Mac OS X Yosemite client SMB issues on Windows Server 2012 R2

We just installed a Windows Server 2012 R2 to provide simple workgroup file sharing for 20 users.

All users running 10.8 and 10.9 are 100% solid accessing SMB file shares on the 2012 server.

But some Yosemite users are unable to attach over SMB. The error they get is "Access to your account on the server "[servername]" has been denied. Contact your system administrator for more information."

All users are able to access the server using CIFS.

The same user can log straight into the same server using SMB on a different Yosemite computer.

A Yosemite computer that is unable to log into the 2012 R2 server using SMB, *is* able to SMB into a 2008 R2 server.

We wiped a Yosemite system that doesn't allow SMB access and installed an OS from scratch. SMB still denied with the same error.

All Yosemite Macs are running 10.10.3.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jackie ManIT ManagerCommented:
It is a known issue and no solution so far, but there is a workaronnd as shown below.

Windows Server 2012 R2 and SMB3 seem to be working with 10.10.3

Share settings:
Everyone: Read
Authenticated Users: Change, Read
Administrators: Full Control, Change, Read

Security (NTFS) settings:
SYSTEM: Full Control (Applies to "This folder, subfolders, and files")
Local or Domain Administrator: Full Control (Applies to "This folder, subfolders, and files")
CREATOR OWNER: Everything except Full Control, Change permissions, and Take ownership (Applies to "Subfolders and files only")

On Server Manager, go to File and Storage Services > Shares
Uncheck "Allow caching of share"
Check "Encrypt data access"

Despite not letting Creator Owner have full control, the defined user account ends up getting full control anyways. I think the idea for setting restrictions on the share permissions is to circumvent full control. Windows admins typically prefer to set everyone at full control and then have everything secured at the NTFS level. That method just doesn't seem to work well when os x clients are involved. Securing authenticated users at the share level might prevent them from having full control or weird ACL issues.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
d4nnyoAuthor Commented:
That is deep. I googled for an hour without finding that link. I will try it and let you know.
Jackie ManIT ManagerCommented:
I do not have the latest OSX to test.

My finding is from Google search only also but I do have basic understanding of how SMB works from experience.
d4nnyoAuthor Commented:
Haven't had a chance to implement yet
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Mac OS X

From novice to tech pro — start learning today.