Secure way to mount a password protected cifs share in mac

Solution 1

A more secure solution than that proposed by SvenW, and one that is more in keeping with the Apple way of doing things, is to add the password to the keychain. Here's how you would do it for an AFP share (I assume all you'd need to do is change the protocol specified by the -r option but I don't have the possibility of testing this with SMB right now; note that the whitespace in "afp " is intentional and necessary and I've only used this in a 10.6 environment):

sudo security add-internet-password -a "username_here" -D "Network Password" -r "afp " -l "cifs_share" -s "myserver.com" -p "cifs_share" -w "password_here"  -T "/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent"

Here's the relevant part of the man page for the security command:

add-internet-password [-h] [-a account] [-s server] [-w password] [options...] [keychain]
            Add an internet password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character code)
            -C type         Specify item type (optional four-character code)
            -d domain       Specify security domain string (optional)
            -D kind         Specify kind (default is "application password")
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as default label)
            -p path         Specify path string (optional)
            -P port         Specify port number (optional)
            -r protocol     Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
            -s server       Specify server name (required)
            -t authenticationType
                            Specify authentication type (as a four-character SecAuthenticationType, default is "dflt")
            -w password     Specify password to be added
            -A              Allow any application to access this item without warning (insecure, not recommended!)
            -T appPath      Specify an application which may access this item (multiple -T options are allowed)
            -U              Update item if it already exists (if omitted, the item cannot already exist)

            By default, the application which creates an item is trusted to access its data without warning.  You can remove this default access
            by explicitly specifying an empty app pathname: -T "". If no keychain is specified, the password is added to the default keychain.

The same thing should work for an SMB share, but note that the mechanism for matching keychain entries is quite particular (e.g. requiring that odd whitespace in the protocol name), so you need to test and be precise about how you store the password. When I first used this approach, I found that in order to get the parameters right, it helped to first create the password in the keychain via the GUI (i.e. mount the share in the Finder and tick the box to save the authentication credentials to the keychain) and work backwards by examining the resulting entry in the keychain.

As noted by SvenW, the keychain needs to be unlocked for this approach to work, but that should happen automatically when the user logs in and should not be a problem based on your description. I'd also like to confirm that Kerberos does indeed work in 10.5 and 10.6 but is problematic in 10.7.

Solution 2

Put a ~/Library/Preferences/nsmb.conf file with the following content into the home directory of the user you want to do the mount:

[myserver.com]
username=username_here
password=password_here

After that, you can simply do

mount -t smbfs -o -d=755,-f=755 //myserver.com/cifs_share /mountpoint 
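
The following check is an added example, not part of the original answers: it reports which sections of an nsmb.conf store a password, as the file in Solution 2 does, and whether the file is accessible to other local accounts. The function names and the treatment of `#` and `;` as comment markers are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit an nsmb.conf for stored passwords and loose permissions.
# Function names are this example's own, not part of macOS.

# Print the name of every [section] that contains a password= key.
# The password value itself is never printed.
nsmb_password_sections() {
    awk '
        /^[ \t]*[#;]/ { next }                      # assumed comment markers
        /^[ \t]*\[.*\][ \t]*$/ {                    # section header, e.g. [myserver.com]
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        /^[ \t]*password[ \t]*=/ { print sec }
    ' "$1"
}

# Succeed if group or other can read or write the file.
nsmb_loose_perms() {
    hit=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
    [ -n "$hit" ]
}

# Return status: 0 = no stored password, 1 = stored password in an owner-only
# file, 2 = stored password and the file is open to group/other.
audit_nsmb() {
    f=$1
    [ -f "$f" ] || return 0
    secs=$(nsmb_password_sections "$f")
    [ -n "$secs" ] || return 0
    echo "$secs" | while IFS= read -r s; do
        echo "WARN: $f [$s] stores a plaintext password"
    done
    if nsmb_loose_perms "$f"; then
        echo "FAIL: $f is accessible to group/other (fix: chmod 600 \"$f\")"
        return 2
    fi
    return 1
}

# Constructed sample mirroring the file from Solution 2, first with mode 644
# so the permission check has something to catch, then with mode 600.
sample=$(mktemp)
printf '[myserver.com]\nusername=username_here\npassword=password_here\n' > "$sample"
chmod 644 "$sample"
audit_nsmb "$sample" || echo "status with mode 644: $?"
chmod 600 "$sample"
audit_nsmb "$sample" || echo "status with mode 600: $?"
rm -f "$sample"
```

On a real machine, point `audit_nsmb` at `~/Library/Preferences/nsmb.conf` and `/etc/nsmb.conf`, the two locations mentioned on this page.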

Solution 3

For me, it was a matter of looking at what was IN my keychain

and matching that up with my auto_smb map...

/../Volumes/ServiceData -fstype=smbfs,soft ://home._smb._tcp.local/ServiceData

Author: icasimpan

Updated on September 18, 2022

Comments

  • icasimpan
    icasimpan almost 2 years

    I'm maintaining a heterogeneous network of mac and linux so I decided to create a little perl script to unify mounting strategies across machines.

    Actually, I already have a working perl script, however, the password seems to be part of the command line, which I don't like:

     mount_smbfs -d 755 -f 755 //username_here:password_here@myserver.com/cifs_share
    

    Tried reading the man pages for mount_smbfs and nsmb.conf but I am still confused as to how to move forward.

    My machines are Snow Leopard, Leopard and Lion machines.

  • Zoredache
    Zoredache over 12 years
    Storing a password still isn't that great. Do you know if OSX will do kerberos? Or is there a way to store the credentials in the keychain?
  • FooBee
    FooBee over 12 years
    Using the keychain requires a user to be logged in and his keychain unlocked. Up to 10.6 Kerberos worked, but I never managed to get it to work with SMB on 10.7 after Apple introduced their own CIFS client and switched to Heimdal from MIT Kerberos.
  • FooBee
    FooBee over 12 years
    On BSD, where the mount_smbfs was taken from, you could store a pre-"encrypted" (better: scrambled) password into the conf file, but smbcrypt is missing at least on 10.7.
  • icasimpan
    icasimpan over 12 years
    @SvenW, I tried your approach but instead used /etc/nsmb.conf since it is the global config file. It worked great! Thanks. +1 for you :)
  • icasimpan
    icasimpan over 12 years
    thanks for your suggestion. I would consider that when we do use afp later. For now, having the username and password simplifies things for me.
  • icasimpan
    icasimpan over 12 years
    @SvenW I thought it works. Tried even putting it on ~/Library/Preferences/nsmb.conf and it was still asking for a password. Sorry, I got confused earlier as I had other shares from the same server with the same authentication :(
  • Vebjorn Ljosa
    Vebjorn Ljosa almost 11 years
    It works with -r "smb ". One way to find out such things is to run security dump-keychain.
  • Noldorin
    Noldorin over 10 years
    This syntax is not supported unfortunately. You must be thinking of the FreeBSD version of mount / mount_smbfs.
  • ssc
    ssc almost 8 years
    This doesn't seem to work on OS X Yosemite; even with the file created as described, mount_smbfs asks for a password.
  • Michele Dall'Agata
    Michele Dall'Agata over 6 years
    I tried all possible combinations in macOS High Sierra and it doesn't ask for the password only if the share is already mounted from the Finder. It's driving me mad.