SMB authentication issue - FreeNAS 11.Stable

[Constantin]

Hi Everyone,

This is my first post to this forum and many thanks in advance to anyone who will try to help me solve my SMB access problem. Specifically, I have a mini XL that has been running 9.10 just fine. I recently saw the upgrade opportunity to Corrall and took it. All the shares migrated happily, all services (very modest - AFP and SMB) continued to work fine. Then I saw that Corrall was being discontinued for various reasons and decided to hop on the FreeNAS 11.stable train (making the share upgrade along the way).

Well, everything on the AFP side went great - all users continue to have access as expected, the shares are there, etc. However on the SMB side there is trouble. Specifically, I only run SMB sharing for Sonos, which has worked swimmingly in the past (after setting minimum protocol to CORE). However, after the 11.Stable upgrade, the SMB behavior has gone awry. Specifically, using my Mac I can log into the server with the Sonos login/password credentials and everything works as expected. However, if I try the same thing via the Sonos, the password/user is rejected (same path as with Mac).

I would like to continue to use authenticated accounts for all users as opposed to resorting to a guest account. Any insights or help would be greatly appreciated. Apologies if this was covered previously, I didn't see an entry via search.

 

[Constantin]

Did some more reading and experimented re: authentication. Sonos doesn't just require CORE as the minimum SMB protocol, it also requires "NTLMv1 auth:" to be checked. Not sure how that got unchecked during the transition, but there you go.

 

[anodos]

Did some more reading and experimented re: authentication. Sonos doesn't just require CORE as the minimum SMB protocol, it also requires "NTLMv1 auth:" to be checked. Not sure how that got unchecked during the transition, but there you go.

It doesn't require CORE. Nothing in the real world uses "CORE", which is some vestigal IBM proto-CIFS dinosaur from the early 80s that doesn't even have a concept of user names. It probably requires SMB1 (NT1).

 

[Constantin]

I'm confused. In another thread you expressly advised a user with Sonos issues to use CORE as a minimum. See message #6 here: https://forums.freenas.org/index.php?threads/smbd-no-protocol-supported.22349/

I will try and follow your suggestion to move up the authentication protocols and see where it breaks. Many thanks, Constantin

 

[Constantin]

OK, so moved up the protocol list and Sonos currently breaks at SMB2. So NT1 it is. Many thanks for your help!

Any suggestions re: mitigating potential damage other than making the Sonos user a read/execute-only user for the share?

 

[anodos]

OK, so moved up the protocol list and Sonos currently breaks at SMB2. So NT1 it is. Many thanks for your help!

Any suggestions re: mitigating potential damage other than making the Sonos user a read/execute-only user for the share?

Since this is a home environment, I wouldn't bother with it. The risk of ntlmv1 auth or SMB1 is rather minimal in such an environment.

 

[Constantin]

Yeah, perhaps I am a bit paranoid. But I'm looking towards a future with multiple offspring bringing home who-knows-what on their devices. I am hardening the home infrastructure accordingly. They get their VLAN, I get mine, etc.

I've found that putting the SONOS data set on a portable hard drive and attaching it to a Apple Extreme AP is a good way to allow me to keep SMB secure and also save on my power bill - the FreeNAS gets to sleep a lot more and a portable 2.5" bus-powered USB drive doesn't use much power.