A solution to SMB "wrong password" and "net use: system error 86" with Windows 10 client

Alex52155

Cadet
Joined
Apr 16, 2022
Messages
5
Hello,


Currently using TrueNAS-12.0-U8.1, I encountered a strange issue: from my Windows 10 client, every SMB connection attempt was refused with "wrong username / password". Attempts to connect via PS "net use" were answered with "system error 53".

I decided to join this forum not with a problem, but with a solution! :grin:
In my case, the cause of this was pretty cryptic and it took me a while to find it.

Basically, the default group policy setting for "Network Security: LAN Manager authentication level" is set to "Send LM & NTLM - use NTLMv2 session security if negotiated", which doesn't actually send NTLMv2.
Changing the group policy setting to "NTLMv2 only" instantly resolved the "wrong username / password" error. To do so, use gpedit.msc and look in Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.

It is described in-depth here: https://arran.physics.gla.ac.uk/wp/igr-it/2021/05/20/truenas-and-windows-clients-ntlmv2-issues/

Hope this will help somebody in the future.

Best regards!
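As an added example (not part of the thread), the following PowerShell script audits the registry value that backs this group policy, LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and optionally raises it to NTLMv2-only. The -Fix switch and the level table are my own; it assumes a Windows Vista or later client, where an absent value means the OS default of 3.

```powershell
# Added example: audit (and optionally correct) the LAN Manager authentication level.
# The group policy "Network security: LAN Manager authentication level" is stored as
# the DWORD LmCompatibilityLevel under the Lsa key. Run from an elevated prompt.
param([switch]$Fix)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default applies (assumed 3 on Windows Vista and later).
        return [pscustomobject]@{ Level = 3; Source = 'OS default (value not set)' }
    }
    return [pscustomobject]@{ Level = [int]$item.LmCompatibilityLevel; Source = 'Registry (local or domain policy)' }
}

$current = Get-LmCompatibilityLevel
Write-Host ('Current level: {0} ({1}) - {2}' -f $current.Level, $Levels[$current.Level], $current.Source)

if ($current.Level -lt 3) {
    Write-Warning 'LM/NTLMv1 responses are enabled; NTLMv2-only servers such as TrueNAS will reject these logons.'
    if ($Fix) {
        # 5 is the strictest setting: send only NTLMv2 and refuse LM/NTLM when acting as a server.
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
        Write-Host 'LmCompatibilityLevel set to 5. A domain GPO may overwrite this at the next refresh; check with gpresult /r.'
    }
}
```

If the client is domain-joined and the value comes back as 0, 1 or 2, fix it in the domain policy rather than locally, otherwise the next group policy refresh restores the weak setting.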
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

If you look at default settings for Windows, the setting you had is _not_ the default, which means potentially something changed your security settings from the default to something horribly insecure.
 

Alex52155

Cadet
Joined
Apr 16, 2022
Messages
5

> If you look at default settings for Windows, the setting you had is _not_ the default, which means potentially something changed your security settings from the default to something horribly insecure.
I guess that's what it means. I never manually edited this setting... I guess I now have to contemplate a little about the security of this client.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
My memory on this is somewhat fuzzy, but IIRC the default for this setting was changed to only allow NTLMv2 in Windows Vista / Server 2008. This means that if this client is joined to an AD domain that was originally Server 2003 or earlier, you may need to use the group policy editor to modify the default domain policy. You would potentially not see issues with Windows servers on the domain because they get NTLM settings through group policy as well. TrueNAS requires direct admin intervention to enable NTLMv1 (even when we're joined to AD).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Where this sort of issue will manifest itself is when client tries to use ntlmssp instead of kerberos for auth. In AD environment this means issues potentially with DNS, user mounting via IP address instead of FQDN (kerberos doesn't work with IP addresses and so clients fall back to ntlmssp), etc.
 