Time Machine issue on 11.3

danb35

I'm also having trouble with Time Machine on my Mac clients (OS versions 10.14.6 and 10.12.6). I can't confirm that they started exactly when I upgraded to 11.3, but it was at least close. Of note, I'm still on 11.3--if -U1 would be likely to have resolved this, let me know, but I'd rather not down the server right now if I don't have to. For right now, I'm trying to use the dan-tm2 share. The error shown on the screen is:
1584714673390.png


On the Mac:
Code:
 dan@Dan-MacBook-Pro-2453  /etc  dns-sd -B _adisk._tcp.
Browsing for _adisk._tcp.
DATE: ---Fri 20 Mar 2020---
10:31:52.470  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
10:31:52.666  Add        2   5 local.               _adisk._tcp.         freenas2
10:31:52.781  Add        2   6 local.               _adisk._tcp.         freenas2
^C
 dan@Dan-MacBook-Pro-2453  /etc  dns-sd -L freenas2 _adisk._tcp.
Lookup freenas2._adisk._tcp..local
DATE: ---Fri 20 Mar 2020---
10:33:12.611  ...STARTING...
10:33:12.782  freenas2._adisk._tcp.local. can be reached at freenas2.local.:9 (interface 6)
 sys=waMa=0,adVF=0x100 dk0=adVN=dan-tm2,adVF=0x82,adVU=6181d9b8-d126-4616-a3a0-eb4e7e273f54 dk1=adVN=emily-tm,adVF=0x81,adVU=fa71a85c-f3a4-4878-a110-8d9ce854693a dk2=adVN=dan-tm,adVF=0x81,adVU=657cea92-aa9c-4f57-a236-600adab54ba8 dk3=adVN=charlie-tm,adVF=0x81,adVU=965a2137-138a-4726-8314-7120f19e707a

On the NAS:
Code:
root@freenas2[~]# testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
    aio max threads = 2
    bind interfaces only = Yes
    disable spoolss = Yes
    dns proxy = No
    enable web service discovery = Yes
    kernel change notify = No
    load printers = No
    logging = file
    map to guest = Bad User
    max log size = 51200
    netbios name = FREENAS
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    obey pam restrictions = Yes
    server min protocol = SMB2_02
    server role = standalone server
    server string = FreeNAS Server
    unix extensions = No
    username map = /usr/local/etc/smbusername.map
    username map cache time = 60
    workgroup = FAMILYBROWN
    idmap config *: range = 90000001-100000000
    fruit:nfs_aces = No
    idmap config * : backend = tdb
    allocation roundup size = 0
    directory name cache size = 0
    dos filemode = Yes
    include = /usr/local/etc/smb4_share.conf


[Documents]
    aio write size = 0
    ea support = No
    guest ok = Yes
    hide dot files = No
    mangled names = illegal
    path = /mnt/tank/Documents
    read only = No
    vfs objects = shadow_copy_zfs zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[Houdini Backup]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/tank/houdini
    read only = No
    vfs objects = shadow_copy_zfs fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[Torrents]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/tank/torrents
    read only = No
    vfs objects = zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[Transmission]
    aio write size = 0
    ea support = No
    guest ok = Yes
    mangled names = illegal
    path = /mnt/tank/transmission
    read only = No
    vfs objects = zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[Video]
    aio write size = 0
    ea support = No
    guest ok = Yes
    level2 oplocks = No
    mangled names = illegal
    oplocks = No
    path = /mnt/tank/Video
    read only = No
    strict locking = Yes
    vfs objects = shadow_copy_zfs zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[homes]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/tank/dan/%U
    read only = No
    vfs objects = zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[dan-tm2]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/tank/dan-tm2
    read only = No
    vfs objects = shadow_copy_zfs ixnas fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:volume_uuid = 6181d9b8-d126-4616-a3a0-eb4e7e273f54
    fruit:time machine = yes
    fruit:resource = stream
    fruit:metadata = stream


[media]
    aio write size = 0
    comment = Non-video media
    ea support = No
    guest ok = Yes
    mangled names = illegal
    path = /mnt/tank/media
    read only = No
    vfs objects = shadow_copy_zfs zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[scripts]
    aio write size = 0
    ea support = No
    guest ok = Yes
    mangled names = illegal
    path = /mnt/ssdpool/scripts
    read only = No
    vfs objects = shadow_copy_zfs zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


[ubuntu-backup]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/tank/ubuntu-backup
    read only = No
    vfs objects = shadow_copy_zfs zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream
root@freenas2[~]# 
 

anodos

Sambassador
iXsystems
I see that you're advertising three time machine shares, but only have one SMB one configured in your smb4.conf file. Try running midclt call mdnsadvertise.restart to regenerate your mDNS advertisement.

