Another windows permission problem

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Okay. Let's deal with the problems we see. Assuming this isn't an LDAP environment, your local "users" group is colliding with "BUILTIN\users" and breaking mappings. You'll need to rename that group to something else. For instance "smb_users". Is the user with problems a member of "shared"?
 

tvo.psc

Dabbler
Joined
Dec 29, 2018
Messages
21


Renamed group to "smb_users" as suggested. Only two users in that group - user1 and user2. The share can be accessed from 3 of 4 PCs in my office using either user1 or user2 credentials. Cannot access share from 4th PC with either.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you post the output of net groupmap list
 

tvo.psc

Dabbler
Joined
Dec 29, 2018
Messages
21


net groupmap list
Environment LOGNAME is not defined. Trying anonymous access.
smb_users (S-1-5-21-1059828769-753519628-2512994261-1005) -> smb_users
private (S-1-5-21-1059828769-753519628-2512994261-1004) -> private
shared (S-1-5-21-1059828769-753519628-2512994261-1001) -> shared
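
The check behind the rename advice above, as an added example that is not part of the thread or of Samba/FreeNAS: it parses `net groupmap list` output and flags local groups whose name matches a Windows BUILTIN alias. The sample input and its SIDs are constructed placeholders, and the function names are hypothetical.

```python
import re

# Well-known BUILTIN aliases (SID domain S-1-5-32) and their RIDs.
BUILTIN_ALIASES = {
    "administrators": 544, "users": 545, "guests": 546, "power users": 547,
    "account operators": 548, "server operators": 549,
    "print operators": 550, "backup operators": 551, "replicator": 552,
}

# One mapping per line: "<NT group> (<SID>) -> <Unix group>"
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")

# Constructed sample (placeholder SIDs), shaped like the output posted above
# but with the group still named "users", i.e. before the rename.
SAMPLE = """\
Environment LOGNAME is not defined. Trying anonymous access.
users (S-1-5-21-1111111111-2222222222-3333333333-1005) -> users
private (S-1-5-21-1111111111-2222222222-3333333333-1004) -> private
shared (S-1-5-21-1111111111-2222222222-3333333333-1001) -> shared
Users (S-1-5-32-545) -> builtin_users
"""

def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; notices that are not
    mappings (the LOGNAME line) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["nt"], m["sid"], m["unix"]))
    return entries

def builtin_collisions(entries):
    """Flag groups outside S-1-5-32 whose NT or Unix name matches a BUILTIN
    alias name, compared case-insensitively."""
    hits = []
    for nt, sid, unix in entries:
        if sid.startswith("S-1-5-32-"):
            continue  # a real BUILTIN alias mapping, not a collision
        for name in dict.fromkeys((nt.lower(), unix.lower())):
            if name in BUILTIN_ALIASES:
                rid = BUILTIN_ALIASES[name]
                hits.append((nt, sid, f"BUILTIN\\{name} (S-1-5-32-{rid})"))
    return hits

if __name__ == "__main__":
    for nt, sid, clash in builtin_collisions(parse_groupmap(SAMPLE)):
        print(f"rename local group {nt!r} ({sid}): collides with {clash}")
```
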
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you issue a service samba_server restart
 
Joined
Jan 4, 2014
Messages
1,644
I'm curious what SMB version is running on the PCs. If you wouldn't mind, run up a PowerShell session as administrator on a working PC and execute the following two commands:
Code:
PS C:\> dir \\localhost\c$

The second command must be executed within about 10 seconds of executing the first command:
Code:
PS C:\> Get-SmbConnection -ServerName localhost

I'm really only interested in output from the second command. It should look something like the following:
Code:
ServerName  ShareName  UserName            Credential          Dialect  NumOpens
----------  ---------  --------            ----------          -------  --------
localhost   c$         DomainName\UserN... DomainName.Testi... 3.02     0

The Dialect is of interest. Repeat for the rogue PC.
 

tvo.psc

Dabbler
Joined
Dec 29, 2018
Messages
21
Working PC:

PS C:\WINDOWS\system32> Get-SmbConnection -ServerName localhost

ServerName  ShareName  UserName       Credential                           Dialect  NumOpens
----------  ---------  --------       ----------                           -------  --------
localhost   c$         PSCAUX\Thomas  MicrosoftAccount\xxxxxx@hotmail.com  3.1.1    0




Rogue PC:

PS C:\WINDOWS\system32> Get-SmbConnection -ServerName localhost

ServerName  ShareName  UserName           Credential         Dialect  NumOpens
----------  ---------  --------           ----------         -------  --------
localhost   c$         PSC-MASTER\Thomas  PSC-MASTER\Thomas  3.1.1    0
localhost   IPC$       PSC-MASTER\Thomas  PSC-MASTER\Thomas  3.1.1    0
 
Joined
Jan 4, 2014
Messages
1,644
I wonder... For Windows 8 and above, Microsoft has been promoting their Microsoft account, which is based on an email address, over local Windows accounts. This caused Samba authentication problems for FreeNAS.

localhost c$ PSCAUX\Thomas MicrosoftAccount\xxxxxx@hotmail.com 3.1.1 0
On the working PC, Thomas logs in using his Microsoft account xxxxx@hotmail.com. This maps in FreeNAS to one of the two users User1 or User2. Thomas is authenticated via this mechanism.

localhost c$ PSC-MASTER\Thomas PSC-MASTER\Thomas 3.1.1 0
localhost IPC$ PSC-MASTER\Thomas PSC-MASTER\Thomas 3.1.1 0
On the rogue PC, Thomas appears to be a local PC account. Thomas is denied access to FreeNAS because there is no account Thomas on FreeNAS.

This post details the issue https://www.ixsystems.com/community/threads/microsoft-account-user-mapping.26277/
 
Joined
Jan 4, 2014
Messages
1,644
@tvo.psc Did you manage to get to the bottom of this? Curious to know if you resolved the issue.
 

tvo.psc

Dabbler
Joined
Dec 29, 2018
Messages
21

No, I never resolved the issue. FYI the rogue PC does have a Microsoft user account and a local PC account, both as administrators. Could not access the FreeNAS shares from either account. Tried suggestions in all the previous posts. Decided to stop beating my head against the wall for now.

Thanks for your time. Will post if I stumble upon a solution in the future.
 