Is It Possible to Mount SMB Share Using Kerberos Token of Current User on MacOS
-
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
Yes, that is normally what you have to do. Since SMB doesn't use keys, you need to use passwords. SMB is not designed around non-user mapping so has some odd security problems here.
But I can do as shown here
Simply an example (not my server info)
https://support.apple.com/library/content/dam/edam/applecare/images/en_US/osx/yos_connect_to_server.png
and not have to pass separate credentials. The credentials are automatically pulled in using the domain user's information.
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
Yes, that is normally what you have to do. Since SMB doesn't use keys, you need to use passwords. SMB is not designed around non-user mapping so has some odd security problems here.
But I can do as shown here
Simply an example (not my server info)
https://support.apple.com/library/content/dam/edam/applecare/images/en_US/osx/yos_connect_to_server.png
and not have to pass separate credentials. The credentials are automatically pulled in using the domain user's information.
That's because you joined the domain and are using a Kerberos key. You want to do something VERY different on your server since you don't want an end user logged in passing their personal credentials along like you do on the Mac desktop.
-
-
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
-
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
Yes, that is normally what you have to do. Since SMB doesn't use keys, you need to use passwords. SMB is not designed around non-user mapping so has some odd security problems here.
But I can do as shown here
Simply an example (not my server info)
https://support.apple.com/library/content/dam/edam/applecare/images/en_US/osx/yos_connect_to_server.png
and not have to pass separate credentials. The credentials are automatically pulled in using the domain user's information.
That's because you joined the domain and are using a Kerberos key. You want to do something VERY different on your server since you don't want an end user logged in passing their personal credentials along like you do on the Mac desktop.
So what would be the recommended approach? I'm attempting to standardize our system setup for our Mac user here, and as it is, we currently have to log in as the user and create the individual connections like above.
Which is time-consuming to say the least, and incredibly annoying if we have to change anything.
-
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
This I'm not following, the goal is to create a central point that I can simply drag to an individual user's desktop on any given Mac, and have them connect to my Windows file server.
Since this is a shared resource (organizationally) they would presumably be able to see the files saved on this SMB server.
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
This I'm not following, the goal is to create a central point that I can simply drag to an individual user's desktop on any given Mac, and have them connect to my Windows file server.
Since this is a shared resource (organizationally) they would presumably be able to see the files saved on this SMB server.
That should work. Once they log in to the Mac and it's domain joined, it should use the Kerberos token to authenticate.
-
@dbeato this won't work as it would require us (IT dept) knowing people's passwords.
-
@coliver said in Is it possible to mount smb share using login credentials of current user.:
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
This I'm not following, the goal is to create a central point that I can simply drag to an individual user's desktop on any given Mac, and have them connect to my Windows file server.
Since this is a shared resource (organizationally) they would presumably be able to see the files saved on this SMB server.
That should work. Once they log in to the Mac and it's domain joined, it should use the Kerberos token to authenticate.
How would I pass the Kerberos credentials into the mapping? Nothing I'm seeing appears to address it.
-
The goal here is to use the domain user credentials, regardless of who it is and what system they log on to.
I want to be able to simply add this as a part of our image and just hand it out. Once the user logs into the system for the first time (and afterwards) IT would simply drag a "shortcut" to the task tray.
Rather than requiring the user to run "Command+K" and browsing the share as shown in the above example.
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@coliver said in Is it possible to mount smb share using login credentials of current user.:
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
This I'm not following, the goal is to create a central point that I can simply drag to an individual user's desktop on any given Mac, and have them connect to my Windows file server.
Since this is a shared resource (organizationally) they would presumably be able to see the files saved on this SMB server.
That should work. Once they log in to the Mac and it's domain joined, it should use the Kerberos token to authenticate.
How would I pass the Kerberos credentials into the mapping? Nothing I'm seeing appears to address it.
Are you domain joined?
-
@scottalanmiller yup.
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
This I'm not following, the goal is to create a central point that I can simply drag to an individual user's desktop on any given Mac, and have them connect to my Windows file server.
Since this is a shared resource (organizationally) they would presumably be able to see the files saved on this SMB server.
Are they on Kerberos and have access to that share? Does the same thing work on Windows?
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller yup.
Okay, so this is a Mac? This isn't a question that can be asked generically. This depends on the SMB protocol server being used. Is this Mac, Samba, Windows, etc. That makes a difference. What is needed or will work for UNIX that isn't Mac doesn't apply to Mac because Mac doesn't use Samba and all other UNIX does.
-
The thing that you are trying to do, I think, is something that even Windows can't do. Or else I'm not understanding the goal. Can you explain it in a Windows context then we can translate to Mac or Samba?
-
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
If you do that mapping on the Mac, and then log in as another user, hopefully they can't see the files from the first user. If they can, that's even worse.
This I'm not following, the goal is to create a central point that I can simply drag to an individual user's desktop on any given Mac, and have them connect to my Windows file server.
Since this is a shared resource (organizationally) they would presumably be able to see the files saved on this SMB server.
Are they on Kerberos and have access to that share? Does the same thing work on Windows?
On Windows I haven't investigated, but we simply create a shortcut for the user, and their domain credentials allow them access to the share.
We support Kerberos yes. I could open the share using Apple's "Connect to server" without having to type in additional credentials.
-
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller yup.
Okay, so this is a Mac? This isn't a question that can be asked generically. This depends on the SMB protocol server being used. Is this Mac, Samba, Windows, etc. That makes a difference. What is needed or will work for UNIX that isn't Mac doesn't apply to Mac because Mac doesn't use Samba and all other UNIX does.
(tags buddy tags) although I should've put this bit into the OP.
-
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
The thing that you are trying to do, I think, is something that even Windows can't do. Or else I'm not understanding the goal. Can you explain it in a Windows context then we can translate to Mac or Samba?
Windows World:
Create shortcut on desktop: Server1
Shortcut details
Target: \\server.domain.com
Immediately opens the available shares on the server without having to pass additional credentials.
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
The thing that you are trying to do, I think, is something that even Windows can't do. Or else I'm not understanding the goal. Can you explain it in a Windows context then we can translate to Mac or Samba?
Windows World:
Create shortcut on desktop: Server1
Immediately opens the available shares on the server without having to pass additional credentials.
Okay, so in theory all we need is a link to the URI and we'd like that sitting on the Mac desktop so they just click on that?
-
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller said in Is it possible to mount smb share using login credentials of current user.:
@dustinb3403 said in Is it possible to mount smb share using login credentials of current user.:
@scottalanmiller yup.
Okay, so this is a Mac? This isn't a question that can be asked generically. This depends on the SMB protocol server being used. Is this Mac, Samba, Windows, etc. That makes a difference. What is needed or will work for UNIX that isn't Mac doesn't apply to Mac because Mac doesn't use Samba and all other UNIX does.
(tags buddy tags) although I should've put this bit into the OP.
The tags and OP say UNIX, and not MacOS, which while MacOS is UNIX for sure, it's also totally separate from all other UNIX in this case. So solving for the 99% would leave you without an answer here