Also set "log level = 1 auth_audit:5" as an auxiliary parameter under Services->SMB. Try kicking off a new backup task (you can use tmutil on the Mac to do this), and watch the auth attempt in /var/log/samba4/log.smbd to see what's happening.
 

danb35

Strangely, those other shares were Time Machine shares I'd previously configured via AFP--but the AFP service is turned off at this time. Deleting those shares results in my only seeing the one (dan-tm2) share I was trying to use, but I'm still getting the same error when trying to back up.

After setting the log level, it appears that my Mac is trying to authenticate as the wrong user. The underlying dataset had been owned by a unique user (creatively enough, "dan-tm") with its own password, which had worked for years with TM over AFP on prior versions (back to the 8.something days). But when trying to do TM over SMB, I can successfully connect to the share:
Code:
  Successful AuthZ: [SMB2,NTLMSSP] user [FREENAS]\[dan-tm] [S-1-5-21-2413538992-2029167151-3841831621-3006] at [Fri, 20 Mar 2020 15:05:23.921969 EDT] Remote host [ipv4:192.168.1.199:52394] local host [ipv4:192.168.1.10:445]
[2020/03/20 15:05:24.070538,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [lsarpc,ncacn_np] user [FREENAS]\[dan-tm] [S-1-5-21-2413538992-2029167151-3841831621-3006] at [Fri, 20 Mar 2020 15:05:24.070517 EDT] Remote host [ipv4:192.168.1.199:52394] local host [ipv4:192.168.1.10:445]
[2020/03/20 15:05:42.101242,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)

...but when I kick off the backup, I get this:
Code:
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:05:42.101168 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52481] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445] 
[2020/03/20 15:05:42.107702,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:05:42.107693 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52481] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445] 
[2020/03/20 15:05:42.114969,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:05:42.114960 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52481] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445] 
[2020/03/20 15:07:24.155092,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:07:24.155020 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52894] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445] 
[2020/03/20 15:07:24.161115,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:07:24.161106 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52894] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445] 
[2020/03/20 15:07:24.168298,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:07:24.168285 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52894] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445] 

It looks like it's trying to authenticate as dan (which is my login user on my client computer) rather than dan-tm, and I can't even begin to speculate what password it might be using.

I figured that if I can't beat them, join them, and changed the ownership (using the shiny new ACL editor) on the underlying dataset to dan rather than dan-tm. It's making progress, it authenticates, but now I get:
1584786748690.png


Thinking this could still be an ACL problem, I went back into the ACL editor and gave the owner (me) "full control". Kicking off the backup again, I get the same error. The Samba log shows nothing but a successful authentication.

I'm getting tempted to chuck the whole thing in the bin and start over. Is there a good, current soup-to-nuts guide on TM under SMB? Because it clearly isn't as simple as "create dataset, share dataset, check the Time Machine box".
 

anodos

Sambassador
iXsystems
Strangely, those other shares were Time Machine shares I'd previously configured via AFP--but the AFP service is turned off at this time. Deleting those shares results in my only seeing the one (dan-tm2) share I was trying to use, but I'm still getting the same error when trying to back up.

After setting the log level, it appears that my Mac is trying to authenticate as the wrong user. The underlying dataset had been owned by a unique user (creatively enough, "dan-tm") with its own password, which had worked for years with TM over AFP on prior versions (back to the 8.something days). But when trying to do TM over SMB, I can successfully connect to the share:
Code:
  Successful AuthZ: [SMB2,NTLMSSP] user [FREENAS]\[dan-tm] [S-1-5-21-2413538992-2029167151-3841831621-3006] at [Fri, 20 Mar 2020 15:05:23.921969 EDT] Remote host [ipv4:192.168.1.199:52394] local host [ipv4:192.168.1.10:445]
[2020/03/20 15:05:24.070538,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [lsarpc,ncacn_np] user [FREENAS]\[dan-tm] [S-1-5-21-2413538992-2029167151-3841831621-3006] at [Fri, 20 Mar 2020 15:05:24.070517 EDT] Remote host [ipv4:192.168.1.199:52394] local host [ipv4:192.168.1.10:445]
[2020/03/20 15:05:42.101242,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)

