OSX/iOS Cannot access SMB/CIFS

[mweinmann]

Ok I'm pretty much out of ideas.

I can't explain how this problem started, but suddenly when I try to access any CIFS share from OSX or iOS the client reports access denied. It's been happening for about a week now.

I have tried from 2 different OS X machines.
I have reinstalled one of them to factory.
I have looked through freenas settings and can't find anything wrong.
Accessing from Windows machines works fine.
I can't get OS X to produce any kind of error other than the popup when I try to connect using Finder. The exact message is: Access to your account on the server "xx.xx.xx.xx" has been denied."
I can get into the freenas UI, ssh, etc, fine, from OSX/iOS.
I have guest access only enabled.
I have tried to recusively fix windows ACLs.
I have turned on SMB auditing. There is no connection failure when I try to connect, but not sure if I have this setup right. I see successful connects when windows machines connect.
I can't seem to get either OS X or freenas to show a failure other than the popup on the client side.
The only message I get from OS X when attempting to connect is:
kcm:ntlm v2 request processed for \GUEST flags: NEG_KEYEX, ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM2, NEG_NTLM, NEG_TARGET, NEG_UNICODE

** connecting from osx/ios to a windows share WORKS fine, just connecting to Freenas fails.

I've tried disabling my firewall in case there is some weird rule in the way (i know unlikely).
I'm at a complete loss.

Any ideas?

 

[anodos]

Ok I'm pretty much out of ideas.

I can't explain how this problem started, but suddenly when I try to access any CIFS share from OSX or iOS the client reports access denied. It's been happening for about a week now.

I have tried from 2 different OS X machines.
I have reinstalled one of them to factory.
I have looked through freenas settings and can't find anything wrong.
Accessing from Windows machines works fine.
I can't get OS X to produce any kind of error other than the popup when I try to connect using Finder. The exact message is: Access to your account on the server "xx.xx.xx.xx" has been denied."
I can get into the freenas UI, ssh, etc, fine, from OSX/iOS.
I have guest access only enabled.
I have tried to recusively fix windows ACLs.
I have turned on SMB auditing. There is no connection failure when I try to connect, but not sure if I have this setup right. I see successful connects when windows machines connect.
I can't seem to get either OS X or freenas to show a failure other than the popup on the client side.
The only message I get from OS X when attempting to connect is:
kcm:ntlm v2 request processed for \GUEST flags: NEG_KEYEX, ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM2, NEG_NTLM, NEG_TARGET, NEG_UNICODE

** connecting from osx/ios to a windows share WORKS fine, just connecting to Freenas fails.

I've tried disabling my firewall in case there is some weird rule in the way (i know unlikely).
I'm at a complete loss.

Any ideas?

Post contents of /etc/local/smb4.conf.

Check what user you've configured for "guest access". The default is "nobody". Verify that the guest user has permission to access the server.

 

[L]

What update are you running? I was having this problem all through the May releases, updated and proof it worked

 

[mweinmann]

[global]
server max protocol = SMB3
interfaces = 127.0.0.1 10.1.1.100
bind interfaces only = yes
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 467750
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = guest (I changed to nobody - no change unless I need to reboot first)
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
dfree command = /usr/local/libexec/samba/dfree
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
unix extensions = no
time server = yes
null passwords = yes
acl allow execute always = true
acl check permissions = true
dos filemode = yes
multicast dns register = yes
domain logons = no
local master = yes
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = standalone
netbios name = FREENAS
workgroup = WORKGROUP
security = user
pid directory = /var/run/samba
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 10
full_audit:prefix %u|%I|%m|%S
full_audit:success = connect
full_audit:failure = connect
full_audit:facility = LOCAL5
full_audit:priority = NOTICE


[media]
path = /mnt/pool/media
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = yes
guest only = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
vfs objects = recycle full_audit


[subsonic]
path = /mnt/pool/jails/subsonic/home/sonic/music
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = yes
guest only = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[tomato]
path = /mnt/pool/tomato
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl
hide dot files = yes
guest ok = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[usb]
path = /mnt/usb/files
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = yes
guest only = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

 

[mweinmann]

Using the latest update.


Sent from my iPhone using Tapatalk

 

[mweinmann]

Happened to see this during a reboot.. not sure where to change it. See where guest was disabled.

• Jul 26 13:01:47 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
• Jul 26 13:01:47 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: zfs list -H -o mountpoint
• Jul 26 13:01:47 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: zfs list -H -o mountpoint
• Jul 26 13:01:47 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: zfs list -H -o mountpoint
• Jul 26 13:01:47 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: zfs list -H -o mountpoint
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/net getlocalsid
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/net setlocalsid S
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmps3GALx -s /usr/local/etc/smb4.conf -e tdbsam:/var/etc/private/passdb.tdb
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/smbpasswd -d 'guest'
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/smbpasswd -e 'root'
• Jul 26 13:01:48 freenas Importing: account for guest...ok
• Jul 26 13:01:48 freenas Importing: account for root...ok
• Jul 26 13:01:48 freenas Disabled: user guest.
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [middleware.notifier:208] Popen()ing: /usr/local/bin/net groupmap list
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/pdbedit -L
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/net sam rights grant INFO SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
• Jul 26 13:01:48 freenas generate_smb4_conf.py: [common.pipesubr:70] Popen()ing: /usr/local/bin/net sam rights grant all SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
• Jul 26 13:01:48 freenas Enabled: user root.

