• [6.11.0] SMB passwords do not work anymore after upgrade from 6.10


    MAM59
    • Closed

    Yesterday I tried to update my working 6.10 system to 6.11.

    The update seemed to work flawlessly at the beginning.

    But then more and more users rang me up, they could not access the shares anymore. Their (stored) passwords were refused.

     

    I noticed that even I, the admin, was locked out 😞

     

    All access from Windows machines was denied, FreeBSD with Samba also could not mount shares anymore, only boxes with LibreELEC (Linux) could still connect to the shares.

     

    Of course I did not change a thing.

     

    Attempts to reset passwords or to use public shares instead also failed miserably.

     

    At the end, I had to switch back to 6.10 and everything started to work again like before.

     

    I have no diagnostics from 6.11 (I attach the ones from the working 6.10); after 2 hours of fiddling, users were about to kill me...

     

    The only errors or strangeness I have noticed:

    As soon as someone wanted to connect to an (SMB) share, the UNRAID box noted down dozens or hundreds of lines like these:

    Sep 24 17:23:57 F nginx: 2022/09/24 17:23:57 [error] 7090#7090: *5754 limiting requests, excess: 20.514 by zone "authlimit", client: 2001:470:XXX, server: , request: "PROPFIND /login HTTP/1.1", host: "f"
    Sep 24 17:23:57 F nginx: 2022/09/24 17:23:57 [error] 7090#7090: *5756 limiting requests, excess: 20.494 by zone "authlimit", client: 2001:470:XXX, server: , request: "PROPFIND /login HTTP/1.1", host: "f"

    What the hell has nginx to do with samba authentication???

     

    These errors are repeatable, just try to mount a share and they bomb your syslog

     

    More info: the Windows boxes are part of a domain (with the same name as the UNRAID workgroup), but the FreeBSD box is not part of this domain, so the denial of the passwords may have nothing to do with being domain-joined or not.

     

    Maybe there is a cipher method that is not supported/included anymore in 6.11?

     

    f-diagnostics-20220925-0643.zip
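
Added example (not part of the thread): PROPFIND is a WebDAV method, so the nginx lines quoted in the report are HTTP requests rejected by the web server's "authlimit" rate-limit zone rather than Samba log output. The sketch below groups such lines by client and request; the function name and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx limit_req rejection, in the syslog format quoted in the report
LIMIT_RE = re.compile(
    r'limiting requests, excess: (?P<excess>[\d.]+) by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>[^,]+), .*?request: "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)
# Methods defined by WebDAV (RFC 4918); a browser using the web UI does not send them
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def summarize_rate_limited(lines):
    """Group rate-limited requests by (client, zone, method, uri), busiest first."""
    groups = defaultdict(lambda: {"count": 0, "max_excess": 0.0})
    for line in lines:
        m = LIMIT_RE.search(line)
        if m is None:          # not a limit_req line
            continue
        g = groups[(m["client"], m["zone"], m["method"], m["uri"])]
        g["count"] += 1
        g["max_excess"] = max(g["max_excess"], float(m["excess"]))
    report = [
        {"client": c, "zone": z, "method": meth, "uri": u,
         "webdav": meth in WEBDAV_METHODS, **g}
        for (c, z, meth, u), g in groups.items()
    ]
    return sorted(report, key=lambda r: r["count"], reverse=True)

# Lines 1-2 are the ones quoted in the report; lines 3-4 are constructed.
SAMPLE = [
    'Sep 24 17:23:57 F nginx: 2022/09/24 17:23:57 [error] 7090#7090: *5754 limiting requests, excess: 20.514 by zone "authlimit", client: 2001:470:XXX, server: , request: "PROPFIND /login HTTP/1.1", host: "f"',
    'Sep 24 17:23:57 F nginx: 2022/09/24 17:23:57 [error] 7090#7090: *5756 limiting requests, excess: 20.494 by zone "authlimit", client: 2001:470:XXX, server: , request: "PROPFIND /login HTTP/1.1", host: "f"',
    'Sep 24 17:24:02 F nginx: 2022/09/24 17:24:02 [error] 7090#7090: *5760 limiting requests, excess: 20.100 by zone "authlimit", client: 192.0.2.10, server: , request: "POST /login HTTP/1.1", host: "f"',
    'Sep 24 17:24:03 F example: constructed line that is not an nginx rate-limit message',
]

if __name__ == "__main__":
    for row in summarize_rate_limited(SAMPLE):
        print(row)
```
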




    User Feedback

    Recommended Comments



    I have just set up a new, clean (and user-free 🙂 ) server with 6.11, added one user, created one private share, and... TADAAAAH!

    Same fault! The password is not accepted via SMB (works for local access).

    The only difference for now is that no nginx errors show up (but this test machine has no plugins, no dockers, no VMs, so there may be many other reasons for the nginx complaints; for now we can concentrate on SMB access).

     

    I have also set up a new Windows (10) client which is NOT part of the domain. It CAN access the private shares just using Username+Password!!!

     

    So the bug is limited to domain members only. They cannot avoid sending <domain>\<username> + <password>, but UNRAID does not strip the domain part before it compares the password!

    So it never will work.

    FIX IT

    I supply diagnostics from the new 6.11 box, but it won't show much, I fear...

     

    g-diagnostics-20220925-0915.zip

    Link to comment

    Further testing from FreeBSD (better control than Windows over what is sent to UNRAID):

    NO GO 😞

    First of all, you need to enable Netbios in Unraid before anything can happen.

     

    Then you can try any combination of usernames / workgroups(or left out), even for public shares it asks for a password and this is always wrong.

     

    ....

    still have to find out why libreelec (10) is working....

     

    Link to comment
    19 minutes ago, dlandon said:

    You are using AD?

    The Windows machines are part of an AD, the Unraid server and the FreeBSD server are NOT.

     

    Link to comment

    For more info: I have read the Samba release notes and found a setting that may affect this behaviour. "nt hash store" sounds promising, but sadly changing it to "always" or "never" did not fix the problem 😞

     

    Link to comment
    30 minutes ago, MAM59 said:

    For more info: I have read the Samba release notes and found a setting that may affect this behaviour. "nt hash store" sounds promising, but sadly changing it to "always" or "never" did not fix the problem 😞

     

    Where did you enter that parameter?

    Link to comment

    Into the SMB extra settings

    (and, of course, I did an SMB restart / reboot afterwards)

     

    BTW, to complete my list, I forgot to mention: Windows clients that are NOT part of the AD DO WORK!

     

    Edited by MAM59
    Link to comment

    Next info: forget about the FreeBSD-can't-mount problem (for now).

    I found out that FBSD is only capable of the SMB1 protocol, which is considered outdated by now and has been dropped in 6.11. (There was no need to drop it; it's recommended to drop, but it still exists and can be included. So Limetech might consider repackaging it and continuing to support old clients.)

     

    So, this is NOT really an error, but the remaining Windows problems still exist 😞

     

    Link to comment

    Got the same problem. Updated from 6.10 to 6.11. Normally I connect via my mobile and Total Commander over SMB. Now I get an error : STATUS_ACCESS_DENIED.

    In the options it doesn't matter if I select SMB2 or SMB3. With 6.10 the problem doesn't occur. I will test tomorrow with my Windows clients, but I have not much hope... 

    Link to comment

    Same problem here with the upgrade to 6.11

     

    Cannot access shares from windows vm and windows machines on lan or through my vpn.

    Will not accept user/password for private shares - won't load even public shares.

     

    No custom smb.conf file.

     

    Repair permissions didn't work either.

     

    Rolled back to 6.10 and everything works as it should.

    Link to comment
    7 hours ago, MAM59 said:

    Next info: forget about the FreeBSD-can't-mount problem (for now).

    I found out that FBSD is only capable of the SMB1 protocol, which is considered outdated by now and has been dropped in 6.11. (There was no need to drop it; it's recommended to drop, but it still exists and can be included. So Limetech might consider repackaging it and continuing to support old clients.)

     

    So, this is NOT really an error, but the remaining Windows problems still exist 😞

     

    SMB1 is still supported in Unraid.  You enable it by turning on NetBIOS.

    Link to comment
    7 hours ago, dlandon said:

    SMB1 is still supported in Unraid.  You enable it by turning on NetBIOS.

    Yes and no. The general SMB1 module still exists, but they have dropped support for specific ciphers that are now considered insecure. An old client can connect, but not log in anymore.

     

    Anyway, it does not work anymore 😞

     

    But this is just an unimportant side of the battlefield. The main question is why Windows clients cannot connect anymore. Let's clear this up first.

     

    I've set all GPOs concerning network security back to "not set", so the clients will revert to their default behaviour during the next hours/days. I will see if something changes (I had some restrictions requiring digitally signed communication and so on; I bet UNRAID has no trustworthy signature for signing, maybe relaxing this helps).

     

     

    Link to comment

    I found something! (But don't applaud too loud, it is still not working 😞 )

     

    Different windows editions come with different lan settings.

    Home and Pro are left "normal", but all above have set the default to "DoNotAllowtheUseOfGuestShares" now.

    This will result in a total refusal when trying to access a public share on UNRAID.

     

    You can turn it off by setting (from w7 on, you have to create the key manually)

    Path=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

    Key=AllowInsecureGuestAuth

    Value=1

     

    (the Admin can create a GPO for it of course)

     

    The defaults are 1 for Home/Pro and 0 for all other Editions.

     

    Now it tries to use a public share, but it still asks for username and password and says that they don't match... 😞

     

    Is there any way to increase the samba log level on unraid? Currently there is NOTHING, so I am totally out of clues where to search next...

     

    UPDATE! Lowering the client security even more by setting "EnablePlainTextPassword" to 1 and rebooting now allows connecting to public shares!!! Private shares still refuse the username/password combination! But they are mounted at boot time. Obviously the Windows system account can mount, but users cannot.

     

    (But of course, this is NOT A VALID solution, plain text passwords are an absolute No-Go! But it proves that UNRAID has messed up the en/decryption of the login credentials somehow)

     

    Edited by MAM59
    Link to comment
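
Added example (not part of the thread): both workarounds in the post above lower SMB client security, so a machine used for this kind of troubleshooting is worth re-checking afterwards. The sketch reads the two values named in the post from the key it gives and reports any that are still weakened; the function names and the sample dictionary are constructed, and an absent value is treated as "edition default applies", as the post describes.

```python
import sys

# Key path and value names as given in the post above
KEY_PATH = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# value name -> (hardened value, what any other value allows)
CHECKS = {
    "AllowInsecureGuestAuth": (0, "client accepts unauthenticated guest logons"),
    "EnablePlainTextPassword": (0, "client may send the password unencrypted"),
}

def read_lanman_parameters(names=CHECKS):
    """Read the values from HKLM on Windows; None means the value is absent."""
    import winreg  # Windows-only standard-library module, imported lazily
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        for name in names:
            try:
                found[name], _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                found[name] = None
    return found

def assess(values):
    """Return (name, value, reason) for each setting that weakens SMB client auth."""
    findings = []
    for name, (hardened, reason) in CHECKS.items():
        value = values.get(name)
        if value is None:      # absent: the edition's built-in default applies
            continue
        if value != hardened:
            findings.append((name, value, reason))
    return findings

# Constructed sample: the state described in the post after both workarounds
WEAKENED = {"AllowInsecureGuestAuth": 1, "EnablePlainTextPassword": 1}

if __name__ == "__main__":
    # On non-Windows hosts fall back to the constructed sample
    values = read_lanman_parameters() if sys.platform == "win32" else WEAKENED
    for name, value, reason in assess(values):
        print(f"{name}={value}: {reason}")
```
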

    I'm really puzzled now, I can't catch the bug...

     

    First I thought, it might have something to do with the different windows versions, but that is only half the truth.

     

    What I did was to install 2 fresh Windows (VMs, but not on UNRAID), one Pro, one Enterprise. For installation I use a self-made ISO image, mostly consisting of a stock Microsoft DVD, with private addons for automatically installing some apps like Firefox, Filezilla, Libreoffice, VLC and many more. Of course it also changes some settings, and it deletes a lot of M$ crap stuff like most of the O-so-unuseful-Apps like Edge and so on.

    This could potentially break something, so I'd better check it out... (it has worked for decades already, the image started once with Windows 2000 and is only updated now and then).

     

    Both installations finished without flaws and after many updates and reboots, I could log in and test the Unraid connection to 6.11.

     

    Both worked with both public and private shares!

    (That's good, nothing wrong with the installation image!)

     

    Then I have joined the domain with both of them, in the hope, the error would show up and connection to unraid would break (could be one of those evil GPOs): MOSTLY NOTHING!

    Pro kept on working without any Problems, Enterprise denied access to both public and private share (See my last post about the registry setting to tame it).

    After setting the key and rebooting, Enterprise too worked again without Problems.

     

    Aah! I thought, it is not a machine GPO that kills it, maybe some (unknown) user setting?

    So I created two new users on the affected machine, one local, one domain user and tested both of them: NO GO 😞

     

    Now I have many points where the bug is NOT, but not a single idea anymore where it might be.

     

    I give up for now, no 6.11 for me

     

    Link to comment

    Mysteriously, this morning when I woke up, the bug was gone ?!?!?!?

    I don't know what happened (did not change anything, maybe the changed GPOs took 2 days to become active???), so I am not really pleased.

     

    I took all clients off and then updated the main server. And yes, everything is still working now 😁

     

    But I am quite sure, the error was produced on the windows side of the connection.

     

    Link to comment

    Found a solution for me. My shares had as SMB Security Settings -> Security = "Private". Switched this setting to "Secure" and I have access again. Description says:

    Public All users including guests have full read/write access.

    Secure All users including guests have read access, you select which of your users have write access.

    Private No guest access at all, you select which of your users have read/write, read-only access or no access.

     

    So only a workaround, but this means there is no problem with the SMB version but with how users & passwords are handled ?!?

    Link to comment

    I need to log that I'm also experiencing this, but not on all clients.

    Possibly restricted to Windows 11, as a Windows 10 VM (not on Unraid) has no problems.

    All was fine on 6.10

    Changing to "Secure" means I can read, but as Guest, and don't have permission to create a user.

    Have tried removing details in Credential Manager, but that makes no difference.

     

    Oddly enough in the machine that can access private shares I can't see anything in saved credentials. I think I am using a local account on that one, and a Windows / Microsoft account on the one which is having problems...

    Link to comment

    Same here, I think.  I have two Windows 11 clients.  One connects, the other does not.  The client that does not connect to the Unraid share will connect to a Windows share.  I will have to try restoring back to 6.10 and see if it works again once a data move operation completes on the Unraid server.  This seems to be more than a single-user issue with Unraid Samba. Why was this thread closed?

    Link to comment

    Can confirm as well. It still works from my Windows machines. I do not use any domain, just a workgroup.

     

    But my FreeBSD VM can not mount the shares over SMB after upgrading to 6.11 from 6.10

     

    freebsd ~ # mount_smbfs -I 10.13.37.10 //BETA@UNRAID/test /test
    Password:
    mount_smbfs: unable to open connection: syserr = Authentication error

     

    Please open and mark as urgent again. Seems to be a widespread issue from Googling.

    Edited by Beta
    Link to comment

    Confirmed that the issue with authenticated connections from one of my two windows 11 Pro PCs is tied to 6.11 as rolling back to 6.10 works.  Did it twice and just will not work in 6.11.  There clearly is some breaking change in 6.11 samba affecting multiple users.  Guess just have to roll back to 6.10 and monitor for a fix.

    Link to comment
    12 minutes ago, DrQ said:

    Confirmed that the issue with authenticated connections from one of my two windows 11 Pro PCs is tied to 6.11 as rolling back to 6.10 works.

    If I understood correctly one of the clients still works with v6.11?

    Link to comment


