Changing SMB NetBIOS name disables share access

extremesurf

Cadet
Joined
Mar 17, 2021
Messages
5
I am in the process of setting up a new TrueNAS SCALE system running 22.02.4, and everything was going smoothly until I changed the SMB NetBIOS name from 'TrueNAS' to anything else (doesn't seem to matter what I change it to, if it's not 'TrueNAS' I lose access to all of the datasets/shares).

I tried to regenerate the group mappings, restart, etc., but it doesn't make any difference. As soon as I change it back to 'TrueNAS' access is instantly restored on both Windows and Mac. I am accessing via the IP address so it shouldn't matter. I have the Hostname set to match the NetBIOS name as well.

I'm not sure if this is related, but in order to disable access and prevent dataset/share names from being displayed to unauthorized users I have set it up as follows:
  • I have enabled Access Based Share Enumeration on the datasets
  • In the Filesystem ACL for each dataset/share I have deleted the 'Group builtin_users' and manually added each user that has access with FULL CONTROL
  • In the Share ACL for each dataset/share I have deleted EVERYONE access and entered the SID for each user that has access with permission FULL and ALLOWED
Everything works perfectly with this configuration until the NetBIOS name is changed, then both Mac and Windows users lose access with 'Access Denied' and the shares are no longer displayed.
 

extremesurf

Just to follow up on this with some additional information in trying to make the datasets/shares accessible while the NetBIOS name is set to something other than 'TrueNAS':

If I edit the Share ACL and add an entry for S-1-1-0 Everyone / FULL / ALLOWED to one or more of the SMB shares, whatever shares I have added S-1-1-0 Everyone / FULL / ALLOWED to will immediately start working on both Mac and Windows. It doesn't make a difference whether or not the other users' SIDs are left there; if 'Everyone' is present the share works under the alternate NetBIOS name.

As soon as S-1-1-0 Everyone is deleted (while the NetBIOS name is set to something other than 'TrueNAS'), that seems to be the point when the share stops working. In the Share ACL I also tried adding the Domain 'local' (to match what is set under 'Network >> Global Configuration >> Domain') and set the user's username under 'Name', but after you click 'Save' these Domain and Name fields both delete themselves.

Also I should have mentioned that I am not using AD, just regular Samba / SMB.

I'm not sure if this is a bug or if I am missing something, but I sincerely appreciate any suggestions or feedback!
 

extremesurf

Something else interesting: If I add S-1-1-0 Everyone / FULL / ALLOWED to a Share ACL and also have the user SID for my user set as well, I can connect to the share no problem. Then if I delete S-1-1-0 Everyone / FULL / ALLOWED and 'Save', then I am still able to continue to read/write data in that share until I disconnect. After I disconnect and then try to reconnect (with only the user SID in the Share ACL), then on Mac I get 'There was a problem connecting to the server, there are no shares available or you are not allowed to access them' and on Windows I just get 'Access Denied'.
 

extremesurf

I created a PDF (see attached) of the process I used to create the datasets/shares so they are only displayed & accessible to authorized users. Just thought this might be helpful in narrowing down the problem, if I have done something wrong maybe it will jump out at someone.
 

Attachments

  • TrueNAS Scale - Authorized Dataset.pdf
    80.9 KB · Views: 180

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
SMB share ACL is evaluated at time of SMB tree connect. Filesystem ACLs are enforced by the kernel as one would normally expect.

Changing the netbios name is a disruptive process; among other things, it forces a change of the system SID. Share ACLs explicitly store NT security descriptors (which contain only SIDs for identifying principals) in samba's share_info.tdb file. The netbios name change changes the SID mapping, which changes how the SD will be enforced.

In general, you shouldn't be changing the netbios names of production servers (or at least do it during a maintenance window).
 

extremesurf

Thank you for the information, greatly appreciated! As I mentioned, I am still in the process of setting up this new server so it is not in production, however in my ignorance I had no idea that the users' SIDs change when you change the NetBIOS name. This is good to know and makes perfect sense now that you have explained it.

I have changed the users' SIDs to match the new updated SIDs and now it is working as expected again under the new NetBIOS name. Thank you again for taking the time to explain it!
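
The stale-SID condition explained in the thread, as an added example that is not part of the original posts and is not TrueNAS or Samba code: it audits a share ACL dump against the current local machine SID and flags entries that still carry the old prefix. The ACL text (in the style of `sharesec <share> --view`), the SIDs, the RIDs and the function names are constructed for illustration, and the suggested replacement assumes each account keeps its RID across the rename, which should be checked against the account database before applying.

```python
import re

# Constructed sample: share ACL text in the style of `sharesec <share> --view`,
# as it would look if written before the NetBIOS name change.
SHARE_ACL = """\
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1111111111-2222222222-3333333333-20041:ALLOWED/0x0/FULL
ACL:S-1-5-21-1111111111-2222222222-3333333333-20042:ALLOWED/0x0/FULL
"""
# Constructed: machine SID after the rename (e.g. as reported by `net getlocalsid`).
NEW_LOCAL_SID = "S-1-5-21-4444444444-5555555555-6666666666"

ACE_RE = re.compile(r"^ACL:(S-[\d-]+):(ALLOWED|DENIED)/(\w+)/(\w+)$")
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def audit_share_acl(acl_text, local_sid):
    """Classify each ACE as 'well-known', 'current' or 'stale' (old machine SID)."""
    findings = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # REVISION / CONTROL / OWNER / GROUP lines
        sid, ace_type, _flags, perm = m.groups()
        acct = ACCOUNT_SID_RE.match(sid)
        if acct is None:
            status, suggested = "well-known", sid   # e.g. S-1-1-0, unaffected by rename
        elif acct.group(1) == local_sid:
            status, suggested = "current", sid
        else:
            # Assumption: the RID survives the rename, only the prefix changes.
            status, suggested = "stale", f"{local_sid}-{acct.group(2)}"
        findings.append({"sid": sid, "type": ace_type, "perm": perm,
                         "status": status, "suggested": suggested})
    return findings

def grants_access(findings, user_sid):
    """Simplified tree-connect check: an ALLOWED ACE for this SID or Everyone.
    Ignores DENIED ACEs and group membership."""
    return any(f["type"] == "ALLOWED" and f["sid"] in (user_sid, "S-1-1-0")
               for f in findings)

if __name__ == "__main__":
    for f in audit_share_acl(SHARE_ACL, NEW_LOCAL_SID):
        print(f"{f['status']:<10} {f['sid']} -> {f['suggested']}")
```

Because the share ACL is only evaluated at tree connect, a session opened before the ACL or name change keeps working until it disconnects, so run the audit before users reconnect rather than waiting for 'Access Denied' reports.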
 