SMB shares - acces denied when connecting from Win10

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Consult "man mount" in your linux distro. Command order is:
mount -vvv -t cifs -o ......
 

avalon60

Guru
Joined
Jan 15, 2014
Messages
597
It is correct now.

rob@rob-Z97:~$ sudo mount -vvv -t cifs -o username=root,password=2Sm4k5,uid=rob,gid=rob //192.168.0.22/WinShare/Media/Music /mnt/WinShare/Media/Music
mount.cifs kernel mount options: ip=192.168.0.22,unc=\\192.168.0.22\WinShare,uid=1000,gid=1000,user=root,prefixpath=Media/Music,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
 

avalon60

Guru
Joined
Jan 15, 2014
Messages
597
After I removed the ip addresses from host allow in samba, I tried:

sudo mount -t cifs -o username=*****,password=*******,uid=rob,gid=rob //192.168.0.22/WinShare/Media/Music /mnt/WinShare/Media/Music
mount error(13): Permission denied

then this:
tail -f /var/log/kern.log

Feb 22 17:43:00 rob-Z97 kernel: [85934.231301] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Feb 22 17:43:00 rob-Z97 kernel: [85934.232097] CIFS VFS: cifs_mount failed w/return code = -13

Now I am at a complete loss why I'm getting permission denied.
Just a thought: After you ttold me that my samba file is corrupt, should I have one anything else.

Now I'm getting this when I try to mount the Music folder:

mount error(2): No such file or directory

Thanks
 
Last edited:

ethylowy

Cadet
Joined
Feb 22, 2019
Messages
9
I've managed to find some work-arounds for my jails, so they work for now.
But still no-go for Samba shares :/
I even grabbed some official tutorials, and followed them to the letter, but still i cant access any (newly created or one which was working before upgrade to U2) share, with exact same error as before...
 

avalon60

Guru
Joined
Jan 15, 2014
Messages
597
I eventually got my Music folder mounted on my ubuntu machine. The problem was that many moons ago I put in my pc's ip address at that time in hosts allow of samba. Since I removed that ip address, my music folder is mounted.
 

ethylowy

Cadet
Joined
Feb 22, 2019
Messages
9
I kinda' gave up...
Still can't get into the share, getting NT_STATUS_ACCESS_DENIED.

But today, while trying to play with config file, one thing caught my eye - after restarting samba_server i get different output of resolved_name param in log.smbd right after any access attempt.
For couple tries it cycled between resolved_name=/ and resolved_name=/var/tmp after every service restart (without further config changes, just restarting the service) - i have no idea, why this path is cycling that way...

I've even tried to use param allow insecure wide links = yes but sadly it didn't changed a thing...
If anyone could provide any follow-up to fix this issue, i would be gratefull, because for now my only way to get into the share, is via FTP.....
 

TGM

Dabbler
Joined
May 22, 2017
Messages
17
I don't think it's you, I'm struggling with it as well for the past 2 days. follow symlinks or allow insecure wide links didn't helped.

Code:
==> /var/log/samba4/log.smbd <==
[2019/03/05 17:12:30.974291,  0] ../source3/smbd/uid.c:386(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2019/03/05 17:12:30.974915,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.975606,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.976144,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.976680,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.977070,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.977523,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.061992,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.067955,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.070314,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.070712,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.071098,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.071635,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
 

ethylowy

Cadet
Joined
Feb 22, 2019
Messages
9
I start to regret any updates... After one described to fix some issues, now im getting the following error
Code:
Mar 26 21:55:13 STS1NAS uwsgi: [freenasOS.Update:848] Could not find latest manifest due to ('Connection aborted.', ConnectionResetError(54, 'Connection reset by peer'))

Is there any way to safely downgrade without loosing data?
 
Joined
Jan 4, 2014
Messages
1,644
Is there any way to safely downgrade without loosing data?
As long as you haven't upgraded the pool, you should be able to downgrade the OS from 11.2 to 11.1.
 

Andrew Barnes

Dabbler
Joined
Dec 4, 2014
Messages
21
Seeing similar issues here.
I upgraded to 11.2 recently, and I have also upgraded the pool. So I will not be able to downgrade.

