Issue with logging in to multiple CIFS shares (some private, some guest)

Status
Not open for further replies.

dew92

Cadet
Joined
May 11, 2014
Messages
5
Hello,

I just reinstalled / reconfigured a freenas server. Before we had one share for everything with guest access. What I'm trying to do is have three shares. One "guest" with no login, one "shared" with one (or multiple) logins for all company computers, and one "estimating" with one (or multiple logins) that is only accessed from a couple of computers.

I'm having trouble getting the login to work properly. I get a login prompt for the two, but no user details work that I've created. I've been reading through a ton of the wiki and forum, but haven't been able to find any suggestions that worked for me.

Here is my setup:

FreeNAS-9.2.1.3-RELEASE-x64 (dc0c46b)

CIFS Config:
netbios name: raptor
workgroup: PLSNET
Guest account: guest


Volumes: One volume Main
Owner: root
group: wheel
Location: /mnt/Main

rwx owner / group, rx other
type of ACL: Windows / Mac


Datasets: Three

  • Estimating:
    • Location: /mnt/Main/Estimating
    • owner: nobody
    • group: estimating
    • rwx owner / group, rx other
    • Windows ACL
  • Shared:
    • Location: /mnt/Main/Shared
    • owner: nobody
    • group: pls
    • rwx owner / group, rx other
    • Windows ACL
  • Guest:
    • /mnt/Main/Guest
    • owner: guest
    • group: guest
    • rwx owner / group, rx other
    • Windows ACL
Users:
  • pls
    • group: pls
    • Home directory /mnt/Main/Shared
    • password set
  • estimating
    • group: estimating
    • Home directory /mnt/Main/Estimating
    • auxiliary groups: pls
    • password set
  • guest
    • group: guest
    • no password
Local network info:
multiple workgroups (due to some specific programs). Majority of users are on PLSNET workgroup.
As mentioned, I can access and write to the Guest share no problem. Each time I try to log in to the password-protected shares I am unable to log in with any combination of credentials. I tried the root info, I tried the share user info, I tried other user info.
I have tried restarting the machine and services multiple times after making config changes.
I have to be configuring something wrong, but I can't quite find out what it is. If anybody can spot what I'm doing wrong, or even point me in the right direction I would be extremely grateful.
If it is allowed, I'm willing to pay a small amount if somebody can help me get set up here.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
Are you in Windows? Make sure to log off and then back on because Windows caches samba permissions, to my knowledge.

I have a similar setup and I used windows credentials, which seems to be working fine. I'm having other problems but I don't think they're related to permissions. I could be wrong though.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
I should explain the windows credentials thing... do a search for the credential manager, and then add a credential for the user for the server's IP address. It's just a user name/pass. Make sure you add a preceding slash to the user name like "/user" so that the domain is not the computer you are logging in from.
 

dew92

Cadet
Joined
May 11, 2014
Messages
5
All computers are running Windows. I was trying from different computers for a couple of times, but I was not restarting them all the time. I will try restarting those machines again after the changes.

I have an ubuntu machine that I can also test via vpn.

I was wondering how to get past the domain thing. I saw it said I was logging on from the computer's name as the domain. I tried multiple things to override that, but never just the slash. I shall try that as well.

Not familiar with the credential manager. It's been a long time since I worked with domains. Would that be server-ip/user I add to the freenas server, or just log in with? Do I need a user set up per computer? This is a workgroup environment, no domain controller as of yet.

These are all machines running Windows 7/8 home premium. The plan is to eventually upgrade to pro, but that will probably be a few months down the road.

Thanks for the info.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
For the credential manager, you add a windows credential, then it will ask you for the server IP, username, and pass. When you type the username, use the preceding slash to indicate "no domain".

I'm not an expert in this, just sharing what seemed to work for me. Hope it helps.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
One other thing to understand if you are dealing with sharing issues is the "getfacl" and "setfacl" commands. Try doing some searches on those. There is an "issue" (non-issue from a technical standpoint, major issue from a practical/intuitive standpoint) related to these that many people encounter.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Have you tried accessing the server via IP address? ie \\192.168.x.x\share
I've seen situations where logins fail when DNS is misbehaving. If this works either fix DNS or modify the windows hosts file.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
I use the IP address because I see it as removing one more possible failure point. So I access the share via //server.IP.add.ress/path/to/share
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
What is the error message in /var/log/messages? If it is something about signing then you need to set the max protocol version for smb to something other than 3. I'm using 2.24 or whatever the next largest is. Smb3 on clients signs every packet now and isn't usually supported on servers.
 

dew92

Cadet
Joined
May 11, 2014
Messages
5
Thank you all for the answers thus far. Sorry that it's taken me a while to get back.

I tried using the Windows Credential Manager to add a credential for the server (192.168.0.5). I used /user for the username, but it gave me an error that it's invalid (0x8007089A).

Tried accessing \\192.168.0.5\Estimating and it prompted me for a password, then said \\192.168.0.5\Estimating is not accessible. May not have permission, etc etc.

Nothing showed up in /var/log/messages (last thing is a time reset yesterday).

My brain might have been all messed up when I set these up. I'm going to do a fresh setup on a VM and see if I can get it working there, then just replicate my settings on the server.

This company is already rather happy that they even have a share. They didn't have any network shares for years, just passed around flash drives and emails. I finally got sick of it and took a little server I had and set up freenas for them. If I can't get the password protection stuff working yet then it's okay.

Once again, thank you all for your help thus far. If I find out what I was doing wrong I will be certain to post back. If you happen to think of something else, I will definitely try it as well.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
How are you managing access controls on your shares? In samba there are a few different ways of doing this. Since your shares have windows-style acls the most intuitive is (from a windows client) to navigate to \\SERVER\ , right-click on the share and then properties --> security, and set access controls for it.

Alternatively, you can set share definition access controls by adding parameters in the "additional parameters" area of your share definitions as follows (as an example):

valid users = @group1 @group2 @group3
write list = @group1

The above entries will give groups 2-3 read-only access, group1 read and write access, and any other group no access.
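
The share-level rules described above, modelled as an added example that is not part of the original post and is not Samba's own code. It assumes Samba's default of read only = yes, treats @group as a plain Unix group, and uses a constructed configuration fragment and group mapping built from the thread's share and group names.

```python
# Added example: simplified model of Samba's share-level "valid users" /
# "write list" / "read only" checks. Filesystem ACLs still apply on top.

# Constructed fragment using the thread's share and group names.
SAMPLE_CONF = """
[Shared]
valid users = @pls @estimating
write list = @estimating

[Estimating]
valid users = @estimating
write list = @estimating
"""

# Group membership as described in the first post (constructed mapping).
GROUPS = {"pls": {"pls"}, "estimating": {"estimating", "pls"}, "guest": {"guest"}}

def parse_shares(text):
    """Parse an smb.conf-style fragment into {share: {parameter: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def matches(user, entries):
    """True if user is named directly or belongs to a listed @group."""
    for entry in entries.replace(",", " ").split():
        is_group = entry[0] in "@+"
        if (is_group and entry[1:] in GROUPS.get(user, set())) or entry == user:
            return True
    return False

def share_access(user, share):
    """Return 'none', 'read' or 'write' for user on one parsed share."""
    valid = share.get("valid users", "")
    if valid and not matches(user, valid):
        return "none"
    if matches(user, share.get("write list", "")):
        return "write"
    read_only = share.get("read only", "yes").lower() in ("yes", "true", "1")
    return "read" if read_only else "write"
```

A share with no "valid users" line admits every authenticated user, so the model returns "read" or "write" for such a share depending only on "read only" and "write list".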
 

dew92

Cadet
Joined
May 11, 2014
Messages
5
Having just the weirdest time with these shares.

Set up a VM on my home network, created all the datasets, shares, users, and groups with all the permissions I wanted. Everything worked fine. Logging in with all the users worked as expected when using the windows credential manager, everything was cool.

Bring the server home to reload it (update OS, start fresh). Get everything configured exactly the same as my VM. The only thing different is the IP address. It doesn't work 100% of the time like the VM did. Really weird. After some tweaking around I got it to work.

Now I take the server back to the business, input all the windows credentials beforehand, also removing the old share. Now it doesn't work. Not a single user I created will work. None have permission. Even the guest share doesn't work, which should allow anybody and everybody to read and write.

So confused. I'm mostly taking users and adding them to a group that owns a dataset. That's how I saw most of the tutorials do it. It worked here, but of course it doesn't work on the actual server.

I say screw it, put all shares as guest owned. Now they can read but not write.

My brain doesn't understand it. I'm going insane.

I'm going to just post a job on a freelancing site for somebody to set this up for me that already knows freenas. Apparently it just doesn't like me. That, or I'll use this to further convince them to get the windows server already.
 

baummer

Dabbler
Joined
Feb 15, 2014
Messages
13
Have you tried restarting the CIFS server?
 

dew92

Cadet
Joined
May 11, 2014
Messages
5
Yep, multiple times. As well as the computers, networking equipment, etc.

I ended up just setting them all to guest only shares until we get a windows server in place. Too much headache on a temporary machine.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You need to provide more information in order to troubleshoot what is going on.
Please post the following:
  • server hardware specs
  • log information from /var/log/messages /var/log/samba4/log.smbd /var/log/samba4/log.nmbd (try to collect log information from when you fail to authenticate)
  • your smb4.conf file (located at /usr/local/etc/smb4.conf)
  • details of antivirus, firewall, other security software you might be running on clients.

I assume that you set ACL type to "Windows ACLs" when you created the datasets you are trying to share. I believe by design this will chmod 0777 the dataset and grey out checkboxes. In this case permissions should be handled by ACLs, which are managed from a windows workstation. Did you use chmod to change permissions of your datasets after setting ACL type?

Are you able to connect to the samba share from your FreeNAS computer? You can do this from the command line by typing:

smbclient //ipaddress/share/ -U username

You will be prompted for a password. This should exclude network problems and Windows client configuration as the source of the problem you are facing. If it fails please report back the exact message along with the aforementioned logs that I requested.
 