Network shares can't be accessedWindows 10 2004

okynnor

Explorer
Joined
Mar 14, 2019
Messages
71
FREENAS Version: FreeNAS-11.3-U4.1
RAM: 32GB


Hi,

I've been dealing with this issue and I have searched high and low on Google to no avail. So I'm turning to the FreeNAS community for assistance.

In prior version of Windows, I have been able to access SMB shares on FreeNAS. But ever since I upgraded to 2004, the network shares can't be accessed at all.

Network Error:
Windows cannot access \\FreeNAS
Check the spelling of the name. Otherwise, there might be problem with your network.

The FreeNAS shares can be accessed without any issues via MacOS.

Most of the shares are setup as Guest access OK.
The user account exists FreeNAS, Windows and Mac -- that is, they are matching with what's on the FreeNAS Account.
I'm not sure if the fact that Windows 10 2004's account is linked to my Microsoft account has anything to do with it.
I have tried to enable "Enable insecure guest logons" by using gpedit.msc >> Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> Enable
I have also tried to reinstall SMB1.0/CIFS File Sharing Support under Windows Features

Then, I thought that I should disable SMB1 support on SMB Services on FreeNAS because Windows 10 2004 appears to have deprecated support for SMB1 all together. The thought was may be it needs to connect via SMB2 or SMB3. My question, is SMB3 running in FreeNAS by default? How do I check?

I'd appreciate your help and insights to solve this mystery.
 

firsway

Dabbler
Joined
Oct 20, 2018
Messages
32
What was your version/feature of Windows before the upgrade?
AFAIR the ability for insecure guest login was removed by default in Windows 10 full stop, but as you have pointed out, can be re-enabled in the registry.
If you were previously on Win10 under a different feature version, then that would suggest something else in the Windows config is causing the problem perhaps? The feature upgrade didn't do anything daft to the firewall, did it?
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Are your shares set to use Guest account only?
 

okynnor

Explorer
Joined
Mar 14, 2019
Messages
71
What was your version/feature of Windows before the upgrade?
AFAIR the ability for insecure guest login was removed by default in Windows 10 full stop, but as you have pointed out, can be re-enabled in the registry.
If you were previously on Win10 under a different feature version, then that would suggest something else in the Windows config is causing the problem perhaps? The feature upgrade didn't do anything daft to the firewall, did it?
Thanks for your help.
This affects all the computers that are running Windows. Honestly, no one reported anything until version 2004 of Windows 10

I've turned off Windows Firewall and it has no effect on accessibility to SMB shares
 
Last edited:

okynnor

Explorer
Joined
Mar 14, 2019
Messages
71
Are your shares set to use Guest account only?
We have guest only accounts like Public, which anyone can access and also user accessible accounts tied to their workstation login id. The public access ones are set to user and group nobody.

as I mentioned before, MacOS have no problem— not sure why it’s only Windows.
Thank you.
 

firsway

Dabbler
Joined
Oct 20, 2018
Messages
32
This affects all the computers that are running Windows. Honestly, no one reported anything until version 2004 of Windows 10
But were your users already on Win10 prior to upgrade to Feature 2004, or were they on Win7?
 

okynnor

Explorer
Joined
Mar 14, 2019
Messages
71
I would like to ask the community, how do I access the SMB logs? I would like to check if the Windows 10 machines are even hitting the SMB server on FreeNAS at all. If they are, what is error that's generated.
 

firsway

Dabbler
Joined
Oct 20, 2018
Messages
32
All were on version 1903 and there were no issues. We have no Windows 7 deployments.
Interesting.. I've managed to reproduce this situation on a 2004 workstation, and despite me making the registry change.
It's not domain joined so not something that GPO could potentially affect.
For info, SMB browsing appears to be OK on 1909 as well.
I'll stick Wireshark on, and see if I can see anything unusual.
 

firsway

Dabbler
Joined
Oct 20, 2018
Messages
32
I would like to ask the community, how do I access the SMB logs? I would like to check if the Windows 10 machines are even hitting the SMB server on FreeNAS at all. If they are, what is error that's generated.
OK so it looks like I've found the problem and a potential workaround :)

The problem appears to be in gpedit.msc (Local Group Policy Editor)
Basically, setting the flag value of "Allow insecure guest logon" to "Enabled" in Computer Configuration-Administrative Templates-Network-Lanman Workstation, appears to have no effect on the configuration itself.

To workaround this, use Regedit, and navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters.
In my setup, the value of DWORD AllowInsecureGuestAuth was set to 0x00000000 which is wrong considering what I tried to do in GP Edit.
Set the value to 0x00000001 (Hexadecimal 1)
Machine doesn't need a reboot - everything started working for me!

For a more widespread application of this workaround, perhaps the registry change can be rolled out in a GPO

Disclaimer: I have only reproduced this in my environment, which may be different to yours. Please, firstly back up your registry, and/or the machine, before you try this.
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912
I don’t use guest login and so have never seen your issue :). I mean it works but you have to fiddle with the pc itself. I find it easier to just add a user to FreeNAS and add that user to the “shared” group
 

okynnor

Explorer
Joined
Mar 14, 2019
Messages
71
OK so it looks like I've found the problem and a potential workaround :)

The problem appears to be in gpedit.msc (Local Group Policy Editor)
Basically, setting the flag value of "Allow insecure guest logon" to "Enabled" in Computer Configuration-Administrative Templates-Network-Lanman Workstation, appears to have no effect on the configuration itself.

To workaround this, use Regedit, and navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters.
In my setup, the value of DWORD AllowInsecureGuestAuth was set to 0x00000000 which is wrong considering what I tried to do in GP Edit.
Set the value to 0x00000001 (Hexadecimal 1)
Machine doesn't need a reboot - everything started working for me!

For a more widespread application of this workaround, perhaps the registry change can be rolled out in a GPO

Disclaimer: I have only reproduced this in my environment, which may be different to yours. Please, firstly back up your registry, and/or the machine, before you try this.
That's amazing work!! I tried it. It works!
 

okynnor

Explorer
Joined
Mar 14, 2019
Messages
71
This is a good way too. A little bit more time consuming.

I don’t use guest login and so have never seen your issue :). I mean it works but you have to fiddle with the pc itself. I find it easier to just add a user to FreeNAS and add that user to the “shared” group
 

firsway

Dabbler
Joined
Oct 20, 2018
Messages
32
Nope, I highly doubt they will fix this. Breaking the guest account is intentional and probably part of the MS Cloud strategy.
See also @anodos post regarding exactly that issue.
They can't even fix the feedback hub app which is supposedly for reporting bugs. Enter an email address that you think is a Microsoft registered one, but turns out not to be? You get a failure message, but then there is no way to backtrack to change the address, it just keeps inviting you to retry..
Worse still, it looks as though the App stores the info before telling you it's an error. Shutting down and restarting the App has no effect - just takes you back to the same "Please Retry" screen :rolleyes:
That's probably a registry hack as well to get working!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Nope, I highly doubt they will fix this. Breaking the guest account is intentional and probably part of the MS Cloud strategy.
See also @anodos post regarding exactly that issue.
I don't think breaking it is intentional. It's just probably not a high priority. The world has changed and moved on from the days where insecure network shares at a business were okay. Legacy ways of doing things get less attention and eventually they go away.
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912
This. Here, let me shill my "now what's this MS Account thang in FreeNAS" video. Arguably it'd be better (because more standardized) to do username/username for user/group during creation and then add the user to "shared" group - you do you, either way will work.
 
Top