I can't be certain my permissions were ever setup exactly correct. but I certainly used to be able to access my home share on both windows 10 and Linux.

I read in a similar bug report: (don't think it's been linked here yet)
https://redmine.ixsystems.com/issues/83035

that U3 update should have the fix, with 'valid users=' as a aux param in home share.

For me, that has meant that the domain administrator can access their home share.
but I've not been able to get any other user to access their home share - so now i'm unsure if perhaps I've broken something else in trying to get this to work or if there is more fix required in U2.

Before making the 'valid user' change, I would be prompted to enter my credentials on the home share, where as on other shares I would not. (all shares using a dedicated AD server for authentication)
After making that change, i see this from windows 10:
"Theres a problem accessing \\server\homes..."
then
Network error - Windows cannot access \\server\homes"
 

Andrew Barnes

Dabbler
Joined
Dec 4, 2014
Messages
21
with regards to the permission settings.

The dataset for home share is configured with windows acl, user = adminstrator (domain), group = domain admins
- but i'm not really sure that makes any difference?

the share is configured with, "use as home share", name = homes, path = path to home share dataset, "browsable to network clients", aux pam= "valid users=", vfs objects="zfs_space, streams_xattr, zfsacl"

Then i've just followed as closely as possible this guide for configure windows shares:
https://www.faqforge.com/windows-se...ctory-domain-services-windows-server-2012-r2/

the only difference is that I did not create the NTFS folder as they start with, but instead used "computer management" console to connect to Freenas server, and browsed the shares from there.


result is the same. Only domain admin is able to read/write to their home share. Everyone else gets NT_STATUS_ACCESS_DENIED.

Puzzled
 

ethylowy

Cadet
Joined
Feb 22, 2019
Messages
9
@Andrew Barnes
Not sure if it applies to Your case, but i finally fixed (at least partially, cause they are still inaccesible from UNIX machines) my Samba shares.

@TGM
It should fix Your Shares ;)

TBH, it's stupid AF, and im pretty shocked it was so freackin' easy, but tooked so much time and effort lol :D

Had to globally turn off linux shares via smbd.conf
Code:
unix extensions = no

and then add the wide links globally and in each share.
Code:
wide links = yes


Now i can easily access SMB shares without the damn errors :D
BTW, one of my friends at BSD forum said, that issue with symlinks is really old, and he was really surprised i got it. It's a known bug from like 2013 xD

p.s - try to change
Code:
aux pam= "valid users="

to
Code:
aux pam= "valid users=%U"
 

thomisus

Dabbler
Joined
Feb 11, 2020
Messages
14
the share is configured with, "use as home share", name = homes, path = path to home share dataset, "browsable to network clients", aux pam= "valid users=", vfs objects="zfs_space, streams_xattr, zfsacl"

Hi, got the same problem.. set DOMAIN\administrator and DOMAIN\domain users
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
I don't think it's you, I'm struggling with it as well for the past 2 days. follow symlinks or allow insecure wide links didn't helped.

Code:
==> /var/log/samba4/log.smbd <==
[2019/03/05 17:12:30.974291,  0] ../source3/smbd/uid.c:386(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2019/03/05 17:12:30.974915,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.975606,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.976144,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.976680,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.977070,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:30.977523,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.061992,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.067955,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.070314,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.070712,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.071098,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
[2019/03/05 17:12:31.071635,  2] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/storage/share/private/test
  resolved_name=/
Under no normal circumstances should symlink checks return that the conn rootdir resolves to /. Please PM me a debug file and exact steps to reproduce the issue. In general, you should never need to enable widelinks.

For proper ACL behavior, the ZFS dataset's aclmode should be set to "restricted". This has been known to cause issues for some SMB users.
 

biosek

Cadet
Joined
Jul 21, 2020
Messages
1
Hi,
I had similar problem.
From this guide to setup raspberry pi to automatically upload tesla videos from car through home wifi to my freenas

I had a problem, that the setup script crashed on verifying that the smb share location is mountable:
Code:
mount -vvv -t cifs -o 'username=tesla,password=some_password' //192.168.66.22/TeslaCam /mnt/test-mount


At first I was getting that IO error, I got through that error via option ver=2.1
Code:
mount -vvv -t cifs -o 'username=tesla,password=some_password,vers=2.1' //192.168.66.22/TeslaCam /mnt/test-mount

But then I got stuck on Permission Denied.

