SMB not working on single Windows device

HuffAndStuff

Cadet
Joined
Feb 11, 2024
Messages
7
Hey folks, I'm having an issue with one single device hitting my new NAS Scale SMB share. This almost definitely is a Windows issue, so this may not be the appropriate place, but figured I'd start here. Yesterday, I set up a new NAS, built out all the datasets, shares, groups and users. Then set up the SMB share.

I have 3 Windows boxes. They all can ping the IP, both can access the TrueNAS UI. But only 2 of them can access the SMB share. The only difference between them (that I can tell) is that the working device is Win10 Home. And the other device is Win10 Pro / Win11 Pro.

I think ACL / permissions are good, because I can use that account on the one device perfectly fine. So it's got to be something specific to these other devices. Here's a list of things I've tried based on suggestions found in the forum, that unfortunately haven't resolved the issue:
  • Tried both \\HOSTNAME\, \\HOSTNAME\SMB, \\IPADDR, \\IPADDR\SMB
  • Disabled Windows Firewall
  • Set the IP of the NAS in the hosts file to match the device name
  • Made sure to delete anything related to the NAS / IP in the credential manager
  • Enabled the optional features SMB 1.0/CIFS File Sharing Support
  • Verified that SMB Direct was enabled
  • Set the group policy object "Network Security: LAN Manager authentication level" to the value "Send NTLMv2 response only. Refuse LM & NTLM"
  • Verified I don't have IP allow/bans listed
  • Tried with both Guest Access Enabled, and Disabled


Here's a screenshot of the error I get:
1707694027203.png

Ping and tracert come back correct:
1707694102284.png
1707694119849.png


Running out of ideas to check, if anyone has some ideas I'm all ears. Thanks!
 

HuffAndStuff

Apologies for the double post, but wanted to mention I've also now tried:
  • Setting the reg key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuth to 1 (and rebooted)

And found some pretty generic SMBClient logs in the event viewer:
1707702186736.png


With that, I verified that the NIC had the correct DNS server. And that NetBIOS over TCP/IP was set to enabled.
 

HuffAndStuff

Hey, thanks for the reply. Yup, I set up both the dataset and shares using those steps. And tried following a video (since I assumed I was missing something the first time).

The odd thing is, since the other boxes work, I'd think the ACLs / datasets should be correct, since I'd assume it's an all-or-nothing situation with that user. Either way, here's a list of my settings, dataset / user / share, just in case I'm missing anything obvious:
1707763548683.png
1707763376903.png
1707763476255.png
1707763702713.png
 

ABain

Bug Conductor
iXsystems
Joined
Aug 18, 2023
Messages
138
Thanks for confirming; given the info above it looks like a credentials issue.
1. Do you have guest access enabled on the shares - if so try disabling this.
2. You could check the output of the following to check the correct username is being sent:
midclt call smb.status AUTH_LOG | jq
 

HuffAndStuff

Thanks for the info, guest access is turned off. As for the output of the log, here's the desktop (which isn't working):

Code:
{
    "timestamp": "2024-02-10T21:18:26.843520-0800",
    "type": "Authentication",
    "Authentication": {
      "version": {
        "major": 1,
        "minor": 2
      },
      "eventId": 4624,
      "logonId": "0",
      "logonType": 3,
      "status": "NT_STATUS_OK",
      "localAddress": "ipv4:192.168.200.8:445",
      "remoteAddress": "ipv4:192.168.0.10:52395",
      "serviceDescription": "SMB2",
      "authDescription": null,
      "clientDomain": "MicrosoftAccount",
      "clientAccount": "huffandstuff",
      "workstation": "DESKTOP-Q3TLOV6",
      "becameAccount": "huffandstuff",
      "becameDomain": "TRUENAS",
      "becameSid": "S-1-5-21-2845439616-3747630170-764160844-20071",
      "mappedAccount": "huffandstuff",
      "mappedDomain": "MicrosoftAccount",
      "netlogonComputer": null,
      "netlogonTrustAccount": null,
      "netlogonNegotiateFlags": "0x00000000",
      "netlogonSecureChannelType": 0,
      "netlogonTrustAccountSid": null,
      "passwordType": "NTLMv2",
      "duration": 7670
    },
    "timestamp_tval": {
      "tv_sec": 1707628706,
      "tv_usec": 843520
    }
  },


And here's the working device:

Code:
{
    "timestamp": "2024-02-12T12:45:07.558251-0800",
    "type": "Authentication",
    "Authentication": {
      "version": {
        "major": 1,
        "minor": 2
      },
      "eventId": 4624,
      "logonId": "0",
      "logonType": 3,
      "status": "NT_STATUS_OK",
      "localAddress": "ipv6:fe80::2e2:69ff:fe79:7ab9:445",
      "remoteAddress": "ipv6:fe80::930b:342b:2d2a:8c02:56263",
      "serviceDescription": "SMB2",
      "authDescription": null,
      "clientDomain": "MicrosoftAccount",
      "clientAccount": "huffandstuff",
      "workstation": "LAPTOP-4QB73L1U",
      "becameAccount": "huffandstuff",
      "becameDomain": "TRUENAS",
      "becameSid": "S-1-5-21-2845439616-3747630170-764160844-20071",
      "mappedAccount": "huffandstuff",
      "mappedDomain": "MicrosoftAccount",
      "netlogonComputer": null,
      "netlogonTrustAccount": null,
      "netlogonNegotiateFlags": "0x00000000",
      "netlogonSecureChannelType": 0,
      "netlogonTrustAccountSid": null,
      "passwordType": "NTLMv2",
      "duration": 4003
    },
    "timestamp_tval": {
      "tv_sec": 1707770707,
      "tv_usec": 558251
    }
  }


The first and really only thing that jumps out to me as different is that the non-working device is using IPv4 instead of IPv6 like the working device. Not sure if it's a factor here, but it's interesting. Maybe I'll go force IPv6 on the non-working device and see how it fares.
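
Added example, not part of the original post or of TrueNAS: a field-by-field comparison of the two authentication records above, which makes visible that both logons returned NT_STATUS_OK for the same mapped account with NTLMv2 and differ only in addresses and workstation name. The function names are hypothetical, and the sample is trimmed to the fields compared.

```python
import json

# Values copied from the two AUTH_LOG records posted above, trimmed to the
# fields compared here (first record: desktop, second: laptop).
SAMPLE = json.loads("""[
 {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK",
   "localAddress": "ipv4:192.168.200.8:445",
   "remoteAddress": "ipv4:192.168.0.10:52395",
   "clientDomain": "MicrosoftAccount", "clientAccount": "huffandstuff",
   "workstation": "DESKTOP-Q3TLOV6", "becameDomain": "TRUENAS",
   "becameAccount": "huffandstuff", "passwordType": "NTLMv2",
   "duration": 7670}},
 {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK",
   "localAddress": "ipv6:fe80::2e2:69ff:fe79:7ab9:445",
   "remoteAddress": "ipv6:fe80::930b:342b:2d2a:8c02:56263",
   "clientDomain": "MicrosoftAccount", "clientAccount": "huffandstuff",
   "workstation": "LAPTOP-4QB73L1U", "becameDomain": "TRUENAS",
   "becameAccount": "huffandstuff", "passwordType": "NTLMv2",
   "duration": 4003}}
]""")

# Timing field; differs on every logon regardless of outcome.
VOLATILE = {"duration"}

def summarize(event):
    """One-line view of who authenticated, from where, and with what result."""
    a = event["Authentication"]
    return {
        "workstation": a["workstation"],
        "status": a["status"],
        "client": a["clientDomain"] + "\\" + a["clientAccount"],
        "became": a["becameDomain"] + "\\" + a["becameAccount"],
        "passwordType": a["passwordType"],
        # The records carry the address family as a prefix: "ipv4:..." / "ipv6:..."
        "family": a["remoteAddress"].split(":", 1)[0],
    }

def diff_events(a, b):
    """Return {field: (a_value, b_value)} for Authentication fields that differ."""
    x, y = a["Authentication"], b["Authentication"]
    keys = sorted(set(x) | set(y))
    return {k: (x.get(k), y.get(k)) for k in keys
            if k not in VOLATILE and x.get(k) != y.get(k)}

if __name__ == "__main__":
    desktop, laptop = SAMPLE
    print(summarize(desktop), summarize(laptop), sep="\n")
    for field, (d, l) in diff_events(desktop, laptop).items():
        print(f"{field}: {d!r} != {l!r}")
```

A record whose `status` is not `NT_STATUS_OK`, or whose `becameAccount` differs from the account the share's ACL grants, would show up in the same diff.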
 

HuffAndStuff

Unfortunately all my testing with IPv6 hasn't yielded any results.
  • Disabled then tested with NetBIOS-NS, mDNS and WS-Discovery. Then re-enabled
  • Added WORKGROUP to the domain list
  • Checked the Windows boxes ARP record, and I do see the NAS's correct MAC address listed
  • Enabled NTLMv1, no luck

Everything still works on the laptop, just not the desktop
 

HuffAndStuff

OK, so it's fixed, but I'm honestly not sure exactly what I did to fix it. Some of the things I tried today:
  • Added local, workload and MicrosoftAccount to the domain list
  • Set the local security policy for "Network Security: Restrict NTLM: Outgoing NTLM Traffic to remote servers" to "Allow All"
  • Set the reg key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Start = 2
  • Tested connection with a Python tool called SMBMap (which succeeded even when Windows Explorer would not)
  • And rebooted both the desktop and the NAS for the Nth time
Somehow throughout that, it started working. I'm thinking it was likely a combo of DNS / Authentication being bugged and maybe local security policies. But I'm going to blame it on the server being haunted.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,097
> But I'm going to blame it on the server being haunted.
You should always have a good exorcist's number ready the same way you do with a plumber and electrician.
 

HuffAndStuff

> You should always have a good exorcist's number ready the same way you do with a plumber and electrician.
Yeah, next on my troubleshooting list was to dip the whole NAS in holy water. I don't think it would have fixed it... but the SMB share would at least not be the biggest issue anymore haha
 