Tuesday, November 5, 2024

smb – samba.org install on Monterey serving files with Active Directory binding


My main requirement is to use a macOS Monterey machine as a server (without running macOS Server, which is deprecated) to host SMB shares while using Active Directory as my network accounts source (an Ubuntu server running Samba4 AD DC), and have other macOS machines' users logging in using the Kerberos SSO Extension (in other words, without having to enter credentials for the shares). Seemed simple enough 🙂

For the server, I initially explored the built-in smb setup in Monterey (ie: enabling “File Sharing”) with the machine bound (authenticated bind) to the AD DC, but when trying to log in via SMB from the client machines (click on the server on the left of a Finder window), “Network Users” can’t see shares created by a local admin user (even though the Kerberos SSO Extension handled passing the SSO credentials flawlessly). If I logged into the macOS Monterey server machine with an Active Directory account, it created a local home folder and then I could auto-log-in with the Kerberos SSO Extension for that same user as expected from a client machine (but could only see the home folder for that network user as a share – still couldn’t see those that the local admin account created). Searched for a long time, tried various suggestions, but gave up on that option.

Figured I’d try installing samba from samba.org so I did a brew install samba on the Monterey server machine. I set it up similar to another SMB file server I have running on Ubuntu (eg: security = ads, configured realm = AD.DOMAIN.COM, etc.) but I seem to be unable to get it to talk to the AD DC server to validate user accounts. I get lots of “NT_STATUS_NO_LOGON_SERVERS” in the debug log along with “winbindd not running” (which of course, doesn’t appear to be available for macOS these days unless I’ve missed it). So – samba.org’s implementation doesn’t seem to pick up the methods Apple has used to get the Kerberos authentication and domain binding working despite having done that AD authenticated bind on the server machine and seeing proper output from sudo ktutil list (even when configuring the smb.conf to include password server - dc.ad.domain.com), and I don’t seem to be able to figure out what those underlying components are without spending significantly more time here. (did find that homebrew’s formula code for samba compiled it by default using --without-ads, which was problem #7 or #8 I stumbled upon – which told me that the formula trimmed samba down to the basics to get it to compile on a mac).

I’ve spent quite a bit of time searching for others who may have documented this same setup (host SMB shares on a mac using AD as the source for network accounts and Kerberos SSO Extension as the macOS client’s authentication method (though I’d settle for simply entering a username/password and saving that to the keychain)) to no avail. Searching for macos and samba brings up lots of stuff all the way back to 2004 (making it harder to sift through, as some of the older items are no longer relevant).

Question:

Rather than troubleshooting my setup, config files, etc. (which could take a while), I’m wondering if anyone can point me to a documented setup like this that they’ve seen that someone has managed to get working? I’ve nearly exhausted the ways in which I can search for this setup. (I realize this looks like an ask to do my searching for me, but I’m really just looking to see if someone already has this running and can share a few tips they used to get it going that I may not have run across yet – if my pain sounds familiar).

Failing that, perhaps I’ll start a new post with lots of detail on my two approaches here (including what I’ve already tried over the past few weeks) to see if I’ve missed something. I know – trying to get a mac to host a robust samba file server is probably not the best idea (but I’ll cling to that requirement for a while longer before I elect to go with another option).

Thanks in advance!
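
The mismatch the post runs into, a configuration asking for security = ads on a build compiled with --without-ads, can be checked before any log reading. The script below is an added example, not part of the original post: it compares a saved `smbd -b` build listing with smb.conf. Its function names, file paths and sample listings are constructed, and it assumes the listing names ADS and winbind support as WITH_ADS and WITH_WINBIND.

```shell
#!/bin/sh
# Added example: does this smbd build support what smb.conf asks for?
# Real use (paths are assumptions): smbd -b > build.txt; check_ads build.txt /path/to/smb.conf

# Print the last value of a "key = value" parameter. Samba ignores case and
# spaces in parameter names. Simplification: sections are not tracked.
conf_value() {  # $1 = smb.conf path, $2 = parameter (lower case, no spaces)
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); print val
            }
        }' "$1" | tail -n 1
}

# True if the saved `smbd -b` listing contains the given build marker.
has_build_flag() { grep -qw -- "$2" "$1"; }

# Exit status 0 when the build can serve the configured security mode.
check_ads() {  # $1 = saved `smbd -b` output, $2 = smb.conf path
    sec=$(conf_value "$2" security | tr 'A-Z' 'a-z')
    realm=$(conf_value "$2" realm)
    if [ "$sec" != "ads" ]; then
        echo "security = ${sec:-unset}: AD member mode not requested"; return 0
    fi
    rc=0
    [ -n "$realm" ] || { echo "FAIL: security = ads but realm is not set"; rc=1; }
    has_build_flag "$1" WITH_ADS || { echo "FAIL: build lacks WITH_ADS"; rc=1; }
    has_build_flag "$1" WITH_WINBIND || { echo "FAIL: build lacks WITH_WINBIND"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: build supports security = ads (realm $realm)"
    return "$rc"
}

# Constructed samples: a trimmed build listing, a full one, and a minimal
# smb.conf using the post's placeholder realm.
SAMPLES=$(mktemp -d)
printf '%s\n' '--with Options:' '   WITH_PAM' '   WITH_SYSLOG' > "$SAMPLES/build_noads.txt"
printf '%s\n' '--with Options:' '   WITH_ADS' '   WITH_PAM' '   WITH_WINBIND' > "$SAMPLES/build_ads.txt"
printf '%s\n' '[global]' '   security = ads' '   realm = AD.DOMAIN.COM' > "$SAMPLES/smb.conf"

check_ads "$SAMPLES/build_noads.txt" "$SAMPLES/smb.conf" || true
check_ads "$SAMPLES/build_ads.txt" "$SAMPLES/smb.conf"
```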
