Windows 10, SMB User Share



Hello,

 

I have unRaid set up and would like to properly configure permissions via SMB for my Windows systems.

 

I had things working with standard user names on Windows 7 Boxes, I.E. "name", but my windows 10 box has a user account tied to my email address. (required for being a windows experience member, i.e. free copy of windows 10), so my user name is "[email protected]". When I RDP in to this box, I specifically have to type my username as "[email protected]".

 

How can I achieve this with unRaid? What are my options for easily allowing SMB sharing to this box?

Link to comment

On Windows 10, use a local account instead of a Microsoft account.  If your Windows 10 local account name and password match those of your unRAID username and password, then pass-through authentication is performed and you would not need to perform a login to access SMB shares.

 

To switch your Windows 10 login from a Microsoft Live account to a local account:

Start->Settings->Accounts->Disconnect My Microsoft Account

 

I don't know what ramifications this will have for you if you use Microsoft online services like OneDrive and Apps, since I have always installed Windows 8 & 10 with local accounts because none of the Microsoft Live apps are that useful to me.

 

Edit:

A Microsoft Live account is an e-mail account registered with Microsoft.  A local account is just a username of your choosing.

Link to comment

You might try this.

 

On Windows 10, go to Control Panel - Credential Manager and delete any credentials for unRAID so they can be renegotiated.

 

Make sure the first share you try to access is a Secure or Private share for the unRAID user you want to use and see if Windows will give you a login dialog.

Link to comment
  • 2 years later...

Zombie thread but it wasn't answered and I haven't found a current one that does yet. Anyway it's first page on Google results so here goes. braaaaaains!

 

Quote

A Microsoft Live account is an e-mail account registered with Microsoft.  A local account is just a username of your choosing.


This is unfortunately incorrect, at least in 2018 it is. A Microsoft Account is not an email account. It is a Microsoft Account that is registered to your device and software licenses (for MS products), your Store account, your Skype acct and it links your user profile experience across Windows machines. That is why every time you log in with your MS account on a new PC, you have to authorize that by multi-factor auth and lo and behold you have the same desktop image and other stuff. You can and should use your MS account with your unRAID shares because it's The Right Way and it's easy. But there is no integration to MS directly; you will have to update your password on unRAID when you change it with MS. This is actually how it's done on every NAS on the market that I've seen, because it's been supported by Samba for years.

Unfortunately the GUI on unRAID has not caught up with the times. You can use your Microsoft Account with unRAID; you just need to know how to edit a few config files, and you need to restart samba (i.e. stop/start the array).

- In the GUI, create a user with the short name for your account. e.g. in my case I called the account 'dude'. Set a password for dude that matches your MS account. This will create a unix account and a matching samba account

- edit /etc/passwd (and /boot/config/passwd probably - I did) and change "dude" to "[email protected]" to match your MS acct

- edit /etc/shadow (and /boot/config/shadow) likewise

- edit /boot/config/smbpasswd as well, to change the unix username to your MS account

Now when you restart the array it's going to restart samba. You can probably bounce samba manually; I've not tried to see if unRAID handles that gracefully yet. Someone else might chime in to confirm. Once samba is restarted, the new account is enabled.

Okay now on the client machine you are connecting from, I'm assuming that you are logging in with a standard Microsoft Account. You should have no drives mapped (especially with credentials saved) and you can always restart the Workstation service to clear any open sessions to the server. Once you've done this, if you navigate to the unRAID server in your Windows Explorer network browser, it should not prompt you for credentials ASSUMING that you configured basic permissions for the user account to access your shares.

This works fine because it's TOTALLY SUPPORTED BY SAMBA and standard on almost every NAS product I've seen but unRAID. I'm just going to push a feature request to add the ability for the GUI and the supporting scripts to eat a proper email address for a MS account.


BTW the form of a MS account in SMB protocol is MicrosoftAccount\[email protected]

If the target was a Windows box, it would need to have that MS account created locally and have been logged in once before. Samba is not so picky because it has SAVED the password that you gave it. The difference is that a real Windows 8 or 10 host knows how to ask Microsoft if the credentials are valid (and it caches it for a time, which you could look up - I've forgotten).

I find it hilarious when people say oh this is not standard or supported when it's a Microsoft protocol so what they say and do is the standard.

Cheers from your friendly neighborhood MCSE.

Link to comment
  • 3 weeks later...
7 hours ago, Caldorian said:

Hi @geekazoid

I tried using your instructions, but to no success. Most of my shares are publicly available, but the one share that I tried to restrict to myself prompts me for credentials. After trying to enter my credentials again, it fails to connect.

Any thoughts on where I can keep trying to troubleshoot this?

 

Windows / SMB only allows one connection. If it has already negotiated a connection, it won't use another, even though it prompts for credentials.

 

On 8/27/2015 at 9:48 AM, trurl said:

go to Control Panel - Credential Manager and delete any credentials for unRAID so they can be renegotiated.

 

Make sure the first share you try to access is a Secure or Private share for the unRAID user you want to use and see if Windows will give you a login dialog.

 

Link to comment

Already had all my credentials removed, and tried connecting to the secured shares first. Played around with it some more today. I'm wondering if the issue is that my Windows "username" is different from the local-part of my email address. (ie. Windows says via whoami/"echo %username%" my username is "john", but my email address is "[email protected]").

 

I think I'll try clearing all the users off my UnRAID server, and try setting things up again clean on a VM to see if I can a) Get things working, and b) re-create the failure once it works, which shouldn't be hard :P

Link to comment

Hey @geekazoid,

I finally managed to get this working. Your instructions were pretty good. However, the biggest thing that I had to do was turn off public access to all my exported shares. Once I did this, access seems to work as expected.

And no, I didn't end up having to fix my account on my local system so that the Windows username matches the local-part of my Microsoft Account name. Just make sure those public shares aren't published so that Windows doesn't access UnRAID at all in an unauthenticated manner.

 

Now, if only the Create Users dialog was amended to allow the creation of email-like users so you don't have to manually edit files. Just tried this on a QNAP SAN, and it worked flawlessly (again, having to first disable guest access on all shares).

Link to comment
  • 1 year later...
On 3/17/2018 at 6:04 AM, geekazoid said:

Zombie thread but it wasn't answered and I haven't found a current one that does yet. Anyway it's first page on Google results so here goes. braaaaaains!

 


This is unfortunately incorrect, at least in 2018 it is. A Microsoft Account is not an email account. It is a Microsoft Account that is registered to your device and software licenses (for MS products), your Store account, your Skype acct and it links your user profile experience across Windows machines. That is why every time you log in with your MS account on a new PC, you have to authorize that by multi-factor auth and lo and behold you have the same desktop image and other stuff. You can and should use your MS account with your unRAID shares because it's The Right Way and it's easy. But there is no integration to MS directly; you will have to update your password on unRAID when you change it with MS. This is actually how it's done on every NAS on the market that I've seen, because it's been supported by Samba for years.

Unfortunately the GUI on unRAID has not caught up with the times. You can use your Microsoft Account with unRAID; you just need to know how to edit a few config files, and you need to restart samba (i.e. stop/start the array).

- In the GUI, create a user with the short name for your account. e.g. in my case I called the account 'dude'. Set a password for dude that matches your MS account. This will create a unix account and a matching samba account

- edit /etc/passwd (and /boot/config/passwd probably - I did) and change "dude" to "[email protected]" to match your MS acct

- edit /etc/shadow (and /boot/config/shadow) likewise

- edit /boot/config/smbpasswd as well, to change the unix username to your MS account

Now when you restart the array it's going to restart samba. You can probably bounce samba manually; I've not tried to see if unRAID handles that gracefully yet. Someone else might chime in to confirm. Once samba is restarted, the new account is enabled.

Okay now on the client machine you are connecting from, I'm assuming that you are logging in with a standard Microsoft Account. You should have no drives mapped (especially with credentials saved) and you can always restart the Workstation service to clear any open sessions to the server. Once you've done this, if you navigate to the unRAID server in your Windows Explorer network browser, it should not prompt you for credentials ASSUMING that you configured basic permissions for the user account to access your shares.

This works fine because it's TOTALLY SUPPORTED BY SAMBA and standard on almost every NAS product I've seen but unRAID. I'm just going to push a feature request to add the ability for the GUI and the supporting scripts to eat a proper email address for a MS account.


BTW the form of a MS account in SMB protocol is MicrosoftAccount\[email protected]

If the target was a Windows box, it would need to have that MS account created locally and have been logged in once before. Samba is not so picky because it has SAVED the password that you gave it. The difference is that a real Windows 8 or 10 host knows how to ask Microsoft if the credentials are valid (and it caches it for a time, which you could look up - I've forgotten).

I find it hilarious when people say oh this is not standard or supported when it's a Microsoft protocol so what they say and do is the standard.

Cheers from your friendly neighborhood MCSE.

Thanks for these instructions, works perfectly! Only issue I'm having is shares from Unassigned Drives prevent access as the user name has an "@" in it 🙁

Link to comment
  • 3 weeks later...
  • 7 months later...

Have there been any updates to Unraid pertaining to this issue? 

 

I'm trying to make my shares Private/Secure, but I cannot for the life of me get Windows to allow me in.  I'm using a Microsoft account on my Windows machine, and I followed the instructions posted by geekazoid to change the user name to the email address of my Microsoft account.  The password on the Unraid user matches the password on my Microsoft account.  Still, I am always prompted for credentials and denied access.  I deleted the credentials in Credential Manager per trurl's suggestion, I restarted the Workstation service, but I still am not able to authenticate.

 

Any insight is appreciated.  Thank you!

Link to comment
On 5/31/2020 at 5:27 PM, tkohhh said:

I'm trying to make my shares Private/Secure, but I cannot for the life of me get Windows to allow me in.

When troubleshooting, make sure ALL of your shares that have export yes are set private. Not just the ones you are trying to make permanently private.

 

Windows has a nasty feature of only allowing one set of credentials per server, so if any of your shares allow access without correct credentials, it won't even try any other credentials, even when manually entered.

Link to comment
  • 2 weeks later...

I did have one hidden share that was still Public, so I made that private as well.  I went through the whole dance again of adding the user to Unraid, changing the passwd, shadow, and smbpasswd files to use my Microsoft Account email, clearing the connections in Windows, but I am still prompted for credentials.  No matter what I put in the credentials, I cannot access the shares.

 

What could I be missing?

Link to comment

I came back to it after a little bit and decided to re-enter the password in Unraid.  Sure enough, my shares are working now without prompting for credentials.

 

However, I can report the same issue that @Jakosaur mentioned above.  In the Unassigned Devices settings, the email address user shows as one of the users, however when I change the access to Read/Write and hit Apply, it just reverts back to No Access.

 

I'd prefer it if I could get that working, but it's not the end of the world.

Link to comment
  • 3 months later...

I followed geekazoid's instructions and they worked like a charm! From a Windows box, that is. However, I now can't connect to those same shares from a Linux (Mint 19) machine using Samba and I think I've tried every combination of username, domain, workgroup. Anyone have any recommendations? I don't think this is an Unraid-specific issue but I also haven't been able to find much information about it elsewhere.

 

I'm also running into the Unassigned Devices Samba share issue like everyone else but not going to worry about that for the time being.

Link to comment
  • 10 months later...

windows 10, check c:\users\user <- and remember this folder name.

unraid 6.9.2, go to users add a new user with the same name of the folder in c:\users\

give your shares the correct permissions, 

restart the unraid array and restart win 10 for good measure.

 

the first time you access a share it will ask for username and password,

these should match the user you created on unraid.

 

you may also need to remove any creds from the credential manager on windows 10 relating to unraid.

 

this is what worked for me.

Link to comment
  • 1 month later...

I can confirm the method above by Schuu, it worked perfectly. I added a remote SMB Share in the main tab of Unraid.

 

Created on Unraid the same user/pwd as the account on my Windows which btw is an administrator account.

I didn't have any previous shared folders on Windows.

Windows credentials were empty. Windows 10 Pro 20H2

 

Spaceinvader One made a video moving data with krusader https://youtu.be/MVSxiN2hr4I?t=660 , from what I could read the "Home Group Connection" doesn't exist in Windows anymore.

 

For those like me who may need step by step guidance, on Windows side :

"Network and Sharing Center" settings : Private network

"Network and Sharing Center" settings -> "Change advanced sharing settings" :

- Private :

       - Network discovery On with automatic setup

       - File and printer sharing On

- All Networks :

      - Public folder sharing Off

      - Password protected sharing On

 

Here are the steps to share the folder that worked for me :

- Right click the folder

- Give access to -> Specific People

- From the drop down menu type the name of the user account then Share

- Right click again the folder

- Properties -> Sharing tab -> Advanced sharing -> Tick the "Share this folder" box -> Apply

 

 

 

Link to comment
  • 7 months later...

 

Attention! Don't make the a.m. changes to the shadow / passwd files!

Even though it will work, it is only a bad workaround.... 😉

 

There is a better, officially supported way of adding a Microsoft @ account to a SAMBA server.

 

Go to this thread/message where I described it in more detail:

 

 

Have fun and with best regards

DaKarli.

Link to comment
  • 5 weeks later...

I agree with DaKarli. Samba usermap is the right way.

 

On 4/27/2022 at 10:58 AM, DaKarli said:

Attention! Don't make the a.m. changes to the shadow / passwd files!

Even though it will work, it is only a bad workaround.... 😉

 

There is a better, officially supported way of adding a Microsoft @ account to a SAMBA server.

 

Go to this thread/message where I described it in more detail:

 

 

Have fun and with best regards

DaKarli.

 

Link to comment
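
The Samba `username map` approach named in the last two posts, shown as an added example that is not taken from the thread, from the linked post, or from Unraid's documentation. The file paths, the short name `dude` (reused from the earlier post) and the address `user@example.com` are assumptions or constructed placeholders, and the block shows two separate files.

```ini
# ===== FILE 1: Samba global settings =====
# Assumed location on Unraid: Settings > SMB > SMB Extras
# (stored as /boot/config/smb-extra.conf).
[global]
    # Translate the name sent by the Windows client into an existing
    # Unix account. On a standalone server Samba applies this map
    # before it validates the password.
    # The path below is a placeholder chosen for this example.
    username map = /boot/config/smb-usermap.txt

# ===== FILE 2: /boot/config/smb-usermap.txt (placeholder path) =====
# Format:  unix_name = client_name [client_name ...]
#   - Lines starting with '#' or ';' are ignored.
#   - Put a client name that contains spaces in double quotes.
#   - A leading '!' stops map processing at the first matching line,
#     so a later wildcard line cannot remap the same client again.
#
# 'dude' is the short account created in the Unraid GUI.
# 'user@example.com' is a constructed stand-in for the Microsoft
# Account sign-in name that Windows sends.
!dude = user@example.com

# What stays unchanged with this approach:
#   - /etc/passwd, /etc/shadow and smbpasswd keep the short name 'dude';
#     no hand edits to those files are needed.
#   - Share permissions are granted to 'dude' in the GUI as usual.
#   - The password stored for 'dude' must still equal the Microsoft
#     Account password and must be updated on the server whenever it
#     changes, as described earlier in the thread.
#   - Samba has to be restarted for the map to take effect.
```

Running `testparm -s` on the server prints the parsed Samba configuration, which shows whether the `username map` line was picked up.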
