Access Private/Secure SMB shares from Windows workstations

[IamSpartacus]

How does one access an SMB share on UnRAID (not domain joined) if that share is set to private/secure?  I've got a user account on UnRAID setup with read/write access but no combination of COMPUTERNAME\USERNAME will work when presented with a login to access said share from my Windows machines.

 

P.S.  My PCs are domain joined.

[JonathanM]

First guess would be that you have already established a connection to the server using a different username and password, and are being granted guest privileges. Try removing all windows cached credentials and connecting first to the secure share. If windows has a valid connection to the server in general, it won't allow a second set of credentials to be used, so unraid denies access.

[IamSpartacus]

Just now, jonathanm said:

First guess would be that you have already established a connection to the server using a different username and password, and are being granted guest privileges. Try removing all windows cached credentials and connecting first to the secure share. If windows has a valid connection to the server in general, it won't allow a second set of credentials to be used, so unraid denies access.

 

So there is no way for me to have guest access to some shares and private access to others?  I currently map many of my UnRAID shares as mapped drives during login using guest access so does that preclude me from accessing other shares privately?

 

EDIT:  I just tested access after disconnecting my mapped drives and it did work after that.  And then running a gpupdate re-mapped the drives and it still works.  I even tried logging off and back in and still I can access the private share (and I know it's private because logging in with a different domain user doesn't allow access).

 

The question is though, is the user session just cached and will this stick after a server reboot?

[IamSpartacus]

I guess I'll just make all the shares private and just create user accounts in UnRAID that match my domain accounts to delegate access that way.

[JonathanM]

Any shares designated public will have guest access as well as being usable by all valid users. Not sure why you feel you can't have public guest access to some shares.

[Frank1940]

You might want to read this thread and look at the link:

  

Be sure to follow the links as this thread is dedicated to assembling solutions and explanations of Windows networking issues in one place. 

[trurl]

This is basically a limitation of Windows and not really anything to do with unRAID. Windows will not allow you to have more than one login to another computer at the same time, and it remembers the last login you used and tries to use it. So you have to clear credentials if you want to be another user.

[geekazoid]

Old thread but first page hit on google, so I'll comment.

This is not a limitation of Windows, but a security feature of SMB/CIFS protocol. You'll have the exact same behavior from a Linux or Mac OS SMB client.

SMB is single session, multi-stream. What this means is that you can only authenticate once per session. To connect as a different user, you need to close the session to reconnect with different credentials.

You can reset all open session by restarting the Workstation service on your Windows client.

It is best practice to never have guest access to any Windows share. Many users conflate the Share privileges (e.g. Everyone can read the share) with the file privileges (only authenticated users can read the files). These are separate things.

[trurl]

6 hours ago, geekazoid said:

Old thread but first page hit on google, so I'll comment.

 

Since you have done 2 necro posts about these topics, I just thought I would point you to a more current thread. The sticky at the top of this subforum : 

 

https://lime-technology.com/forums/topic/53172-windows-issues-with-unraid/

 

Feel free to contribute.

[geekazoid]

I don't get into threads with no clear topic. I prefer a more surgical approach.

[JonathanM]

23 hours ago, geekazoid said:

I don't get into threads with no clear topic. I prefer a more surgical approach.

The suggestion was made so that your contributions would stay top of mind and easily referenced when others need assistance with the same topic. If you haven't noticed, most people can't be bothered to search for themselves, they want to be spoon fed answers. If you add your knowledge to the "FAQ" on the topic, then when someone asks, and is pointed to that thread, your answer will be there. If you choose to only post in old obscure threads that only pop up via google searches, then your answers will probably never be read by others.

 

Your call. <shrug>

[Frank1940]

23 hours ago, geekazoid said:

I prefer a more surgical approach.

 

There is nothing 'neat' and 'clean' about SMB issues!!!  SMB is a Kludge and what works for one person doesn't for another.   Having all (or at least most) of the things that folks have found that work in one place saves a lot of time for both the folks who try to help and those with problems.  

[geekazoid]

Quote

If you choose to only post in old obscure threads that only pop up via google searches, then your answers will probably never be read by others.

Actually they will be read by people who google the topic. Since the search engine on here doesn't even let you search threads, that's the best way to find info on this forum.

I guess I will have better luck on the subreddit.