MacOS – Why mac smb connect fails with login from cli but works from finder and with guest account

macos, network, smb

So I have one Mac (Yosemite) sharing a folder read-only for many users, and the guest account is enabled to mount/access that folder so users may download whatever. I am connecting to the share as the manager with another Mac (Sierra). It works when I run as the guest user from the command line:

mount_smbfs //guest@macbook-pro.local/Files /tmp/files
ls /tmp/files
fileA    fileB

or if I connect from Finder as the guest:

click MacBook-Pro -> Connect As -> Guest -> Connect
double click Files
ls /Volumes/Files
fileA    fileB

Now there is one admin user account on the Mac (Yosemite). I want to mount/access that folder with read-write privileges, but all attempts to mount the folder with a login fail if I require the username from the command line.

mount_smbfs //admin@macbook-pro.local/Files /tmp/files
Password for MacBook-pro.local:
mount_smbfs: server rejected the connection: Authentication error

However, if I connect with Finder:

click MacBook-Pro -> Connect As -> Registered User
Username: admin
Password: password
 -> Connect
double click Files
ls /Volumes/Files
fileA    fileB

In every case of a successful connection, I can see in the server share section of System Properties that clicking File Sharing: On -> Options… reveals:

Share files and folders using SMB
  Number of users connected: 1

Can you guess why the connection is rejected when I try to connect by smb with the command line using the account that requires authentication?

Edit

Yes, AFP connect works in every case including the cli with an account requiring a password. For example:

mount_afp -i afp://admin@macbook-pro.local/Files /tmp/files
Password: 
ls /tmp/files
fileA    fileB

For the sake of testing I also tried to lower the SMB authentication rules just in case, but there was no effect, even when sending the password in plaintext. As such:

sudo nano /etc/nsmb.conf
   [default]
   minauth=none
^c+X
mount_smbfs smb://admin:password@macbook-pro.local/Files /tmp/files
mount_smbfs: server rejected the connection: Authentication error

EDIT2

Here are some log files in case anyone can get any information from them about this problem. (Sorry to post the logs offsite, but there was too much text in the successful logs.)

First, Client log of connecting to MacBook-Pro.local via SMB through Finder using flow like so:

Click MacBook-Pro
Connect As: Registered User
Name: admin
Password: password
Connect

Produces log output like this in the console:

http://paste.ubuntu.com/23308183/

Now the list of all shared folders is available to the admin, of course. So clicking the Files folder produces more log output like so:

http://paste.ubuntu.com/23308186/

Files folder mounts and can be read/write by admin user

For comparison, here is a log from Console when trying to connect to the resource using pure command line tool mount_smbfs:

default 09:43:21.257429 -0400   gamed   GKClientProxy: clientForBundleID:
default 09:43:21.257543 -0400   gamed   GKClientProxy: updateIfRecentlyInstalled
default 09:43:21.258623 -0400   gamed   GKClientProxy: clientForBundleID:
default 09:43:21.258751 -0400   gamed   GKClientProxy: updateIfRecentlyInstalled
default 09:43:21.277114 -0400   opendirectoryd  Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
default 09:43:21.277194 -0400   opendirectoryd  <private> completed, delivered 1 result
default 09:43:22.025420 -0400   mount_smbfs subsystem: com.apple.SystemConfiguration, category: SCPreferences, enable_level: 0, persist_level: 0, default_ttl: 0, info_ttl: 0, debug_ttl: 0, generate_symptoms: 0, enable_oversize: 0, privacy_setting: 2, enable_private_data: 0
default 09:43:22.030767 -0400   mount_smbfs subsystem: com.apple.network, category: , enable_level: 0, persist_level: 0, default_ttl: 0, info_ttl: 0, debug_ttl: 0, generate_symptoms: 0, enable_oversize: 0, privacy_setting: 2, enable_private_data: 0
default 09:43:22.069146 -0400   opendirectoryd  Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
default 09:43:22.069231 -0400   opendirectoryd  <private> completed, delivered 1 result
default 09:43:22.069385 -0400   opendirectoryd  Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
default 09:43:22.069479 -0400   opendirectoryd  <private> completed, delivered 1 result
default 09:43:22.072139 -0400   opendirectoryd  Client: <private>, UID: 502, EUID: 502, GID: 20, EGID: 20
default 09:43:22.072212 -0400   opendirectoryd  <private> completed, delivered 1 result
error   09:43:22.146661 -0400   kernel  loginwindow is not entitled
error   09:43:22.146708 -0400   kernel  loginwindow is not entitled
error   09:43:22.146799 -0400   kernel  UserEventAgent is not entitled
error   09:43:22.146882 -0400   kernel  UserEventAgent is not entitled
default 09:43:22.886004 -0400   AppleIDAuthAgent    SERVER Doing account check for "a...n@???????.???". (scheduledAccountCheckDispatcher()/AppleIDAuthd.cpp #545) accountCheckDispatch
default 09:43:22.886074 -0400   AppleIDAuthAgent    Checking account <private>
default 09:43:22.887673 -0400   AppleIDAuthAgent    _AppleIDAuthAccountForAppleID falling back to account aliases

error   09:43:22.891028 -0400   AppleIDAuthAgent    ### Request GS token for '<private>' start failed: -101
default 09:43:22.891078 -0400   AppleIDAuthAgent    ### Authenticate '<private>' failed: <private>
default 09:43:22.891158 -0400   AppleIDAuthAgent    SERVER Didn't succeed with .authenticate, and error is ERROR:"CSIdentityErrorDomain" #-101 kCSIdentityAppleIDInvalidAccountOrPasswordErr {  } so releasing session. (___Z31__AppleIDSessionDoCreateSessionPK10__CFStringS1_PK14__CFDictionaryPS1_PS4_PP9__CFError_block_invoke()/AppleIDXMLServerCommunications.cpp #902) queue.session.
default 09:43:22.891399 -0400   AppleIDAuthAgent    Next time for '<private>': 2016-10-11 13:43:22 +0000 (497886202.891342 + 0.000000), 0.000000 seconds
default 09:43:22.891514 -0400   AppleIDAuthAgent    Next time for '<private>': 2016-10-11 13:43:22 +0000 (497886202.891467 + 0.000000), 0.000000 seconds
default 09:43:22.891560 -0400   AppleIDAuthAgent    Next action time for <private>: <private> (because the account does not have a certificate nor an uploaded csr)
default 09:43:25.393805 -0400   CommCenter  #watchdog #I Callback Watchdog: checkin 119
default 09:43:25.394014 -0400   CommCenter  #watchdog #I Server Watchdog: checkin 119
default 09:43:28.212369 -0400   opendirectoryd  Client: <private>, UID: 502, EUID: 502, GID: 20, EGID: 20
default 09:43:28.212476 -0400   opendirectoryd  <private> failed with error '<private>' (2)
default 09:43:29.061659 -0400   kernel  SmartBattery: finished polling type 4
default 09:43:29.847392 -0400   gamed   GKClientProxy: clientForBundleID:
default 09:43:29.847446 -0400   gamed   GKClientProxy: updateIfRecentlyInstalled
default 09:43:29.847970 -0400   gamed   GKClientProxy: clientForBundleID:
default 09:43:29.847992 -0400   gamed   GKClientProxy: updateIfRecentlyInstalled
default 09:43:29.879093 -0400   opendirectoryd  Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
default 09:43:29.879183 -0400   opendirectoryd  <private> completed, delivered 1 result

WORKAROUND

I found this AppleScript snippet works from the command line.

osascript -e 'tell application "Finder" to mount volume "smb://admin:password@macbook-pro.local/Files"'

It will launch a confirmation window with the password field filled in. However, it requires putting the password in clear text. Obviously, it can also be done without the password, typing it every time.

osascript -e 'tell application "Finder" to mount volume "smb://admin@macbook-pro.local/Files"'

So I tried saving the password. After ticking the box to save the login to the keychain, the same command succeeds without having the password in cleartext, but still presents the confirmation window with the Password box filled in and the "Remember password" box also ticked.

Having the password saved still did not apply to the mount_smbfs connection. The attempt to mount failed.

Perhaps this osascript idea is a workaround, but it does not answer the question of why samba connects via Finder but not while using the CLI.
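Added example, not part of the original post: a small Python parser for Console lines in the format quoted above. It pairs each opendirectoryd `Client:` line with the result line that follows it and reports which client UID had a request that failed. Pairing by adjacency is an assumption, and the sample is a constructed subset of the lines in the question.

```python
import re

# Constructed sample: a subset of the Console lines from the failed mount_smbfs
# attempt quoted in the question (timestamps and messages copied from it).
SAMPLE = """\
default 09:43:21.257429 -0400   gamed   GKClientProxy: clientForBundleID:
default 09:43:22.069385 -0400   opendirectoryd  Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
default 09:43:22.069479 -0400   opendirectoryd  <private> completed, delivered 1 result
default 09:43:22.072139 -0400   opendirectoryd  Client: <private>, UID: 502, EUID: 502, GID: 20, EGID: 20
default 09:43:22.072212 -0400   opendirectoryd  <private> completed, delivered 1 result
error   09:43:22.146661 -0400   kernel  loginwindow is not entitled
default 09:43:28.212369 -0400   opendirectoryd  Client: <private>, UID: 502, EUID: 502, GID: 20, EGID: 20
default 09:43:28.212476 -0400   opendirectoryd  <private> failed with error '<private>' (2)
"""

LINE = re.compile(r"^(\w+)\s+(\d\d:\d\d:\d\d\.\d+)\s+[+-]\d{4}\s+(\S+)\s+(.*)$")
CLIENT = re.compile(r"^Client: .*?\bUID: (\d+), EUID: (\d+)")
FAILED = re.compile(r"failed with error .*\((\d+)\)\s*$")

def parse(text):
    """Yield (level, time, process, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()

def opendirectory_requests(text):
    """Pair each opendirectoryd 'Client:' line with the next opendirectoryd line."""
    # Assumption: the line right after a 'Client:' line is that request's result.
    pending, out = None, []
    for _level, time, proc, msg in parse(text):
        if proc != "opendirectoryd":
            continue  # skip gamed, kernel and other processes in the capture
        c = CLIENT.match(msg)
        if c:
            pending = {"time": time, "uid": int(c.group(1)), "euid": int(c.group(2))}
        elif pending is not None:
            f = FAILED.search(msg)
            out.append({**pending, "ok": f is None, "error": int(f.group(1)) if f else None})
            pending = None
    return out

def failures(text):
    """Return only the requests whose result line reported a failure."""
    return [r for r in opendirectory_requests(text) if not r["ok"]]

if __name__ == "__main__":
    for r in failures(SAMPLE):
        print(r)
```

Run over the capture in the question, this isolates the 09:43:28 request from UID 502, the only opendirectoryd request there that did not complete.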
