Update to FreeNAS-9.10.2-U2 broke SMB permissions

[melloa]

Just updated from FreeNAS-9.10.2-U1 (86c7ef5) to FreeNAS-9.10.2-U2 and my owncloud lost access to the smb share where the files are stored.

Share is mounted @ fstab:

Code:

//10.10.10.200/cloud9  /var/www/html/owncloud/data cifs _netdev,uid=apache,username=apache,password=apachepassword,iocharset=utf8,file_mode=0700,dir_mode=0700,sec=ntlm

User apache was created in FreeNAS to allow that access during installation several moons ago.

Back on FreeNAS-9.10.2-U1 (86c7ef5) to get it working again.

Code:

[root@cloud9 ~]# df
Filesystem			  1K-blocks	 Used   Available Use% Mounted on
/dev/mapper/cl-root	  30385668  2646924	27738744   9% /
devtmpfs				   931396		0	  931396   0% /dev
tmpfs					  942060		0	  942060   0% /dev/shm
tmpfs					  942060	 8744	  933316   1% /run
tmpfs					  942060		0	  942060   0% /sys/fs/cgroup
/dev/sda1				 1038336   193488	  844848  19% /boot
//10.10.10.200/cloud9 18471227175 10005877 18461221298   1% /var/www/html/owncloud/data
tmpfs					  188416		0	  188416   0% /run/user/0

Anyone else??

 

[anodos]

Just updated from FreeNAS-9.10.2-U1 (86c7ef5) to FreeNAS-9.10.2-U2 and my owncloud lost access to the smb share where the files are stored.

Share is mounted @ fstab:

Code:

//10.10.10.200/cloud9  /var/www/html/owncloud/data cifs _netdev,uid=apache,username=apache,password=apachepassword,iocharset=utf8,file_mode=0700,dir_mode=0700,sec=ntlm

User apache was created in FreeNAS to allow that access during installation several moons ago.

Back on FreeNAS-9.10.2-U1 (86c7ef5) to get it working again.

Code:

[root@cloud9 ~]# df
Filesystem			  1K-blocks	 Used   Available Use% Mounted on
/dev/mapper/cl-root	  30385668  2646924	27738744   9% /
devtmpfs				   931396		0	  931396   0% /dev
tmpfs					  942060		0	  942060   0% /dev/shm
tmpfs					  942060	 8744	  933316   1% /run
tmpfs					  942060		0	  942060   0% /sys/fs/cgroup
/dev/sda1				 1038336   193488	  844848  19% /boot
//10.10.10.200/cloud9 18471227175 10005877 18461221298   1% /var/www/html/owncloud/data
tmpfs					  188416		0	  188416   0% /run/user/0

Anyone else??

Try removing ,sec=ntlm from your mount.
Is owncloud in a jail a separate system / VM?

I believe Samba 4.3 -> 4.4 was an upgrade that happened in the jump to 9.10.2-U2 and there were quite a few security fixes related to ntlm auth / changed defaults in samba. Perhaps it's related to ntlm being gradually deprecated (and being used in a less horribly insecure way) or perhaps it's a bug. Honestly, I prefer to keep my mount.cifs commands fairly short and sweet. mount.cifs -o credentials=<credentials file> "//server/share" /place/on/local/fs and start adding additional options as I have need. You can probably do something similar with your fstab entry. Use a credentials file (because /etc/fstab is world-readable -- bad practice) and remove unnecessary parameters like sec=ntlm.

 

[melloa]

Try removing ,sec=ntlm from your mount.

Let me test that when I have the chance to reboot the server with the new build.

Is owncloud in a jail a separate system / VM?

ESXi

(because /etc/fstab is world-readable -- bad practice)

Yeap, I know.

Thanks for the tips :)

 

[melloa]

Solved. Thanks @anodos.

Code:

[root@cloud9 ~]# df
Filesystem			  1K-blocks	 Used   Available Use% Mounted on
/dev/mapper/cl-root	  30385668  2646088	27739580   9% /
devtmpfs				   931396		0	  931396   0% /dev
tmpfs					  942060		0	  942060   0% /dev/shm
tmpfs					  942060	 8752	  933308   1% /run
tmpfs					  942060		0	  942060   0% /sys/fs/cgroup
/dev/sda1				 1038336   193496	  844840  19% /boot
//10.10.10.200/cloud9 18471265492 10011955 18461253537   1% /var/www/html/owncloud/data
tmpfs					  188416		0	  188416   0% /run/user/0
[root@cloud9 ~]#

 

[Helio Tadao Goto]

After last update to FreeNAS-9.10.2-U2 (e1497f2) in Mar-08-2017, the windows share stopped to log-in via local authentication. Any account gets refused, but testing the accounts via SSH logins correctly. I've created others accounts with a home directory so I can login via SSH.
But if I activate a former boot environment, such as 9.10.2-U1 ou earlier, the windows share accepts login from my local accounts (including the one I've created with a home directory) and works perfectly.

Rebooting again with the FreeNAS-9.10.2-U2 (e1497f2) boot environment, it stops accepting my local authentication from any account.

Trying to setup unauthenticated access, it works IF I set username to nobody and gives no password to the prompt that shows (I think that if we've setup guest access, such request should never show up!)

My fstab didn't have sec=ntlm and mounts from my Windows 10 notebook does get refused login in that last update, but works perfectly when I reboot FreeNAS to a older 9.10.2-U1 boot environment.

