
Scrubelicious (macrumors newbie, original poster, Aug 23, 2008, USA)
I am having an issue with the Local Network Directory accounts accessing an Open Directory Replica over SMB file sharing.
When accessing the Master there is no issue for the accounts to access a shared folder over SMB.

But when accessing one of the Replicas they are not able to log in; if I set the settings to AFP, they are able to log in.
Not sure what is causing the issue. I also contacted Apple, but their feedback was that they do not support Catalina anymore.


I would appreciate any help, tip or direction.

Thanks
 
Interestingly, I just tested out random accounts and one account seems to have access over SMB but the others don't??
 
I tend to think it has to do with some older Macs, before Apple decided to make SMB the default at the request of many, many Active Directory bonds! Older Macs, so users might be using super old Macs on your domain!
 
Interestingly, I just tested out random accounts and one account seems to have access over SMB but the others don't??
It sounds like not all your users are in the SMB access group. Take a look at this document from Apple: https://support.apple.com/en-us/HT210659
If your users aren’t in the com.apple.access_smb group they’re not going to be able to connect over SMB.
 
Thank you guys for your feedback!

I tend to think it has to do with some older Macs, before Apple decided to make SMB the default at the request of many, many Active Directory bonds! Older Macs, so users might be using super old Macs on your domain!
All the clients and servers are running Catalina and have the current Server app.

It sounds like not all your users are in the SMB access group. Take a look at this document from Apple: https://support.apple.com/en-us/HT210659
If your users aren’t in the com.apple.access_smb group they’re not going to be able to connect over SMB.
I will check this out! I did add one user to the same group as the account that works, with no luck; the other users that are in the group also have no access. It seems only this one account works???

What I also noticed: when adding a group or user to the Sharing & Permissions list on the Replica, it shows "Fetching" instead of the name of the group.

Does this shed more light on the issue?
 
It sounds like not all your users are in the SMB access group. Take a look at this document from Apple: https://support.apple.com/en-us/HT210659
If your users aren’t in the com.apple.access_smb group they’re not going to be able to connect over SMB.
I tried the "Make sure that users can access the SMB server" section. When using the
Code:
dscl . read /Groups/com.apple.access_smb
command I get the following back:
Code:
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
 
I tried the "Make sure that users can access the SMB server" section. When using the
Code:
dscl . read /Groups/com.apple.access_smb
command I get the following back:
Code:
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
Maybe there's something wrong with your Open Directory server and replica. I fortunately no longer use OD so I don't have much to offer there, but that's where I'd start looking.
 
I don't mean to sound condescending, but have you checked the basics? I always found OD to be incredibly finicky. Can you do a forward and reverse nslookup for both the master and replica successfully? Is the time correct everywhere?
 
I don't mean to sound condescending, but have you checked the basics? I always found OD to be incredibly finicky. Can you do a forward and reverse nslookup for both the master and replica successfully? Is the time correct everywhere?
When I run the host command on both machines, they both resolve to their assigned IP addresses. Since you mentioned it: all servers are assigned a host name (computer_name.domain.com) which forwards to our external IP. Then our DNS is assigned to send each host name to its corresponding IP address. So I guess it looks like this:
computer_name.domain.com -> public_IP -> computer_IP

When we created the replica, it wouldn't work using the IP address, but it had no issues when using the host name (computer_name.domain.com). When I mentioned this to Apple they responded that this wouldn't cause the issues I am having, since the Open Directory servers are bound.

I do find it odd that I was able to log in over SMB with one account but not with the other, no matter if they are in the same user group or not.

For testing purposes I did a clean install (Catalina) on two machines and did the same process, creating an OD master and an OD Replica. The result is the same behaviour.

Is there a way to see if SMB is doing something or is damaged in Catalina?
 
So I just came across another issue. When a user is logged in over AFP (since SMB doesn't work) the folders they create are assigned to them, which means I have to assign all the group permissions manually. Does this help?
 
So I just came across another issue. When a user is logged in over AFP (since SMB doesn't work) the folders they create are assigned to them, which means I have to assign all the group permissions manually. Does this help?
This is (was) a fairly common problem for Mac OS file servers over the years. Folders don't seem to inherit the correct permissions. I remember this back to 10.5 at least...

If you want to see and manage permissions more easily—especially ACLs, which are invisible in the GUI yet take precedence over POSIX permissions—I suggest a good admin tool.

Server had a fairly good permissions manager pane up to about 10.13. Sadly, Apple killed it off. TinkerTool System is the only tool left I am aware of with all features needed in a good interface:
 
Having managed Mac File servers since System 9...I threw in the towel with Mac file servers. 10.12 was the last OS that I used or supported in production.

Switched to Synology, and it has been very good. I would not go back. While not perfect, Synology manages the same permissions better, easier, and more reliably. Tons of other benefits too. AFP and SMB work as expected. I strongly suggest anybody that is fighting file serving on Macs...stop fighting. Make the move.
 
I should also add, that while I have not used it (so I can't vouch for it), Synology has directory services too. Both OD and AD compatible services are available.

NoMAD + AD is pretty great...if you have or want to connect Macs to AD without having to bind.
 
The problem is that we have RAIDs here that are fully functional and are loaded with data. They just need a controller head unit. We would have to replace all the hardware, which I doubt they will do at this moment.

Anyway, back to the topic. I found what the issue was. It seems you are not able to log in with your username with a space between the first and last name. It only works over SMB when writing both names together.

:rolleyes:o_O
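As an added example (not code from the thread or from Apple's support document), here is a small POSIX shell script that checks the two things this thread ended up pointing at: whether each user record appears in the GroupMembership of com.apple.access_smb, and which user record names contain a space. The dscl output below is constructed so the script runs offline; on a real server you would feed the functions the actual output of `dscl . -read /Groups/com.apple.access_smb` and `dscl . -list /Users`. The user names and the group record contents are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports SMB-readiness of user
# records from dscl-style output. All sample data below is CONSTRUCTED.

# Constructed: what `dscl . -read /Groups/com.apple.access_smb` might print
SAMPLE_GROUP='AppleMetaNodeLocation: /Local/Default
GroupMembership: jdoe asmith
PrimaryGroupID: 398
RecordName: com.apple.access_smb
RecordType: dsRecTypeStandard:Groups'

# Constructed: what `dscl . -list /Users` might print, one record name per line
SAMPLE_USERS='asmith
bwong
jdoe
John Doe'

# is_smb_member USER GROUP_RECORD -> exit 0 if USER is listed in GroupMembership.
# dscl separates members with spaces, so a record name containing a space
# can never match here; that is exactly the case the thread ran into.
is_smb_member() {
    user=$1
    record=$2
    printf '%s\n' "$record" \
        | sed -n 's/^GroupMembership: *//p' \
        | tr ' ' '\n' \
        | grep -qx -- "$user"
}

# names_with_spaces USER_LIST -> print record names that contain a space
names_with_spaces() {
    printf '%s\n' "$1" | grep ' ' || true
}

# smb_readiness USER_LIST GROUP_RECORD -> one tab-separated line per user:
# the record name and a status describing why SMB login may fail for it
smb_readiness() {
    users=$1
    record=$2
    printf '%s\n' "$users" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        status="ok"
        if ! is_smb_member "$name" "$record"; then
            status="NOT in com.apple.access_smb"
        fi
        case $name in
            *' '*) status="$status; record name contains a space" ;;
        esac
        printf '%s\t%s\n' "$name" "$status"
    done
}

# Stand-alone run over the constructed data
smb_readiness "$SAMPLE_USERS" "$SAMPLE_GROUP"
```

On a real Catalina server the group record itself may be missing, as the eDSRecordNotFound error earlier in the thread shows; in that case the GroupMembership line is absent and every user is reported as not a member, which is the right signal to go back to the "Make sure that users can access the SMB server" steps.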
 