
Strange permission problems when accessing Windows server from macOS

For years, I experienced a very strange permission problem: Occasionally, when I tried to access files on a Windows server from macOS, the operation would fail because of insufficient access rights. This was very strange because often I had placed the files there only a few hours earlier using the same user. Or at least I thought so…

As it turns out, macOS supports two methods of authentication when accessing a CIFS / SMB server, Kerberos and NTLMv2, and it prefers the former. So an existing Kerberos ticket is used whenever one is available, and macOS will not fall back to NTLMv2 credentials in that case, even when they are stored in the Keychain. Now, combine this with the fact that Microsoft’s Remote Desktop client internally uses Kerberos authentication, and you might get an idea of what happened:

When I was accessing the Windows file server while I was also logged in to a system in the same domain via Remote Desktop, the user that I used for Remote Desktop would be preferred over the user for which the NTLMv2 credentials were stored in the Keychain. When there was no Remote Desktop session, the stored NTLMv2 credentials would be used. Thus, without being aware of it, I would use two different users for accessing the file server, depending on whether I also had a Remote Desktop session open or not.

Once I realized this (which, to be honest, took me a few years), there was a simple solution: avoiding the use of NTLMv2 completely and always using Kerberos for authentication. Unfortunately, macOS only has built-in support for Kerberos authentication when the system is joined to an Active Directory domain. However, I did not want to make my Mac a domain member.

Obviously, manually retrieving a Kerberos ticket with kinit is an option, but using this command-line utility is cumbersome because Kerberos tickets need to be renewed periodically. Luckily, I found a nice tool called Kerberos Ticket Autorenewal, which does exactly what its name promises: When registered as a login item, it will retrieve a Kerberos ticket right after you log in and it will then periodically renew this ticket, getting the Kerberos credentials from the macOS Keychain.
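To show what such an autorenewal tool has to do, here is an added example (not the original post's code and not the code of the tool mentioned above) of one pass of a ticket-keeper: it reads the cached ticket with klist, renews it when it is close to expiry, and otherwise obtains a fresh one with the password stored in the macOS Keychain. It assumes Heimdal-style klist output as printed on macOS, that this kinit accepts `--renew` and `--password-file=STDIN`, and a Keychain item whose service name is `kerberos-autorenew` (all of these are assumptions); the klist sample is constructed.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Heimdal klist lists tickets as "<issued>  <expires>  <service principal>"; an
# expired ticket is assumed to show ">>>Expired<<<" instead of a date, so it fails this match.
TICKET_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8} \d{4})\s+(\w{3} +\d+ [\d:]{8} \d{4})\s+krbtgt/\S+$", re.M)
TIME_FMT = "%b %d %H:%M:%S %Y"
# Constructed sample of what `klist` prints on macOS (not real output).
SAMPLE_KLIST = ("Credentials cache: API:1\n        Principal: alice@EXAMPLE.COM\n\n"
                "  Issued                Expires               Principal\n"
                "Mar  5 09:00:00 2024  Mar  5 19:00:00 2024  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n")


def tgt_expiry(klist_output):
    """Return the TGT expiry as a datetime, or None when no valid TGT is cached."""
    m = TICKET_RE.search(klist_output)
    return datetime.strptime(m.group(2), TIME_FMT) if m else None


def plan_action(klist_output, now, margin=timedelta(minutes=30)):
    """'keep' a fresh ticket, 'renew' one close to expiry, 'acquire' if none or expired."""
    expiry = tgt_expiry(klist_output)
    if expiry is None or expiry <= now:
        return "acquire"
    return "renew" if expiry - now <= margin else "keep"


def keychain_password(service, account):
    """Read the stored password with the macOS `security` tool (-w prints only the secret)."""
    cmd = ["security", "find-generic-password", "-s", service, "-a", account, "-w"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


def maintain_ticket(principal, service="kerberos-autorenew"):
    """One pass of the renewal loop; schedule it periodically (e.g. via launchd)."""
    klist = subprocess.run(["klist"], capture_output=True, text=True)
    action = plan_action(klist.stdout, datetime.now())
    if action == "renew" and subprocess.run(["kinit", "--renew"]).returncode == 0:
        return "renewed"
    if action != "keep":  # no ticket, expired, or renewal failed: authenticate afresh
        subprocess.run(["kinit", "--password-file=STDIN", principal],
                       input=keychain_password(service, principal) + "\n", text=True, check=True)
        return "acquired"
    return "kept"


if __name__ == "__main__":
    print(plan_action(SAMPLE_KLIST, datetime(2024, 3, 5, 18, 45)))  # renew
```

Because a renewed ticket keeps its original lifetime limit, the fallback to a fresh kinit is what keeps the loop working across the renewable-lifetime boundary.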

As these Kerberos tickets take precedence over the ones that are created by the Remote Desktop client, access to Windows file servers always happens using the correct credentials. As a nice side effect, this means that NTLMv2 authentication can be disabled for the Active Directory domain, unless there are other clients which still rely on it and which cannot be switched to Kerberos.