I work with a lot of Windows servers. This means connecting to a VPN and then mounting a share via Samba (SMB). Alas, Keychain won’t autofill saved passwords for Windows servers where the username is prefixed with a domain, like auth\stephanieleary.
The current best practice for managing lots of these shares is, from what I can tell from hours and hours of Googling and consulting an Apple training rep:
- Create an alias once you’re connected to the share.
- Delete any previously saved passwords you have in Keychain for that server.
- Reconnect to the alias and have Keychain save THAT password.
But even this does not work reliably. As you can imagine, once you start working with four or five of these things, it becomes challenging to remember the appropriate combination of VPN, server/share, domain\username, and password.
Today, after YEARS of struggling (intermittently) with this, I finally remembered something: you can save usernames in the connection string. And — this I knew — you can save connection strings as favorite servers in the Finder’s Go → Connect to Server window.
UNIX geeks are probably laughing at me right now.
One more quick search confirmed that I can save not only the username, but also that pesky domain prefix and, yes, the password too. Here’s the syntax:
(From a tip on the invaluable Mac OS X Hints site.)
This is nowhere near as secure as Keychain, since it makes the password visible to anyone who sits down at the computer and opens up the Connect to Server window. For my purposes, that’s OK — no one else uses my laptop. This just goes on the list of passwords I’ll have to reset if the laptop is ever lost or stolen. And my list of connections wasn’t secure anyway, because I had to save them all in a text file that I could pull up every time I needed to switch servers.
Thanks for the tip. I’ve been looking for confirmation that this is a “feature” of OS X.
Philip Keller says
In fact, I found you can get Keychain to remember the password reliably. In the “best practice” steps that you gave (thank you!), add a step 0, derived from your technique (thanks again!):
0. “Connect to Server” > smb://domain;username@server/share
To start with a clean slate, you should probably open Keychain Access and delete the network passwords for the server. (step -1)
It appears that the alias includes the URL exactly as given when you mounted the volume (look at the contents of an alias file to see). So if you mount the volume with the username, as above, and then create an alias, it’ll contain the right username and will be able to retrieve the password from the Keychain. (Here’s the post that made me think of this.)
Thanks for your tip. Like you, I’ve been annoyed by this for ages. I just couldn’t figure out why my aliases were working fine on one computer and not on another.
Stephanie Leary says
Fantastic tip, Philip, and much more secure than saving the passwords in the (relatively open) server list. Thanks!
it works! great help!
Philip Keller says
A further follow-up, because I was once again having trouble getting this to work, on another machine: if the connect string “smb://domain;username@server/share” fails to connect, try replacing the server name with its IP address (see credits for this hint). Worked for me.
Amy Bennett says
I’m trying to get this working as well. No matter what I do, it always asks me to give the password on reboot.
I’m up to the stage of deleting the network passwords for the server from Keychain Access but I’m not sure what the entries should look like for a smb server.
Philip Keller says
In Keychain Access, search for the server name. There should be an entry with Name=servername, Kind=”network password”, Account=domain\username, Where=smb://servername/…, Password=password.