Logging into a SMB file server multiple times with different usernames from one Mac
An issue that I’ve run into at my workplace has been people requesting the ability to log into our SMB-using file servers with different usernames. In my specific case, I have a user who wanted to be logged into one of our Windows file servers as username, but also wanted to connect to a specific share on the same server using a different account called other_username.
Normally, this wouldn’t be an issue except this user wanted to log into share A on the server with username and share B on the server with other_username and have both shares mounted at the same time. This is a problem because the Mac’s normal behavior is to keep using the same username / password authentication when connecting to different shares that are hosted on the same server.
To make this issue that much harder to address, our Macs and our file servers are also both bound to the same Active Directory domain, which means that our users normally aren’t being prompted for their usernames and passwords. Instead, they’re using Kerberos to handle logins for the file servers. Kerberos is using the AD account of the logged-in user as part of its authentication process to our servers, so any file share will mount using that account’s access rights.
Fortunately, it does appear that there is a way to make this work. Even better, it doesn’t require breaking Kerberos or trying to get around it. See below the jump for details.
To connect to an SMB file server using a different username, you can use this procedure:
1. In the Finder, choose the Go menu, then select Connect to Server.
2. Type the network address for the computer or server in the Server Address field in the following format:
smb://other_username:*@server.name.here
The ” * ” is to trigger the server login window for your SMB server, so that the password for the other_username account can be entered.
3. Click the Connect button.
4. Enter the desired username and password when prompted.
Username: other_username
Password: The current account password for other_username
5. Select the share on your SMB server that you want to use.
WARNING: Do not try to mount the same share twice using different usernames.
One way you can verify that you’re actually connected using different usernames is to use the mount command in Terminal. This should show all mounted volumes on the Mac, including mounted fileshares. The fileshare mount information should include which account was used to mount the share.
NOTE:
Depending on your file server, this approach may not work consistently. On our Isilon storage, the SMB share would mount with the user-specified username every time. On another server I tested, the server would prefer the specific username that was last used to connect and keep using that username when mounting additional shares.
Hat tip: kbotnen in the ##osx-server IRC room
Prior to 10.7, we’d do the same thing with smb://username@server.fqdn.tld
Thanks!
Nice, a bit cleaner documented than our internal documentation 🙂
I use mount_smbfs from the terminal, which is not kerberized. But that is not something I would promote for my regular users in our AD environment.
Very useful.
Thank you
I was wondering what I should do if I want to connect to smb://zanes22:*@ww1file-01.wildwood.org . I tried to, but it told me I couldn’t connect. (Y’know, it’s my school’s server)
I tried this but it still connects using the username that I’m logged onto my MacBook Pro with. Unfortunately that isn’t going to work as I need to use a different username for this SMB share. I’d appreciate any thought people might have on this.
The best info. Clear and precise.
SO helpful. Thank you very much for posting this!
Extremely helpful! @aknjeer are you trying to access the same share with two different accounts? From my testing that doesn’t work, but two separate shares does work.
…This is great. Anyway to pre-define a domain designation? IE: domain\username?
This is super helpful and solved my problem! Any idea how to configure it to survive a reboot? I just confirmed that it does not. 😦