« All posts

Mounting Mac SMB Shares from Linux Without Weakening Security

A deep dive into mounting a Mac's SMB share from Linux via Kerberos and LKDC instead of the common fix that weakens macOS password storage.

The piece traces why a Linux client fails with NT_STATUS_LOGON_FAILURE when mounting a Mac mini's SMB share, even though an iPhone connects to the same account without issue. The root cause isn't networking or credentials but the fact that macOS keeps multiple authentication paths for a local account: NTLMv2, which needs a stored NT hash, and Kerberos, which relies on the Mac's built-in Local KDC (LKDC). A fresh account never gets an NT hash minted, so Linux tools like smbclient and mount.cifs fail at the NTLM door, while Apple clients quietly succeed via Kerberos.

The commonly suggested fix—enabling per-user Windows File Sharing—forces macOS to store a weaker password hash, per Apple's own documentation. Instead, the author replicates what the iPhone does: discovering the LKDC realm via mDNS and authenticating with Kerberos. A tricky gotcha along the way is that smbclient derives its service principal name from the hostname, while the Mac actually registers cifs/LKDC:SHA1.<hash>; the fix is to use the LKDC name in place of the hostname in the UNC path and force the real IP separately.

For a persistent, always-mounted setup, the write-up builds a keytab so root can silently obtain tickets, wires the realm into /etc/krb5.conf.d, and uses systemd timer/mount/automount units to keep the TGT fresh and the share available on demand. For engineers, this offers both a clear mental model of how LKDC-based Kerberos works and a reusable blueprint for secure, no-compromise cross-platform SMB access.