...but when I kick off the backup, I get this:
Code:
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:05:42.101168 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52481] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445]
[2020/03/20 15:05:42.107702,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:05:42.107693 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52481] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445]
[2020/03/20 15:05:42.114969,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:05:42.114960 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52481] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445]
[2020/03/20 15:07:24.155092,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:07:24.155020 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52894] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445]
[2020/03/20 15:07:24.161115,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:07:24.161106 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52894] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445]
[2020/03/20 15:07:24.168298,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [FREENAS]\[dan] at [Fri, 20 Mar 2020 15:07:24.168285 EDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MACBOOKPRO-DCDC] remote host [ipv4:192.168.1.199:52894] mapped to [FREENAS]\[dan]. local host [ipv4:192.168.1.10:445]

It looks like it's trying to authenticate as dan (which is my login user on my client computer) rather than dan-tm, and I can't even begin to speculate what password it might be using.
Yes, it looks like it was the wrong password. Time Machine prompts you for credentials when you set up the backup. Something must have changed between then and now (possibly the credentials).

I figured that if I can't beat them, join them, and changed the ownership (using the shiny new ACL editor) on the underlying dataset to dan rather than dan-tm. It's making progress, it authenticates, but now I get:
View attachment 36734

Thinking this could still be an ACL problem, I went back into the ACL editor and gave the owner (me) "full control". Kicking off the backup again, I get the same error. The Samba log shows nothing but a successful authentication.
Did you apply the change recursively? You can use getfacl to check on the ACL of the sparsebundle volume in the share.
 

danb35

Did you apply the change recursively?
Yes, I did. Even created a new empty dataset and applied the changes recursively there. Not sure what this output indicates:
Code:
root@freenas2[/mnt/tank/dan-tm2]# ll
total 18
drwxr-xr-x+  3 dan   wheel  uarch  3 Mar 21 06:45 ./
drwxrwxrwx  37 root  wheel  uarch 40 Mar 20 15:11 ../
d---------+  2 dan   wheel  uarch  2 Mar 20 15:12 2B7D4240-ADB4-5174-8F3A-60B83690680E.sparsebundle/
root@freenas2[/mnt/tank/dan-tm2]# getfacl 2B7D4240-ADB4-5174-8F3A-60B83690680E.sparsebundle 
# file: 2B7D4240-ADB4-5174-8F3A-60B83690680E.sparsebundle
# owner: dan
# group: wheel
         everyone@:--------------:fd----I:allow
 

anodos

Sambassador
iXsystems
Yes, I did. Even created a new empty dataset and applied the changes recursively there. Not sure what this output indicates:
Code:
root@freenas2[/mnt/tank/dan-tm2]# ll
total 18
drwxr-xr-x+  3 dan   wheel  uarch  3 Mar 21 06:45 ./
drwxrwxrwx  37 root  wheel  uarch 40 Mar 20 15:11 ../
d---------+  2 dan   wheel  uarch  2 Mar 20 15:12 2B7D4240-ADB4-5174-8F3A-60B83690680E.sparsebundle/
root@freenas2[/mnt/tank/dan-tm2]# getfacl 2B7D4240-ADB4-5174-8F3A-60B83690680E.sparsebundle
# file: 2B7D4240-ADB4-5174-8F3A-60B83690680E.sparsebundle
# owner: dan
# group: wheel
         everyone@:--------------:fd----I:allow
This indicates that you didn't set the "inherit" flag on any of the permissions in the ACL editor. In U2 we're adding a safeguard to prevent this. Go back in, select "full_control", and then "inherit" for the flags (it will be a basic option).
 
Joined
Nov 22, 2017
Messages
4
this is my current situation:
  • I am running FreeNAS 11.2-U7 and use it as a Time Machine backup and file server using SMB only.
  • My clients are running macOS 10.15.3.
  • I used AFP before (since FreeNAS 9) and datasets were setup as Mac share types initially.
  • I switched from AFP to SMB with this release (11.2-U7).
  • I set "fruit:time machine = yes" on all SMB shares.
  • Time Machine backups and file serving do work currently.
  • I had to mount the Time Machine share manually once on the clients to make Time Machine backups work.
I am pondering over the update from 11.2 to 11.3.

I updated to 11.2-U8 and then to 11.3-U1 and everything runs nicely.

I have a normal file sharing share and a Time Machine share which use different users.

In 11.2-U7 I had to mount the Time Machine share in Finder manually once and it did the trick with Time Machine. Otherwise Time Machine would not connect to the server come backup time and threw an error with wrong username and password although I entered the correct credentials in Time Machine when connecting the share.

