If users can't edit or authenticate files on a macOS hosted SMB

You may need to confirm a user's server information, connections and directory details, or adjust access.

This article is intended for enterprise and education system administrators.

Verify server information

Make sure users have the correct username, password and hostname (or IP address) of the server.

Bind to the same directory as the server

If the macOS server is running Open Directory or is bound to the Open Directory or Active Directory, perform an authenticated bind to the same directory server. This will allow clients to use Kerberos and session signing. Authenticating using Kerberos also requires you to specify the server using DNS.

Turn on NTLMv2 on Open Directory

If you're in Open Directory and clients can't be bound to the Open Directory master, NTLMv2 may need to be turned on.

  1. Determine which authentication mechanisms are turned on for the Open Directory master using the following Terminal command: 
    dscl /LDAPv3/ -read /config/dirserv apple-enabled-auth-mech
  2. Enter the directory administrator's password. You can reset the Open Directory administrator's password as needed.
  3. Stop and restart Open Directory in the Server.app.

If SMB-NTLMv2 is not listed in the results, you can add it manually by using the following Terminal command:

dscl -u diradmin -p /LDAPv3/ -append /Config/dirserv apple-enabled-auth-mech SMB-NTLMv2

Make sure users can access the SMB server

  1. Run the following Terminal command on the SMB server to see if access is restricted to specific users:
    dscl . read /Groups/com.apple.access_smb
  2. Determine the user's GUID:
    dscl /Search read /Users/<username> GeneratedUID
  3. Add the user to the SMB service access control list (SACL): 
    sudo dscl /Local/Default append Groups/com.apple.access_smb GroupMembership <username>
    sudo dscl /Local/Default append Groups/com.apple.access_smb GroupMembers <guid>

If you want to remove the SACL, use the following Terminal command:

sudo dscl /Local/Default delete /Groups/com.apple.access_smb

Confirm share access

Check to ensure users have access to at least one share in the sharing preferences, either by group or as an individual user. 

Check the read/write ACLs

If users can't write to shares they have access to, temporarily turn off guest access on the share. This will ensure they're not connecting as guests. Guest access is under the advanced file sharing options.

If users can add new files but not edit files made by other users, you may need to create a group level access control list (ACL). To add the ACL, use the following command line and substitute the group name and path to the share point with their actual values:

sudo chmod -R +a "group:YourGroupName allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Volumes/volumename/path/to/share
Published Date: