I've finally tracked down the obscure SMB issues that have been plaguing my LAN, but I'm not sure what to do to fix it, or what settings I should be using. The issues relate (I am now sure) to how I'm configuring domain names and domain-related matters on my LAN, and probably someone experienced would instantly see what I should be doing.
- Platforms and OSes - Simplifying to the 'problem' elements, the LAN has Windows 8.1 clients, a pfSense router, and FreeNAS running Samba. The router and FreeNAS are both latest versions (2.3.4-p1 and 11.0-U2 respectively). FreeNAS has no extensions/VMs/modding and not many services enabled (SSH, SMB, SMART, iSCSI while troubleshooting). It was clean-installed as 9.10.2 and updated to 11.0, and has always been configured through the GUI. The hardware is all stable and reputable (SuperMicro/Chelsio/Intel).
- General LAN setup - The LAN is a small homebrew/homelab LAN on one site; eventually it'll have a TAP VPN link to a second site so I need to allow for that, and also allow for servers offline/unreachable occasionally in my services planning. There is no purchased domain name, and no AD/LDAP. The only times one LAN device accesses another, it uses either the SMB name (for SMB) or its IP (for everything else). The router runs DHCP and Unbound as a DNS resolver, and all devices use the router for DNS lookup. SMB is used both client-server and client-client. Samba is configured to use WINS rather than broadcast (at present there's only one device able to act as a WINS server, and if FreeNAS is offline the clients would revert to broadcast anyway to find each other). If the FreeNAS server needs its NetBIOS names to be available for lookup, it can be added to the router's unbound.conf as a specific host -> IP entry. Packet capture confirms no firewall-related issues or dropped packets.
- Domain name entry issue - There are a number of places where one has to specify names for devices, some of them including domain names, others where a workgroup is needed, a domain is optional, or only a NetBIOS name is required. I'm convinced that my choices of what to enter and which of these to enter a domain in, and the format of the domains, aren't entered compatibly across my devices, and that's the source of my issues.
For example,
— pfSense and FreeNAS both require a name to be given - but pfSense demands a domain of some kind (even if not needed otherwise) and forbids ".local" (it breaks discovery for Apple and other devices using Avahi/mDNS for discovery, which is relevant here), while FreeNAS demands one and says if no other name exists, ".local" should be used.
— pfSense Unbound has a place to add hosts needing lookup, which could contain a NetBIOS name or FQDN.
— Windows IPv4 config has an optional box to enter a "DNS suffix" which can be filled or left empty and could be used to enter a domain name.
— Client LAN credentials, used for SMB lookup and entered in Windows Credential Manager, require a remote device name (which could be entered as a plain NetBIOS name or a FQDN), and a "user" or "domain\user" where the "domain" element could be a NetBIOS device name, NetBIOS workgroup name, FQDN or omitted.
— Samba and Windows machine name both need a name, but it's unambiguously just the NetBIOS name, not the FQDN here.
— Windows explorer.exe and "NET USE" commands both need a name, which can be a NetBIOS name or FQDN. (But only NetBIOS names will be discovered automatically by Explorer.exe)
— WINS can also (I think) have entries hard-coded through its config in some format or other, but I'd like to avoid this, and avoid using HOSTS files.
Symptoms that make me believe this is my issue are that log.smbd was showing various messages of the form "[ ] / [ ] @ CLIENT_MACHINE_NAME", and later on, "check_ntlm_password: Authentication for user [ ] -> [ ] failed with error NT_STATUS_NO_SUCH_USER" and "sam authentication for user [ ] failed", which seemed to be due to the correct data not being supplied by the client devices (Wireshark showed the original SMB request/negotiation packets had empty domain/username fields when sent). But when I added an arbitrary domain in the Windows credential it suddenly started to be able to authenticate to Samba file shares and list them in "NET USE" (although still not discover them in the navigation pane).
But this then seemed to break other things; I couldn't figure out what exactly I need to enter in which of these fields to make it all work together. I've tried doing magic random guesses - maybe workgroup here and domain there; maybe domain here and omit it there... but that's not really a great way to troubleshoot.
So my question is, what data do I enter in each of the various fields above so that SMB shares will stand a chance of working properly, including Network Places discovery/lookup? A list of "setting -> value" appropriate for my setup would honestly be good enough.
Some example data to make it easier:
— pfSense host name: set to "router.SOME_DOMAIN_NAME";
— FreeNAS host name, Samba workgroup, and NetBIOS name: set to "filesvr.SOME_DOMAIN_NAME", "WORKGROUP", and "filesvr" respectively;
— SOME_DOMAIN_NAME is arbitrarily set to ".mydomain" (on the assumption .local might cause problems);
— An example user defined in smb.conf, and created in FreeNAS users/groups: "Mike";
— An example client PC's workgroup and NetBIOS name: "WORKGROUP" and "WINPC2" respectively;
— Null-password, unknown password->guest mapping, guest, and unauthenticated logins+enumeration are all disabled in Samba. So are homegroups on PCs. So are IPC$ shares (if possible without killing Network Places discovery). The user names and passwords on the PCs are different from those in Samba.
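Added example, not part of the original post: a small Python triage helper that groups the check_ntlm_password lines quoted above by client workstation and the domain the client sent, separating rejected empty-credential (anonymous) attempts from failures for named users that Samba has no account for. The log excerpt and the names in it are constructed; a real log.smbd is read the same way.

```python
import re
from collections import Counter

# Constructed log.smbd excerpt (not from the original post), in the shape of the
# check_ntlm_password messages the poster quotes; Samba's "[date, level] file(func)"
# header lines are omitted. Three attempts from WINPC2: empty credentials, a
# username Samba has no account for, then a domain-qualified login that succeeds.
SAMPLE_LOG = """\
  check_ntlm_password:  Checking password for unmapped user []\\[]@[WINPC2] with the new password interface
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Checking password for unmapped user [WINPC2]\\[mike-laptop]@[WINPC2] with the new password interface
  check_ntlm_password:  Authentication for user [mike-laptop] -> [mike-laptop] FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Checking password for unmapped user [FILESVR]\\[Mike]@[WINPC2] with the new password interface
  check_ntlm_password:  authentication for user [Mike] -> [Mike] -> [mike] succeeded
"""

UNMAPPED = re.compile(r"unmapped user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]")
RESULT = re.compile(r"authentication for user \[(?P<user>[^\]]*)\](?: -> \[[^\]]*\])+ "
                    r"(?:succeeded|failed with error (?P<status>NT_STATUS_\w+))", re.IGNORECASE)

def classify(user, status):
    """Map one auth result to a triage label."""
    if status is None:
        return "ok"
    if status == "NT_STATUS_NO_SUCH_USER" and user == "":
        # Empty user and domain: an anonymous (null-session) attempt, which
        # Samba rejects when guest and null-password logins are disabled.
        return "anonymous-rejected"
    if status == "NT_STATUS_NO_SUCH_USER":
        return "unknown-user"   # client sent a name Samba has no account for
    if status == "NT_STATUS_WRONG_PASSWORD":
        return "bad-password"
    return "other:" + status

def triage(log_text):
    """Count outcomes per (workstation, domain sent by client, label)."""
    counts = Counter()
    pending = None   # (workstation, domain) from the last "unmapped user" line
    for line in log_text.splitlines():
        m = UNMAPPED.search(line)
        if m:
            pending = (m.group("ws"), m.group("domain"))
            continue
        m = RESULT.search(line)
        if m:
            ws, domain = pending or ("?", "?")
            counts[(ws, domain, classify(m.group("user"), m.group("status")))] += 1
            pending = None
    return counts
```

Run it over a real log with `triage(open("/var/log/samba4/log.smbd").read())`; a workstation that only ever shows "anonymous-rejected" is sending no credentials at all, while "unknown-user" rows show the exact name and domain the client chose.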