My primary requirement is to use a macOS Monterey machine as a server (without running macOS Server, which is deprecated) to host SMB shares while using Active Directory as my network accounts source (an Ubuntu server running Samba4 AD DC), and have other macOS machines' users logging in using the Kerberos SSO Extension (in other words, without having to enter credentials for the shares). Seemed simple enough 🙂
For the server, I initially explored the built-in smb setup in Monterey (ie: enabling “File Sharing”) with the machine bound (authenticated bind) to the AD DC, but when trying to log in via SMB from the client machines (click on the server on the left of a Finder window), “Network Users” can't see shares created by a local admin user (though the Kerberos SSO Extension handled passing the SSO credentials flawlessly). If I logged into the macOS Monterey server machine with an Active Directory account, it created a local home folder and then I could auto-log-in with the Kerberos SSO Extension for that same user as expected from a client machine (but could only see the home folder for that network user as a share – still couldn't see the ones that the local admin account created). Searched for a long time, tried a number of solutions, but gave up on that option.
Figured I'd try installing samba from samba.org so I did a brew install samba on the Monterey server machine. I set it up similar to another SMB file server I have running on Ubuntu (eg: security = ads, configured realm = AD.DOMAIN.COM, etc.) but I seem to be unable to get it to talk to the AD DC server to validate user accounts. I get a lot of “NT_STATUS_NO_LOGON_SERVERS” in the debug log along with “winbindd not running” (which of course doesn't seem to be available for macOS these days unless I've missed it). So – samba.org's implementation doesn't seem to pick up the methods Apple has used to get the Kerberos authentication and domain binding working despite having done that AD authenticated bind on the server machine and seeing correct output from sudo ktutil list (even when configuring the smb.conf to include password server = dc.ad.domain.com), and I don't seem to be able to work out what those underlying parts are without spending significantly more time here. (did find that homebrew's formula code for samba compiled it by default using --without-ads, which was problem #7 or #8 I stumbled upon – which told me that the formula trimmed samba down to the basics to get it to compile on a mac).
I've spent quite a bit of time searching for others who may have documented this same setup (host SMB shares on a mac using AD as the source for network accounts and the Kerberos SSO Extension as the macOS client's authentication method (though I'd settle for simply entering a username/password and saving that to the keychain)) to no avail. Searching for macos and samba brings up a lot of stuff all the way back to 2004 (making it harder to sift through, as some of the older items are no longer relevant).
Rather than troubleshooting my setup, config files, etc. (which might take a while), I'm wondering if anyone can point me to a documented setup like this that they've seen that someone has managed to get working? I've almost exhausted the ways in which I can search for this setup. (I realize this looks like an ask to do my searching for me, but I'm really just looking to see if someone already has this running and can share a few tricks they used to get it going that I may not have run across yet – if my pain sounds familiar).
Failing that, maybe I'll start a new post with a lot of detail on my two approaches here (including what I've already tried over the past few weeks) to see if I've missed something. I know – trying to get a mac to host a robust samba file server is probably not the best idea (but I'll cling to that requirement for a while longer before I elect to go with another option).