File Sharing Issue on Domain

rawweb

Original poster
Hi, hoping for some insight on how to potentially resolve an issue.

I work for a corporation and head up a small video/media production team. The rest of the company is primarily Windows and as such we're bound via AD on their network.

I have a small group of Macs which are all connected via optical Thunderbolt 2 cables via Thunderbolt bridge to a machine that is 'file sharing' a local DAS RAID (https://www.bhphotovideo.com/c/product/1384883-REG/lacie_stgm24000400_8big_24tb_rack_thunderbolt.html/?ap=y&ap=y&smp=y&smp=y&lsft=BI:514&gclid=CjwKCAiAyeTxBRBvEiwAuM8dnRhvtsoXaHqvQF5yPUMPkdWb5uqaDFExvb8aS_T6gNkxTnf87PUNGxoCPOkQAvD_BwE). Unfortunately, 'file sharing' appears to be going out over the very slow 10/100 corporate domain; I can see this in the network preferences. If I disconnect the corporate ethernet cable, suddenly 'file sharing' changes to the local IP I've configured in the bridge and my local storage solution works great and fast. In addition to showing up as a flag on their security scans, other Macs on the network are connecting first via the slow domain, unless we manually connect to my file share first, then reconnect their corporate wifi or ethernet. The Thunderbolt bridge is prioritized in the network lists, but it doesn't have any effect on the file sharing settings. Any ideas on if this is something I can fix, or shall I try to reinvent my little private network?
 

rawweb

Original poster
> Would disabling ethernet/wifi on those Macs and doing this from yours be an option? https://support.apple.com/en-gb/guide/mac-help/mchlp1540/mac
>
> Someone else may come along with a proper fix, but this might be a band-aid solution.

I'm guessing what I want to do is something macOS just can't do. The current workaround is for the other user/Mac to stay disconnected from the corporate network on boot, then connect to my shared drive via Thunderbolt bridge. Next, after the share is connected, the user can enable wifi to get on the corporate network (internet). If done this way, the user is able to enjoy a super fast connection to my 8 drive SSD RAID (roughly 700-900MB/s over TB Bridge). If not done this way, the user appears to be connecting to the drive via the corporate domain and is stuck with R/W of around 90-100 MB/s.

What I would love is for this shared drive to not go out over the company network and stay on my local Thunderbolt network.

> Depends how old the Macs that are sharing are. You have to look at those machines to see if they have the 10/100/1000 ports on the network!

The Macs involved are: a 2019 Mac Pro, 3 2017 iMac Pros and, in a pinch, a 2010 Mac Pro via 10GbE. Again, wishing there was a way for file share to go over the Thunderbolt bridge instead of defaulting to the corp network.
 

satcomer

There is Over Thunderbolt 3: https://www.akitio.com/adapters/thunder3-10g-network-adapter
 

hobowankenobi

It would not be a simple config fix...but iSCSI would be a better road to move forward with, to utilize Gig+ ethernet to mount drives as though they are local.

I have run Macs attached to a dedicated iSCSI some years ago, with good throughput.

Just googling around, and I see this tool that seems to allow you to run your Mac as an iSCSI server. Which would be exactly what you would need, along with the iSCSI initiator for each Mac that connects to the server.

No experience with the Mac server tool (always used a dedicated iSCSI server); you would have to test extensively.

Check the videos in the links for a good overview of the setup.
 

rawweb

Original poster
Not really looking to abandon the Thunderbolt optical cables. I suppose another solution would be to buy a Mac mini and have it host the share without being connected to corp ethernet.
 

hobowankenobi

OK, reading through again, I think I have a better understanding, but can you clarify how the client Macs are connecting to the storage? I am unclear about the second network connection...that is interfering with the domain. You mention speeds that sound like a direct TB connection.

Is it Thunderbolt over IP (I would not expect the speeds you are getting)? If so, have you tried changing the service order?

Forget iSCSI. Faster than file sharing over TCP/IP....but will never get to TB speeds without a 10G network.

As for being bound to AD....you might consider using NoMAD to use your AD accounts but without being bound. It's free, fairly easy to set up, and has some nice features. Might be useful.
 

rawweb

Original poster
Apologies, it’s confusing! The Macs in my area are all interconnected via Thunderbolt IP bridge; I’m attempting to “file share” my drive to 4 other machines over Thunderbolt. The main purpose of this is an inexpensive video storage solution. As I work for a large corporation that hates Mac, we’re also connected to a Corp network bound to AD via Ethernet or wireless for internet, etc.

I’ve made the Thunderbolt bridge prioritized first in the network prefs on all of my Macs but it doesn’t have an impact. On my Mac Pro hosting the file share, I can clearly see in the file sharing system pref that it is sharing out my drive through the Corp network domain. Ex: other users can access this computer via smb://macpro.companydomain.net. If I disconnect my Corp Ethernet cable it will read a local generated IP, ex: “via smb://10.10.10.100”.

This share has shown up on a vulnerability scan of theirs and I’d love to find a way for this DAS to not be in their way on their network. Is there any way to force file sharing to not broadcast through the Corp domain when connected to the house Ethernet?

Thanks for trying to help give me some info; unfortunately no one on the corporate IT side is much help to me.
 

nicho

Can you get them to try connecting to smb://10.10.10.100 directly (CMD + K)?
 

hobowankenobi

It is a challenge...nothing to test with.

Yes, we those IT guys are a pain. ;)

I do wonder if NoMAD would be of use...so you are not bound. Might open up some possibilities on how the Macs communicate with the AD box, but again, I don't have a way to test.

You might also consider giving a manual/fixed IP (in the same 10.10.10 subnet) for the TB IP config on each Mac, so there is no DNS or DHCP in the config pane. Try one and see if it might prevent the domain controller from hijacking the TB traffic?

If the network admins were actually helpful, I expect they could set up a subnet or VLAN to solve this. It really is not a "Mac" thing....you just need specific traffic routed to specific NICs. Or, if they prefer, they could set up a nice 10G network, or SAN for you. :p
 

sevoneone

> other users can access this computer via smb://macpro.companydomain.net. If I disconnect my Corp Ethernet cable it will read a local generated IP ex: “via smb://10.10.10.100”

> If the network admins were actually helpful, I expect they could set up a subnet or VLAN to solve this. It really is not a "Mac" thing....you just need specific traffic routed to specific NICs.

If your Thunderbolt setup is not tied in with AD, then DNS is going to have no idea how to get to your server except over the ethernet connection. Even if you're using the network browser and mDNS/Bonjour to connect with the TB bridge prioritized, if the server is bound to the domain it is going to present itself as macpro.companydomain.net and thus direct traffic to the corporate IP address.

If you're authenticating to the server using AD, I'm guessing it is something in the authentication flow throwing the security flags if the IP you're connecting to doesn't match what AD expects for the resource you're authenticating to?

Here is a theory (I've never tried something like this in your exact scenario so YMMV): if you bridged the TB and Ethernet network interfaces on the server, that would allow corporate network data to pass over the TB connection and make your server basically a soft network switch. You could unplug the ethernet from your Mac workstations and they should connect to the network via Thunderbolt just as if they were plugged into ethernet. Their only physical path to your server would then be Thunderbolt and problem solved.

A likely problem with this might be some performance issues depending on how much your four workstations need to access data on the corporate network and internet. Your server's processor will have to handle the load of exchanging any data packets that need to cross the TB<->Ethernet bridge. If it is just 4 workstations, email and some web browsing, I think the impact would be pretty trivial depending on the CPU. Traffic to your video server would only be on the TB side and shouldn't be impacted.
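
The routing behaviour discussed in this thread, as an added example that is not code from any poster: it parses a constructed `netstat -rn`-style routing table and picks the egress interface by longest-prefix match, so the share's domain name leads to the corporate NIC while `10.10.10.100` stays on the bridge, and moving `default` to another interface (what service order affects) does not change that. The interface names `en0` and `bridge0`, the corporate addresses and the DNS entry are assumptions.

```python
import ipaddress

# Constructed sample in the style of `netstat -rn -f inet` on the Mac Pro with
# both links up. Interface names and corporate addresses are assumptions.
ROUTES = """\
Destination        Gateway            Flags        Netif Expire
default            10.20.0.1          UGScg          en0
10.10.10/24        link#14            UCS        bridge0      !
10.20/16           link#6             UCS            en0      !
"""

# Constructed DNS view: corporate DNS only knows the server's corporate address.
DNS = {"macpro.companydomain.net": "10.20.30.40"}


def parse_routes(text):
    """Return [(network, interface)] parsed from netstat-style route lines."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, netif = fields[0], fields[3]
        if dest == "default":
            dest = "0.0.0.0/0"
        else:
            addr, _, plen = dest.partition("/")
            octets = addr.split(".")
            # netstat drops trailing zero octets: 10.20/16 means 10.20.0.0/16
            plen = plen or 8 * len(octets)
            dest = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{plen}"
        routes.append((ipaddress.ip_network(dest), netif))
    return routes


def egress_interface(host, routes, dns=DNS):
    """Interface that carries traffic to host (a DNS name or an IP literal)."""
    ip = ipaddress.ip_address(dns.get(host, host))
    matches = [(net.prefixlen, netif) for net, netif in routes if ip in net]
    if not matches:
        raise LookupError(f"no route to {ip}")
    return max(matches)[1]                      # longest prefix wins


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for target in ("macpro.companydomain.net", "10.10.10.100"):
        print(f"smb://{target} -> {egress_interface(target, table)}")
```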
 