Revan335 Posted February 16, 2023

Hello,

I have problems with access to protected SMB shares, for example Secure and Private shares with user credentials. In the German area I have found no solution. Maybe somebody here has an idea.

It doesn't work on clients like a PC or mobile device. On a Linux client like Manjaro with Arch or Ubuntu, mounting by fstab, mount .... returns permission denied as the error. If I try via the file manager, like Nemo/Thunar or Nautilus, the login window shows again after typing the credentials into it. On the Android phone I get an Access Denied message in the FolderSync Pro app.

If the share allows guests, like Public or Secure, and you do it without credentials/anonymously or with the user Nobody, then it works (tested on PC), including write access on Public shares. With Secure shares guests have only read access.

With IP or server name it is the same situation.

Many thanks! Greetings! Revan335

Frank1940 Posted February 16, 2023

Look at the PDF file in the first post of this thread: https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup/

One thing to be aware of is that the first time you access the server using SMB, a handshaking process starts. If this handshake process does not result in a login of a registered Share access User, Unraid will give you a login with 'guest' credentials. Once logged in, it is almost impossible to log out. So it is very important to log into the server early using a Share access User Credential.

Revan335 (Author) Posted February 16, 2023

1 hour ago, Frank1940 said:
> Look at the PDF file in the first post of this thread: https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup/ One thing to be aware of is that the first time you access the server using SMB, a handshaking process starts. If this handshake process does not result in a login of a registered Share access User, Unraid will give you a login with 'guest' credentials. Once logged in, it is almost impossible to log out. So it is very important to log into the server early using a Share access User Credential.

OK, I have not tested on a Windows system. I will change the test shares to Private and try on Linux again. The other shares are Private shares; that login doesn't work.

Revan335 (Author) Posted February 16, 2023

@Frank1940 So, I have only Private shares, but the login/access is not working again. Tested on Ubuntu and Android. On the test share all users have read/write permissions. The share is exported, without being hidden.

Frank1940 Posted February 16, 2023

I only have experience with Windows. I will ping @dlandon as I believe that he has some knowledge about setting Linux SMB shares. (I would think that Android would be similar...)

Revan335 (Author) Posted February 16, 2023

1 hour ago, Frank1940 said:
> I only have experience with Windows. I will ping @dlandon as I believe that he has some knowledge about setting Linux SMB shares. (I would think that Android would be similar...)

Under Windows it doesn't work either. I tested on a Win 10 VM. I can test it on Win 10 physical machines too. The same message: you don't have permissions for access to \\unraidserver\sharename

Edited February 16, 2023 by Revan335

Frank1940 Posted February 16, 2023

Try running the New Permissions script only on the User Share(s) that you are trying to access. (Tools >>> New Permissions) Do not run it on appdata!!!!

Revan335 (Author) Posted February 16, 2023

1 hour ago, Frank1940 said:
> Try running the New Permissions script only on the User Share(s) that you are trying to access. (Tools >>> New Permissions) Do not run it on appdata!!!!

No change. I tested on the test share from the Android device. The script ran over the test share. I can test on other clients later.

trurl Posted February 17, 2023

For Windows, if it already has a credential for the server, it will use that credential. If that doesn't work, it will pointlessly ask you to login, but it still won't use any other credential.

Revan335 (Author) Posted February 17, 2023

5 hours ago, trurl said:
> For Windows, if it already has a credential for the server, it will use that credential. If that doesn't work, it will pointlessly ask you to login, but it still won't use any other credential.

Even if you have already logged in to this Win and Win has saved these credentials, it should work, because every user has read/write permissions to the test share.

Frank1940 Posted February 17, 2023

5 hours ago, Revan335 said:
> Even if you have already logged in to this Win and Win has saved these credentials, it should work, because every user has read/write permissions to the test share.

If the login with the stored credential (in Credential Manager) fails on your Unraid server, the computer-client will be (automatically) logged in with 'guest' credentials which will NOT have access to any share that is not a Public share! There will be no error message that the stored credential has failed because a 'guest' login has succeeded!

(As I have said for years, SMB is a Kludge and it does not behave the way that most people think it should. Because of this, many, if not most, small businesses have an IT consultant to set up and maintain their SMB networks because these consultants know where the landmines are hidden and how to avoid, or work around, them.)

EDIT:

11 hours ago, trurl said:
> If that doesn't work, it will pointlessly ask you to login, but it still won't use any other credential.

I believe this is only true if you attempt to access a Private share. If it is a Secure share, it will give you read-only access. There is not a convenient way to log out from a SMB server from Windows. (There is a way from the Windows command line prompt, but that is a hassle...)

Edited February 17, 2023 by Frank1940

Revan335 (Author) Posted February 17, 2023

1 hour ago, Frank1940 said:
> If the login with the stored credential (in Credential Manager)

That's not working, whether stored in the Credential Manager or not stored there. Can I find logs or something with more details that would help with the solution? In the syslog there are no entries about SMB login ....

trurl Posted February 17, 2023

Delete all credentials related to your server in Credential Manager. At the Windows command prompt, do

net use * /delete

Try to access a private share. Don't try to access any other share. Log in as the Unraid user with access to the private share.

Frank1940 Posted February 17, 2023

I am not an expert on the interworkings of SAMBA but I will point you in a couple of directions. (I treat SMB as a black box. From long experience and gleaning information from various sources, I know if one does this to the black box--- One can expect that this will be the results. The "why" is 'black magic' that I don't always understand...)

First, the Samba log files are in /var/log/samba. Look there to see what you find.

Second, having given you that tidbit, I will say I suspect that Samba is not set up (in Unraid) to do much logging. I believe it has to be set in the Global section of the smb.conf file. Here is a link to the various parameters that can be used in that file: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#FORCEGROUP

You will be looking for the log level parameter. You can see what the various parameters are currently set to with these two commands. The second one is the verbose one...

testparm
testparm -v

I have very little knowledge in this area and thus am being really dangerous in even pointing it out to you. Be careful as you could be entering a minefield. Google will be your only friend!

Frank1940 Posted February 17, 2023

1 hour ago, Revan335 said:
> That's not working. With stored in the Credential Manager or without stored there.

You have to reboot Windows to log out from the previous login with the Unraid server. Changing the credentials in Credential Manager does not use the new credentials until you reboot Windows or you run this command (Thanks to @trurl for locating this):

51 minutes ago, trurl said:
> net use * /delete

Revan335 (Author) Posted February 17, 2023

In log.smbd in the \var\log\samba directory there are, for example, these entries:

Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/02/15 20:15:45.733285, 0] ../../source3/smbd/server.c:1741(main)
  smbd version 4.17.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/02/15 20:19:43.102987, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1004, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:19:43.103643, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1004, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.602662, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.603453, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:21:37.860313, 0] ../../source3/modules/vfs_extd_audit.c:217(audit_mkdirat)
  vfs_extd_audit: mkdirat wrust
[2023/02/15 20:23:18.184226, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:23:18.184697, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:23:32.475372, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:23:32.477406, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:24:51.450448, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:25:16.028134, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:27:59.987961, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:37:31.241094, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:37:45.429379, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:37:45.433191, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:38:07.018111, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:38:07.029007, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/17 00:59:55.769013, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)

Edited February 17, 2023 by Revan335

Revan335 (Author) Posted February 17, 2023

6 hours ago, Frank1940 said:
> testparm

# testparm
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
	disable netbios = Yes
	disable spoolss = Yes
	load printers = No
	logging = 0
	map to guest = Bad User
	max log size = 10000
	max open files = 40960
	multicast dns register = No
	ntlm auth = ntlmv1-permitted
	null passwords = Yes
	passdb backend = smbpasswd
	printcap name = /dev/null
	security = USER
	server min protocol = SMB2
	server string = MCP
	show add printer wizard = No
	smb1 unix extensions = No
	syslog = 0
	workgroup = WORKGROUPNAMEWITHÜ
	fruit:nfs_aces = No
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb
	access based share enum = Yes
	acl allow execute always = Yes
	aio read size = 0
	aio write size = 0
	create mask = 0777
	directory mask = 0777
	hide unreadable = Yes
	include = /etc/samba/smb-shares.conf
	invalid users = root
	map archive = No
	map readonly = yes
	use sendfile = Yes
	wide links = Yes

[Test]
	path = /mnt/user/Test
	valid users = public backup_mobil test
	vfs objects = extd_audit recycle
	write list = public backup_mobil test
	recycle:exclude_dir = .Recycle.Bin
	recycle:exclude = *.tmp
	recycle:versions = Yes
	recycle:minsize = 1
	recycle:touch_mtime = No
	recycle:touch = Yes
	recycle:keeptree = Yes
	recycle:directory_mode = 0777
	recycle:repository = .Recycle.Bin

It looks correct to me.

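A review pass over a testparm dump like the one posted above, as an added example that is not part of the thread and not Samba or Unraid code. The function names, the selection of checks and the [Scratch] share are assumptions made for this example; the parameter names and values are the ones in the dump.

```python
# (parameter, value) pairs from the [global] dump above, with why a reviewer flags them.
GLOBAL_CHECKS = {
    ("map to guest", "bad user"): "logins with an unknown user name become guest sessions",
    ("ntlm auth", "ntlmv1-permitted"): "NTLMv1 authentication is accepted",
    ("null passwords", "yes"): "accounts with an empty password may log in",
    ("wide links", "yes"): "symlinks may point outside the exported path",
}

# Constructed input: a subset of the dump above plus one invented share, [Scratch].
SAMPLE = """\
[global]
    map to guest = Bad User
    ntlm auth = ntlmv1-permitted
    null passwords = Yes
    wide links = Yes
[Test]
    path = /mnt/user/Test
    valid users = public backup_mobil test
    write list = public backup_mobil test
[Scratch]
    path = /mnt/user/Scratch
    guest ok = Yes
"""

def parse_testparm(text):
    """Parse testparm-style output into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return findings for the global checks and for shares without an access list."""
    sections = parse_testparm(text)
    glob = sections.get("global", {})
    findings = [f"[global] {key} = {glob[key]}: {why}"
                for (key, value), why in GLOBAL_CHECKS.items()
                if glob.get(key, "").lower() == value]
    for name, params in sections.items():
        if name != "global" and not params.get("valid users", "").split():
            guest = params.get("guest ok", "no").lower() == "yes"
            who = "guests and any authenticated user" if guest else "any authenticated user"
            findings.append(f"[{name}] no valid users list: open to {who}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Per the smb.conf manual, `map to guest = Bad User` maps a login with an unknown user name to the guest account, while a wrong password for an existing user is rejected. To audit a live server, pass the text printed by `testparm -s` to `audit()`.
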
Frank1940 Posted February 17, 2023

27 minutes ago, Revan335 said:
> In log.smbd in the \var\log\samba directory there are, for example, these entries:

You can find out what users are assigned to the uid and gid by looking at the contents of the passwd file in the /config directory of your flash drive. (Use Notepad to view the contents of what is a database text file.) Remember that Google will be your friend in figuring out what the error messages mean in the Samba log file and what each field is in the passwd file.

Revan335 (Author) Posted February 17, 2023

20 minutes ago, Frank1940 said:
> You can find out what users are assigned to the uid and gid by looking at the contents of the passwd file in the /config directory of your flash drive

test:x:1007:100::/:/bin/false

It matches the entries of the SMB log.

Edited February 17, 2023 by Revan335

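The uid lookup done by hand in the posts above, as an added example that is not part of the thread: it pulls every refused `chdir_current_service` entry out of a log.smbd text and resolves the token's uid against passwd-format lines. The function names are this example's own, and the sample log and passwd text are constructed in the shape of the lines quoted in the thread.

```python
import re
from collections import Counter

# One refused share entry: "[timestamp, level] file:line(function)" header, then the
# message. \s+ also spans the line break smbd writes after the header.
DENIAL = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]\s+"
    r"\S+\(chdir_current_service\)\s+"
    r"chdir_current_service: vfs_ChDir\((?P<path>[^)]*)\) failed: (?P<err>[^.]+)\.\s+"
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+)"
)

# Constructed sample input, shaped like the log.smbd and passwd lines in the thread.
SAMPLE_LOG = """\
[2023/02/15 20:15:45.733285,  0] ../../source3/smbd/server.c:1741(main)
  smbd version 4.17.3 started.
[2023/02/15 20:19:43.102987,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test) failed: Permission denied. Current token: uid=1004, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.602662,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
[2023/02/15 20:20:08.603453, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service) chdir_current_service: vfs_ChDir(/mnt/user/Test2) failed: Permission denied. Current token: uid=1007, gid=100, 4 groups: 100 3003 3004 3006
"""
SAMPLE_PASSWD = "root:x:0:0::/root:/bin/bash\ntest:x:1007:100::/:/bin/false\n"

def parse_passwd(text):
    """Map uid -> user name from passwd-format lines (name:x:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users

def chdir_denials(log_text):
    """Return (timestamp, path, error, uid, gid) for every refused share chdir."""
    return [(m["ts"], m["path"], m["err"], int(m["uid"]), int(m["gid"]))
            for m in DENIAL.finditer(log_text)]

def summarize(log_text, passwd_text):
    """Count denials per (account, share path); unresolved uids stay visible."""
    users = parse_passwd(passwd_text)
    counts = Counter()
    for _ts, path, _err, uid, _gid in chdir_denials(log_text):
        counts[(users.get(uid, f"uid={uid} (not in passwd)"), path)] += 1
    return counts

if __name__ == "__main__":
    for (user, path), n in summarize(SAMPLE_LOG, SAMPLE_PASSWD).items():
        print(f"{n:3d}  {user:28s} {path}")
```

Each entry already carries a Unix token (uid, gid, groups), so the session had been mapped to an account when the chdir into the share path was refused.
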
Revan335 (Author) Posted February 18, 2023

If you enable SMB 1 and try to access the path, you get the message that the parameter is incorrect. If you specify only the server without the path, the connection works, but no share is displayed. The test share is exported and not hidden. If you try to create something there, it gives "Invalid Operation for workgroups, servers, shares" as the message. Tested just with the Android cell phone.

Is there perhaps the possibility to reset the SMB config, reinstall ....., because something there is botched? Or a deny list or something similar, which prevents you from connecting / getting write access / private share access ...., and that even device-dependent and different.

dlandon Posted February 27, 2023

Post diagnostics..

Revan335 (Author) Posted February 27, 2023

10 hours ago, dlandon said:
> Post diagnostics..

I have sent you the diagnostics, for more privacy.

Many thanks! Greetings Revan335

dlandon Posted February 27, 2023

21 minutes ago, Revan335 said:
> I have sent you the diagnostics, for more privacy. Many thanks! Greetings Revan335

Post a screen shot of one of your shares you are trying to share Private. That would be the 'SMB Share Settings' page of the share.

Revan335 (Author) Posted February 27, 2023

1 hour ago, dlandon said:
> Post a screen shot of one of your shares you are trying to share Private. That would be the 'SMB Share Settings' page of the share.

I changed the test user to read/write access and tested the connection. Same Access Denied message. I am sending you a new diagnostic.

Edited February 27, 2023 by Revan335

dlandon Posted February 27, 2023

2 hours ago, Revan335 said:
> I changed the test user to read/write access and tested the connection. Same Access Denied message. I am sending you a new diagnostic.

That's what I wanted you to figure out. You didn't have any users defined for any shares. It should be working now. Be sure to use the Windows Network to browse to the share, and access it that way. If you are still having issues, post the output of this command:

testparm -s