I googled that the problem is not on the client, but on the server (freenas)
Then I tried to use main admin login which worked. So I narrowed it down to ACL settings.

And the actual fix was to give read-only access to the user which I wanted to create share for.

So my setups were:
1.
Datasets:
Main
all
Shares:
TeslaCam -> /mnt/Main/all/TeslaCam
=> I had to give read-only ACL to "all" to have access to TeslaCam share (I didn't want tesla account to see all my nas)
2.
Datasets:
Main
all
TeslaCam
Shares:
TeslaCam -> /mnt/Main/all/TeslaCam
=> I still had to give read-only ACL to "all" to have access to TeslaCam share (I didn't want tesla account to see all my nas)
So my actual fix was
3.

Datasets:
Main
all
TeslaCam
Shares:
TeslaCam -> /mnt/Main/TeslaCam
=>I just needed to give read + read/write access to tesla account for TeslaCam ACLs and that is it.
Now tesla account doesn't see all my nas, and the mount is mountable now. Even without specifying vers= option
 

simonj

Dabbler
Joined
Feb 28, 2022
Messages
32
Under no normal circumstances should symlink checks return that the conn rootdir resolves to /. Please PM me a debug file and exact steps to reproduce the issue. In general, you should never need to enable widelinks.

For proper ACL behavior, the ZFS dataset's aclmode should be set to "restricted". This has been known to cause issues for some SMB users.
I still have a similar problem when accessing folders with many files from a Mac over SMB. After a while the share disconnects and I see the "Bad access attempt: . is a symlink outside the share path" in the log.
Code:
96.arx fname=A040C005_220625_RNET.0582096.arx (A040C005_220625_RNET.0582096.arx)
[2023/03/25 12:02:57.310219,  3] ../../source3/smbd/dir.c:1034(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found 8Horses-Electric_Child/220625_SD10/Camera_Raw/Video/A040RNET_hde/A040RNET/A040C005_220625_RNET/A040C005_220625_RNET.0581624.arx fname=A040C005_220625_RNET.0581624.arx (A040C005_220625_RNET.0581624.arx)
[2023/03/25 12:02:57.324517,  3] ../../source3/smbd/dir.c:1034(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found 8Horses-Electric_Child/220625_SD10/Camera_Raw/Video/A040RNET_hde/A040RNET/A040C005_220625_RNET/A040C005_220625_RNET.0585203.arx fname=A040C005_220625_RNET.0585203.arx (A040C005_220625_RNET.0585203.arx)
[2023/03/25 12:02:57.342323,  3] ../../source3/smbd/dir.c:1034(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found 8Horses-Electric_Child/220625_SD10/Camera_Raw/Video/A040RNET_hde/A040RNET/A040C005_220625_RNET/A040C005_220625_RNET.0584443.arx fname=A040C005_220625_RNET.0584443.arx (A040C005_220625_RNET.0584443.arx)
[2023/03/25 12:02:57.362548,  3] ../../source3/smbd/dir.c:1034(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found 8Horses-Electric_Child/220625_SD10/Camera_Raw/Video/A040RNET_hde/A040RNET/A040C005_220625_RNET/A040C005_220625_RNET.0584831.arx fname=A040C005_220625_RNET.0584831.arx (A040C005_220625_RNET.0584831.arx)
[2023/03/25 12:02:57.377332,  2] ../../source3/smbd/service.c:1191(close_cnum)
  mac-pro (ipv4:192.168.178.25:59049) closed connection to service ec_backup
[2023/03/25 12:02:57.377413,  3] ../../source3/smbd/vfs.c:1259(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path
  conn_rootdir =/mnt/Tank/ec_backup
  resolved_name=/
[2023/03/25 12:02:57.379953,  3] ../../source3/smbd/server_exit.c:240(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_DISCONNECTED)
[2023/03/25 12:03:10.537696,  3] ../../source3/smbd/smb2_server.c:3956(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:3334
[2023/03/25 12:03:29.5


Doing the same over (much slower) afp does work. But would be very glad to get this to work and not having to fallback to afp for certain operations.
 
Top