FreeNAS 9.10.2 STABLE U2 (e1497f2) CIFS mount from fstab no longer working


Grewterd (Dabbler; joined Nov 30, 2015; 31 messages):
Just updated to FreeNAS 9.10.2 STABLE U2 (e1497f2); after reboot, my Ubuntu clients will no longer mount CIFS shares from fstab, getting mount error(13): Permission denied.

My fstab line is:

//servername/sharename /path/tomountto cifs credentials=pathtocredfile,_netdev,rw,user,sec=ntlm,uid=1000,auto 0 0

Credentials file:

username=username
password=password
domain=domain

Trying manually from command line gets same error:

sudo mount -v -t cifs //servername/sharename /path/tomountto -o credentials=pathtocredfile,_netdev,rw,user,uid=1000,auto,sec=ntlm

Removing sec=ntlm resolves the issue. I tried all the other sec=ntlm* arguments, same thing.

Just wondering if something changed to cause this, if it's just me, etc. Thanks.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
It might be Samba finally deprecating an auth method that shouldn't ever be used with a semi-modern OS. :) If it works without the parameter, don't worry.
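
The client-side fix that follows from the two posts above, as an added example (not code from the thread, FreeNAS or Samba): `sec=ntlm` asks cifs.ko for NTLMv1-era password hashing, which a server running Samba 4.5.0 or later refuses by default because the `ntlm auth` default changed from yes to no in that release. Dropping the option lets the kernel fall back to its own default, NTLMSSP (negotiating NTLMv2), which is why the mount works without it. The script below classifies the `sec=` option of a mount option string and rewrites fstab entries that pin NTLMv1 to `sec=ntlmssp`; the fstab content, hostnames and paths are constructed for the demo, and the option semantics assumed are those documented for the Linux cifs module.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS/Samba.
# Classifies the authentication a CIFS mount option string asks for and
# rewrites fstab entries that pin NTLMv1, so a client stops tripping over a
# server whose 'ntlm auth' default is 'no' (Samba 4.5.0 and later).
# Assumptions: cifs.ko option names (sec=ntlm/ntlmi/lanman select NTLMv1-era
# hashing, sec=ntlmv2* NTLMv2 hashing, sec=ntlmssp* NTLMSSP which negotiates
# NTLMv2, sec=krb5* Kerberos); with no sec= option recent kernels default to
# ntlmssp. The fstab content below is constructed for the demo.

# Print the auth class of one comma-separated mount option string.
cifs_sec_class() {
    sec=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
    case "$sec" in
        "")                echo "default-ntlmssp" ;;
        ntlm|ntlmi|lanman) echo "ntlmv1" ;;     # refused when 'ntlm auth = no'
        ntlmv2|ntlmv2i)    echo "ntlmv2" ;;
        ntlmssp|ntlmsspi)  echo "ntlmssp" ;;
        krb5|krb5i)        echo "kerberos" ;;
        none)              echo "anonymous" ;;
        *)                 echo "unknown:$sec" ;;
    esac
}

# Read fstab text on stdin; cifs entries forcing NTLMv1 get sec=ntlmssp.
# Comments, blank lines and non-cifs entries pass through untouched; an
# entry that is rewritten is re-joined with single spaces between fields.
harden_fstab() {
    awk '
    NF < 4 || $1 ~ /^#/ || $3 != "cifs" { print; next }
    {
        n = split($4, o, ",")
        changed = 0
        for (i = 1; i <= n; i++)
            if (o[i] == "sec=ntlm" || o[i] == "sec=ntlmi" || o[i] == "sec=lanman") {
                o[i] = "sec=ntlmssp"; changed = 1
            }
        if (!changed) { print; next }
        $4 = o[1]
        for (i = 2; i <= n; i++) $4 = $4 "," o[i]
        print
    }'
}

# Constructed sample fstab (hostnames and paths are placeholders).
SAMPLE_FSTAB='# constructed sample, not a real host
//servername/sharename /path/tomountto cifs credentials=pathtocredfile,_netdev,rw,user,sec=ntlm,uid=1000,auto 0 0
//nas/backup /mnt/backup cifs credentials=/root/.smbcreds,vers=3.0,sec=ntlmssp 0 0
UUID=1234-ABCD /boot vfat defaults 0 2'

# Demo: classify the option string from the thread, then print the rewritten table.
cifs_sec_class 'credentials=pathtocredfile,_netdev,rw,user,sec=ntlm,uid=1000,auto'
printf '%s\n' "$SAMPLE_FSTAB" | harden_fstab
# After editing the real /etc/fstab, re-test with: mount /path/tomountto
```

Run it against a copy of the real file (`harden_fstab < /etc/fstab > /tmp/fstab.new`, diff, then install) rather than in place. The thing not to do is "fix" this from the server side with `ntlm auth = yes`, which re-enables NTLMv1 for every client of the share, not just the one that pinned it.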
 

stoffix (Dabbler; joined Apr 26, 2013; 20 messages):
After upgrading to FreeNAS 9.10.2 STABLE U2 my winXP machine can't access the shares anymore. A downgrade fixes it.

Maybe it's related?
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
After upgrading to FreeNAS 9.10.2 STABLE U2 my winXP machine can't access the shares anymore. A downgrade fixes it.

Maybe it's related?
Probably. You may need to look through the Samba 4.4 release notes and find parameters that basically mean "MITM me, please". I'm not sure what the problem is that people are experiencing. It might be a good idea to file a bug report with as much detail as possible. I think maybe samba started preventing raw old-school ntlm auth (or ntlmssp) by default. Vista+ deprecated ntlmssp in favor of kerberos.

Samba had to make changes to how it handles ntlmssp because of the risk of MITM attacks. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2110

If the "MITM me please" parameters don't fix the problem for your XP box, definitely file a bug report because it's possible that ntlm / ntlmssp is broken in net/samba44. Note that this is not a NT1 (SMB1) problem because my samba 3.6 machines are still able to connect to my FreeNAS shares.
 

stoffix (Dabbler; joined Apr 26, 2013; 20 messages):
Thank you so much for your pointers!
The key setting for me was "ntlm auth = yes", which makes my winXP computer able to access my shares again.
I do get the impression this is not particularly safe though.

#edit:
By changing the local security policy on the winXP machine to "Send NTLMv2 response only. Refuse LM and NTLM" instead of "Send LM & NTLM responses" I was able to remove the "ntlm auth = yes" and still have access to my shares.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
Thank you so much for your pointers!
The key setting for me was "ntlm auth = yes", which makes my winXP computer able to access my shares again.
I do get the impression this is not particularly safe though.

#edit:
By changing the local security policy on the winXP machine to "Send NTLMv2 response only. Refuse LM and NTLM" instead of "Send LM & NTLM responses" I was able to remove the "ntlm auth = yes" and still have access to my shares.
Good. I don't think it's something to get too worried about. NTLM isn't as serious a security risk as some other things... like using Windows XP in 2017. ;)
 

hbasbay (Cadet; joined Feb 27, 2017; 6 messages):
I'm dealing with the same problem. XP client machines cannot connect to the FreeNAS server. Currently we do not have any other way than to use XP on the client computers. It will be difficult to make this setting individually for over 20 clients. Is there no other way?
 

hbasbay (Cadet; joined Feb 27, 2017; 6 messages):
Thank you so much for your pointers!
The key setting for me was "ntlm auth = yes", which makes my winXP computer able to access my shares again.
I do get the impression this is not particularly safe though.

#edit:
By changing the local security policy on the winXP machine to "Send NTLMv2 response only. Refuse LM and NTLM" instead of "Send LM & NTLM responses" I was able to remove the "ntlm auth = yes" and still have access to my shares.

Dear stoffix, would you please explain exactly how you did it?
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
I'm dealing with the same problem. XP client machines cannot connect to the FreeNAS server. Currently we do not have any other way than to use XP on the client computers. It will be difficult to make this setting individually for over 20 clients. Is there no other way?

If this is an AD environment, you should just push out the settings change via group policy.

Otherwise, add the auxiliary parameter

    ntlm auth = yes

under 'services' -> 'cifs'.

To be honest, I have mixed feelings about helping you keep this running. Running a network of 20 XP machines in a business capacity is borderline IT malpractice. You should really find a better solution.
 

hbasbay (Cadet; joined Feb 27, 2017; 6 messages):
Dear anodos, thank you very much for your interest and answer. You are right. Because of financial problems, we cannot upgrade the XP machines. For now we have to continue with XP machines. I will try the solution you mentioned. Again, greetings.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
Dear anodos, thank you very much for your interest and answer. You are right. Because of financial problems, we cannot upgrade the XP machines. For now we have to continue with XP machines. I will try the solution you mentioned. Again, greetings.

Bean-counters never initially agree to any sort of necessary maintenance / upgrades if it costs money. That's why it's your job to advocate for it. Take into consideration the following costs:
  • hardware maintenance on aging equipment along with the man-hours lost in event of hardware failure
  • power consumption (old XP machines are not efficient)
  • cost to business in case of security breach or in case of ransomware infection
  • cost to business in terms of man-hours maintaining unsupported operating systems (your time costs money as well)
Also look into productivity-enhancing features of modern operating systems. For most small businesses the largest expense isn't IT, it's paying employees to do things (or redo things).

Buying brand-new computers with a newly-licensed OS isn't always a necessity. Depending on the nature of your business, you may be able to make a business case for using linux. Since you are outside the USA, you can also probably use un-activated Windows 10. I believe your ability to personalize the OS will be limited (no changing background) and you will be occasionally nagged about activating, but you will receive security updates. Some experimentation may be warranted. The point is that running XP indefinitely will eventually bite you or your business in the ass.
 

stoffix (Dabbler; joined Apr 26, 2013; 20 messages):
Dear stoffix, would you please explain exactly how you did it?
In FreeNAS, under Services -> SMB, I added the line 'ntlm auth = yes' in the box for Auxiliary parameters.
As I mentioned, I took away this option and went for a different solution:

In winXP I change the security policy 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only\refuse LM and NTLM.'

You can use this guide to find the setting: https://www.imss.caltech.edu/node/396
I hope it helps :)
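
The two fixes stoffix describes (and anodos' auxiliary-parameter suggestion above) sit on opposite ends of the connection, and it is worth being precise about what each one does. `ntlm auth = yes` on the FreeNAS box re-enables NTLMv1 for every client, not only the XP machines; Samba changed this parameter's default from yes to no in Samba 4.5.0, which is why the share stopped accepting XP's default "Send LM & NTLM responses". Raising the XP policy "Network security: LAN Manager authentication level" to "Send NTLMv2 response only\refuse LM & NTLM" (registry value LmCompatibilityLevel = 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is what a Group Policy push would set on the 20 clients) fixes the client instead and leaves the server at its secure default. The script below is an added example, not code from the thread, FreeNAS or Samba: it reads smb.conf-style text (as `testparm -s` prints it) and reports whether that server still accepts NTLMv1, accounting for the version-dependent default. The two configurations are constructed; the parameter values it understands are those documented for `ntlm auth` in Samba 4.5 and the extra ones added in 4.7.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS/Samba.
# Reports whether a Samba configuration will accept NTLMv1 (the thing the
# 'ntlm auth = yes' auxiliary parameter turns back on), taking the version-
# dependent default into account: 'ntlm auth' defaulted to yes before Samba
# 4.5.0 and to no from 4.5.0 on. Assumptions: smb.conf syntax as printed by
# 'testparm -s' (a [global] section, 'key = value' lines, parameter names
# case- and whitespace-insensitive); the two configs below are constructed.

# Print the default of 'ntlm auth' for a Samba version string such as 4.5.3.
ntlm_auth_default() {
    printf '%s\n' "$1" | awk -F. '{
        d = ($1 > 4 || ($1 == 4 && $2 >= 5)) ? "no" : "yes"
        print d
    }'
}

# Print the effective value of one [global] parameter from smb.conf text on
# stdin, or the given default when it is unset. The last occurrence wins,
# which matches FreeNAS appending auxiliary parameters after its own lines.
smb_global_param() {
    awk -v key="$1" -v def="$2" '
    BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
    sect == "global" && index($0, "=") > 0 {
        k = substr($0, 1, index($0, "=") - 1)
        v = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (tolower(k) == key) val = tolower(v)
    }
    END { r = (val == "") ? def : val; print r }'
}

# Classify the NTLMv1 exposure of smb.conf text ($1) on Samba version ($2).
ntlmv1_exposure() {
    val=$(printf '%s\n' "$1" | smb_global_param "ntlm auth" "$(ntlm_auth_default "$2")")
    case "$val" in
        yes|true|1|on|ntlmv1-permitted)                    echo "ntlmv1-allowed" ;;
        no|false|0|off|ntlmv2-only|mschapv2-and-ntlmv2-only) echo "ntlmv2-only" ;;
        disabled)                                          echo "ntlm-disabled" ;;
        *)                                                 echo "unknown:$val" ;;
    esac
}

# Constructed: roughly what FreeNAS generates after adding the auxiliary parameter.
WEAK_CONF='[global]
    server string = FreeNAS Server
    workgroup = WORKGROUP
    ntlm auth = yes

[share]
    path = /mnt/tank/share
    read only = no'

# Constructed: the same server without the auxiliary parameter.
SAFE_CONF='[global]
    server string = FreeNAS Server
    workgroup = WORKGROUP

[share]
    path = /mnt/tank/share
    read only = no'

# Demo: the workaround versus relying on the 4.5 default versus an older Samba.
# On a real box feed it the output of 'testparm -s' and the version from 'smbd -V'.
ntlmv1_exposure "$WEAK_CONF" 4.5.3
ntlmv1_exposure "$SAFE_CONF" 4.5.3
ntlmv1_exposure "$SAFE_CONF" 4.4.5
```

The practical reading of the result: "ntlmv1-allowed" means any client that can reach the share can still authenticate with NTLMv1 responses, which are DES-based and cheap to crack or relay once captured on the wire; that is the exposure the Samba default change (and the XP policy change) removes. Prefer fixing the clients, and if the auxiliary parameter must stay for printers or scanners that cannot do NTLMv2, treat it as a documented exception to remove later.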
 

stoffix (Dabbler; joined Apr 26, 2013; 20 messages):
Good. I don't think it's something to get too worried about. NTLM isn't as serious a security risk as some other things... like using Windows XP in 2017. ;)
I get your point! Running 17-year-old software is not the best thing to do! I'm considering changing this computer to Linux, and all my shares to NFS instead of CIFS, since Windows 7 and up seem to support NFS. I just need the time ;)
 

I-Tech (Dabbler; joined Aug 14, 2015; 36 messages):
OK.. so for those of us with Win8.1.. can't seem to connect to SMB shares after U2..
Seems to connect from Server 2008 R2 and Win7 OK.. but not my Win8.1 system.
Have tried messing with the min / max protocol settings on the FN box (SMB2/SMB3/etc..).
Have tried messing with the min session security settings on the Win8.1 box (NTLMv2/128-bit),
but always get "username or password incorrect".
Any ideas?
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
OK.. so for those of us with Win8.1.. can't seem to connect to SMB shares after U2..
Seems to connect from Server 2008 R2 and Win7 OK.. but not my Win8.1 system.
Have tried messing with the min / max protocol settings on the FN box (SMB2/SMB3/etc..).
Have tried messing with the min session security settings on the Win8.1 box (NTLMv2/128-bit),
but always get "username or password incorrect".
Any ideas?
1) Disable home groups on Win 8.1
2) Disable the firewall on Win 8.1
3) Use the IP address to navigate to the FreeNAS server ("\\server\share")
 

I-Tech (Dabbler; joined Aug 14, 2015; 36 messages):
1) Disable home groups on Win 8.1
2) Disable the firewall on Win 8.1
3) Use the IP address to navigate to the FreeNAS server ("\\server\share")
Thanks..
No homegroup (domain workstation) (have tried the .\username as well).
Firewall off.. no change.
IP address.. no change.
 

I-Tech (Dabbler; joined Aug 14, 2015; 36 messages):
Added "ntlm auth = yes" to "Auxiliary parameters" on the SMB service as suggested, which gave me access.. but I am curious why I couldn't get the NTLMv2 setting on Win8.1 to work.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
Added "ntlm auth = yes" to "Auxiliary parameters" on the SMB service as suggested, which gave me access.. but I am curious why I couldn't get the NTLMv2 setting on Win8.1 to work.
Oh, I misunderstood the gist of your post. Some users have been having inexplicable problems with NTLMv2 on FreeNAS servers. I haven't been able to reproduce the issue on any clients I administer.
 

Alvin (Explorer; joined Aug 12, 2013; 65 messages):
This is especially an issue on MFC devices, which can no longer scan to SMB. So far I've seen this on Canon devices (with or without Fiery Print Server) and Ricoh.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages):
This is especially an issue on MFC devices, which can no longer scan to SMB. So far I've seen this on Canon devices (with or without Fiery Print Server) and Ricoh.
Indeed. My experience is that printers always have the shittiest SMB implementations around. :D

Huh? I just realized that the forumware changes "shit" to "crap". Bollocks.
 