Windows File Sharing for Local Network Directory accounts in macOS Mojave
I'm struggling with how directory services and local Mac accounts interact. I'm hoping to not have to specifically assign the 'Windows File Sharing' option to each user individually or Network Directory group access.
Is it possible to share files to Windows clients who have a Local Network Directory (Open Directory) account in macOS Mojave?
Solution 1:
Think of macOS like a unix server. It runs its own directory service and unless / until you bind it to another directory (like LDAP or NIS or AD) - you get any local account / password only when a SMB share tries to authenticate. It typically allocates user id number 501 to the first user so when a lot of Macs share files, the file server will see all the initial Mac accounts as the "same 501 account".
If you're OK setting up one Mac server - then I would go with Server.app to set up your small number of accounts but this gets unwieldy after a dozen to a few hundred accounts and you'll want to set the Mac to join an external domain. Then you could have people sign in to the shares using that scheme to issue unique ID numbers and accounts to each person to keep things straight.
For the Mac running LDAP/OpenDirectory there are several posts here that apply:
- Authenticate Mac users by LDAP
So - to address the two main points:
- You don't need to do anything specific to allow SMB sharing permissions - if the account exists on the Mac due to being a local account or part of a directory it subscribes to - shares that allow all users will just work when a correct user/pass is presented from windows SMB clients (or any SMB client for that matter)
- You can have multiple directories of accounts - the Mac will order them in most preferred to last checked - as long as one user is found in one directory - that user can potentially log in.
Start small with this - you can set up two or three users and test easily. Once you figure out if you want server app or just normal sharing (you might not need server.app) you can find the log files that log errors and quickly suss out when there's a problem in most cases.
Solution 2:
It is indeed possible to enable Windows File Sharing for a network directory account. You'll need to do the following:
- Run
sudo pwpolicy -u <shortname> -sethashtypes SMB-NT on
in a Terminal; authenticate for sudo.
- Have the user you just modified in step 1 set their password. This does not mean they have to change it; if you run
passwd <shortname>
they can enter the same password in both the Old Password and New Password prompts. This is enough to get the Mac to re-hash the password for the SMB-NT type required for Windows file sharing.
Unfortunately, there does not seem to be a way for the admin to do this for someone, without the admin needing to reset their password to something else. Hope this helps!
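An audit helper for the two steps in this answer, added here as an example and not part of the answer above. It assumes that `pwpolicy -u <user> -gethashtypes` lists the hash types stored for an account and that `-n <node>` selects the directory node; the account names in the comments are constructed.

```shell
#!/bin/sh
# Report which accounts already carry an SMB-NT hash and, with --enable,
# turn it on where missing. Assumed: `pwpolicy -gethashtypes` prints the
# stored hash types (one per line or space separated) and `-n` picks the
# directory node, e.g. /LDAPv3/127.0.0.1 on an Open Directory master.

# Return 0 when the text in $1 lists SMB-NT as a hash type.
smbnt_enabled_in() {
    printf '%s\n' "$1" | grep -qE '(^|[^A-Za-z0-9_-])SMB-NT([^A-Za-z0-9_-]|$)'
}

# Hash types for account $1; $2 is an optional directory node.
hash_types_for() {
    if [ -n "${2:-}" ]; then
        pwpolicy -n "$2" -u "$1" -gethashtypes 2>/dev/null
    else
        pwpolicy -u "$1" -gethashtypes 2>/dev/null
    fi
}

# Run the answer's pwpolicy command for account $1 on optional node $2.
enable_smbnt() {
    if [ -n "${2:-}" ]; then
        sudo pwpolicy -n "$2" -u "$1" -sethashtypes SMB-NT on
    else
        sudo pwpolicy -u "$1" -sethashtypes SMB-NT on
    fi
}

# Usage: audit_smbnt [--enable] <node-or-empty> user...
# Enabling the hash type alone is not enough: as the answer notes, the
# user must then reset their password so the SMB-NT hash is generated.
audit_smbnt() {
    enable="$1"; node="$2"; shift 2
    for user in "$@"; do
        if smbnt_enabled_in "$(hash_types_for "$user" "$node")"; then
            echo "$user: SMB-NT hash present"
        elif [ "$enable" = "--enable" ]; then
            enable_smbnt "$user" "$node" \
                && echo "$user: SMB-NT enabled; user must now run passwd to re-hash"
        else
            echo "$user: SMB-NT hash MISSING"
        fi
    done
}
```

Run it as `audit_smbnt "" /LDAPv3/127.0.0.1 alice bob` to report only, or with `--enable` as the first argument to apply the fix; it needs to run on the machine that hosts the directory node.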