CIFS share does not require password anymore

Status
Not open for further replies.

celsius

Cadet
Joined
Dec 11, 2014
Messages
2
Hi all, I upgraded my NAS from version 9.2.1.9 to 9.3. All seems to be working well except the CIFS share. I don't know why, but although I have "Allow Guest Access" unchecked, the share is accessible to guests and a password is not required anymore. Everybody can access the share with read permissions, and I am not able to secure the data. Thanks for help.
C.

This is my smb.conf

[global]
server max protocol = SMB3_00
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 456284
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
server string = NAS Server
ea support = yes
store dos attributes = yes
hostname lookups = yes
acl allow execute always = true
acl check permissions = true
dos filemode = yes
domain logons = no
local master = yes
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = standalone
netbios name = nasserver
workgroup = WORKGROUP
security = user
pid directory = /var/run/samba
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP852
unix charset = UTF-8
log level = 1
guest ok = no


[d2]
path = /mnt/dataset/d1/d2
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[d1]
path = /mnt/dataset/d1
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
 

dlavigne

Guest
From a windows system, what are the permissions for the folder?
 

celsius

Cadet
Joined
Dec 11, 2014
Messages
2
From Windows the permissions are: Everyone Read + Read and Execute + List Folder content, for user Root Full control and for group Wheel Full control as well. And permissions are the same for both shared folders. thx
 

ck42

Dabbler
Joined
Mar 29, 2014
Messages
13
Was about to post a new thread on this... (new user)
I just installed a fresh copy of 9.3 and am playing around with FN.
I've got everything set up for users and shares, but as celsius describes, I'm able to see all the other users' shares and am also able to browse those shares w/o being prompted for a login. In fact, NONE of the shares are prompting me, even the one that I set up for myself.
 

russoj88

Dabbler
Joined
Aug 22, 2014
Messages
26
I am having the same issue. I have not been able to set up a password protected share in 9.3.

EDIT: I am nuking my current FreeNAS and starting from scratch, will update with directions I used and results when it's done.
 

russoj88

Dabbler
Joined
Aug 22, 2014
Messages
26
Steps I followed:
Install OS
Exit wizard
Update OS
create user john
defaults except password and full name
create volume jnas
create dataset share-john
share type windows
update permissions
set group to john
create share sharejohn
click yes to enable service

Now I'm getting "\\FREENAS\sharejohn is not accessible..."

Any ideas?

Windows (7) says it can't display security of share.
 

russoj88

Dabbler
Joined
Aug 22, 2014
Messages
26
Dru, I'm not sure about the OP, but I was able to get my system the way I had originally planned.

I was having multiple issues with what I think was caching. I set up a Windows backup with my user, and then that user was being used to log in to the FreeNAS system on startup. This is, I think, why I could not access other shares as other users.

Most relevant to this post, at least one of the other issues I was having was understanding the defaults with CIFS. When I created the Windows shares, I was expecting the defaults to remove read from "Everyone" when the Allow Guest Access checkbox was unchecked. This was a wrong assumption on my part. By default, "Everyone" can read and traverse directories, but cannot modify.

I should also mention the new video on YouTube was a help!
 

Gen8 Runner

Contributor
Joined
Aug 5, 2015
Messages
103
Hello together,
anything new about it? Any solution?

Having the same issue.
On using "Add Network-Harddrive", entering \\xxx.xxx.xxx.xx\NAS I am prompted for a user/password.

BUT
Entering \\xxx.xxx.xxx.xx directly in Explorer, I am shown the CIFS share (in my case called NAS) right away, and can access it, read and edit ALL data without entering a user/password. No passwords stored and no guest access activated.
So, nothing to be proud of, to protect the data.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, you are using Windows.

Windows will try to connect with the user credentials it has. Samba will either accept them, accept them as a guest, or deny them based on various settings and such.

But I can tell you that Windows Explorer will certainly attempt to gain access via guest.

So this is clearly a situation where your user credentials, your permissions, Windows' lame attempts to grant any access it can get without your permissions or consent, or a combination of them is responsible.

I can tell you that if things are properly configured you should be able to get whatever behavior you want. It's just a matter of configuring it.
 

Gen8 Runner

Contributor
Joined
Aug 5, 2015
Messages
103
Hey,
ya, that is right, I have one client (my own laptop) that is using Windows 8 and there is just another Raspberry Pi powered by OpenELEC KODI Isengard in my network.

I added a few screenshots of how I tried to get the right CIFS shares.

The situation is as follows:
4 users: 1. Martin 2. LaptopBackup 3. BackupDesktop 4. Public
Users 1, 2, 3 should have their own dataset and no one should have access to it. Just users 1, 2, 3 should have access to the public dataset.
All accounts have a password, so even the public one should have to enter a passphrase to enter the public dataset.

But anyway, it is possible to enter all datasets in the Microsoft Explorer (e.g. I connect the network storage device public, enter the IP address of my NAS server and can even access martin, laptopbackup etc., that normally should be protected by a passphrase).

Any ideas?
Tried so many solutions, tried the official youtube tutorial to 9.3 cifs shares....
 

Gen8 Runner

Contributor
Joined
Aug 5, 2015
Messages
103
Hey together,
just found the solution for my problem, not being prompted for usr/pwd on a CIFS share.

I added in the field "Additional parameters" under the CIFS share "valid users = xyz" or "valid users = @xyz" (without quotation marks).
The first one without the @ is for single user sharing, the one with the @ is for groups of users who should be allowed to access the CIFS share.

With that simple command, my CIFS shares now work how they should and I am prompted for usr / pwd.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
LOL. Then I have news for you.. you didn't fix the problem... you worked around it. I'll try to explain.

Windows, by default, tries to connect to a server with the credentials of the user you are logged in as. Samba, depending on how you configured it, will either say "eh, he meant guest" (and then grant guest permissions if guest has any permissions) or will reject your credentials. If you are rejected, then Windows tries to connect as a guest. If the guest account is rejected, then credentials are simply asked for (which you then must provide).

It sounds like all you did was force the logged in Windows user to fail, and for guest to fail, thereby forcing Windows to require authentication.

What you did will work, so long as you are okay with the implications of setting those values. Personally, I don't manage my servers in this fashion, so I would not want to do this on my setups. :)
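
A way to check which of the settings discussed in this thread actually gate a share, as an added example that is not part of any post: the script reads smb.conf text and reports, per share, whether Samba admits guests, only the accounts named in `valid users`, or any authenticated account (leaving the filesystem ACL, such as the default "Everyone" read entry, as the only barrier). The function names and the [NAS] and [pub] sample shares are assumptions made for the example.

```python
import re

TRUE = {"yes", "true", "1"}          # boolean spellings from smb.conf(5)
SYNONYMS = {"public": "guestok"}     # "public" is a synonym for "guest ok"

# Constructed sample: [d1] mirrors the share posted in the thread, [NAS] adds
# the "valid users" line from the later post, [pub] is a hypothetical guest share.
SAMPLE = """
[global]
map to guest = Bad User
guest ok = no
[d1]
guest ok = no
[NAS]
valid users = @xyz
[pub]
public = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            key = "".join(name.split()).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_shares(text):
    """Map each share to who Samba admits before filesystem ACLs apply."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})
    report = {}
    for share, params in conf.items():
        eff = {**defaults, **params}          # share-level settings win
        if eff.get("guestok", "no").lower() in TRUE:
            report[share] = "guest access allowed"
        elif eff.get("validusers"):
            report[share] = "restricted to: " + eff["validusers"]
        else:
            report[share] = "any authenticated account; filesystem ACL decides"
    return report
```

Run `audit_shares()` on the live configuration text; a share in the last category prompts for a password only when the Windows session's own credentials are rejected.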
 