Can't access SMB shares while Open Directory is enabled

Number: rdar://46204370
Date Originated: 21-Nov-2018 10:46 PM
Status: Duplicate/45410001/Open
Resolved:
Product: macOS + SDK
Product Version: 10.14.1
Classification: Serious Bug
Reproducible: Always
I've configured an OD master on a Mojave server. Now I can't access any shares on that machine via SMB (from a 10.13.6 client). Access via AFP still works but since SMB is required for Time Machine server, I can't backup to Mojave server.

Steps to Reproduce:
Please see here:

Expected Results:

Actual Results:
Apple response

Engineering has determined that your bug report is a duplicate of another issue and will be closed.

My response

Thanks. Turns out that the SMB-ACL group didn't include the affected users or their group. Adding them to this group solved the issue. It would be convenient if this would be an exposed setting and not be required to fiddle with system groups.

Apple response

Engineering has requested the following information regarding your bug report:

Kerberos is enabled by default. You may need to auth bind to the ODM. However, we don't know if the authentication is failing for local users, or for OD users.

Regarding NTLM: To view the authentication methods available in Open Directory: dscl /LDAPv3/ -read /config/dirserv apple-enabled-auth-mech

To allow clients to authenticate to the ODM using NTLMv2: dscl -u diradmin -p /LDAPv3/ -append /Config/dirserv apple-enabled-auth-mech SMB-NTLMv2

Other possible problems are SACLs or ACLs.

My response

I have no idea how to do a "full Kerberos setup" or how to "turn on the NTLM hashes". Shouldn't the Server app or the Sharing Settings app take care of this?

Apple response

This issue behaves as intended based on the following:

Probably because previously it was using LKDC (local Kerberos) to log in. When you promoted it to OD Master, the LKDC gets disabled and if you want Kerberos, you have to do the full Kerberos setup. If you are willing to use NTLMv2 for authentication, then you will need to turn on the NTLM hashes for that user account on your server.

Please update your bug report to let us know if this is still an issue for you.
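Worked example, added here and not part of the bug report or of Apple's replies: a small POSIX shell script that takes the output of the two checks discussed in the thread (the dscl read of apple-enabled-auth-mech from Apple's earlier reply, and the membership of the SMB service ACL group that the reporter found was missing the affected users) and prints the exact commands that would fix each gap. The sample dscl outputs are constructed so the script runs offline; on a real OD master you would substitute the live output of the quoted commands. The group name com.apple.access_smb (assumed to be the "SMB-ACL group" the reporter refers to), the user name alice and the directory administrator name diradmin are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): decide, from dscl output, whether an
# Open Directory master still lacks SMB-NTLMv2 and whether a user is covered by
# the SMB service ACL group, then print the commands that would close each gap.
# Sample outputs are constructed; group name com.apple.access_smb and the
# user/admin names are assumptions for illustration.

# Constructed stand-in for the output of:
#   dscl /LDAPv3/ -read /Config/dirserv apple-enabled-auth-mech
SAMPLE_AUTH_MECH='apple-enabled-auth-mech: KerberosV5 DIGEST-MD5 CRAM-MD5 SMB-NT SMB-LAN-MANAGER'

# Constructed stand-in for the output of:
#   dscl . -read /Groups/com.apple.access_smb GroupMembership
SAMPLE_SMB_SACL='GroupMembership: admin backupsvc'

# has_auth_mech OUTPUT MECH -> exit 0 if MECH is listed, 1 otherwise.
# Values are matched as whole fixed-string tokens, so "SMB-NT" is not
# mistaken for "SMB-NTLMv2".
has_auth_mech() {
  printf '%s\n' "$1" | sed 's/^apple-enabled-auth-mech:[[:space:]]*//' \
    | tr ' ' '\n' | grep -qxF -- "$2"
}

# in_sacl OUTPUT USER -> exit 0 if USER is a direct member, 1 otherwise.
# Nested group membership is not resolved here; on a live system
# "dseditgroup -o checkmember -m USER com.apple.access_smb" does that.
in_sacl() {
  printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//' \
    | tr ' ' '\n' | grep -qxF -- "$2"
}

# remediation AUTH_OUTPUT SACL_OUTPUT USER DIRADMIN -> prints one command per
# problem found, nothing when both checks already pass.
remediation() {
  auth="$1"; sacl="$2"; user="$3"; diradmin="$4"
  if ! has_auth_mech "$auth" SMB-NTLMv2; then
    # The append command quoted by Apple engineering in the thread.
    echo "dscl -u $diradmin -p /LDAPv3/ -append /Config/dirserv apple-enabled-auth-mech SMB-NTLMv2"
  fi
  if ! in_sacl "$sacl" "$user"; then
    # Add the user directly to the SMB service ACL group.
    echo "dseditgroup -o edit -a $user -t user com.apple.access_smb"
  fi
}

# Stand-alone run against the constructed samples: prints both commands,
# because the sample server lacks SMB-NTLMv2 and alice is not in the SACL.
remediation "$SAMPLE_AUTH_MECH" "$SAMPLE_SMB_SACL" alice diradmin
```

The script only reports what to run; it does not execute the dscl or dseditgroup commands, so it is safe to try against captured output first. Note that, as Apple's final reply states, enabling the SMB-NTLMv2 mechanism on the directory is not sufficient on its own: the NTLM hash must also be turned on for each user account that should authenticate to SMB with NTLMv2.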

