Permissions - Cannot retrieve SMB user/group list from Win 10 client

Cornholio

Cadet
Joined
Mar 31, 2017
Messages
5
I have an SMB share and some groups and users set up in FreeNAS. I'd like to set user/group permissions on some folders in the shares via Windows clients.

I can do this fine from a Win7 client, via right click -> Properties -> Security -> Edit -> Add -> Find Now. The list of my FreeNAS users and groups is retrieved from the server and I can set permissions accordingly.

However, if I go through the same process with a Win10 client, the user/group lists are not pulled from the FreeNAS server and none are shown.

I'm running FreeNAS 9.10.2, which includes Samba 4.5.5 and have set the maximum SMB protocol to SMB3_11, which I think is necessary for Win10? Also, I'm not running Active Directory - just a simple mixed network of Windows/Linux desktops.

Are there known issues with Win10? (Other than the obvious...)

Any advice would be gratefully received!
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Works fine here with max=3.00.

maximum SMB protocol to SMB3_11, which I think is necessary for Win10?
Definitely not.

Hey, @anodos, how stable are the higher 3.x protocols in Samba right now?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
@Cornholio, try adding the auxiliary parameter ntlm auth = yes to the auxiliary parameters under "services" -> "cifs". If that works, then it indicates that the LM / NTLM settings on your W10 clients are wrong. In this case, don't leave your auth downgraded. Check LmCompatibilityLevel via regedit on the W10 machines. It should probably be set to 3. Also check the "Network security: LAN Manager authentication level" GPO and make sure it is set to "Send NTLMv2 response only\refuse LM and NTLM".
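A read-only way to carry out the LmCompatibilityLevel check described in the post above, added here as an example and not part of the original post. The function name `Get-LmCompatibilityReport` is made up for this sketch, and the fallback to level 3 when the value is absent assumes the Windows 10 built-in default.

```powershell
# Added example: report the client's LAN Manager authentication level without changing it.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value; the texts match the entries of the
# "Network security: LAN Manager authentication level" policy, which writes this value.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityReport {
    $prop = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent from the registry: assume the built-in default (level 3).
        $level  = 3
        $source = 'not set (built-in default assumed)'
    } else {
        $level  = [int]$prop.LmCompatibilityLevel
        $source = 'registry value'
    }
    [pscustomobject]@{
        Level       = $level
        Source      = $source
        Meaning     = $levels[$level]
        SendsNTLMv2 = ($level -ge 3)   # levels 0-2 answer with LM/NTLMv1 only
    }
}

$report = Get-LmCompatibilityReport
$report | Format-List

if (-not $report.SendsNTLMv2) {
    Write-Warning ('Level {0} sends LM/NTLMv1 responses; a server that only accepts NTLMv2 will reject them.' -f $report.Level)
}
```

A missing value is not an error: the report then shows the assumed default, so a result of level 3 or higher means the client side is not the reason to keep `ntlm auth = yes` on the server.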
 

Cornholio

@anodos @Ericloewe, thanks for the advice.

I've reverted to max=SMB3. Originally this was set to max=SMB2 and all of the observations above/below also hold for that setting.

Setting 'ntlm auth = yes' had no effect - the Win10 client is still unable to pull user/group lists from the server (but works ok on Win7).

LmCompatibilityLevel was not actually set in regedit (these are Win7p->Win10p upgraded machines - perhaps that is why?). I added a LmCompatibilityLevel=3 DWORD to HKLM\SYSTEM\CurrentControlSet\Control\Lsa, but still no luck.

One other observation regarding the Win10 machines is that following right click -> Properties -> Security on the Win10 client, under "Group or user names" the correct user/group names ARE pulled from the FreeNAS server to show the current user/group properties (the SIDs are briefly visible then are converted to the user/group names after some communication with the server). It is only when trying to Edit and Add additional user/group permissions to the folder that the user/group lists do not seem to be being pulled. i.e. it seems that, for Win10 clients, when given an SID the server can be queried to convert this to a name, but it can't be queried to provide a full list of names (but for Win7 clients both are possible). Not sure if this helps at all with diagnosing the problem?
 

anodos

@anodos @Ericloewe, thanks for the advice.

I've reverted to max=SMB3. Originally this was set to max=SMB2 and all of the observations above/below also hold for that setting.

Setting 'ntlm auth = yes' had no effect - the Win10 client is still unable to pull user/group lists from the server (but works ok on Win7).

LmCompatibilityLevel was not actually set in regedit (these are Win7p->Win10p upgraded machines - perhaps that is why?). I added a LmCompatibilityLevel=3 DWORD to HKLM\SYSTEM\CurrentControlSet\Control\Lsa, but still no luck.

One other observation regarding the Win10 machines is that following right click -> Properties -> Security on the Win10 client, under "Group or user names" the correct user/group names ARE pulled from the FreeNAS server to show the current user/group properties (the SIDs are briefly visible then are converted to the user/group names after some communication with the server). It is only when trying to Edit and Add additional user/group permissions to the folder that the user/group lists do not seem to be being pulled. i.e. it seems that, for Win10 clients, when given an SID the server can be queried to convert this to a name, but it can't be queried to provide a full list of names (but for Win7 clients both are possible). Not sure if this helps at all with diagnosing the problem?
Remove the registry setting. I got ahead of myself regarding ntlm auth. Send a debug file to me and I'll look to see if anything stands out. I don't have this problem in W10.
 

Cornholio

Thanks for the feedback @anodos.

On further investigation I've found that the Win10 issue relates only to non-Administrator accounts. If I sign in as Administrator then the full list of users/groups from the FreeNAS is retrieved using 'Find Now'. (The Win7 sessions that worked were probably also as Administrator, since these were on test VMs, but I'm unable to check that today.)

So my issue seems to be related to Windows user privileges on the client machine. Do you happen to know how I would give a non-Administrator user sufficient privileges in Windows to allow them to access the list of users/groups from a remote server, while not giving them full admin rights? I've tried googling, but lack the Windows terminology it seems...
 

anodos

Thanks for the feedback @anodos.

On further investigation I've found that the Win10 issue relates only to non-Administrator accounts. If I sign in as Administrator then the full list of users/groups from the FreeNAS is retrieved using 'Find Now'. (The Win7 sessions that worked were probably also as Administrator, since these were on test VMs, but I'm unable to check that today.)

So my issue seems to be related to Windows user privileges on the client machine. Do you happen to know how I would give a non-Administrator user sufficient privileges in Windows to allow them to access the list of users/groups from a remote server, while not giving them full admin rights? I've tried googling, but lack the Windows terminology it seems...

There is no need to use an administrator account in the Windows client to do this. It sounds like something is kinda broken on your system. Try running sfc.exe /scannow on the Windows client. Maybe also check to see if your security software might be blocking some RPC traffic to the FreeNAS server. Perhaps disable the firewall.
 

Ericloewe

It's just been quasi-officially confirmed.
 

Cornholio

Thanks again @anodos

I tried disabling firewalls and anti-virus software, but to no avail.

However I think I am stumbling towards the solution. The standard user accounts that I've been using on the Win10 machines do not use usernames/passwords consistent with the FreeNAS, so I have to enter FreeNAS credentials when accessing the shared folders in the windows file explorer (ideally, this is the behaviour that I want because I've not currently got a solution for syncing password updates between the FreeNAS and the windows machines - one step at a time...). Creating a new standard user on the Win10 machine with identical username/password to the FreeNAS user accounts solves the problem - 'Find Now' now lists the users/groups as expected - and of course I don't have to enter credentials at any point.

I've seen various suggestions of using identical usernames/passwords in the past when setting up simple p2p windows desktop file sharing, but hadn't realised that it would be necessary in the setup with SMB sharing via the FreeNAS server. Is it in fact necessary to do this, or is there a workaround? Since FreeNAS has no 'Administrator' account, the Win10 'Administrator' account must be achieving this somehow...

I appreciate any thoughts you might have - I realise I've strayed off topic a little, since this clearly isn't a FreeNAS problem and just relates to my Windows file sharing naivety.

(and @Ericloewe - looking forwards to FN11 ;-) )
 

Ericloewe

The standard user accounts that I've been using on the Win10 machines do not use usernames/passwords consistent with the FreeNAS, so I have to enter FreeNAS credentials when accessing the shared folders in the windows file explorer
That's not the problem. Works fine for me.
 

echelon5

Explorer
Joined
Apr 20, 2016
Messages
79
I've just had this problem as well. I was browsing shares and setting permissions, when all of a sudden, I couldn't find any users. I've tried several things that didn't work and then I've connected with an admin account and it started working again.
 

anodos

I've just had this problem as well. I was browsing shares and setting permissions, when all of a sudden, I couldn't find any users. I've tried several things that didn't work and then I've connected with an admin account and it started working again.

That's interesting. If you can reliably reproduce, do it with SMB logging set to debug and PM me a debug tarball. Is this over WiFi?
 

douglasg14b

Dabbler
Joined
Nov 26, 2017
Messages
26
I also have this problem. It's been a constant issue for at least 2 years for me.

Ever since upgrading everything to Server 2016 (essentially Windows 10), I can no longer manage permissions for any SAMBA shares (with the dataset share type being set to Windows). None of the FreeNAS users or groups are findable, and existing ones show up as "Account Unknown".... I can't get it to work on a single Server 2016 device, and only some Windows 10 devices. Even then, only some users and groups are findable, others are not.

Is there something different in how Server 2016 handles SAMBA shares?
 
Joined
Jan 4, 2014
Messages
1,644
On further investigation I've found that the Win10 issue relates only to non-Administrator accounts. If I sign in as Administrator then the full list of users/groups from the FreeNAS is retrieved using 'Find Now'.
Have you checked the Microsoft Account flag and provided the relevant email address for the non-admin FreeNAS accounts?
 