts of each tab like below, so they match your ldap server requirements and information fields provided. Stuff here, worked on this particular job.

Connection Tab:

Configuration name: ldap2.server.tld
Server Name or IP Address: ldap2.server.tld
default timeouts
√ Encrypt using SSL
Default port is 636 (your server may need custom)

Search & Mappings Tab

This part makes or breaks the login. I needed only a minimal setting in the end. Basically the things on the left side of the boxes can map to LDAP properties on the right side. They may be information about the person or account stuff like network home folder and many other things.

Choose Custom, erase everything from left box then add following.

> People         (Search base: ou=People,dc=server,dc=edu)
    RecordName   Map to uid
> UserAuthenticationData (Search base: ou=People,dc=server,dc=edu)
    RecordName  Map to uid
> Users      Search base: ou=People,dc=server,dc=edu) 
             Map to inetOrgPerson
    AuthenticationAuthority  Map to uid
    EMailAddress             Map to mail
    FirstName                Map to givenName
    JobTitle                 Map to title
    LastName                 Map to sn
    NFSHomeDirectory         Map to #/Users/ldap
    OrganizationName         Map to serverEduStaffDepartment
                             (or some existing ldap field)
    PostalAddress            Map to postalAddress
    PrimaryGroupID           Map to #900 
    RealName                 Map to cn (users ldap full name)
    RecordName               Map to aid (users ldap id)
    UniqueID                 Map to #900
                            (Default owner of that folder we made)
    UserShell                #/bin/bash

Security tab:

This ldap server requires the group authorized account to search it. Without this account the login screen on the Mac showed a red dot, unable to connect to the network. This information is setup and provided by the LDAP admin team in this organization.
```
Access to Directory
  √ Use authentication when connecting 
  Distinguished Name: uid=someid,ou=SomeGroup,dc=server,dc=edu
  Password: somelongpasswordstringprovidedbyldapadmins

Click OK, OK
```

Choose Search Policy

Click + 
Add your new LDAP server to the list

Choose Directory Editor an try to use the LDAP search and login.

Select Users in node /LDAPv3/ldap.server.tld
    * Try searching for your id, If you can't find it something wrong
      with setup.
    * Click the lock to authenticate. If you can't something did not
      map right. Check that mac did not auto-correct 'uid'

Click lock to de-authenticate

Close Directory Utility

Allow network login from Users & Groups

This part is just telling mac to check the ldap directory for user accounts.

Click Apple -> System preferences -> Users & Groups

    Automatic Login: Off
    Display login window as Name and password
    Show fast user switching menu as Full Name
    Click the lock to make changes and authenticate
    √ Allow network users to log in at login window
    Click Edit near Network Account Server: 
    Click + and choose the ldap server created previously

After these changes, the MacBook was rebooted and I could log in as LDAP authenticated users. Log messages now show:

Sep  1 13:40:24 MacBook-Pro SecurityAgent[652]: User info context 
                values set for auser
Sep  1 13:40:44 MacBook-Pro KeyAccess[62]: opened session B8860100,
                auser (en_US)

After all the setup was done, the answer to the original question, "Have any advice to allow users to authenticate on this mac by LDAP to access share folders?" is to setup everything like above, then share the folder with the network user.

Add network logins to the shared resource

Click Apple -> System preferences -> Sharing
Choose File Sharing
Select the Shared Folder:
Click + in the Users box
Choose Network Users
Search for the ldap ID you want to add
Highlight the user
Click Select

After this, when the backup toy was launched, the network users authenticated and the script ran as well as it did when authenticated against the local user account.

Best Answer

Related Solutions

MacOS – Some SMB shares unavailable from Mountain Lion

MacOS – Authenticate Mac users by LDAP

Related Question