Connecting Windows through SMB - missing something

linus12

Explorer
Joined
Oct 12, 2018
Messages
65
I'm a N00B at FreeNAS. I am trying to set up access to my FreeNAS Server from my Windows machines. Taking it slowly and trying to set up one access at a time to make sure I don't skip anything. But 'something' has gone wrong and I can't figure it out. So many others have posted here in the forums, but the screenshots they show don't match what I see on my screen (Missing fields, or Renamed fields). I am sure I missed something simple along the way, but can't seem to see it. So I am hoping with this post I can get the help needed to get past this and on to actually using my server for its intended purpose.

My systems: (Because I read that people on their phones can't see the signature!)
FreeNAS
FreeNAS Version: 11.3-U1
SuperMicro X11SSH-CTF-O
Intel Xeon E3-1280-V6 3.9 GHz,
32GB ECC Server Memory (2x Kingston D749E DDR4-2400 16GB)
Boot drives: 2 x Kingston 120GB A400 SATA 3 2.5" Internal SSD SA400S37/120G - HDD
Data drives: 4 x Western Digital Red 8TB - one VDev (RAIDZ2), One Pool
Both ix0 and ix1 are configured on static IP addresses, though only ix0 is connected at this time

Windows
Windows 10 Pro - Version 1909
No Active Directory, just a bunch of home users
Features:
[Screenshot: WinSMB.JPG]


Symptom:
When attempting to connect to the server from a Windows machine, I get the following error:
The specified network password is incorrect

What I did:
After taking over 1 week to verify the disks were good (smartctl and bad block testing), I followed a number of tutorials here and on the web to set up my Windows share.

The steps I followed were: (unspecified entries were left as default)
1. Create a new user: Users -> Add
Full Name: new user
Username: newuser
Password: xxx
Disable Password: default is No (previous versions seem to have this as Password Required, default Yes)
New Primary Group: default is checked
Microsoft Account: default is not checked
SAVE

2. Create a new Group: Groups -> Add
Name: usernew
SAVE

3. Create Dataset: Storage -> Pools -> Click three dots on the existing pool M1Pool -> Add Dataset
Name: newuser
Share Type: SMB
SAVE

4. Create access to Dataset: Click three dots on the newuser dataset -> Edit Permissions
Received pop-up saying:
Dataset Has Complex ACLs
Clicked on Edit ACL

File Information
Path: /mnt/M1Pool/newuser
User: root
Group: wheel

ACL
Who: owner@
ACL Type: Allow
Permissions Type: Basic
Permissions Flags Type: Full Control
Flags Type: Basic
Flags: Inherit

Who: group@
ACL Type: Allow
Permissions Type: Basic
Permissions Flags Type: Full Control
Flags Type: Basic
Flags: Inherit


Clicked ADD ACL ITEM
Who: User
User: newuser
ACL Type: Allow
Permissions Type: Basic
Permissions Flags Type: Modify -> changed to: Full Control
Flags Type: Basic
Flags: Inherit

SAVE

5. Set Home Directory for user: Accounts -> Users -> Three dots for newuser -> Edit
Directories & Permissions
Selected /mnt/M1Pool/newuser(ACL)
SAVE

6. Restart SMB: Services -> Turned off SMB from Running -> Pause 30 seconds -> Restart SMB

7. On windows machine:
A. Start Windows Explorer (Now called "This PC")

B. Map network drive:
Drive: Y:
Folder: \\192.168.123.101\newuser
Finish
[Screenshot: Map.JPG]


C. Briefly a box pops up
Map Network Drive
attempting to connect to \\192.168.123.101\newuser...
[Screenshot: Mapping.JPG]


D. The above is quickly covered by another pop up asking me to:
Enter network credentials:
User name: newuser
Password: xxx
OK
[Screenshot: Login.JPG]


E. Error message
The specified network password is not correct.
[Screenshot: error.JPG]


I know I must be forgetting something or something else must be wrong... but I guess I just don't see the forest for the trees right now.

From the windows box we can Ping the server, and we can connect via SSH.

If you need more info, let me know and I'll provide it! I just want to get this thing solved so I can move forward!
 

linus12

You are correct... Looks like I skipped a step :eek:. I wanted to document my steps so I set up a new share... turns out I forgot to actually add the share!

4.5 Setup the SMB Share: Sharing -> Windows Shares (SMB) -> Add
path: /mnt/M1Pool/newuser
name: newuser
Use as home share: unchecked -> checked
Time machine: unchecked
Allow Guest access: unchecked
Enable Shadow Copies: checked -> unchecked
Save
Popup: Configure ACL -> CONFIGURE NOW
File Information
Path: /mnt/M1Pool/newuser
User: root
Group: wheel
ACL
Who: owner@
ACL Type: Allow
Permissions Type: Advanced
Permissions Flags Type: Read Data, Write Data, Append Data, Read Named Attributes, Write Named Attributes, Execute, Read Attributes, Write Attributes, Read ACL, Write ACL, Write Owner, Synchronize
Flags Type: Basic
Flags: Inherit

Who: group@
ACL Type: Allow
Permissions Type: Advanced
Permissions Flags Type: Read Data, Read Named Attributes, Execute, Read Attributes, Read ACL, Synchronize
Flags Type: Basic
Flags: Inherit

Who: everyone@
ACL Type: Allow
Permissions Type: Advanced
Permissions Flags Type: Read Data, Read Named Attributes, Execute, Read Attributes, Read ACL, Synchronize
Flags Type: Basic
Flags: Inherit
DELETE - Because it should just be for that user

Clicked ADD ACL ITEM
Who: User
User: newuser
ACL Type: Allow
Permissions Type: Basic
Permissions Flags Type: Modify -> changed to: Full Control
Flags Type: Basic
Flags: Inherit

SAVE

Substitute 5. Checked Home Directory for user: Accounts -> Users -> Three dots for newuser -> Edit
Directories & Permissions
Current value: /mnt/M1Pool/newuser(ACL)
CANCEL

Continued at Step 6.
Exact same results! :(
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
When you set a path to be a home directory, we have to apply a very specific set of permissions to it. Since your user is not the owner of the dataset this is probably causing problems. That's why I asked you to check the ACL on it. Make him the owner.

That said, you could follow the brief instructions I gave here about setting up a "homes" share. It's more suited to a multi-user environment: https://www.ixsystems.com/community/threads/help-with-home-folder-scenario.83173/#post-575509
 

linus12

I tried making him the owner, but it still failed.
I did read the post on the link, but it didn't really fix anything. so.... I decided to start over, and I see where I missed something in the previous process. When you go to
Sharing -> Windows Shares (SMB) -> Three dots on share -> Edit ACL
the system takes you to
Storage -> Pools -> dataset from the share -> Edit ACL

I told you I was a N00B! I thought I was setting an ACL for the share!

I had so many datasets/shares/users/groups from all my testing I figured I must have messed something up, so I decided to start over. I deleted all shares, all users (that I added), all groups (that I added), all datasets. Rebooted the server and started the process over. I'll let you know how it goes.
 

anodos

Sure. If you get stuck, PM me a debug. It's easier if I can look to see precisely what you're doing. I won't be able to get back to you until some time tomorrow.
 

linus12

Just to clarify, I'm trying to set up "Home Shares" for multiple home users, this is not a business. Users run mostly Windows systems (some Pro, others Home). The assumption is that the users will connect to their Home Share once, and then it will just be "another drive on their machine".

The username/password they log on to the server may or may not correspond to their Windows logon (most of us have multiple PCs with different user names, but we would like our personal machines to connect to the same "Home Share"). There is NO Active Directory set up here at home.

I am trying to document the step-by-step instructions for creating these shares so that if I have to do it again, I don't have to post here on the forums and try to remember what I did to get it right. (Is that a reasonable request? I know things will change with each release, but at least I'd like to get them set up on the current release.)

So... after removing all my prior attempts... here's the NEW steps I followed:

1. Create a new user: Users -> Add
Full Name: New User
Username: newuser
Password: xxx
Disable Password: default is No
New Primary Group: default is checked
Microsoft Account: default is not checked
Home Directory: /nonexistent
SAVE

2. A new Group is automatically created: newuser

3. Create Dataset: Storage -> Pools -> Click three dots on the existing pool M1Pool -> Add Dataset
Name: newuser
Share Type: SMB
SAVE

4. Create access to Dataset: Click three dots on the newuser dataset -> Edit Permissions
Received pop-up saying:
Dataset Has Complex ACLs
EDIT ACL

File Information
Path: /mnt/M1Pool/newuser
User: root -> newuser
Group: wheel -> newuser
ACL
Who: owner@
ACL Type: Allow
Permissions Type: Basic
Permissions Flags Type: Full Control
Flags Type: Basic
Flags: Inherit
Who: group@
ACL Type: Allow
Permissions Type: Basic
Permissions Flags Type: Full Control
Flags Type: Basic
Flags: Inherit
SAVE

5. Setup the SMB Share: Sharing -> Windows Shares (SMB) -> Add
Path: /mnt/M1Pool/newuser
Name: newuser
Use as home share: unchecked -> checked
Time machine: unchecked
Allow Guest access: unchecked
Enable Shadow Copies: checked -> unchecked
SAVE

6. Set Home Directory for user: Accounts -> Users -> Three dots for newuser -> Edit
Directories & Permissions
Select /mnt/M1Pool/newuser(ACL)
SAVE

7. Restart SMB: Services -> Turned off SMB from Running -> Pause 30 seconds -> Restart SMB


Unfortunately, the same error occurs in the Windows system. :eek:o_O:(
 

anodos

You can set up initial homes share with something like this:

First user:
1) create group "smbusers"
2) create dataset "/mnt/tank/user_homes" with group set to "smbusers"
3) create user "newuser", set path to /mnt/tank/user_homes/newuser, and make member of "smbusers"
4) create share "user_homes" and check box "use as home share"
5) click on ACL editor for the "user_homes" dataset and select the homes preset.

Subsequent users:
1) create user <username>, home dir path: /mnt/tank/user_homes/<username>, and make member of "smbusers"

I was responding from a phone and didn't look at your pictures / first post very carefully. "password is incorrect" sounds like a client attempting to use NTLMv1 authentication.

Try checking the "NTLMv1 Auth" box under Services->SMB, restart the SMB service (this isn't required, but since we're testing it's important to make sure you're starting from a clean slate), then start again.

If this also fails with the same error message, then set "log level = 1 auth_audit:5" as an auxiliary parameter under Services->SMB, repeat the authentication attempt, then run the command "cat /var/log/samba4/log.smbd". The authentication attempt should be one of the last lines in the log file. Copy it here. If this is too difficult, you can click "System->Advanced->Save Debug" and PM me the resulting file.
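
An added example, not part of the post above and not FreeNAS or Samba code: a small Python parser for the authentication lines that "log level = 1 auth_audit:5" writes to /var/log/samba4/log.smbd, so each attempt can be read as user, client, method (NTLMv1 or NTLMv2) and result. The log line layout, the sample lines and the finding labels are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout Samba's auth_audit class logs attempts
# (assumed format; users, hosts and timestamps are invented for this example).
SAMPLE_LOG = (
    "  Auth: [SMB2,(null)] user [DESKTOP-A1]\\[newuser] at [Tue, 10 Mar 2020 19:02:11 PDT] "
    "with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DESKTOP-A1] "
    "remote host [ipv4:192.168.123.50:49811] mapped to [DESKTOP-A1]\\[newuser]. "
    "local host [ipv4:192.168.123.101:445]\n"
    "  Auth: [SMB2,(null)] user [LAPTOP-B2]\\[newuser] at [Tue, 10 Mar 2020 19:05:40 PDT] "
    "with [NTLMv2] status [NT_STATUS_OK] workstation [LAPTOP-B2] "
    "remote host [ipv4:192.168.123.51:50122] became [FREENAS]\\[newuser]. "
    "local host [ipv4:192.168.123.101:445]\n"
    "  Auth: [SMB2,(null)] user [LAPTOP-C3]\\[linus] at [Tue, 10 Mar 2020 19:07:02 PDT] "
    "with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LAPTOP-C3] "
    "remote host [ipv4:192.168.123.52:50310] mapped to [LAPTOP-C3]\\[linus]. "
    "local host [ipv4:192.168.123.101:445]\n"
)

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),[^\]]*\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[[^\]]*\] with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(log_text):
    """Return one dict per authentication line; other log lines are ignored."""
    return [m.groupdict() for m in AUTH_RE.finditer(log_text)]

def classify(event):
    """Map one attempt to a short finding (labels are this example's own)."""
    if event["status"] == "NT_STATUS_OK":
        return "ok"
    if event["method"] == "NTLMv1":
        return "client-sent-ntlmv1"  # client setting to fix, not the password
    if event["status"] == "NT_STATUS_NO_SUCH_USER":
        return "unknown-user"
    if event["status"] == "NT_STATUS_WRONG_PASSWORD":
        return "wrong-password"
    return "other-failure"

def report(log_text):
    """List (user, remote host, method, finding) for every attempt in the log."""
    return [(e["user"], e["remote"], e["method"], classify(e))
            for e in parse_auth_events(log_text)]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row, sep="\t")
```
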
 

linus12

The good news is the above instructions seem to work, once I figured out some of the wording you were using for some of the options. (i.e. where to "select the homes preset")

A. However, I can only connect with the "NTLMv1 Auth" box under Services->SMB . If it is not set then Windows does not even want to connect to the server.

B. Once I do get connected, I now get two shares "homes" and "newuser" which seem to point to the same place.
[Screenshot: Connect_two shares.png]


I know they are the same because any files put in one automatically appear in the other.
The only thing I did differently was when I created the dataset, I set the Share Type to "SMB" rather than "Generic". Could this have caused the problem?

I really do appreciate your help and look forward to your reply.
 

anodos

> The good news is the above instructions seem to work, once I figured out some of the wording you were using for some of the options. (i.e. where to "select the homes preset")
>
> A. However, I can only connect with the "NTLMv1 Auth" box under Services->SMB . If it is not set then Windows does not even want to connect to the server.

This is a client configuration issue. Possibly an application you installed downgraded your network security (or a GPO you applied did this). You can change it back to the most secure Windows defaults.

> B. Once I do get connected, I now get two shares "homes" and "newuser" which seem to point to the same place.
> View attachment 36723
>
> I know they are the same because any files put in one automatically appear in the other.
> The only thing I did differently was when I created the dataset, I set the Share Type to "SMB" rather than "Generic". Could this have caused the problem?

This is normal. You can uncheck the "browseable" checkbox in the share configuration to make the "homes" one go away.
 

linus12

Sorry for the late reply.... Thanks for all your help... I am getting the users setup.
I even set up a share that seems to be "Read Only" for most, but "Read-Write" access for one user, simply by making them a member of a group that has "Full Control" to the same share. Your help in my understanding of groups is greatly appreciated.
 