
Why can't I access File Sharing when Open Directory is enabled in macOS Mojave?

Here's the procedure I have followed:

  1. Install a fresh copy of macOS Mojave to an APFS volume
  2. Perform initial OS configuration and create 'admin' user at first launch. Assign a static IP from 192.168.168.0/24 private network. Use a DNS server located in private network. Ensure IP resolves to a FQDN ('test.mydomain.com') and vice versa.
  3. Download macOS Server application (5.7) from App Store
  4. Open macOS Server application
  5. Create a new Open Directory domain with default options
  6. Create a new user 'testuser' in the Local Network Directory
  7. Create a new group 'testgroup' in the Local Network Directory
  8. Assign newly created 'testuser' to 'testgroup'
  9. Open System Preferences application
  10. Open Sharing preferences
  11. Enable File Sharing
  12. Create a Shared Folder 'myshare' and assign 'testgroup' and 'admin' Read&Write access to it
  13. Select 'myshare' and click Options button to ensure SMB sharing is enabled for it
  14. Attempt to connect to the file server from a client computer within the same subnet via smb://test.mydomain.com/myshare or alternatively smb://192.168.168.X/myshare either using 'admin' or 'testuser' credentials

In the last step connection fails for both 'admin' and 'testuser' accounts. If I turn Open Directory to Off, I can connect with 'admin' user. Restarts in any phase of the procedure make no difference.

Why can't I access SMB when Open Directory is enabled?

Here are the opendirectoryd log entries from creating the OD master (step 5): https://pastebin.com/uQm8b8NM

Here are the opendirectoryd and smbd log entries from login attempt (step 14): https://pastebin.com/U2RS3LYC & https://pastebin.com/7bFNfd8V

Mac mini, macOS Mojave (10.14)

Posted on Oct 28, 2018 2:48 AM

Question marked as Best reply

Posted on Nov 28, 2018 7:23 PM

Hi all.


I posted the following answer on Ask Different to this same question there. Hopefully it'll help.


The issue is the ACLs are not set up in the local directory for SMB and AFP. These used to be created in the older Server apps that had File Sharing in them. I've written an AppleScript that takes care of all this. It creates the appropriate ACL groups in the directory (/Local/Default/Groups/com.apple.access_smb and com.apple.access_afp), then adds all the users to it. The script is below. I threw it together today trying to solve this very issue. Hopefully it will help others.


-- Script to sort out ACLs for file sharing

set savedDelimiters to AppleScript's text item delimiters

display alert "Setup File Sharing ACLs" message "This script will set up the appropriate ACLs in the local directory to allow users to connect to file sharing on a macOS 10.14 server with OpenDirectory.

WARNING: Changes will be made to your local directory. Administrator privileges are required (you will be prompted for a password).

USE AT YOUR OWN RISK!

Set for all users, or only a single user?" buttons {"Cancel", "All Users", "Single User"} default button "Single User" cancel button "Cancel"

if button returned of result = "All Users" then
	set progress description to "Loading User List..."
	-- Load all directory users from the server
	-- (identified by UserShell value of '/bin/bash'; most likely to be normal users)
	-- The delimiter is horrible, but it's the only way to do it
	set delimiter to tab & tab & "UserShell = (" & return & " \"/bin/bash\"" & return & ")"
	set AppleScript's text item delimiters to {delimiter & return, delimiter}
	set users to every text item of (do shell script "dscl /LDAPv3/127.0.0.1 search /Users UserShell \"/bin/bash\"")
else if button returned of result = "Single User" then
	repeat
		set username to the text returned of (display dialog "Enter Username:" default answer "" with icon note)
		if username is "" then
			display alert "Please enter username, or click cancel to end"
		else
			exit repeat
		end if
	end repeat
	-- Add blank element to end, as this happens with output from dscl above
	set users to {username, ""}
end if

-- Create the SMB & AFP ACL groups if necessary (this may be the first user)
createACLGroup("afp", 250)
createACLGroup("smb", 110)

-- Go through all the users now
set total to (length of users) - 1
set progress total steps to total
set progress description to "Adding Users to ACLs..."
set current to 0
repeat with idx from 1 to total
	-- Need to use indexed repeat because of issue with missing username in list from dscl
	set username to item idx of users
	try
		set progress completed steps to current
		set progress additional description to "User " & (current + 1) & " of " & total & " (" & username & ")"
		-- Now, check to see if the user is already in the file sharing lists
		set AppleScript's text item delimiters to {" "} -- Split words, not letters!
		set currList to every text item of (do shell script "dscl /Local/Default read Groups/com.apple.access_smb GroupMembership")
		if username is in currList then
			-- Already set up: skip (no duplicate append); only alert in single user mode,
			-- where the list is {username, ""} and so has length 2
			if length of users is 2 then display alert "Username already set up"
		else
			-- Go ahead and set it up
			-- Firstly, get the user's GeneratedUID from the LDAP directory
			set isError to false
			try
				set guid to second item of (every text item of (do shell script "dscl /LDAPv3/127.0.0.1 read Users/" & username & " GeneratedUID"))
			on error
				display alert "Error" message "User " & username & " is not a directory user"
				set isError to true
			end try
			if not isError then
				-- Add the user to the group
				addUserToACL("afp", username, guid)
				addUserToACL("smb", username, guid)
			end if
		end if
		set current to current + 1
	on error
		-- Likely an empty username from the delimiters tokenising the list from dscl
	end try
end repeat
set current to total
display alert "Process completed!"

set AppleScript's text item delimiters to savedDelimiters

on createACLGroup(acltype, groupid)
	try
		-- Check the group for this ACL type (afp or smb), not always the smb one
		do shell script "dscl /Local/Default read Groups/com.apple.access_" & acltype
	on error
		-- Doesn't exist, so we need to create it!
		do shell script "dscl /Local/Default create Groups/com.apple.access_" & acltype with administrator privileges
		do shell script "dscl /Local/Default create Groups/com.apple.access_" & acltype & " RealName \"" & changeCaseOfText(acltype, "upper") & " ACL\"" with administrator privileges
		do shell script "dscl /Local/Default create Groups/com.apple.access_" & acltype & " PrimaryGroupID " & groupid with administrator privileges
	end try
end createACLGroup

on addUserToACL(acltype, username, guid)
	-- Short name goes into GroupMembership, GeneratedUID into GroupMembers
	do shell script "dscl /Local/Default append Groups/com.apple.access_" & acltype & " GroupMembership " & username with administrator privileges
	do shell script "dscl /Local/Default append Groups/com.apple.access_" & acltype & " GroupMembers " & guid with administrator privileges
end addUserToACL

on changeCaseOfText(theText, theCaseToSwitchTo)
	if theCaseToSwitchTo contains "lower" then
		set theComparisonCharacters to "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		set theSourceCharacters to "abcdefghijklmnopqrstuvwxyz"
	else if theCaseToSwitchTo contains "upper" then
		set theComparisonCharacters to "abcdefghijklmnopqrstuvwxyz"
		set theSourceCharacters to "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	else
		return theText
	end if
	set theAlteredText to ""
	repeat with aCharacter in theText
		set theOffset to offset of aCharacter in theComparisonCharacters
		if theOffset is not 0 then
			set theAlteredText to (theAlteredText & character theOffset of theSourceCharacters) as string
		else
			set theAlteredText to (theAlteredText & aCharacter) as string
		end if
	end repeat
	return theAlteredText
end changeCaseOfText
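
The same repair as a plain dscl shell script, added here as an example and not part of the answer above or of Apple's tooling. It does what the AppleScript does for one user (create the com.apple.access_afp / com.apple.access_smb groups in /Local/Default if missing, then add the user by short name and by GeneratedUID) but checks current membership first so re-running it never appends a duplicate entry, and the two parsing helpers are separate functions so they can be exercised without a directory. Assumed: macOS with dscl on the path, the OD master at /LDAPv3/127.0.0.1 and the group IDs 250/110 as used in the thread, sudo for the writes, and the DSCL / OD_NODE variables, which are this script's own and not dscl options.

```shell
#!/bin/sh
# Added example (not the poster's AppleScript): put one Open Directory user into the
# com.apple.access_smb and com.apple.access_afp service ACL groups in /Local/Default,
# creating the groups if needed and skipping users that are already members.
# Assumes macOS with dscl, an OD master at /LDAPv3/127.0.0.1 (as in the thread) and
# an admin account for the sudo'd writes. DSCL and OD_NODE are this script's own
# variables so the parsing helpers can be run anywhere.
DSCL="${DSCL:-dscl}"
OD_NODE="${OD_NODE:-/LDAPv3/127.0.0.1}"

# Print the GUID from the output of `dscl <node> read Users/<u> GeneratedUID`,
# which looks like "GeneratedUID: 12345678-ABCD-...". Prints nothing if absent.
guid_from_dscl() {
    printf '%s\n' "$1" | awk '$1 == "GeneratedUID:" { print $2; exit }'
}

# Exit 0 if user $2 appears in the output $1 of
# `dscl /Local/Default read Groups/<g> GroupMembership`. dscl prints a short list
# on one line ("GroupMembership: admin testuser") and a long one as one indented
# value per line, so every whitespace-separated word except the key is checked.
member_in_output() {
    printf '%s\n' "$1" | awk -v u="$2" '
        { for (i = 1; i <= NF; i++) if ($i != "GroupMembership:" && $i == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Create Groups/com.apple.access_<$1> with PrimaryGroupID $2 unless it already exists.
ensure_group() {
    g="Groups/com.apple.access_$1"
    if "$DSCL" /Local/Default read "$g" >/dev/null 2>&1; then
        return 0
    fi
    sudo "$DSCL" /Local/Default create "$g"
    sudo "$DSCL" /Local/Default create "$g" RealName "$(printf '%s' "$1" | tr 'a-z' 'A-Z') ACL"
    sudo "$DSCL" /Local/Default create "$g" PrimaryGroupID "$2"
}

# Add user $2 to com.apple.access_<$1>: short name into GroupMembership and the
# GeneratedUID into GroupMembers, which is what ties the local group to an OD user.
ensure_member() {
    g="Groups/com.apple.access_$1"
    current=$("$DSCL" /Local/Default read "$g" GroupMembership 2>/dev/null || true)
    if member_in_output "$current" "$2"; then
        echo "$2 is already in com.apple.access_$1"
        return 0
    fi
    guid=$(guid_from_dscl "$("$DSCL" "$OD_NODE" read "Users/$2" GeneratedUID 2>/dev/null)")
    if [ -z "$guid" ]; then
        echo "no GeneratedUID for $2 in $OD_NODE; is it a directory user?" >&2
        return 1
    fi
    sudo "$DSCL" /Local/Default append "$g" GroupMembership "$2"
    sudo "$DSCL" /Local/Default append "$g" GroupMembers "$guid"
}

# Usage: sh fix_service_acls.sh testuser
if [ $# -eq 1 ]; then
    ensure_group afp 250
    ensure_group smb 110
    ensure_member afp "$1"
    ensure_member smb "$1"
fi
```

Afterwards `dscl /Local/Default read Groups/com.apple.access_smb GroupMembership GroupMembers` should list the short name and the matching GUID. These service ACL groups are the gate on which accounts may use each service at all, so adding only the accounts that need a share keeps the exposed surface smaller than enrolling every user with a /bin/bash shell.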

14 replies

Oct 28, 2018 6:19 AM in response to Hans Vallden

The package you’re using here is an MDM server, and bears little relationship to what Server.app was providing prior to Mojave.


In this case, you might try binding the local system to the domain and see if that helps, though I’d probably look to replace the use of Server.app entirely, save as an MDM tool.


I’d probably look to a NAS box as a more capable alternative, and some of those can tie into LDAP. Wouldn’t be surprised to learn some NAS boxes can serve LDAP, too.

Nov 4, 2018 5:36 AM in response to Hans Vallden

I am facing the same problem with 10.14.1 and Server 5.7.1. With Open Directory enabled I cannot access shares with local and OD users. If I activate the Windows file sharing checkbox for a local user in the sharing options, I am able to connect with this user. As OD users are not shown there, this is no workaround for me.


Has anyone an idea how to solve this problem? The same setup with Sierra worked without problems.

Nov 4, 2018 6:38 AM in response to admin232

admin232 wrote:


I am facing the same problem with 10.14.1 and server 5.7.1. With enabled open directory I cannot access shares....


Has anyone an idea how to solve this problem? The same setup with Sierra worked without problems.


Contact Apple Support directly, or log feedback.


Otherwise...


Wipe and upgrade to the earlier version of macOS and Server.app in the shorter term, then longer-term either Apple fixes this and related, or as folks migrate to a functional server environment.


Server is utterly misnamed as it presently exists, as it is an MDM package. Not a server.


I’m expecting most of us that used Server will be migrating over the next several years, and I’m certainly not inclined to migrate to an environment where I will need to manually maintain and update the pieces of a hand-rolled server environment atop macOS as Apple has suggested in its migration documentation. Which means either another OS, or hosting the required services.


For an alternative to local LDAP, have a look at Microsoft Azure Active Directory; Azure AD.

Nov 19, 2018 5:57 AM in response to Hans Vallden

I am facing the same problem with 10.14.1 and server 5.7.1. with OpendirectoryMaster turned on.


When I just turn on File Sharing over AFP, everything works fine.


Also a second server can connect to the Open Directory server without problems.

Users and groups are able to connect to the second server over AFP.


As soon as I turn on SMB and AFP, or only SMB, on any of my two servers, it is not possible to log in to any share.

Dec 12, 2018 6:38 AM in response to Hans Vallden

It seems to me this is a clear bug in Mojave or macOS Server application 5.7.


There is no server package 5.71. There is an unfortunately-misnamed MDM package.


Server. Is. Dead.


Few that were using server like this, and we’re either rolling our own server distros atop macOS, migrating to Kerio or such where that works, or we’re migrating to a server on a different operating system platform.



Dec 18, 2018 3:00 PM in response to stephen2011

Yes, stop using Apple Server. It's rubbish, does not work and has zero use.


I would look at getting a QNAP or some other NAS device that has LDAP built in. Or move to LDAP on Linux or if you really want to go mad you could go down the windows route.


For whatever reason Windows gets more love from Apple than their own Server app.

