If you can use AFP but not SMB to mount a file server

SMB 3 security requirements might not let you use SMB to mount a share point.

Check your connection settings

Server Message Block (SMB) 3 is the default way to connect to a server in macOS. It requires the connection to perform a validate negotiate request after it authenticates. All SMB 3 sessions must be signed unless you connect as a guest or anonymously.

You might have a macOS file server that's an Open Directory client and is anonymously bound to a Lightweight Directory Access Protocol (LDAP) server. If so, use one of these methods to connect:

  • When you connect to the LDAP server, use authenticated binding.
  • Change the role of the file server to an Open Directory replica. This also sets up kerberos on your server.
  • Disable validate negotiate requests on your client.
  • Set up your SMB server or client to use only SMB 2.

Learn about session signing

Session signing in SMB 3 requires a bound computer to access the md4 (password) of every user in the directory server. As a result, SMB 3 grants client connections only to "trusted" computers. These are computers that use directory administrator (diradmin) credentials to be authentication-bound (authbound).

Sometimes diradmin can’t authbind your server to the directory server that contains the accounts that you want your users to authenticate with. In this case, you can either disable the client's requests to validate negotiate, or adjust the server to accept only less secure SMB 2 connections. To do this, modify the SMB Server settings, the client's settings, or both.

Disable validate negotiate requests on your client

If you disable validate negotiate, you will increase susceptibility to man-in-the-middle attacks. You should disable validate negotiate requests only if both client and server are on a secured network.

To set the value of the validate_neg_off setting in the nsmb.conf file in the /etc directory, use a text editor or Terminal. For more client side SMB configuration options, see the man page for nsmb.conf.

Here's what an nsmb.conf file that you've configured to disable validate negotiate requests looks like:

[default]
validate_neg_off=yes

Set your macOS server to deny SMB 3 connections

Validate negotiate requests are an SMB 3 feature that clients initiate. To prevent clients from making these requests, you can set your macOS server to accept only SMB 2 connections. A bit-field in server preferences controls Server Dialect. The keyword for this bit-field is ProtocolVersionMap. It uses only three bits:

Value Meaning
1 Support SMB 1
2 Support SMB 2 
4 Support SMB 3

To support multiple dialects, combine bits.

This example sets ProtocolVersionMap to allow SMB 2. To do this, it sets the ProtocolVersionMap to "2":

sudo scutil --prefs com.apple.smb.server.plist

get /

d.add ProtocolVersionMap # 2

set /

commit

apply

quit

Published Date: