If you can mount a file server using AFP but not SMB

SMB 3 security requirements might prevent you from mounting a share point using SMB.

Check your connection settings

SMB 3 is the default connection method in OS X Yosemite. SMB 3 requires the connection to perform a "Validate Negotiate" request after authenticating. As a result, all SMB 3 sessions must be signed unless the connection is made as a guest or anonymously.

If your file server is an Open Directory client and is anonymously bound to an LDAP server, use one of the following methods to connect:

  1. Use authenticated binding when you connect to the LDAP server.
  2. Change the role of the file server to an Open Directory replica. This also sets up Kerberos on your server.
  3. Configure your SMB server or client to only use SMB 2.

Additional information about SMB

Session signing in SMB 3 requires that a bound computer is able to access the md4 (password) of every user in the directory server. As a result, client connections are only granted to "trusted" computers. These are computers that are authentication bound (authbound) using directory administrator (diradmin) credentials.

Example: Your server is myserver.example.com and myserver is anonymous bound to some other LDAP server. A client using OS X Yosemite tries to mount a share on myserver by authenticating with a user from the server myserver is bound to. In Yosemite, this fails to connect because of the session signing requirement.

In cases where your server can't be authbound by diradmin to the directory server that contains the accounts you want your users to authenticate with, you can modify the SMB server settings, the client settings, or both to only allow less secure SMB 2 connections.

Setting your client to use SMB 2

You can tell your client computers using OS X Yosemite to only connect using SMB 2.

Use a text editor or the Terminal to change the value of the smb_neg setting (SMB negotiation) in the nsmb.conf file located in the /etc directory. Choose one of these values: smb_neg=normal, smb2_only, smb3_only.

Using a value of normal (the default when the value isn't specified) tells the client to negotiate with the server for the highest dialect supported by the client and the server. 

For example, an nsmb.conf that is configured to only use SMB 2 looks like this:

[default]
smb_neg=smb2_only
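
The following check is an added example, not part of the original article: shell functions that read the smb_neg value from the [default] section of an nsmb.conf-style file and flag a client that has been pinned to SMB 2. The function names are hypothetical, only the [default] section is read, and treating the last assignment as the effective one is an assumption.

```sh
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Print the smb_neg value set in [default]; print "normal" when the key is
# unset or the file is missing (the article gives "normal" as the default).
smb_neg_value() {
    conf=${1:-/etc/nsmb.conf}
    [ -r "$conf" ] || { echo normal; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        /^[ \t]*\[/ {                       # section header, e.g. [default]
            s = $0
            sub(/^[ \t]*\[/, "", s)
            sub(/\].*$/, "", s)
            sec = tolower(s)
            next
        }
        sec == "default" {
            line = $0
            gsub(/[ \t]/, "", line)         # tolerate spaces around "="
            if (index(line, "smb_neg=") == 1)
                val = substr(line, 9)       # assumption: last assignment wins
        }
        END { print (val == "" ? "normal" : val) }
    ' "$conf"
}

# Exit status: 0 when SMB 3 can still be negotiated, 1 when the client is
# pinned to SMB 2, 2 for a value the article does not list.
smb_neg_check() {
    v=$(smb_neg_value "$1")
    case $v in
        normal|smb3_only)
            echo "ok: smb_neg=$v"
            return 0 ;;
        smb2_only)
            echo "downgraded: smb_neg=$v (client will not negotiate SMB 3)"
            return 1 ;;
        *)
            echo "unknown: smb_neg=$v"
            return 2 ;;
    esac
}
```

Source the file and run smb_neg_check /etc/nsmb.conf; the exit status makes it usable from a configuration-audit script.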

Setting your server to deny SMB 3 connections

If needed, you can also set your server to only accept SMB 2 connections. Server Dialect is controlled by a bit-field in server preferences. The keyword for this bit-field is ProtocolVersionMap. Only three bits are currently used:

Value   Meaning
2       Support SMB 2
4       Support SMB 3

Combine bits to support multiple dialects. 

For example, to allow SMB 2 only, set ProtocolVersionMap to “2”:

sudo scutil --prefs com.apple.smb.server.plist
get /
d.add ProtocolVersionMap # 2
set /
commit
apply
quit

Learn more

For additional help, see the nsmb.conf man page.
