SMB not working on single windows device

[HuffAndStuff]

Hey folks, I'm having an issue with one single device hitting my new NAS Scale SMB share. This almost definitely is a windows issue, so this may not be the appropriate place, but figured I'd start here. Yesterday, I setup a new NAS, built out all the datasets, shares, groups and users. Then setup the SMB share.

I have 3 windows boxes. They all can ping the IP, both can access the TrueNAS UI. But only 2 of them can access the SMB share. The only difference between them (that I can tell) is that the working device is Win10 Home. And the other device is Win10 Pro / Win11 Pro.

I think ACL / permissions are good, because I can use that account on the one device perfectly fine. So its got to be something specific to these other devices. Here's a list of things I've tried based on suggestions found in the forum, that unfortunately haven't resolved the issue:
Tried both \\HOSTNAME\, \\HOSTNAME\SMB, \\IPADDR, \\IPADDR\SMB
Disabled Windows Firewall
Set the IP of the nas in the hosts file to match the device name
Made sure to delete anything related to the nas / ip in the credential manager
Enabled the optional features SMB 1.0/CIFS File Sharing Support
Verified that SMB Direct was enabled
Set the group policy object "Network Security: LAN Manager authentication level" to the value "Send NTLMv2 response only. Refuse LM & NTLM"
Verified I dont have IP allow/bans listed
Tried with both Guest Access Enabled, and Disabled


Here's a screenshot of the error I get:

Ping and tracert come back correct:

Running out of ideas to check, if anyone has some ideas I'm all ears. Thanks!

 

[HuffAndStuff]

Apologies for the double post, but wanted to mention I've also now tried
Setting the reg key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuth to 1 (and rebooted)

And found some pretty generic SMBClient logs in the event viewer:

With that, I verified that the nic had the correct DNS server. And that NetBIOS Over Tcpip set to enabled.

 

[ABain]

When you say you have setup the shares, did you configure both the dataset and share ACLs?
I assume you were using the guide on the docs website? https://www.truenas.com/docs/scale/23.10/scaletutorials/shares/smb/

 

[HuffAndStuff]

Hey thanks for the reply, yup, I setup both the dataset and shares, using those steps. And tried following a video (since I assumed I was missing something the first time)

The odd thing, is since the other boxes work. Then I'd think the ACLs / datasets should be correct, since I'd assume its an all or nothing situation with that user. Either way here's a list of my settings, dataset / user / share, just in case I"m missing anything obvious

 

[ABain]

Thanks for confirming; given the info above it looks like a credentials issue.
1. Do you have guest access enabled on the shares - if so try disabling this.
2. You could check output of the following to check the correct username is being sent :
midclt call smb.status AUTH_LOG | jq

 

[HuffAndStuff]

Thanks for the info, guest access is turned off. As for the output of the log, here's the desktop (which isnt working)

Code:

{
    "timestamp": "2024-02-10T21:18:26.843520-0800",
    "type": "Authentication",
    "Authentication": {
      "version": {
        "major": 1,
        "minor": 2
      },
      "eventId": 4624,
      "logonId": "0",
      "logonType": 3,
      "status": "NT_STATUS_OK",
      "localAddress": "ipv4:192.168.200.8:445",
      "remoteAddress": "ipv4:192.168.0.10:52395",
      "serviceDescription": "SMB2",
      "authDescription": null,
      "clientDomain": "MicrosoftAccount",
      "clientAccount": "huffandstuff",
      "workstation": "DESKTOP-Q3TLOV6",
      "becameAccount": "huffandstuff",
      "becameDomain": "TRUENAS",
      "becameSid": "S-1-5-21-2845439616-3747630170-764160844-20071",
      "mappedAccount": "huffandstuff",
      "mappedDomain": "MicrosoftAccount",
      "netlogonComputer": null,
      "netlogonTrustAccount": null,
      "netlogonNegotiateFlags": "0x00000000",
      "netlogonSecureChannelType": 0,
      "netlogonTrustAccountSid": null,
      "passwordType": "NTLMv2",
      "duration": 7670
    },
    "timestamp_tval": {
      "tv_sec": 1707628706,
      "tv_usec": 843520
    }
  },

And here's the working device:

Code:

{
   "timestamp": "2024-02-12T12:45:07.558251-0800",
    "type": "Authentication",
    "Authentication": {
      "version": {
        "major": 1,
        "minor": 2
      },
      "eventId": 4624,
      "logonId": "0",
      "logonType": 3,
      "status": "NT_STATUS_OK",
      "localAddress": "ipv6:fe80::2e2:69ff:fe79:7ab9:445",
      "remoteAddress": "ipv6:fe80::930b:342b:2d2a:8c02:56263",
      "serviceDescription": "SMB2",
      "authDescription": null,
      "clientDomain": "MicrosoftAccount",
      "clientAccount": "huffandstuff",
      "workstation": "LAPTOP-4QB73L1U",
      "becameAccount": "huffandstuff",
      "becameDomain": "TRUENAS",
      "becameSid": "S-1-5-21-2845439616-3747630170-764160844-20071",
      "mappedAccount": "huffandstuff",
      "mappedDomain": "MicrosoftAccount",
      "netlogonComputer": null,
      "netlogonTrustAccount": null,
      "netlogonNegotiateFlags": "0x00000000",
      "netlogonSecureChannelType": 0,
      "netlogonTrustAccountSid": null,
      "passwordType": "NTLMv2",
      "duration": 4003
    },
    "timestamp_tval": {
      "tv_sec": 1707770707,
      "tv_usec": 558251
    }
  }

The first and really only thing that jumps out to me different, is that the non-working device is using IPv4 instead of IPv6 like the working device. Not sure if a factor here, but its interesting. Maybe I'll go force IPv6 on the non-working device and see how it fairs

 

[HuffAndStuff]

Unfortunately all my testing with IPv6 hasn't yielded any results.
Disabled then tested with NetBios-NS, MDNS and WS-Discovery. Then re-enabled
Added WORKGROUP to the domain list
Checked the windows boxes ARP record, and I do see the Nas's correct mac address listed
Enabled NTLMv1 no luck

Everything still works on the laptop, just not the desktop

 

[HuffAndStuff]

OK, so its fixed, but I'm honestly not sure exactly what I did to fix it. Some of the things I tried today

• Added local, workload and MicrosoftAccount to the domain list
• Set the local security policy for "Network Security: REstrict NTLM: Outgoing NTLM Traffic to remote servers" to "Allow All"
• Set the reg key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Start = 2
• Tested connection with a python tool called SMBMap (which succeeded even when windows explorer would not)
• And rebooted both the desktop and the nas for the Nth time

Somehow throughout that, it started working. I'm thinking it was likely a combo of DNS / Authentication being bugged and maybe local security policies. But I'm going to blame it on the server being haunted.

 

[Ericloewe]

But I'm going to blame it on the server being haunted.

You should always have a good exorcist's number ready the same way you do with a plumber and electrician.

 

[HuffAndStuff]

You should always have a good exorcist's number ready the same way you do with a plumber and electrician.

Yeah, next on my troubleshooting list was to dip the whole nas in holy water. I dont think it would have fixed it... but the SMB share would at least not be the biggest issue anymore haha