Can't access SMB share on FreeNAS 11.2 neither from WIN10 nor Linux

Status
Not open for further replies.

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
Dear Sirs,

My box is running FreeNAS 11.2. I have prepared three datasets to set them as SMB shares: set1, set2, set3. The owner is user1 and the group myusers, who own the datasets. I also added user2 with auxiliary group myusers. The datasets have Windows type permissions.
Configuration of the SMB service was at first at default, but I couldn't access the shares neither from Windows 10 nor Linux. In Ubuntu Linux I see the shares, but then it asks me for username, workgroup and password, but I can't get through. In Windows, the host is not visible until I type the path in the explorer \\myhostname\ but then it asks for username and password and again I can't get in (the workgroup of win10 is the same as on the SMB service). Could anyone please indicate settings that could work?

Regards,
Slusek
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Which user credentials did you use to access the smb share from Linux? user1 or user2?
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
Post output of the following:
net groupmap list
net getlocalsid
testparm -s
pdbedit -L

net groupmap list

[root@myhostname ~]# net groupmap list
user2 (S-1-5-21-2286618025-256768639-1465971763-1005) -> user2
homeusers (S-1-5-21-2286618025-256768639-1465971763-1000) -> homeusers
syncthing (S-1-5-21-2286618025-256768639-1465971763-1004) -> syncthing
user1 (S-1-5-21-2286618025-256768639-1465971763-1001) -> user1

net getlocalsid
[root@myhostname ~]# net getlocalsid
SID for domain MYBOX is: S-1-5-21-2286618025-256768639-1465971763

testparm -s

[root@myhostname ~]# testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[set1]"
Processing section "[set2]"
Processing section "[set3]"

Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
deadtime = 15
disable spoolss = Yes
dns proxy = No
dos charset = CP1250
hostname lookups = Yes
kernel change notify = No
lm announce = Yes
load printers = No
logging = file
map to guest = Bad User
max log size = 51200
max open files = 469901
netbios aliases = MYHOSTNAME
nsupdate command = /usr/local/bin/samba-nsupdate -g
panic action = /usr/local/libexec/samba/samba-backtrace
printcap name = /dev/null
security = USER
server min protocol = SMB2_02
server role = standalone server
server string = mybox
username map = /usr/local/etc/smbusers
workgroup = MY_WORKGROUP
idmap config *: range = 900-100000000
idmap config * : backend = tdb
acl allow execute always = Yes
create mask = 0666
directory mask = 0777
directory name cache size = 0
dos filemode = Yes
ea support = Yes
store dos attributes = Yes
strict locking = No


[set1]
comment = Home Directories
path = "/mnt/myvol/home/%U"
read only = No
valid users = %U
veto files = /.snapshot/.windows/.mac/.zfs/
vfs objects = zfs_space zfsacl streams_xattr recycle
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U


[set2]
comment = multimedia
path = "/mnt/myvol/set2"
read only = No
veto files = /.snapshot/.windows/.mac/.zfs/
vfs objects = zfs_space zfsacl streams_xattr recycle
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U


[set3]
path = "/mnt/myvol/set3"
read only = No
veto files = /.snapshot/.windows/.mac/.zfs/
vfs objects = zfs_space zfsacl streams_xattr
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special

pdbedit -L

[root@myhostname ~]# pdbedit -L
user1:1000:Name
root:0:root


I am sorry, but I had to slightly anonymize the results; however, I think the logic is consistent with the outcome. I didn't know those commands before, but from what I see in the manpages, the last one looks worrisome: why don't I see user2?

Any help would be appreciated.

Regards,
Slusek
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I don't know what version of Ubuntu you are using, but install the smbclient package. Then, as a non-root user, see if you can list your FreeNAS SMB shares using this command: smbclient -L xxx.xxx.xxx.xxx -U user1 -m SMB3 (substitute your FreeNAS IP for xxxx). You should be prompted for user1's (FreeNAS) password.
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
I am running Ubuntu 18.04. With smbclient no luck either.

$ smbclient -L 192.168.xxx.yyy -U user1 -m SMB3
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\user1's password:
session setup failed: NT_STATUS_LOGON_FAILURE

I also tried providing my workgroup of the NAS:

$ smbclient -L 192.168.xxx.yyy -U MY_WORKGROUP\\user1 -m SMB3
WARNING: The "syslog" option is deprecated
Enter MY_WORKGROUP\user1's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Best regards,
Slusek
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
What happens if you delete and re-create the user1 account on FreeNAS?
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
What happens if you delete and re-create the user1 account on FreeNAS?

I think I have a bit too many things already configured on this user, to skip this idea. The other thing is, that I guess it will not solve the issue with other users whom I would like to give access to the share based on the group?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It looks like you've modified the default idmap range. You may want to make those so that BUILTIN won't overlap your local users (i.e. use the out of box defaults). If you're going to hack around with these idmap ranges, you also need to make sure you clear out winbind caches (otherwise this can cause auth failures).
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
"rm /var/db/samba4/.usersimported", then "service ix-pre-samba start", then run pdbedit -Lv to see if the user appears.

The indicated file was empty before those commands and afterwards. The second command displayed messages about importing user1 and root accounts for domain MYHOST. Before I was configuring samba shares for MY_WORKGROUP. On top of that there was nothing about the user2 which was created for the purpose of having access to the shares.
Nevertheless, I had no possibility to open the shares using user1 using MY_WORKGROUP or MYHOST in the workgroup arguments on Ubuntu 18.04.

Regards,
Wojtek
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
It looks like you've modified the default idmap range. You may want to make those so that BUILTIN won't overlap your local users (i.e. use the out of box defaults). If you're going to hack around with these idmap ranges, you also need to make sure you clear out winbind caches (otherwise this can cause auth failures).

I did that because I thought it indicates UIDs to skip importing, and user1 and user2 were in the 900 - 1100 range. That change was made a long time after I had realized that nothing works. What is the default range then? Unfortunately I don't remember.
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
In the documentation w.r.t. troubleshooting I read:
If the SMB service will not start, run this command from Shell to see if there is an error in the configuration:

testparm /usr/local/etc/smb4.conf

If clients have problems connecting to the SMB share, go to Services ‣ SMB ‣ Configure and verify that Server maximum protocol is set to SMB2.
Neither in new nor legacy interface I find "Server maximum protocol" parameter. I find it in the file indicated in the above mentioned command and it is set to SMB3. If I change it to SMB2 using vi and restart the SMB service from the command line, I still can't log in. The odd thing is, that if I restart the SMB service from GUI, the setting automatically is changed back to SMB3.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I did that because I thought it indicates UIDs to skip importing, and user1 and user2 were in the 900 - 1100 range. That change was made a long time after I had realized that nothing works. What is the default range then? Unfortunately I don't remember.

FYI The defaults on SMB service are "range low 90000001" to "range high 100000000"
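
As an added example (not part of the thread and not FreeNAS code), this sketch checks the two symptoms visible above: an idmap range that covers local UIDs, and accounts absent from the `pdbedit -L` listing. The function names, the embedded sample text and user2's UID are assumptions made for the illustration.

```python
import re

# Constructed sample input, modelled on the command output posted in this thread.
TESTPARM = """[global]
	security = USER
	idmap config *: range = 900-100000000
	idmap config * : backend = tdb
"""
PDBEDIT = "user1:1000:Name\nroot:0:root\n"
# Accounts meant to log in over SMB (name -> UID); user2's UID is an assumed value.
LOCAL_USERS = {"user1": 1000, "user2": 1002}


def idmap_range(testparm_text):
    """Return (low, high) for the default ('*') idmap domain, or None if unset."""
    m = re.search(r"^\s*idmap config\s*\*\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
                  testparm_text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def passdb_users(pdbedit_text):
    """Parse the 'name:uid:full name' lines printed by pdbedit -L."""
    users = {}
    for line in pdbedit_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) >= 2 and parts[1].isdigit():
            users[parts[0]] = int(parts[1])
    return users


def audit(testparm_text, pdbedit_text, local_users):
    """List idmap/UID overlaps and accounts without a passdb entry."""
    findings = []
    rng = idmap_range(testparm_text)
    if rng:
        low, high = rng
        for name, uid in sorted(local_users.items()):
            if low <= uid <= high:
                findings.append(f"idmap range {low}-{high} overlaps UID {uid} ({name})")
    known = passdb_users(pdbedit_text)
    for name in sorted(local_users):
        if name not in known:
            findings.append(f"{name} is missing from pdbedit -L output")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(TESTPARM, PDBEDIT, LOCAL_USERS)))
```

With the range set to the defaults quoted above and both accounts present in the passdb listing, `audit` returns an empty list.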
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
In the documentation w.r.t. troubleshooting I read:

Neither in new nor legacy interface I find "Server maximum protocol" parameter. I find it in the file indicated in the above mentioned command and it is set to SMB3. If I change it to SMB2 using vi and restart the SMB service from the command line, I still can't log in. The odd thing is, that if I restart the SMB service from GUI, the setting automatically is changed back to SMB3.

Of course it does, you can't simply hack a system file and expect it not to be reset. Why would you want to change the "Server maximum protocol" anyway? It's the "minimum" value that can in some cases cause a connection to fail, if for example the client tries to connect using SMB1 when the server only accepts SMB2 and above.

Apart from anything else, hacking around seems to have screwed up your samba password file. I wouldn't expect "root" to be in the output of "pdbedit -L" as you have shown above.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you verify that user2 is present in your "getent passwd" output? Is user2 locked in the UI? Has "disable password login" been checked?
I don't like it that user1 and user2 are in the groupmap output (this appears to be a bug). "service samba_server stop", "rm /var/db/samba4/group-mapping.tbd", service ix-pre-samba start, service samba_server start.
Once you have done this, increase logging to "normal", try to authenticate to the share, and then review content of /var/log/samba4/log.smbd (you can attach here as txt file).
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Can you verify that user2 is present in your "getent passwd" output? Is user2 locked in the UI? Has "disable password login" been checked?
I don't like it that user1 and user2 are in the groupmap output (this appears to be a bug). "service samba_server stop", "rm /var/db/samba4/group-mapping.tbd", service ix-pre-samba start, service samba_server start.
Once you have done this, increase logging to "normal", try to authenticate to the share, and then review content of /var/log/samba4/log.smbd (you can attach here as txt file).

@anodos If, when creating a user account, you create a new group with the same name, wouldn't you expect to see that new group in the output of net groupmap list?
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
Can you verify that user2 is present in your "getent passwd" output?
I confirm it is there, with default shell set to bash
Is user2 locked in the UI? Has "disable password login" been checked?
User is not locked and "enable password login" is set to Y.
Actually, I changed it to N, then back again to Y and restarted the SMB service and it works now. How come that such temporary change allowed to start it working properly? Is that coincidence, that you asked about disabled while in gui is enabled?

I don't like it that user1 and user2 are in the groupmap output (this appears to be a bug). "service samba_server stop", "rm /var/db/samba4/group-mapping.tbd", service ix-pre-samba start, service samba_server start.

Once you have done this, increase logging to "normal", try to authenticate to the share, and then review content of /var/log/samba4/log.smbd (you can attach here as txt file).
Why do you consider such output as worrisome? Those are primary groups of those users, where homeusers is their auxiliary group. For the moment as it works, I will refrain from issuing indicated commands.

Thank you very much for directing me to the solution.

One more question - at the moment I don't see my host in Windows 10's network view. I have to type in \\myhost\ in the path to see it. In Linux it is directly visible. Which setting is responsible for that and what is the reason why it is different from those two clients?
 

slusek

Dabbler
Joined
Dec 13, 2018
Messages
10
Of course it does, you can't simply hack a system file and expect it not to be reset. Why would you want to change the "Server maximum protocol" anyway? It's the "minimum" value that can in some cases cause a connection to fail, if for example the client tries to connect using SMB1 when the server only accepts SMB2 and above.

Apart from anything else, hacking around seems to have screwed up your samba password file. I wouldn't expect "root" to be in the output of "pdbedit -L" as you have shown above.
Well, the only change I tried to do from command line was the one thing I posted. If root should not be there (e.g. I would not like to expose /root as samba home share), how can I delete that?
 