
No Access to Protected SMB Shares


Revan335
Go to solution Solved by Frank1940,


Hello,

 

I have problems with access to protected SMB shares, for example Secure and Private shares with user credentials.

 

In the German area I have found no solution. Maybe somebody here has an idea.

On clients like a PC or mobile device it doesn't work.

 

On a Linux client like Manjaro with Arch or Ubuntu, mounting by fstab, mount .... returns permission denied as the error.

If I try via a file manager like Nemo/Thunar or Nautilus, the login window shows again after typing the credentials into it.

 

On the Android phone I get an Access Denied message in the FolderSync Pro app.

 

If the share allows guests, like Public or Secure, and you connect without credentials/anonymously or with the user Nobody, then it works (tested on PC), including write access for Public shares. With Secure shares, guests have only read access.

 

With IP or server name it is the same situation.

 

Many Thanks!

 

Greetings!

 

Revan335


Look at the PDF file in the first post of this thread:

      https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup/

 

One thing to be aware of is that the first time you access the server using SMB, a handshaking process starts. If this handshake process does not result in a login of a registered Share access User, Unraid will give you a login with 'guest' credentials. Once logged in, it is almost impossible to log out. So it is very important to log into the server early using a Share access User Credential.

1 hour ago, Frank1940 said:

Look at the PDF file in the first post of this thread:

      https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup/

 

One thing to be aware of is that the first time you access the server using SMB, a handshaking process starts. If this handshake process does not result in a login of a registered Share access User, Unraid will give you a login with 'guest' credentials. Once logged in, it is almost impossible to log out. So it is very important to log into the server early using a Share access User Credential.

OK, I have not tested on a Win system.

I will change the test shares to Private and try on Linux again.

The other shares are Private shares; that login doesn't work.

1 hour ago, Frank1940 said:

I only have experience with Windows. I will ping @dlandon as I believe that he has some knowledge about setting Linux SMB shares. (I would think that Android would be similar...)

Under Windows it again doesn't work. I tested on a Win 10 VM. I can test it on Win 10 physical machines too.

 

The same message: you don't have permission to access \\unraidserver\sharename

5 hours ago, trurl said:

For Windows, if it already has a credential for the server, it will use that credential. If that doesn't work, it will pointlessly ask you to login, but it still won't use any other credential.

Even if you have already logged in to this Win and Win has saved these credentials, it should work, because every user has read/write permissions to the test share.

5 hours ago, Revan335 said:

Even if you have already logged in to this Win and Win has saved these credentials, it should work, because every user has read/write permissions to the test share.

If the login with the stored credential (in Credential Manager) fails on your Unraid server, the computer-client will be (automatically) logged in with 'guest' credentials which will NOT have access to any share that is not a Public share! There will be no error message that the stored credential has failed because a 'guest' login has succeeded! (As I have said for years, SMB is a Kludge and it does not behave the way that most people think it should. Because of this, many, if not most, small businesses have an IT consultant to set up and maintain their SMB networks because these consultants know where the landmines are hidden and how to avoid -- or work around -- them.)

 

EDIT:   

11 hours ago, trurl said:

If that doesn't work, it will pointlessly ask you to login, but it still won't use any other credential.

I believe this is only true if you attempt to access a Private share. If it is a Secure share, it will give you read-only access. There is not a convenient way to log out from an SMB server from Windows. (There is a way from the Windows command line prompt, but that is a hassle...)

 


I am not an expert on the inner workings of SAMBA but I will point you in a couple of directions. (I treat SMB as a black box. From long experience and gleaning information from various sources, I know if one does this to the black box, one can expect that this will be the result. The "why" is 'black magic' that I don't always understand...)

 

First, the Samba log files are in /var/log/samba. Look there to see what you find.

 

Second, having given you that tidbit, I will say I suspect that Samba is not set up (in Unraid) to do much logging.  I believe it has to be set in the Global section of the smb.conf file. 

Here is a link to the various parameters that can be used in that file:

 

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#FORCEGROUP

 

You will be looking for the log level parameter.   You can see what the various parameters are currently set with these two commands.  The second one is the verbose one...

 

testparm

testparm -v

 

I have very little knowledge in this area and thus am being really dangerous in even pointing it out to you.  Be careful as you could be entering a minefield.   Google will be your only friend! 


 

1 hour ago, Revan335 said:

That's not working, whether stored in the Credential Manager or not stored there.

 

You have to reboot Windows to log out from the previous login with the Unraid server. Changing the credentials in Credential Manager does not use the new credentials until you reboot Windows or you run this command (Thanks to @trurl for locating this):

51 minutes ago, trurl said:

 

net use * /delete

 

 


In log.smbd in the \var\log\samba directory there are, for example, these entries:

 

  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/02/15 20:15:45.733285,  0] ../../source3/smbd/server.c:1741(main)
  smbd version 4.17.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/02/15 20:19:43.102987,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1004, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:19:43.103643,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1004, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.602662,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.603453,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:21:37.860313,  0] ../../source3/modules/vfs_extd_audit.c:217(audit_mkdirat)
  vfs_extd_audit: mkdirat wrust  
[2023/02/15 20:23:18.184226,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:23:18.184697,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:23:32.475372,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:23:32.477406,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:24:51.450448,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:25:16.028134,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:27:59.987961,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)


  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:37:31.241094,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:37:45.429379,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:37:45.433191,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:38:07.018111,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:38:07.029007,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:59:55.769013,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)

 

6 hours ago, Frank1940 said:
testparm
# testparm
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        disable netbios = Yes
        disable spoolss = Yes
        load printers = No
        logging = 0
        map to guest = Bad User
        max log size = 10000
        max open files = 40960
        multicast dns register = No
        ntlm auth = ntlmv1-permitted
        null passwords = Yes
        passdb backend = smbpasswd
        printcap name = /dev/null
        security = USER
        server min protocol = SMB2
        server string = MCP
        show add printer wizard = No
        smb1 unix extensions = No
        syslog = 0
        workgroup = WORKGROUPNAMEWITHÜ
        fruit:nfs_aces = No
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        access based share enum = Yes
        acl allow execute always = Yes
        aio read size = 0
        aio write size = 0
        create mask = 0777
        directory mask = 0777
        hide unreadable = Yes
        include = /etc/samba/smb-shares.conf
        invalid users = root
        map archive = No
        map readonly = yes
        use sendfile = Yes
        wide links = Yes


[Test]
        path = /mnt/user/Test
        valid users = public backup_mobil test
        vfs objects = extd_audit recycle
        write list = public backup_mobil test
        recycle:exclude_dir = .Recycle.Bin
        recycle:exclude = *.tmp
        recycle:versions = Yes
        recycle:minsize = 1
        recycle:touch_mtime = No
        recycle:touch = Yes
        recycle:keeptree = Yes
        recycle:directory_mode = 0777
        recycle:repository = .Recycle.Bin

It looks correct to me.

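An added example, not part of any post in this thread and not Unraid or Samba code: a Python sketch that reads a `testparm -s` dump, flags the global settings relevant to the guest fallback discussed above, and reports what a plain user name gets on a share. The sample input is an excerpt of the dump posted above; the access logic is a simplification that ignores `@group` entries and `read list`.

```python
# Sample input: an excerpt of the testparm dump posted earlier in this thread.
DUMP = """\
[global]
        map to guest = Bad User
        ntlm auth = ntlmv1-permitted
        null passwords = Yes
        invalid users = root

[Test]
        path = /mnt/user/Test
        valid users = public backup_mobil test
        write list = public backup_mobil test
"""

# Global settings worth a second look, with the reason (per smb.conf(5)).
RISKY = {
    ("map to guest", "bad user"): "unknown user names are silently logged in as guest",
    ("ntlm auth", "ntlmv1-permitted"): "NTLMv1 authentication is accepted",
    ("null passwords", "yes"): "accounts with an empty password may log in",
}

def parse(dump):
    """Parse `testparm -s` output into {section: {parameter: value}}."""
    cfg, section = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = cfg.setdefault(line[1:-1], {})
        elif "=" in line and section is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip()
    return cfg

def global_findings(cfg):
    """Return one message per RISKY setting present in [global]."""
    g = cfg.get("global", {})
    return [f"{k} = {g[k]}: {why}" for (k, v), why in RISKY.items()
            if g.get(k, "").lower() == v]

def access(cfg, share, user):
    """Simplified view for plain user names (no @groups): 'rw', 'ro' or 'none'."""
    s = {**cfg.get("global", {}), **cfg[share]}   # share values override globals
    if user in s.get("invalid users", "").split():
        return "none"
    valid = s.get("valid users", "").split()
    if valid and user not in valid:
        return "none"
    if user in s.get("write list", "").split():
        return "rw"
    return "ro" if s.get("read only", "yes").lower() == "yes" else "rw"
```

This reports only what smb.conf grants; the filesystem permissions on the share path are checked separately by the kernel when smbd switches to the authenticated user.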
27 minutes ago, Revan335 said:

In log.smbd in the \var\log\samba directory there are, for example, these entries:

 

 

You can find out what users are assigned to the uid and gid by looking at the contents of the passwd file in the /config directory of your flash drive. (Use Notepad to view the contents of what is a database text file.) Remember that Google will be your friend in figuring out what the error messages mean in the Samba log file and what each field is in the passwd file.

20 minutes ago, Frank1940 said:

You can find out what users are assigned to the uid and gid by looking at the contents of the    passwd     file in the   /config    directory of your flash drive

test:x:1007:100::/:/bin/false

It matches the entries of the SMB log.

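An added example, not part of any post in this thread and not Unraid or Samba code: a Python sketch that extracts the `chdir_current_service` denials from log.smbd, resolves each token's uid against passwd-format lines, and evaluates whether such a token could enter a directory with a given owner and mode. A denial logged with a real user's uid means smbd had already switched to that user and the refusal came from the filesystem. The log and passwd samples are copied from the posts above; the owner and mode passed to `can_enter` are whatever `stat` reports for the share path and are not taken from the thread.

```python
import re
import stat

# Sample input copied from the log excerpt and passwd line posted in the thread.
LOG = """\
[2023/02/15 20:19:43.102987,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1004, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.602662,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
"""
PASSWD = "test:x:1007:100::/:/bin/false\n"

DENIED = re.compile(
    r"vfs_ChDir\((?P<path>[^)]*)\) failed: Permission denied\. "
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), \d+ groups: (?P<groups>[\d ]+)"
)

def passwd_names(text):
    """Map uid -> login name from passwd-format lines (name:x:uid:gid:...)."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names

def denied_tokens(log, names):
    """Return the distinct (path, user, uid, gids) tuples smbd could not chdir for."""
    seen = []
    for m in DENIED.finditer(log):
        uid = int(m["uid"])
        gids = tuple(sorted({int(m["gid"]), *map(int, m["groups"].split())}))
        entry = (m["path"], names.get(uid, "?"), uid, gids)
        if entry not in seen:
            seen.append(entry)
    return seen

def can_enter(mode, owner_uid, owner_gid, uid, gids):
    """POSIX check (no ACLs): owner, then group, then other search (x) bit."""
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

if __name__ == "__main__":
    for hit in denied_tokens(LOG, passwd_names(PASSWD)):
        print(hit)
```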

 If you enable SMB 1 and try to access the path, you get the message the parameter is incorrect.

 

If you specify only the server without the path, the connection works, but no share is displayed. The test share is exported and not hidden. If you try to create something there, it gives "Invalid Operation for workgroups, servers, shares" as the message.

 

Tested just with the Android cell phone.

 

Is there perhaps a possibility to reset the SMB config, reinstall ..... because something there is botched?

 

Or a deny list or similar, which prevents you from connecting / getting write access / private share access ...., and that even device-dependent and different.

  • 2 weeks later...
1 hour ago, dlandon said:

Post a screen shot of one of your shares you are trying to share Private.  That would be the 'SMB Share Settings' page of the share.

 

I changed the test user to Read/Write access and tested the connection. Same Access Denied message. I am sending you a new diagnostic.

2 hours ago, Revan335 said:

I changed the test user to Read/Write access and tested the connection. Same Access Denied message. I am sending you a new diagnostic.

That's what I wanted you to figure out.  You didn't have any users defined for any shares.  It should be working now.  Be sure to use the Windows Network to browse to the share, and access it that way.

 

If you are still having issues, post the output of this command:

testparm -s

 
