I've set up Samba so that it uses the same username and password as my Microsoft account, so on Windows authentication is automatic when opening shares. However, with the same configuration I can't connect from macOS 10.14, getting an authentication error.

I'm serving from Ubuntu 19.04 with samba `4.10.0+dfsg-0ubuntu2.4`.

- There's a regular linux account for each user, with the username set to `user@example.com`.
- The linux accounts have the shell set to `/usr/sbin/nologin`.
- The password is set to the same password as the Microsoft account.
- Samba accounts have also been added, with the same user name and password.

When I connect from Windows 10, I see it sends a domain of `MicrosoftAccount` and it works fine. It also works fine from Samba's `smbclient`.

From macOS, it doesn't matter if I send `MicrosoftAccount\user@example.com` or `user@example.com` as the user name, it always sends the domain as `example.com` and auth fails. I see the same behaviour in the Finder and with `smbview`.

I was able to work around this by adding `username map = /etc/samba/username_map` to `[global]` in `smb.conf`, with a line `user@example.com = user`.

Is there some config on the macOS side to make it respect the domain as specified? Or is this a standard config that most NAS and other units will use so they work with macOS?

Edit: Here's a log entry from a failed auth, trying as `microsoftaccount\user@example.com`. Of note is the first auth line showing `example.com`, and not `microsoftaccount`, as the domain:
```
[2019/10/06 00:22:54.879743, 3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[microsoftaccount\user] domain=[example.com] workstation=[MAC] len1=24 len2=184
```

The full log of the attempt:
```
[2019/10/06 00:22:54.740866, 3] ../../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.20.104 (192.168.20.104)
[2019/10/06 00:22:54.741239, 3] ../../source3/smbd/oplock.c:1422(init_oplocks)
init_oplocks: initializing messages.
[2019/10/06 00:22:54.741382, 3] ../../source3/smbd/process.c:1948(process_smb)
Transaction 0 of length 73 (0 toread)
[2019/10/06 00:22:54.741464, 3] ../../source3/smbd/process.c:1541(switch_message)
switch message SMBnegprot (pid 2332) conn 0x0
[2019/10/06 00:22:54.774931, 3] ../../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [NT LM 0.12]
[2019/10/06 00:22:54.775036, 3] ../../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [SMB 2.002]
[2019/10/06 00:22:54.775114, 3] ../../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [SMB 2.???]
[2019/10/06 00:22:54.775380, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2019/10/06 00:22:54.836522, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2019/10/06 00:22:54.836625, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2019/10/06 00:22:54.836700, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2019/10/06 00:22:54.836786, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'spnego' registered
[2019/10/06 00:22:54.836845, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'schannel' registered
[2019/10/06 00:22:54.837231, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2019/10/06 00:22:54.837334, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2019/10/06 00:22:54.837408, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp' registered
[2019/10/06 00:22:54.837486, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/10/06 00:22:54.837566, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_basic' registered
[2019/10/06 00:22:54.837639, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_ntlm' registered
[2019/10/06 00:22:54.837751, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_negotiate' registered
[2019/10/06 00:22:54.837827, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'krb5' registered
[2019/10/06 00:22:54.841888, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'fake_gssapi_krb5' registered
[2019/10/06 00:22:54.842332, 3] ../../source3/smbd/negprot.c:771(reply_negprot)
Selected protocol SMB 2.???
[2019/10/06 00:22:54.844972, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2019/10/06 00:22:54.874939, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2019/10/06 00:22:54.879743, 3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[microsoftaccount\user] domain=[example.com] workstation=[MAC] len1=24 len2=184
[2019/10/06 00:22:54.879870, 3] ../../source3/param/loadparm.c:3872(lp_load_ex)
lp_load_ex: refreshing parameters
[2019/10/06 00:22:54.880055, 3] ../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2019/10/06 00:22:54.880219, 3] ../../source3/param/loadparm.c:2786(lp_do_section)
Processing section "[global]"
[2019/10/06 00:22:54.880649, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[printers]"
[2019/10/06 00:22:54.880859, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[print$]"
[2019/10/06 00:22:54.881558, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[photos]"
[2019/10/06 00:22:54.881761, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
adding IPC service
[2019/10/06 00:22:54.882109, 3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [example.com]\[microsoftaccount\user]@[MAC] with the new password interface
[2019/10/06 00:22:54.882189, 3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [example.com]\[microsoftaccount\user]@[MAC]
[2019/10/06 00:22:54.882352, 3] ../../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'microsoftaccount\user' in passdb.
[2019/10/06 00:22:54.889113, 2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [microsoftaccount\user] -> [microsoftaccount\user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/10/06 00:22:54.889240, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [example.com]\[microsoftaccount\\user] at [Sun, 06 Oct 2019 00:22:54.889207 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MAC] remote host [ipv4:192.168.20.104:51103] mapped to [example.com]\[microsoftaccount\\user]. local host [ipv4:192.168.20.177:445]
{"timestamp": "2019-10-06T00:22:54.889398+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "example.com", "clientAccount": "microsoftaccount\\user", "workstation": "MAC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "microsoftaccount\\user", "mappedDomain": "example.com", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 14644}}
[2019/10/06 00:22:54.889565, 3] ../../source3/auth/auth_util.c:2192(do_map_to_guest_server_info)
No such user microsoftaccount\user [example.com] - using guest account
[2019/10/06 00:22:54.903462, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2019/10/06 00:22:54.907333, 3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[microsoftaccount\user] domain=[SAMBA] workstation=[MAC] len1=24 len2=184
[2019/10/06 00:22:54.907430, 3] ../../source3/param/loadparm.c:3872(lp_load_ex)
lp_load_ex: refreshing parameters
[2019/10/06 00:22:54.907519, 3] ../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2019/10/06 00:22:54.907650, 3] ../../source3/param/loadparm.c:2786(lp_do_section)
Processing section "[global]"
[2019/10/06 00:22:54.907903, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[printers]"
[2019/10/06 00:22:54.907995, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[print$]"
[2019/10/06 00:22:54.917347, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[photos]"
[2019/10/06 00:22:54.917663, 3] ../../source3/param/loadparm.c:1621(lp_add_ipc)
adding IPC service
[2019/10/06 00:22:54.917730, 3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [SAMBA]\[microsoftaccount\user]@[MAC] with the new password interface
[2019/10/06 00:22:54.917852, 3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [SAMBA]\[microsoftaccount\user]@[MAC]
[2019/10/06 00:22:54.918003, 3] ../../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'microsoftaccount\user' in passdb.
[2019/10/06 00:22:54.918070, 2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [microsoftaccount\user] -> [microsoftaccount\user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/10/06 00:22:54.918190, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [SAMBA]\[microsoftaccount\\user] at [Sun, 06 Oct 2019 00:22:54.918167 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MAC] remote host [ipv4:192.168.20.104:51103] mapped to [SAMBA]\[microsoftaccount\\user]. local host [ipv4:192.168.20.177:445]
{"timestamp": "2019-10-06T00:22:54.918332+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "SAMBA", "clientAccount": "microsoftaccount\\user", "workstation": "MAC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "microsoftaccount\\user", "mappedDomain": "SAMBA", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 15008}}
[2019/10/06 00:22:54.918523, 3] ../../source3/auth/auth_util.c:2192(do_map_to_guest_server_info)
No such user microsoftaccount\user [SAMBA] - using guest account
[2019/10/06 00:22:54.931366, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2019/10/06 00:22:54.935125, 3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[user] domain=[example.com@\samba.lan] workstation=[MAC] len1=24 len2=184
[2019/10/06 00:22:54.935213, 3] ../../source3/param/loadparm.c:3872(lp_load_ex)
lp_load_ex: refreshing parameters
[2019/10/06 00:22:54.935573, 3] ../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2019/10/06 00:22:54.935798, 3] ../../source3/param/loadparm.c:2786(lp_do_section)
Processing section "[global]"
[2019/10/06 00:22:54.936127, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[printers]"
[2019/10/06 00:22:54.936260, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[print$]"
[2019/10/06 00:22:54.936359, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[photos]"
[2019/10/06 00:22:54.937227, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
[2019/10/06 00:22:54.937520, 3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [example.com@\samba.lan]\[user]@[MAC] with the new password interface
[2019/10/06 00:22:54.937590, 3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [example.com@\samba.lan]\[user]@[MAC]
[2019/10/06 00:22:54.937705, 3] ../../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'user' in passdb.
[2019/10/06 00:22:54.937775, 2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [user] -> [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/10/06 00:22:54.937878, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [example.com@\\samba.lan]\[user] at [Sun, 06 Oct 2019 00:22:54.937855 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MAC] remote host [ipv4:192.168.20.104:51103] mapped to [example.com@\\samba.lan]\[user]. local host [ipv4:192.168.20.177:445]
{"timestamp": "2019-10-06T00:22:54.937988+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "example.com@\\samba.lan", "clientAccount": "user", "workstation": "MAC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "user", "mappedDomain": "example.com@\\samba.lan", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 6752}}
[2019/10/06 00:22:54.938073, 3] ../../source3/auth/auth_util.c:2192(do_map_to_guest_server_info)
No such user user [example.com@\samba.lan] - using guest account
```
And here's my smb.conf:

```ini
[global]
log level = 3
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
# Mapping users for macOS clients
# username map = /etc/samba/username_map
# Netatalk support
vfs objects = catia fruit streams_xattr
fruit:encoding = native
fruit:resource = file
fruit:metadata = netatalk
fruit:locking = netatalk
fruit:copyfile = yes
ea support = Yes
hide files = /.DS_Store/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/Temporary Items/.TemporaryItems/.VolumeIcon.icns/Icon?/.FBCIndex/.FBCLockFolder/

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

[photos]
comment = photos
browseable = yes
valid users = user@example.com
force user = media
writeable = yes
path = /main/photos
create mask = 0774
directory mask = 0775
inherit permissions = yes
```
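The quickest way to confirm what a client is actually sending is to read the JSON `"Authentication"` records that Samba emits at `log level = 3` (the `{"timestamp": ..., "type": "Authentication", ...}` lines in the log above) rather than eyeballing the surrounding debug output. The script below is an added example, not part of the question or of Samba itself: it parses those records, reports the domain and account the client sent, what Samba mapped them to, and the NT status, and tallies failures per client domain, which makes the `example.com` versus `MicrosoftAccount` mismatch visible at a glance. The embedded sample log is constructed from the question's three failing records (netlogon fields dropped) plus one invented successful record standing in for the Windows client.

```python
"""Summarise Samba JSON authentication audit records (added example)."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: three failing records taken from the question's log
# (netlogon fields dropped), plus one invented NT_STATUS_OK record that
# represents a Windows 10 client sending the MicrosoftAccount domain.
SAMPLE_LOG = r"""
[2019/10/06 00:22:54.889240, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [example.com]\[microsoftaccount\\user] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
{"timestamp": "2019-10-06T00:22:54.889398+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "clientDomain": "example.com", "clientAccount": "microsoftaccount\\user", "workstation": "MAC", "mappedAccount": "microsoftaccount\\user", "mappedDomain": "example.com", "passwordType": "NTLMv2", "duration": 14644}}
{"timestamp": "2019-10-06T00:22:54.918332+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "clientDomain": "SAMBA", "clientAccount": "microsoftaccount\\user", "workstation": "MAC", "mappedAccount": "microsoftaccount\\user", "mappedDomain": "SAMBA", "passwordType": "NTLMv2", "duration": 15008}}
{"timestamp": "2019-10-06T00:22:54.937988+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "clientDomain": "example.com@\\samba.lan", "clientAccount": "user", "workstation": "MAC", "mappedAccount": "user", "mappedDomain": "example.com@\\samba.lan", "passwordType": "NTLMv2", "duration": 6752}}
{"timestamp": "2019-10-06T00:30:00.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.50:49700", "serviceDescription": "SMB2", "clientDomain": "MicrosoftAccount", "clientAccount": "user@example.com", "workstation": "WINPC", "mappedAccount": "user@example.com", "mappedDomain": "MicrosoftAccount", "passwordType": "NTLMv2", "duration": 9000}}
"""


@dataclass(frozen=True)
class AuthEvent:
    """The fields of one Samba Authentication record that matter here."""
    timestamp: str
    client_domain: str     # domain as sent by the client (NTLMSSP AUTHENTICATE)
    client_account: str    # account name as sent by the client
    mapped_domain: str     # what Samba resolved the domain to (after username map)
    mapped_account: str
    status: str            # NT_STATUS_* result
    password_type: str     # e.g. NTLMv2
    workstation: str
    remote_address: str

    @property
    def succeeded(self) -> bool:
        return self.status == "NT_STATUS_OK"


def parse_auth_events(lines: Iterable[str]) -> List[AuthEvent]:
    """Extract Authentication records from Samba log lines.

    Debug headers, human-readable "Auth:" lines and JSON records of other
    types (e.g. "Authorization") are skipped; null fields become "".
    """
    events: List[AuthEvent] = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("{"):
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line or non-JSON text starting with '{'
        if record.get("type") != "Authentication":
            continue
        body = record["Authentication"]
        events.append(AuthEvent(
            timestamp=record.get("timestamp", ""),
            client_domain=body.get("clientDomain") or "",
            client_account=body.get("clientAccount") or "",
            mapped_domain=body.get("mappedDomain") or "",
            mapped_account=body.get("mappedAccount") or "",
            status=body.get("status") or "",
            password_type=body.get("passwordType") or "",
            workstation=body.get("workstation") or "",
            remote_address=body.get("remoteAddress") or "",
        ))
    return events


def failures_by_client_domain(events: Iterable[AuthEvent]) -> Counter:
    """Count failed logons keyed by (clientDomain, NT status)."""
    return Counter((e.client_domain, e.status) for e in events if not e.succeeded)


def summarize(events: Iterable[AuthEvent]) -> List[str]:
    """One line per event: verdict, sender, client-sent and mapped identity, status."""
    rows = []
    for e in events:
        verdict = "OK  " if e.succeeded else "FAIL"
        rows.append(
            f"{verdict} {e.timestamp} {e.remote_address:<28} {e.workstation:<6} "
            f"sent={e.client_domain}\\{e.client_account} "
            f"mapped={e.mapped_domain}\\{e.mapped_account} "
            f"{e.password_type} {e.status}"
        )
    return rows


if __name__ == "__main__":
    parsed = parse_auth_events(SAMPLE_LOG.splitlines())
    for row in summarize(parsed):
        print(row)
    print()
    for (domain, status), n in sorted(failures_by_client_domain(parsed).items()):
        print(f"{n:>3} failure(s) with clientDomain={domain!r} status={status}")
```

Run it against a real file with `parse_auth_events(open("/var/log/samba/log.smbd"))` instead of the sample. The `sent=` column is the client's own claim, so for the macOS attempts it shows `example.com\microsoftaccount\user`, while a healthy Windows logon shows `MicrosoftAccount\user@example.com`; comparing the two columns across clients is exactly the check that justified the `username map` workaround.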
Best Answer
You don’t have to do anything on macOS other than open the Finder and connect using Command-K (Connect to Server).

When the dialog pops up, put in your UPN or domain\user.name@this.that and enter the correct password and optionally save to the keychain.

Anything you do to edit /etc files will complicate things, so I would roll those back. If you want to lightly bind the user account to a directory, you can look at things like Apple Enterprise Connect or NoMAD or Jamf Connect. Binding the Mac to AD causes a lot of pain, so most pros avoid that now and use a different tool if you can’t just use the out-of-the-box setup with Keychain.

My only guess at this point is you somehow need to federate the directory services on Linux to ADFS / Microsoft online to get that pairing to work. This Synology-related article calls this transparent SMB authentication, but I'm not sure if that's the correct term to search. The other question says it's using Winbind.