Mounting a Mac's SMB share from Linux without gutting the Mac's security
Lost an evening to this, so you don't have to. The fix everyone hands you is a single checkbox that quietly downgrades how your Mac stores its password. The clean alternative — Kerberos, the exact thing your iPhone already uses — is "impossible" according to three sources I dug up, one of them Apple's own Heimdal source. They're wrong. What follows is the whole path: why it breaks, why the popular fix is the bad one, and the two setups that actually work (a one-shot command and a hands-off automount). My Mac mini shares a folder over SMB. My iPhone mounts it fine. My Linux box: $ smbclient -L 192.168.0.153 -U tmlr%remote session setup failed: NT_STATUS_LOGON_FAILURE Same username, same password, rejected. Every "fix" on the internet ends with "turn on Windows File Sharing for that user on the Mac." That works, and it's the wrong answer. Here's why, and what to do instead. The problem The credentials are correct — the iPhone's connecting just fine. The handshake even completes; run it with -d3 and you'll see the full NTLMSSP exchange finish before the Mac rejects you. So this isn't networking, isn't the password, isn't the SMB dialect. It's authentication, and only Linux hits it. Why: two doors, one account macOS keeps several credentials for a local account, not one. Look: $ dscl . -read /Users/tmlr AuthenticationAuthority AuthenticationAuthority: ; ShadowHash ; HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ; Kerberosv5 ;; tmlr@LKDC:SHA1.XXXX ; LKDC:SHA1.XXXX ; Two things matter in there: HASHLIST is SALTED-SHA512-PBKDF2 (login) and an SRP verifier. There is no NT hash. There's a Kerberosv5 identity in a realm called LKDC:SHA1.<40 hex> . SMB auth has two doors into this account: NTLMv2 — validates against a stored NT hash. Linux smbclient and mount.cifs knock here. Kerberos — validates against the Mac's built-in Local KDC (LKDC), which every Mac runs. Apple clients knock here. Your iPhone walks through the Kerberos door and never touches the NT hash