
FreeNAS stops recognizing me as a user over SMB.

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
This has been ongoing for quite a while and it's incredibly annoying. Everything will be working fine for weeks, then for no apparent reason when I log in over SMB like any other day it takes my credentials but instead of showing me the root share directory it shows me this:

Screenshot_1.png


Why? I can assure you I touched nothing in the WebUI or CLI because there's no reason for me to touch it if it's working. For no explainable reason it just quits.

Troubleshooting steps I've done that have yielded mixed results are:
Restart the server: Sometimes this fixes the error, sometimes not. As of late, if it does fix it, the fix doesn't last; it errors again in a couple of days.
Restart the SMB service: This worked once but hasn't worked since.

The only real "fix" that works for any extended period of time is deleting my user account and recreating it. This user owns the pool set to 700 permissions. So it's like the server takes the credentials because it knows them but it no longer recognizes my sessions as being part of that user so it won't let me in the pool.

On the other end in terms of access SSH/SFTP are completely unaffected. I can remote in with absolutely no trouble. It's just SMB.

Has anyone experienced this before? Any luck solving it?

I'm on FreeNAS 11.1-U6
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,250
Need some context. What client are you using when this happens? Have you tried from a different client? Did you make any network changes around the time you first noticed the issue? What is your FreeNAS hardware?
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
What client are you using when this happens?
Windows. 10 specifically.

Have you tried from a different client?
Not via SMB no.

What is your FreeNAS hardware?
Motherboard: ASRock EP2C602-4L/D16
CPUs: Intel Xeon E5-2670's
RAM: 16x8GB ECC UDIMM from Kingston
HBAs: 3x LSI 9207-8i
NIC: Broadcom BCM57810S
SSDs: 12x 960GB Intel DC S4500
HDDs: 8x WD gold 2TB

Did you make any network changes around the time you first noticed the issue?
I can verify no. I've actually done a clean install a few months ago due to unrelated issues. So unless Auxiliary Parameters have anything to do with it or SMB3 multichannel, or a 9000 MTU then I can't say anything else is the cause.
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,250
Might be worth trying logging in over SMB from a different client. If the issue persists, then at least we know the client is probably not the issue. If it disappears, then it could be something like a network driver on the first client that's causing the intermittent issues.
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
Might be worth trying logging in over SMB from a different client. If the issue persists, then at least we know the client is probably not the issue. If it disappears, then it could be something like a network driver on the first client that's causing the intermittent issues.
I'll have to wait for the issue to appear again before I can test that. I don't know of any way to induce it and I already applied my "fix".
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,250
A couple of other things to try when the problem resurfaces:
1. If it does turn out to be the client, try accessing the FreeNAS share via wireless and then the LAN port (assuming there is a LAN port on the client). If one works and not the other, that gets you a step closer to identifying the culprit on the client.
2. To eliminate the network being the issue, try a more direct connection to the server, e.g. a simple wired hub between the client and server. If the problem disappears, then it's almost certainly a network issue, which you will have to resolve. If the problem persists, then you'll need to seek further help from the brains trust on this forum to figure out what's going on in FreeNAS.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,762

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
A couple of other things to try when the problem resurfaces:
1. If it does turn out to be the client, try accessing the FreeNAS share via wireless and then the LAN port (assuming there is a LAN port on the client). If one works and not the other, that gets you a step closer to identifying the culprit on the client.
2. To eliminate the network being the issue, try a more direct connection to the server, e.g. a simple wired hub between the client and server. If the problem disappears, then it's almost certainly a network issue, which you will have to resolve. If the problem persists, then you'll need to seek further help from the brains trust on this forum to figure out what's going on in FreeNAS.
Well as the network stands right now it goes Server 10Gbit SFP+ NIC > 10Gbit switch > SFP+ 10Gbit client. I was previously doing P2P which I could test again. I am open to the idea of the issue being client side driver related as I haven't actually sourced a driver for my NIC. Just using whatever was pre-included with Windows. It's not a normal NIC though so I didn't find W10 drivers.

That sounds very wrong. You should explain what you're doing there, exactly.
I'm the server's only user. I set up the pool owner as myself then configured the SMB service to have the guest account be myself. So locally only my credentials will get you into the share. Then any other service or account can't access it unless I give express permission to. That's the logic behind that.

Then there's this other issue that the users (just me really) are in the pool and I can't set permissions outside of 700 (like the usual 744) because when done so recursively it edits the permissions on the user's .ssh file which unless set to 700 bricks public/private key authentication. I tried going in logged in as the user and editing that specific file with chmod and even though it takes effect attempts to authenticate continue to fail. So that's another reason permissions are 700.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,762
I set up the pool owner as myself
I'm not saying it's impossible to make that work, but it's an expressway to permissions hell, with all sorts of things breaking.

configured the SMB service to have the guest account be myself
In other words, you told Samba that unauthenticated users will use your user account.

I could spend some time trying to figure out what exactly went wrong here, but it seems wasteful. I don't understand why you opted for a rather convoluted permissions setup, but the correct way of doing things is:
  1. Do not touch the top-level dataset or the system dataset.
  2. Set ownership of datasets to be shared (and only those) according to who will be in charge of them.
  3. Set the permissions type (aclmode) on datasets to be shared via SMB to Windows (restricted).
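
The guest mapping described in this reply can be checked directly in the Samba configuration. The following is an added example, not part of the original post and not FreeNAS code: a Python audit of smb.conf-style text that reports when the guest account points at a real user and where guest access is allowed. The sample config, the user name `w7ge` and the share name `tank` are constructed.

```python
import re

# Constructed sample; the user "w7ge" and share "tank" are hypothetical.
SAMPLE_CONF = """\
[global]
    guest account = w7ge
    map to guest = Bad User
[tank]
    path = /mnt/tank
    public = yes
"""

# Samba treats these parameter names as synonyms.
SYNONYMS = {"public": "guestok", "onlyguest": "guestonly"}
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lose case and spaces, as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_guest(text):
    """List findings about who guest sessions run as and where they are allowed."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    account = glob.get("guestaccount", "nobody")      # Samba default: nobody
    mapping = glob.get("maptoguest", "Never")         # Samba default: Never
    findings = []
    if account.lower() != "nobody":
        findings.append(f"guest account = {account}: guest sessions act as this user")
    if mapping.lower() != "never":
        findings.append(f"map to guest = {mapping}: some failed logins become guest")
    for name, params in conf.items():
        guest_ok = params.get("guestok", glob.get("guestok", "no"))
        if name != "global" and guest_ok.lower() in TRUE:
            findings.append(f"[{name}] allows guest access as {account}")
    return findings

if __name__ == "__main__":
    for finding in audit_guest(SAMPLE_CONF):
        print(finding)
```

On a live system the same function can be fed the output of `testparm -s`, which prints the effective configuration.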
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
I'm not saying it's impossible to make that work, but it's an expressway to permissions hell, with all sorts of things breaking.
Agreed.

I could spend some time trying to figure out what exactly went wrong here, but it seems wasteful. I don't understand why you opted for a rather convoluted permissions setup
I can answer that for ya. It's simple. I never learned how to set it up "the right way" so I just messed with settings until I found a config that gave me the result I desired. This happens a lot when I have to figure something out for myself.

Doing it the way you described would I be able to create a dataset specifically for user accounts & information then a second for mass storage? Then I assume restricted would enable the requirement of the user account password on the server? I could see that fixing some issues. Seeing as how a spontaneous loss of permissions is what I'm experiencing maybe that could help. It'd require me to effectively destroy and rebuild the pool though. I need to ensure there's a backup of everything before I go and do that though.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,762
Doing it the way you described would I be able to create a dataset specifically for user accounts & information then a second for mass storage?
You mean a home directory? Sure, it's doable.


It'd require me to effectively destroy and rebuild the pool though. I need to ensure there's a backup of everything before I go and do that though.
It's not quite that drastic, you just have to reset permissions to a sane starting point.
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
You mean a home directory? Sure, it's doable.
Where exactly are their home directories supposed to go? As I said I can't alter the pool's permissions due to .ssh issues so they need a dedicated place separate from the main storage. If I only have one pool I'm assuming a sub-dataset would work but maybe that's still not considered "proper"?

It's not quite that drastic, you just have to reset permissions to a sane starting point.
The problem is all the data is in the top dataset. I'd have to remove, create, & relocate it to a sub-dataset. I could probably pull that off without starting fresh but starting fresh sounds like it'd be easier because I'd be liable to screw it up or forget a step during the transfer.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,762
If I only have one pool I'm assuming a sub-dataset would work but maybe that's still not considered "proper"?
Why wouldn't it be? Different data, different datasets. You could even give everyone an individual dataset, but that requires either tedious manual setup or automation.


The problem is all the data is in the top dataset. I'd have to remove, create, & relocate it to a sub-dataset. I could probably pull that off without starting fresh but starting fresh sounds like it'd be easier because I'd be liable to screw it up or forget a step during the transfer
Okay, yeah, that's a crummy starting point. A good rule of thumb is to create more rather than fewer datasets, they're there to help and have very few disadvantages over a plain directory.
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
Why wouldn't it be? Different data, different datasets. You could even give everyone an individual dataset, but that requires either tedious manual setup or automation.
Alright, and I don't have many users but I'd probably stick to one dataset for all users. So long as it enables me to set permissions appropriately. What are the disadvantages though to having the entire pool set to 700 if that's all the access that is needed? Besides the error I'm getting as a result of the server not recognizing I am who I logged in as. (I will reconfigure the sharing settings as that sounds like it may fix the problem I'm having)

Okay, yeah, that's a crummy starting point. A good rule of thumb is to create more rather than fewer datasets, they're there to help and have very few disadvantages over a plain directory.
Let's say I have 5 data types; home directories, software (programs), music, videos, pictures. I could create a dataset for each? Is there any real benefit to segregating the datatypes besides better permission controls? Do datasets have a fixed size or do they expand as data is introduced? Would I have to create a share for each individually or would they all be under the same shareable directory?
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,250
You could group music, videos and pictures in a dataset called media.
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,250
I'm not a big fan of home directories. They don't play nicely with the recycle bin and shadow copy features. Separate personal datasets under a home root, I feel, are a better way to go.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,762
So long as it enables me to set permissions appropriately. What are the disadvantages though to having the entire pool set to 700 if that's all the access that is needed?
Well, SMB is going to break if you don't have ACLs enabled. I think it's possible to make it work, but it's a hack. It's also fairly likely to break jails and possibly other things I'm not remembering now.

Do datasets have a fixed size or do they expand as data is introduced?
Neither, there's nothing to expand. They take space from the pool and that's it.

I could create a dataset for each?
Probably should.

You could group music, videos and pictures in a dataset called media.
Yeah, but it's going to depend on everyone's use case. Say, family videos versus media - you might want to replicate the former to an extra place that doesn't really justify the expense for the media that could conceivably be re-acquired.

Would I have to create a share for each individually or would they all be under the same shareable directory?
I'm pretty sure you don't strictly need to, with SMB and NFSv4. You definitely do for NFSv3. Note that it is sometimes beneficial to make them separate shares, to have finer control over what Samba is doing.
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
You could group music, videos and pictures in a dataset called media.
That's an idea. If there's no real benefit outside of permission controls though I'll probably keep them all under the same dataset (media + software).

I'm not a big fan of home directories. They don't play nicely with the recycle bin and shadow copy features. Separate personal datasets under a home root, I feel, are a better way to go.
I'm afraid I don't fully understand what you're saying. When you go to create a new user it prompts you with "Create Home Directory In:" then you have to pick /mnt/I_have_no_idea. I understand when you said personal datasets but I don't know what a/the home root is.
 

Windows7ge

Member
Joined
Sep 26, 2017
Messages
124
Well, SMB is going to break if you don't have ACLs enabled. I think it's possible to make it work, but it's a hack. It's also fairly likely to break jails and possibly other things I'm not remembering now.
Specifically I had (have) the permission type for the pool set to my user/group & UNIX(700). Then sharing SMB/guest acc (already went over that). My concern right now is if I recreate the pool, leave root/wheel in control and create a share with strict windows permissions (I think there's a tick box for that under Share > SMB) it'll change the pool's permissions to Windows(767 - I think) and I don't know for sure if .ssh will play friendly with that. Unless permissions on the pool do not affect file/folders within child datasets where the home directories would reside.

Neither, there's nothing to expand. They take space from the pool and that's it.
So datasets ≠ partitions. Got it.

Probably should.
I'll look into it.

Yeah, but it's going to depend on everyone's use case. Say, family videos versus media - you might want to replicate the former to an extra place that doesn't really justify the expense for the media that could conceivably be re-acquired.
I have about 2TB of .mp4 files that I don't want to lose and wouldn't mind being able to back up independently but pictures are meh, music I could conceivably reacquire, 99% of my software I could reacquire (of course I still have at least one backup of them as well). The point being, being able to back up in select chunks instead of one massive block sounds like a convenient tool. Especially if I ever wanted to send specific information to different servers like music & video specifically to a plex server on one network then back up other things to a server on a different network. I really like the sound of this.

I'm pretty sure you don't strictly need to, with SMB and NFSv4. You definitely do for NFSv3. Note that it is sometimes beneficial to make them separate shares, to have finer control over what Samba is doing.
Via Network Locations they'd all show up like sub-directories under the server. I'd map them to network drives but the only thing I wouldn't like is all of them would show an identical amount of used/free space. I don't think I can link a network location (the server itself being the only directory higher than all the share folders) so I'd have to map each share as its own network drive. I don't think I have another choice.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,762
Specifically I had (have) the permission type for the pool set to my user/group & UNIX(700). Then sharing SMB/guest acc (already went over that). My concern right now is if I recreate the pool, leave root/wheel in control and create a share with strict windows permissions (I think there's a tick box for that under Share > SMB) it'll change the pool's permissions to Windows(767 - I think) and I don't know for sure if .ssh will play friendly with that. Unless permissions on the pool do not affect file/folders within child datasets where the home directories would reside.
You don't touch the top-level dataset's permissions, only the datasets that are being shared.

I don't think I can link a network location
How so? You can pin \\server_hostname and access everything from there. No mappings necessary.
 