Cheers from Germany and keep safe and healthy during COVID-19 times!
 

danb35

This indicates that you didn't set the "inherit" flag on any of the permissions in the ACL editor.
I could have sworn I'd posted of success, but it appears I was premature; now the share isn't appearing at all. Is it possible to have multiple time machine shares? And is there anything special that needs to be done to make that configuration work?
 

anodos

Sambassador
iXsystems
I could have sworn I'd posted of success, but it appears I was premature; now the share isn't appearing at all. Is it possible to have multiple time machine shares? And is there anything special that needs to be done to make that configuration work?
Multiple time machine shares are possible. Nothing special needs to be done there. That said, you may need to toggle the SMB service after creating them.
 

anodos

Sambassador
iXsystems
Stopped and restarted SMB, and now the two shares show as available targets in Time Machine. But when I pick one, I get:
View attachment 36796
This can happen if the same path is shared out via multiple filesharing protocols. In some cases we have to disable features that Time Machine requires, such as oplocks, for data integrity reasons. What does `testparm -s` show now?
 

danb35

Ah, that sparked a memory--I'd shared out those datasets via NFS long ago to work with a Crashplan VM (long since defunct). That also explains why I wasn't seeing the issue earlier, as I was working with a newly-created dataset for testing purposes. Deleting those exports lets me connect to the share and complete a backup. It seems to be running very slowly (my computer's giving an ETA of 5 hours to complete a 1.8 GB backup), but it's running without errors.
 

George Kyriazis

It looks like your time machine share may also be an NFS export. In 11.3 we re-configure the SMB shares in this case for safer behavior. If it's being exported by NFS, remove the NFS export and restart the SMB service through the GUI (to force an SMB re-configuration).
Is there a way to keep the same share exported via nfs? I have a similar problem on 11.2-U8, but I do want to keep the share exported, since (like some other person mentioned) I use this share from Crashplan running on a VM.