 

[Oded Arbel]

For some reason FreeNAS Samba started disabling the guest user by default. I have not yet found a way to get it to stop doing that, but you can run, as root:

smbpasswd -e guest

To re-enable the guest user and get back unauthenticated access. Please note that whenever you restart the CIFS service, the guest user will be disabled again and you will need to run this command again.

 

[mweinmann]

That did it.

Thank you!

Is that something I can include in CIFS startup to automatically re-enable?

Is this some weird quick of my install, or a known problem? What is weird I don't recall this changing after an update or anything, it kind of appeared suddenly and I can't explain why it would have just started without some kind of prompt to do so.

 

[Oded Arbel]

That did it.
Is that something I can include in CIFS startup to automatically re-enable?

I don't know how. I'm not really a FreeNAS expert - more of a Linux user.

Is this some weird quick of my install, or a known problem? What is weird I don't recall this changing after an update or anything, it kind of appeared suddenly and I can't explain why it would have just started without some kind of prompt to do so.

I'm not sure - I have the same issue, so I think this has changed in one of the FreeNAS 9.3 updates. I'm hoping one of the FreeNAS people can chime in on this.

 

[anodos]

I believe the proper way to set a user password in samba is through pdbedit. If the entry is getting erased on boot, then you should file a bug report at bugs.freenas.org.

 

[hungarianhc]

Hey there!

So can I just say THANK YOU to...
- the google
- the posters in this thread

This has been driving me crazy. All of a sudden a few months ago, guest access stopped working for me. I figured it was something I had done wrong, but nope. I logged in as root, pasted in

Code:

smbpasswd -e guest

, and I was good to go - guest access RESTORED!

I'm not sure if there's a way to bind this command to the startup of FreeNAS, but it would be great to have a toggle for this someplace.

 

[cyberjock]

Hey there!

So can I just say THANK YOU to...
- the google
- the posters in this thread

This has been driving me crazy. All of a sudden a few months ago, guest access stopped working for me. I figured it was something I had done wrong, but nope. I logged in as root, pasted in

Code:

smbpasswd -e guest

, and I was good to go - guest access RESTORED!

I'm not sure if there's a way to bind this command to the startup of FreeNAS, but it would be great to have a toggle for this someplace.

I think it's better to figure out *why* it's not working. I'm guessing that something is misconfigured in the WebGUI, or a bug.

 

[hungarianhc]

I think it's better to figure out *why* it's not working. I'm guessing that something is misconfigured in the WebGUI, or a bug.

I wouldn't disagree, but I'm happy that my issue is fixed. But here you go.

 

[jpaetzel]

Did you create a user named guest with password logins disabled? (In Accounts)

 

[hungarianhc]

Did you create a user named guest with password logins disabled? (In Accounts)

Yes - but it was always set this way before, and it just worked in the past until a recent update.

 

[anodos]

Yes - but it was always set this way before, and it just worked in the past until a recent update.

Unfortunately, various how-to guides mistakenly state that you should disable password auth for guest accounts. This is simply wrong and it is somewhat surprising that samba let it work. I believe setting a password is required for samba guest accounts to work properly.

I might be wrong, but I believe the goal of disabling password auth is to force other authentication methods (like key-based authentication).

Edit: documentation explicitly states that disabling password authentication will prevent CIFS access here - http://doc.freenas.org/9.3/freenas_account.html#users

 

[rogerh]

When I first set up my current configuration I think 'guest' was a built in FreeNAS user. AFAICS, it is not built in now, and I inadvertently created a guest user. I think what one has to do is to create a guest user, not disable password log in, but set a nul password. At least that is my recollection, but I am not sure how to test it. The manual is misleading in this respect because it describes the password field as 'mandatory'. Can anyone confirm that the guest user can be created with a nul password? If not, I am not sure why my setup works!

I think the bug reported should end up being turned into a documentation bug.

 

[hungarianhc]

I'm not sure which is / isn't the right behavior, but based on the thread, something in FreeNAS changed. Can we at least get documentation clear on how to have a guest account w/ no password? I think that's what the common use-case is... I have a share that I want anyone to be able to see w/out a password, but in this way, it's read-only. Log in w/ a password if you want to modify.

 

[segfaultex]

I think there is a bigger issue.
I can no longer connect to shares from my android phone after taking the latest updates even with domain authentication enabled.
Everything previously worked but now it cant even find the server unless it has anonymous login enabled which shows the folders but permission denied because of needing auth.
Adding credentials cant even see the shares.

 

[cyberjock]

Everything previously worked but now it cant even find the server unless it has anonymous login enabled which shows the folders but permission denied because of needing auth.

Uhh, you are more confused than you think. If you can show folders but get permission denied, you do not need authentication.

If you can show folders but get permission denied, you were denied because of permissions.

If you cannot show folders then you failed to authenticate.

Do not confuse being able to see a share with being able to see a folder either. ;)