SOLVED Open CIFS share to a specific computer

Status
Not open for further replies.

dpearcefl

Contributor
Joined
Aug 4, 2015
Messages
145
I have a program on a series of Windows servers that needs to put files on my FreeNAS 9.10 box.

The problem: This program can't connect to a CIFS share and provide a username/password.

It looks like I can restrict it to specific computers by using "Hosts allow" but I'm having trouble making a wide-open CIFS share. I saw this post (https://forums.freenas.org/index.php?threads/guest-cif.42150/) but I've got something screwed up.

On the CIFS service settings, what should "Guest account" be set to?
 

dpearcefl

upload_2016-4-19_10-59-0.png

upload_2016-4-19_10-59-36.png
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Have you tried mapping the samba share on the windows server, then pointing the backup program at the mapped drive rather than the UNC path? It's always better to use authentication if you can get it working.

You may want to also try expanding the "advanced" options on the share config and checking the box "Only Allow Guest Access".
 

anodos

Mapping your guest account to 'root' doesn't seem like a great idea. My checklist for creating an insecure samba share is as follows:

(1) Create a user "samba_guest" and set a password for it
(2) Make the dataset owned by "samba_guest"
(3) Create a share pointing at the dataset created in (2)
(4) Check "allow guest access" and "only allow guest access"
(5) Cycle the samba service
 

dpearcefl

Sorry, I missed that:
upload_2016-4-19_11-39-18.png
 

anodos

If the procedure I listed in post #6 does not work, then you probably have some additional configuration problems.

Post full contents of /usr/local/etc/smb4.conf.
 

dpearcefl

Tried #6; no joy. Even rebooted my workstation (Windows after all); no joy.

As requested:
Code:
[global]
    server max protocol = SMB2
    interfaces = 127.0.0.1 172.18.1.37
    bind interfaces only = yes
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 1885583
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    null passwords = yes
    acl allow execute always = false
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = ORL-JOSHUA
    workgroup = WORKGROUP
    security = user
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

[SQLDumps]
    path = /mnt/tank2/Storage2/SQLDumps
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = yes
    guest only = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
 

anodos

Are you able to access the share outside of the application by navigating to \\172.18.1.37\SQLDumps from Windows Explorer?
Is this the only samba share on your freenas server?
Post output of the following command "getfacl /mnt/tank2/Storage2"
Post output of the following command "getfacl /mnt/tank2/Storage2/SQLDumps"
Post any relevant messages generated in /var/log/samba4/log.smbd when trying to access your share through your application.
 

dpearcefl

I have been working on this on and off for a few days and not getting anywhere. I don't know why this is not working for me. Authenticated logins work.

Anytime I hit the server name (\\192.168.0.1) or the share and server name (\\192.168.0.1\sharename), it throws up an authentication prompt. I tried a second FreeNAS box and it's doing the same thing.

Is it possible FreeNAS doesn't allow open, insecure CIFS shares?

I'm going to set up a clean environment and do what anodos suggested.
 

dpearcefl

Thanks for that valuable bit of information.
 

dpearcefl

"Are you able to access the share outside of the application by navigating to \\172.18.1.37\SQLDumps from Windows Explorer?"
Not without getting an authentication prompt. If I supply samba_guest and its password, I get read access and no write.

"Is this the only samba share on your freenas server?"
So far.

getfacl /mnt/tank2/Storage2
# file: /mnt/tank2/Storage2
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow

getfacl /mnt/tank2/Storage2/SQLDumps
# file: /mnt/tank2/Storage2/SQLDumps
# owner: samba_guest
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow


If I execute this on the FreeNAS box itself (sudo -u samba_guest touch /mnt/tank2/Storage2/SQLDumps/me) it works! Windows Explorer on the share says samba_guest has Full Control. Windows Explorer says the file I created samba_user has full control. Yet I can't edit the file through CIFS. Argh!

Does this point to a problem with the CIFS service on the FreeNAS box?
 

anodos

Well, your share is owned by "samba_guest", you've configured the share to force guest access, and your guest account is "nobody". The everyone@ ACE grants the 'nobody' user read-only access. Seems pretty clear-cut.
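
The diagnosis above can be checked mechanically. This is an added example, not part of the original thread or of FreeNAS: it reads `guest account` from the Samba config, then walks the NFSv4 ACEs from getfacl in order to see what that account is granted. The embedded config and ACL are constructed by trimming the posts above; `effective_perms` and `guest_access` are hypothetical helper names, and the guest account is assumed to belong to no group named in the ACL.

```python
import configparser
# Constructed sample: trimmed from the smb4.conf and getfacl output posted above.
SMB_CONF = """
[global]
    guest account = nobody
[SQLDumps]
    path = /mnt/tank2/Storage2/SQLDumps
    guest ok = yes
    guest only = yes
"""
ACL = """
# owner: samba_guest
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
"""

def effective_perms(acl_text, user, groups=()):
    """Walk NFSv4 ACEs in order; return the permission letters granted to user."""
    meta, allowed, denied = {}, set(), set()
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        if line.startswith("#"):  # "# owner: name" / "# group: name" header lines
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
            continue
        *who, perms, flags, kind = line.split(":")
        applies = (who[0] == "everyone@"
                   or (who[0] == "owner@" and user == meta.get("owner"))
                   or (who[0] == "group@" and meta.get("group") in groups)
                   or (who[0] == "user" and who[-1] == user)
                   or (who[0] == "group" and who[-1] in groups))
        if not applies or "i" in flags:  # 'i' = inherit-only, skip for this object
            continue
        target, other = (allowed, denied) if kind == "allow" else (denied, allowed)
        target |= (set(perms) - {"-"}) - other  # first matching ACE wins per bit
    return allowed

def guest_access(conf_text, share, acl_text, guest_groups=()):
    """Report which Unix account guests become and what the ACL grants it."""
    # '=' only: keys such as "nfs4:mode" and "idmap config *:" contain colons.
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.read_string(conf_text)
    guest = cp.get("global", "guest account", fallback="nobody")
    perms = effective_perms(acl_text, guest, guest_groups)
    return {"guest_user": guest,
            "guest_only": cp.getboolean(share, "guest only", fallback=False),
            "can_read": "r" in perms, "can_write": "w" in perms,
            "hosts_allow": cp.get(share, "hosts allow", fallback=None)}
```

For the posted values, `guest_access(SMB_CONF, "SQLDumps", ACL)` reports `guest_user` as `nobody` with `can_write` False, because only the everyone@ ACE matches. `hosts_allow` is None because the posted share carries no `hosts allow` line, so guest access is not limited to particular clients.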
 

dpearcefl

So guest account = samba_guest is how it is set now.

If I execute "smbstatus" on the FreeNAS box, I get this:
Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------------------------------------------
43237 1004 DENY_NONE 0x100080 RDONLY NONE /mnt/tank2/Storage2/SQLDumps . Thu Apr 21 15:26:45 2016


samba_guest is UID 1004. So this looks like the share was opened in read-only but by the samba_guest account.
 