It may not be related to NFS, since I've created another (test) volume and share, and I'm seeing the same behavior. I've set
log level = 3 passdb:9 auth:9 auth_audit:9
in smb4.conf, and I've noticed that when I select the SMB share in Time Machine, the authentication works fine, as shown below:
[2020/04/04 20:18:41.680539, 3] ../source3/passdb/lookup_sid.c:1577(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for guest
[2020/04/04 20:18:41.680748, 4] ../source3/auth/check_samsec.c:183(sam_account_ok)
sam_account_ok: Checking SMB password for user guest
[2020/04/04 20:18:41.680827, 5] ../source3/auth/check_samsec.c:165(logon_hours_ok)
logon_hours_ok: user guest allowed to logon at this time (Sun Apr 5 01:18:41 2020
)
[2020/04/04 20:18:41.681312, 5] ../source3/auth/server_info_sam.c:122(make_server_info_sam)
make_server_info_sam: made server info for user guest -> guest
[2020/04/04 20:18:41.681377, 3] ../source3/auth/auth.c:256(auth_check_ntlm_password)
auth_check_ntlm_password: sam_ignoredomain authentication for user [guest] succeeded
[2020/04/04 20:18:41.681435, 4] ../source3/auth/pampass.c:483(smb_pam_start)
smb_pam_start: PAM: Init user: guest
[2020/04/04 20:18:41.686715, 4] ../source3/auth/pampass.c:492(smb_pam_start)
smb_pam_start: PAM: setting rhost to: 192.168.1.103
[2020/04/04 20:18:41.686781, 4] ../source3/auth/pampass.c:501(smb_pam_start)
smb_pam_start: PAM: setting tty
[2020/04/04 20:18:41.686825, 4] ../source3/auth/pampass.c:509(smb_pam_start)
smb_pam_start: PAM: Init passed for user: guest
[2020/04/04 20:18:41.686860, 4] ../source3/auth/pampass.c:567(smb_pam_account)
smb_pam_account: PAM: Account Management for User: guest
[2020/04/04 20:18:41.687230, 4] ../source3/auth/pampass.c:586(smb_pam_account)
smb_pam_account: PAM: Account OK for User: guest
[2020/04/04 20:18:41.687548, 4] ../source3/auth/pampass.c:465(smb_pam_end)
smb_pam_end: PAM: PAM_END OK.
[2020/04/04 20:18:41.687603, 5] ../source3/auth/auth.c:283(auth_check_ntlm_password)
check_ntlm_password: PAM Account for user [guest] succeeded
[2020/04/04 20:18:41.687666, 3] ../auth/auth_log.c:610(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [ZODIAC]\[guest] at [Sat, 04 Apr 2020 20:18:41.687648 CDT] with [NTLMv2] status [NT_STATUS_OK] workstation [LIBRA] remote host [ipv4:192.168.1.103:59537] became [ZODIAC]\[guest] [S-1-5-21-3130175524-438334350-4176454937-501]. local host [ipv4:192.168.1.10:445]
{"timestamp": "2020-04-04T20:18:41.687862-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.1.10:445", "remoteAddress": "ipv4:192.168.1.103:59537", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZODIAC", "clientAccount": "guest", "workstation": "LIBRA", "becameAccount": "guest", "becameDomain": "ZODIAC", "becameSid": "S-1-5-21-3130175524-438334350-4176454937-501", "mappedAccount": "guest", "mappedDomain": "ZODIAC", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 13594}}
[2020/04/04 20:18:41.688002, 2] ../source3/auth/auth.c:316(auth_check_ntlm_password)
check_ntlm_password: authentication for user [guest] -> [guest] -> [guest] succeeded
but when the backup starts, the authentication does not go through SMB password authentication, but jumps directly to NTLMv2 and fails, as shown below:
[2020/04/04 20:18:57.667823, 3] ../source3/passdb/lookup_sid.c:1577(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for guest
[2020/04/04 20:18:57.667938, 3] ../libcli/auth/ntlm_check.c:403(ntlm_password_check)
ntlm_password_check: NTLMv2 password check failed
[2020/04/04 20:18:57.667971, 3] ../libcli/auth/ntlm_check.c:449(ntlm_password_check)
ntlm_password_check: Lanman passwords NOT PERMITTED for user guest
[2020/04/04 20:18:57.668019, 3] ../libcli/auth/ntlm_check.c:595(ntlm_password_check)
ntlm_password_check: LM password and LMv2 failed for user guest, and NT MD4 password in LM field not permitted
[2020/04/04 20:18:57.668084, 9] ../source3/passdb/passdb.c:2238(pdb_increment_bad_password_count)
No lockout policy, don't track bad passwords
[2020/04/04 20:18:57.668222, 5] ../source3/passdb/pdb_tdb.c:813(tdb_update_samacct_only)
Storing account guest with RID 501
[2020/04/04 20:18:57.668271, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
auth_check_ntlm_password: sam_ignoredomain authentication for user [guest] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/04/04 20:18:57.668303, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [guest] -> [guest] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/04/04 20:18:57.668347, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user []\[guest] at [Sat, 04 Apr 2020 20:18:57.668333 CDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LIBRA] remote host [ipv4:192.168.1.103:59551] mapped to []\[guest]. local host [ipv4:192.168.1.10:445]
{"timestamp": "2020-04-04T20:18:57.668395-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.1.10:445", "remoteAddress": "ipv4:192.168.1.103:59551", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "guest", "workstation": "LIBRA", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "guest", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5523}}
[2020/04/04 20:18:57.668437, 5] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
ntlmssp_server_auth_send: Checking NTLMSSP password for \guest failed: NT_STATUS_WRONG_PASSWORD
[2020/04/04 20:18:57.668494, 5] ../auth/gensec/gensec.c:492(gensec_update_done)
gensec_update_done: ntlmssp[0x813f3da60]: NT_STATUS_WRONG_PASSWORD

Any ideas?

I'm running Mojave (10.14.6) on the Mac.
 

solaris04

I had to create new shares to make Time Machine work again with 11.3. The first backup went through without a hassle, but now Time Machine does not work anymore: it says that it can't find the share. I can still connect to another SMB share located on a different pool of the same FreeNAS, and a VM running on the same pool as the Time Machine shares is working.

I never had any issues with 11.2, but since upgrading to 11.3 Time Machine does not work all the time.