 

[anodos]

After last update to FreeNAS-9.10.2-U2 (e1497f2) in Mar-08-2017, the windows share stopped to log-in via local authentication. Any account gets refused, but testing the accounts via SSH logins correctly. I've created others accounts with a home directory so I can login via SSH.
But if I activate a former boot environment, such as 9.10.2-U1 ou earlier, the windows share accepts login from my local accounts (including the one I've created with a home directory) and works perfectly.

Rebooting again with the FreeNAS-9.10.2-U2 (e1497f2) boot environment, it stops accepting my local authentication from any account.

Trying to setup unauthenticated access, it works IF I set username to nobody and gives no password to the prompt that shows (I think that if we've setup guest access, such request should never show up!)

My fstab didn't have sec=ntlm and mounts from my Windows 10 notebook does get refused login in that last update, but works perfectly when I reboot FreeNAS to a older 9.10.2-U1 boot environment.

1) under "services" -> "SMB", set "Log level" to "Full"
2) reproduce the problem
3) PM me a debug file "system" -> "advanced" -> "save debug"

 

[Helio Tadao Goto]

1) under "services" -> "SMB", set "Log level" to "Full"
2) reproduce the problem
3) PM me a debug file "system" -> "advanced" -> "save debug"

I already saved the debug file, where I can find it to send to you?

 

[anodos]

I already saved the debug file, where I can find it to send to you?

Private message via forum.

 

[Helio Tadao Goto]

Private message via forum.

Sorry, I mean where I can find the Debug logs in the freenas server?

 

[anodos]

Sorry, I mean where I can find the Debug logs in the freenas server?

In the webui generate a debug tarball by clicking 'system' -> 'advanced' -> 'save debug'

 

[anodos]

After last update to FreeNAS-9.10.2-U2 (e1497f2) in Mar-08-2017, the windows share stopped to log-in via local authentication. Any account gets refused, but testing the accounts via SSH logins correctly. I've created others accounts with a home directory so I can login via SSH.
But if I activate a former boot environment, such as 9.10.2-U1 ou earlier, the windows share accepts login from my local accounts (including the one I've created with a home directory) and works perfectly.

Rebooting again with the FreeNAS-9.10.2-U2 (e1497f2) boot environment, it stops accepting my local authentication from any account.

Trying to setup unauthenticated access, it works IF I set username to nobody and gives no password to the prompt that shows (I think that if we've setup guest access, such request should never show up!)

My fstab didn't have sec=ntlm and mounts from my Windows 10 notebook does get refused login in that last update, but works perfectly when I reboot FreeNAS to a older 9.10.2-U1 boot environment.

Have you tried rebooting your windows 10 notebook after the update?

 

[Helio Tadao Goto]

Have you tried rebooting your windows 10 notebook after the update?

Yes, for 3 times at 3 times after going back to 9.10.2-U1 .

When 9.10.2-U1 turns on, the W10 notebook and linux server mounting the share by cifs connects instantly (without any reboot).

In the 3 times I've tried to get back, even with reboot in both (W10 and linux server Debian) does not connect, gives an INVALID PASSWORD error.

I've tried to remove the boot environment, and Upgrade again from 9.10.2-U1, but with the same results.

 

[anodos]

Yes, for 3 times at 3 times after going back to 9.10.2-U1 .

When 9.10.2-U1 turns on, the W10 notebook and linux server mounting the share by cifs connects instantly (without any reboot).

In the 3 times I've tried to get back, even with reboot in both (W10 and linux server Debian) does not connect, gives an INVALID PASSWORD error.

I've tried to remove the boot environment, and Upgrade again from 9.10.2-U1, but with the same results.

Have you verified that this affects other users (apart from "Administrator")?
Was this FreeNAS server originally a domain member, then reconfigured to be a standalone server?

 

[Helio Tadao Goto]

Yes, it's the same error (PASSWORD_INVALID) for all 4 others users in my home office, and it was always configured as a standalone server.

 

[anodos]

Yes, it's the same error (PASSWORD_INVALID) for all 4 others users in my home office, and it was always configured as a standalone server.

Try adding the auxiliary parameter ntlm auth = yes via the FreeNAS webui under "services" - > "SMB".

FYI, enabling "acl_xattr" on FreeNAS isn't really a great idea (because FreeNAS already has "zfsacl" enabled).

 

[Helio Tadao Goto]

Thanks, anodos! It worked perfectly in the W10 notebook and the Debian Linux server via CIFS.

I didn't knew until now about the zfsacl parameter, tks for the tip!

 

[Vihren Todorov]

same problem after the 9.10.2-U2 Update

same solution : ntlm auth = yes via the FreeNAS webui under "services" - > "SMB".

 

[anodos]

same problem after the 9.10.2-U2 Update

same solution : ntlm auth = yes via the FreeNAS webui under "services" - > "SMB".

What client? It would be interesting to know why clients are downgrading to NTLMv1. I manage quite a few different windows clients (windows 7, 8.1, 10) and linux clients (Centos 6, 7, Debian (various versions). None required downgrading to NTLMv1, which makes me wonder if there is something going on with client systems that are forcing insecure auth.

 

[Vihren Todorov]

windows server 2012 r2 + veeam backup
both reported no access after the update.

 

[anodos]

windows server 2012 r2 + veeam backup
both reported no access after the update.

That's interesting. Is this an AD environment? If so, what's the AD functional level? I believe Windows should be using kerberos for auth in an AD environment (NTLMv2, etc) is a fall-back.