SOLVED FreeNAS-11.3-U5 --> TrueNAS CORE 12.0-U4: Can't access my SMB shares as "root" anymore... Can't access at all actually!

Joined
Jun 19, 2021
Messages
24
Hi,
Titles have to be precise and explicit, so...
Here it is:
I used FreeNAS-11.3-U5 on a TrueNAS Mini XL+ (with some disks, volumes and configuration from a previous DIY NAS under FreeNAS too);
I use my NAS only as a personal and local NAS with (forced) SMB(1) shares (for both Windows 10 & SparkyLinux) that I access as "root";
then today, I upgraded to TrueNAS CORE 12.0-U4 and since then, I can't access my shares anymore, neither from Windows 10 nor SparkyLinux.
Password is declined (on Windows 10) or just ignored (on SparkyLinux), period.
I know that connecting as "root" is not recommended, but it's convenient and easy to manage for a personal and strictly local NAS.
However, I can't find out why it doesn't work anymore, pools have been updated, configuration (user, network & SMB service) doesn't seem to have been modified...
Can someone help me?
Thanks in advance.
PS: I'm European, please don't give up on me because of the time difference...
Pépé
 

X3n0n

Dabbler
Joined
Apr 26, 2021
Messages
17
It's not a bug, it's a feature, described in the release notes of U3:


TrueNAS "root" user account cannot be an SMB user. This is an intentional change to improve software security and suitability for deployment in a variety of environments. Update the SMB configuration to use a different user account.
 
Joined
Jun 19, 2021
Messages
24
Thanks X3n0n.
So I guess I have 2 options:
- downgrade to 12.0-U2, but it sounds like a bad idea;
- "just" create a new SMB user BUT I always had "root" user only, and for years! Can I safely create a new user, and dataset, and ACL, etc. (how convenient!) without any loss of data?? And make these "root" data accessible for that new user? That "intentional change" is really not friendly!
 
Joined
Jun 19, 2021
Messages
24
...In the second case scenario, I would have to:
- Accounts --> New user
- Storage --> Pools --> Edit permissions --> Let "root" as user and set the new user as group? With Full Control options?
No need to create a new dataset, no loss of data either, right?
 

X3n0n

Dabbler
Joined
Apr 26, 2021
Messages
17
The second option is the way to go.
You are right, you need to create a new user, give the user the correct permission on the dataset and it should be enough.
Depending on whether you are using ACLs or not, applying new permissions can vary slightly.

But don’t worry, worst case scenario your permissions are not well configured and you can’t access your samba share. Applying correct permissions will fix it.

You will not lose any data.
 
Joined
Jun 19, 2021
Messages
24
Hi X3n0n,
well, thank you for your support, 'cause I'm living a nightmare:
- I did create a new user with the right permissions (almost everything but delete)
- I can't modify the current dataset 'cause it's root!
- I can create a new dataset (empty) on the pool, link it to that new user, and create a new SMB share path: it appears on both Windows 10 & SparkyLinux BUT can't be accessed...
+
New incongruity: I got 4 pools, all with the same config: 2 of them are still accessible through SparkyLinux with my "root" account...
-
Is there any way you post me a detailed procedure for:
- creating a new user with full control;
- creating a new dataset linked to that user;
- creating the SMB share;
- making the "root" data accessible through that dataset...
??
I may have been wrong somewhere, but I can't find out where?
Thanks in advance,
Pépé
 

X3n0n

Dabbler
Joined
Apr 26, 2021
Messages
17
Let's see what you need to do.

1) Create user
Accounts -> Users -> Add, and check that "Samba Authentication" is checked at the bottom of the page.

2) Give the new user permission to the dataset
This step can be done in different ways:
2a) Tweaking user and group owner of the dataset (WithOUT ACL)
Default is root/wheel so you can either change user owner or add new user in the group owner. Check if group can read/write/execute if you pick this way.
2b) User ACL
You can let root/wheel user and group owner and tweak ACL to give rights to your newly created user.
Default ACLs are:
@owner Allow FullControl
@group Allow FullControl

@owner and @group refer to the owner group and user.

You can add an item to those ACL (Button Add ACL Item)

Here you can specify either a user or a group permission.
To give access to one user, choose "user" (not @user).
In the user field, start typing the name of the newly created user (autocomplete should kick in and you need to select the user from the dropdown list)
Permission : Allow and either FullControl or Modify

Then if you want these permissions to be applied to the existing files and directories, check "Apply permissions recursively".

You shouldn't have anything to do on the SMB Share side apart from sharing the dataset.

Important for Windows machines: Change the credentials to access your share (you used root before, you need to use the new user now).
Clear the old credentials in Windows: https://kb.intermedia.net/article/44527

I suggest you try this on a dummy dataset to test if everything works for you, then you can apply it on the existing dataset recursively.
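
Added example, not part of the thread: a small checker for step 2b that evaluates NFSv4 ACL entries in the text format printed by FreeBSD's `getfacl`, in order, for one user. The sample output, the pool name `tank` and the function names are constructed; `klf` and `NR--01` are the user and dataset named later in the thread. It covers ACL entries only, not share-level SMB settings.

```python
# Constructed getfacl output; pool name "tank" is a placeholder.
# BEFORE holds only the default root/wheel entries described above.
BEFORE = """\
# file: /mnt/tank/NR--01
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow
"""
AFTER = BEFORE + "          user:klf:rwxpDdaARWcCos:fd-----:allow\n"

def parse_getfacl(text):
    """Return (owner, group, entries); entry = (tag, name, perms, flags, kind)."""
    owner = group = None
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            f = line.split(":")
            if f[0] in ("user", "group"):   # user:NAME:perms:flags:type
                entries.append((f[0], f[1], f[2], f[3], f[4]))
            else:                           # owner@ / group@ / everyone@
                entries.append((f[0], None, f[1], f[2], f[3]))
    return owner, group, entries

def is_granted(text, user, groups, wanted):
    """True if the ACL entries alone grant every permission letter in wanted."""
    owner, group, entries = parse_getfacl(text)
    undecided = set(wanted)
    for tag, name, perms, flags, kind in entries:
        applies = (
            tag == "everyone@"
            or (tag == "owner@" and user == owner)
            or (tag == "group@" and group in groups)
            or (tag == "user" and name == user)
            or (tag == "group" and name in groups)
        )
        hit = undecided & set(perms.replace("-", ""))
        if "i" in flags or not applies or not hit:
            continue                        # "i" = inherit_only, not this object
        if kind == "deny":                  # first matching entry decides each bit
            return False
        undecided -= hit
        if not undecided:
            return True
    return False
```

With the constructed samples, `is_granted(BEFORE, "klf", {"klf"}, "rwx")` is false and the same call on `AFTER` is true, which is the difference the added `user` ACL item makes.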
 
Joined
Jun 19, 2021
Messages
24
Testing & failing again and again...

1st step: Accounts --> user -->add:
full name/user name/password
user folder: /nonexistent
permissions: user: read/write/execute + group: read/write/execute + other: read/execute
sudo + Microsoft account + Samba authentication

UID: 1000, builtin: no

Am I right until now?
 
Joined
Jun 19, 2021
Messages
24
2nd step: Pools --> modify permissions: "root dataset permissions cannot be edited"
BUT I can add a new dataset:
user: root / apply user
group: (new user primary group) / apply group
+
ACL:
1: owner@ / authorise / basic / Full control / basic / heritage
2: group@ / authorise / basic / Full control / basic / heritage
3: user / (new user name) / authorise / basic / Full control / basic / heritage
+
apply permissions recursively
apply permissions to children datasets

I guess I'm doing something wrong here, 'cause I can't access it via samba (neither Windows 10 nor SparkyLinux), but what?
 

X3n0n

Dabbler
Joined
Apr 26, 2021
Messages
17
First step seems good, UID 1000 so it's your first user I guess.

Next, it's totally normal to be unable to edit root dataset permission, I have the same behavior, you need to act on the child datasets individually.

Then, on a child dataset what you did seems fine.
It's a new dataset, did you share it with SMB ?

Can you tell me how you connect to your SMB share? Did you change the credentials to use the new user?
 
Joined
Jun 19, 2021
Messages
24
It's a new dataset, did you share it with SMB ?
:) OK, 3rd step: Shares --> SMB --> Add (path of the new dataset)
No presets
Activate
+
activate ACL
browsable (?) by network clients
activate snapshots
activate alternative data flux (?)
-
This new mounting point appears in both Windows 10 & SparkyLinux BUT none of them can access it...
-
Did you change the credential to use the new user ?
: Yes, I did (thanks again btw)
Windows 10: I connect through Explorer, as usual, I can't even enter a user name & a password, Windows answers me "Network error: Windows can't access to..."
SparkyLinux: I connect through Thunar, as usual, I got a connection window: (anonymous or) registered user --> user name + domain: WORKGROUP (default) + password -->nothing happens
-
... It must be ridiculous but I'm really stuck...
 

X3n0n

Dabbler
Joined
Apr 26, 2021
Messages
17
For my share settings, I have :
- Enable ACL
- Browsable by network client
- Enable Shadow copies
- Enable alternate data stream
- Enable SMB2/3 Durable handshake.

I don't know about SparkyLinux, on my linux machines I use the mount command with cifs type.

In Windows, how do you connect in Explorer? There are many ways to do it.
What if you type in explorer window : \\IP_TRUENAS\ShareName ?
 
Joined
Jun 19, 2021
Messages
24
For my share settings, I have :
- Enable ACL
- Browsable by network client
- Enable Shadow copies
- Enable alternate data stream
- Enable SMB2/3 Durable handshake.
--> Did it. Tried with and without "Enable SMB1", tried with and without "Enable SMB2/3 durable handshake" from Apple. Same fail.
What if you type in explorer window : \\IP_TRUENAS\ShareName ?
--> Did it, same pop-up error message, without the possibility to enter a user name and a password. Diagnostic: "Your user account doesn't have permission to access to..."
-
In addition, I'd say I doubt that the way I try to connect to SMB would be the problem, since I did it the same way for years until 2 days ago with many machines and OSes (Windows 10, Xubuntu, SparkyLinux, etc.). The only "known issue" is that XFCE & Thunar "need" SMB1 (forcing SMB3 through samba and smb.conf doesn't work), that's why I used to force "Enable SMB1".
I'm worried something's wrong about the ACL or something...
Would screenshots be useful?
 

X3n0n

Dabbler
Joined
Apr 26, 2021
Messages
17
I only asked how you did to be sure
1) You used the IP and the share name
2) You cleared the old credential

I think it's time to ask @anodos for help, who has some experience with this kind of problem.
 
Joined
Jun 19, 2021
Messages
24
I only asked how you did to be sure
--> I totally understand! I wasn't complaining!
1) You used the IP and the share name
2) You cleared the old credential
--> Yep, I first cleared the old credential, and then directly type "\\192.168.x.xx\ShareName"
Note that the ShareName mount point "naturally" appears on my network, both in Windows 10 & SparkyLinux.
-
I will carry on with a post with screenshots, who knows?, and invite @anodos to this thread.
Anyway, thank you so much for your help AND your time! Bless you!
 
Joined
Jun 19, 2021
Messages
24
New user, non-root, config:
Crop_User s2.png

New dataset on my first pool, config:
Crop_Pool s1.png

ACL for this newly created dataset, config:
Crop_Pool s2.png

Pools, the first one with the new dataset, overview:
Crop_Pool s3.png

Mount point of this new dataset, config:
Crop_Mount point s1.png

And finally, SMB service config:
Crop_SMB service s1.png
 

Bluegenie

Cadet
Joined
Jun 18, 2021
Messages
1
I was glad to find this same issue today, as I was encountering the same problem. Since I'm very new to FreeNAS and ZFS, I was lost when I upgraded my NAS to 12.0-U4. I had a fully functioning NAS beforehand, then after the upgrade, I could no longer access the SMB share. However, thanks to this thread, I'm now back online again. Thanks All!!
 
Joined
Jun 19, 2021
Messages
24
Well, I'm glad for you Bluegenie!
And at least, I know I'm not a total bungler and I've done things right... 'cause I'm still stuck and can't access my data for 4 days now, and I can't figure out where I fail...
 
Joined
Jun 19, 2021
Messages
24
Still inexplicably stuck. Even dropped forced SMB1, nothing better.
If it can help to understand where's the issue, here is how Windows 10 reacts:
FreeNAS appears in my network: double-click --> pop-up connection window --> klf (new user) + password --> I can "enter" FreeNAS and see mounting points, including NR--01 (THE dataset linked to the new user klf) --> pop-up error message: "Windows can't access to 192.168.x.xxx\NR--01..."
Please??
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Still inexplicably stuck. Even dropped forced SMB1, nothing better.
If it can help to understand where's the issue, here is how Windows 10 reacts:
FreeNAS appears in my network: double-click --> pop-up connection window --> klf (new user) + password --> I can "enter" FreeNAS and see mounting points, including NR--01 (THE dataset linked to the new user klf) --> pop-up error message: "Windows can't access to 192.168.x.xxx\NR--01..."
Please??

"root" is still in the ACL of the newly created dataset... isn't that what you are removing?
 