Getting Windows clients to connect to macOS servers is usually fairly straightforward, but there are a number of issues that can cause problems, and can be tricky to track down. For such scenarios, I’ve put together this list of things to try when you're troubleshooting this kind of situation.
First of all, just having the proper URL to connect to the server is important. So if your server is called “MY-SERVER” and has an IP address of 192.168.1.1, and your share is called “MyShare,” you can format the URL in either of the two following ways:
\\192.168.1.10\MyShare
\\MY-SERVER\MyShare
When you try this and your Windows clients can’t connect to the Mac server, here are a few things you can try:
1. Enable NTLM authentication on your macOS server:
Enable NTLM with:
sudo serveradmin settings smb:ntlm auth = "yes"
If you’re using a very old Windows client version, can also try adding Lanman support, as below:
sudo serveradmin settings smb:lanman auth = “yes”
And you can confirm that the change worked by running:
sudo serveradmin settings smb
2. Add server NetBIOS / workgroup name to authentication credentials:
Depending on the version of Windows you’re using on the client machine, you may need to include the server NetBIOS name (or workgroup name) before the username, separated by a backslash (“\”), as part of the login credentials.
So for username "dave" with NetBios name “MY-SERVER, the full "name" in the login window would look like:
MY-SERVER\dave
You can check the NetBios name of your server with the "serveradmin settings smb” command, and look for the "smb:NetBIOSName” parameter in the output.
3. Allow both NTLM v1 and v2 authentication on your macOS server:
The versions of the NTLM protocol that a Mac server will allow are specified in the following file:
com.apple.GSS.NTLM.plist
Which is located in "/Library/Preferences.”
However, this file doesn't exist by default in a new installation. So in order to enforce this authentication parameter, you need to create the file in that location, with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NTLMv1</key>
<true/>
<key>NTLMv2</key>
<true/>
</dict>
</plist>
Give the machine a reboot, and this will allow Mac OS Server to accept both NTLMv1 and NTLMv2 authentication.
4. Enable ACL support:
One other handy tip when you’re connecting Windows clients to a Mac server (this time related to authorization and not authentication) is to enable ACL support for the SMB service (as I mentioned earlier this year in this post), which can ameliorate all kinds of permissions issues that plague only Windows machines. You can do this as follows:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
Disabling ACL’s again (should you need to) can be done like so:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool NO
After doing either one, I’d suggest restarting the SMB service on your server, as follows:
sudo serveradmin stop smb
sudo serveradmin start smb
After running either of the above, you can re-issue the “sudo serveradmin settings smb” command to make sure the changes took.
First of all, just having the proper URL to connect to the server is important. So if your server is called “MY-SERVER” and has an IP address of 192.168.1.1, and your share is called “MyShare,” you can format the URL in either of the two following ways:
\\192.168.1.10\MyShare
\\MY-SERVER\MyShare
When you try this and your Windows clients can’t connect to the Mac server, here are a few things you can try:
1. Enable NTLM authentication on your macOS server:
Enable NTLM with:
sudo serveradmin settings smb:ntlm auth = "yes"
If you’re using a very old Windows client version, can also try adding Lanman support, as below:
sudo serveradmin settings smb:lanman auth = “yes”
And you can confirm that the change worked by running:
sudo serveradmin settings smb
2. Add server NetBIOS / workgroup name to authentication credentials:
Depending on the version of Windows you’re using on the client machine, you may need to include the server NetBIOS name (or workgroup name) before the username, separated by a backslash (“\”), as part of the login credentials.
So for username "dave" with NetBios name “MY-SERVER, the full "name" in the login window would look like:
MY-SERVER\dave
You can check the NetBios name of your server with the "serveradmin settings smb” command, and look for the "smb:NetBIOSName” parameter in the output.
3. Allow both NTLM v1 and v2 authentication on your macOS server:
The versions of the NTLM protocol that a Mac server will allow are specified in the following file:
com.apple.GSS.NTLM.plist
Which is located in "/Library/Preferences.”
However, this file doesn't exist by default in a new installation. So in order to enforce this authentication parameter, you need to create the file in that location, with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NTLMv1</key>
<true/>
<key>NTLMv2</key>
<true/>
</dict>
</plist>
Give the machine a reboot, and this will allow Mac OS Server to accept both NTLMv1 and NTLMv2 authentication.
4. Enable ACL support:
One other handy tip when you’re connecting Windows clients to a Mac server (this time related to authorization and not authentication) is to enable ACL support for the SMB service (as I mentioned earlier this year in this post), which can ameliorate all kinds of permissions issues that plague only Windows machines. You can do this as follows:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
Disabling ACL’s again (should you need to) can be done like so:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool NO
After doing either one, I’d suggest restarting the SMB service on your server, as follows:
sudo serveradmin stop smb
sudo serveradmin start smb
After running either of the above, you can re-issue the “sudo serveradmin settings smb” command to make sure the changes took.
RSS Feed