I'm looking forward to your help.
Thx.

freenas 11.3 U1
Macos 10.15.3
2 Time Machine SMB shares, each with its own dataset
No other shares (such as NFS) for these shares

testparm -s
root@freenas:~ # testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
aio max threads = 2
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
enable web service discovery = Yes
kernel change notify = No
load printers = No
logging = file
max log size = 51200
nsupdate command = /usr/local/bin/samba-nsupdate -g
restrict anonymous = 2
server min protocol = SMB2_02
server role = standalone server
server string = FreeNAS Server
unix extensions = No
idmap config *: range = 90000001-100000000
fruit:nfs_aces = No
idmap config * : backend = tdb
allocation roundup size = 0
directory name cache size = 0
dos filemode = Yes
include = /usr/local/etc/smb4_share.conf


[xy]
aio write size = 0
ea support = No
hide dot files = No
mangled names = illegal
path = /mnt/data/xy
read only = No
vfs objects = shadow_copy_zfs zfs_space zfsacl fruit streams_xattr crossrename recycle
nfs4:acedup = merge
nfs4:chown = true
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:keepversions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U
fruit:resource = stream
fruit:metadata = stream


[time-machine-miri]
aio write size = 0
ea support = No
mangled names = illegal
path = /mnt/time-vm/time-machine-miri
read only = No
vfs objects = ixnas fruit streams_xattr
fruit:time machine max size = 345 G
nfs4:acedup = merge
nfs4:chown = true
fruit:volume_uuid = 79ae4c80-c086-41df-8170-a0e80344bcb3
fruit:time machine = yes
fruit:resource = stream
fruit:metadata = stream


[time-machine-st]
aio write size = 0
ea support = No
mangled names = illegal
path = /mnt/time-vm/time-machine-st
read only = No
vfs objects = ixnas fruit streams_xattr
fruit:time machine max size = 345 G
nfs4:acedup = merge
nfs4:chown = true
fruit:volume_uuid = 2e7e406e-0bbe-400c-9c2b-09cd0191ec72
fruit:time machine = yes
fruit:resource = stream
fruit:metadata = stream

smb4.conf file
[global]
dns proxy = No
aio max threads = 2
max log size = 51200
allocation roundup size = 0
load printers = No
printing = bsd
disable spoolss = Yes
dos filemode = Yes
kernel change notify = No
directory name cache size = 0
nsupdate command = /usr/local/bin/samba-nsupdate -g
unix charset = UTF-8
log level = 1
obey pam restrictions = False
enable web service discovery = True
logging = file
server min protocol = SMB2_02
unix extensions = No
restrict anonymous = 2
server string = FreeNAS Server
fruit:nfs_aces = No
bind interfaces only = Yes
netbios name = freenas
netbios aliases =
server role = standalone
workgroup = WORKGROUP
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000

include = /usr/local/etc/smb4_share.conf
 

solaris04

It was a network issue caused by the high ping / low connection speed of the powerline adapter. If I'm close to the FreeNAS and not using powerline, there are no issues...
 

anodos

Sambassador
iXsystems
My experience is that time machine is pretty sensitive to network issues. In 12.0 I'm adding a feature to enhance time machine shares so that we snapshot them after each successful backup (samba will maintain a certain amount of these backups). Feature is currently pre-alpha like the rest of 12.0. In FN 12.0 we're also switching from mDNSResponder to avahi, which might end up being more stable.
 

EGP

I am also getting this error after updating to 11.3 "the selected network backup disk does not support the required capabilities"

testparm -s

Load smb config files from /usr/local/etc/smb4.conf

Loaded services file OK.

Server role: ROLE_STANDALONE



# Global parameters

[global]

aio max threads = 2

bind interfaces only = Yes

disable spoolss = Yes

dns proxy = No

enable web service discovery = Yes

kernel change notify = No

load printers = No

logging = file

max log size = 51200

nsupdate command = /usr/local/bin/samba-nsupdate -g

restrict anonymous = 2

server min protocol = SMB2_02

server role = standalone server

server string = FreeNAS Server

unix extensions = No

idmap config *: range = 90000001-100000000

idmap config * : backend = tdb

allocation roundup size = 0

directory name cache size = 0

dos filemode = Yes

include = /usr/local/etc/smb4_share.conf
 

anodos

Sambassador
iXsystems
Is the SMB share also an NFS export? When an SMB share is also an NFS export we automatically configure the share to be as safe as possible in a mixed-protocol environment. These changes disable features that Time Machine relies on, hence "the selected network backup disk does not support the required capabilities".
 

EGP

Is the SMB share also an NFS export? When an SMB share is also an NFS export we automatically configure the share to be as safe as possible in a mixed-protocol environment. These changes disable features that Time Machine relies on, hence "the selected network backup disk does not support the required capabilities".
Hello thank you for the reply. I set this share up as just a Time Machine backup so it is an AFP share. I'll recreate the share and see what happens.
I also tried moving the nsmb.conf file with no resolution.
 