SOLVED CIFS Authentication with AD

[Elegant]

Hi, I've currently set up a few shares for Windows and given permission to my groups (see attach). Unfortunately, I can never seem to authenticate the user (guest access works). I am using Samba 4.1 as my AD DC.

I can see the share folders just fine but am unable to enter the folder if I click on them. It asks me to login saying my credentials are invalid. I've since tried every set of credentials for every user (including the administrator) to no avail. I can access FreeNAS through Computer Management and see that all shares are marked as Full Control for Everyone which is fine until I can get in the share. I've also gone into the shell and used wbinfo and all it's variations and can see the users, groups, user authentication and trust all return successfully.

Errors I've seen thus far are:
freenas mountd[2643]: mount request from 10.0.0.10 for non existent path /Test
freenas mountd[2643]: mount request denied from 10.0.0.10 for /Test

To be clear, this EXACT same share works when guests are allowed so for it to say it's non-existent really stumps me. If anyone has any insight on why I can't access these shares after specifying the permissions it would be greatly appreciated.

 

[cyberjock]

Well, the first message is saying that you are trying to mount /Test. There is no /Test... there is a /mnt/tank/Test.

The second message basically says you are denied permission to /Test. I'm not 100% sure of this, but my guess is you failed authentication so the system hadn't gotten far enough to even realize that there is no /Test (again, there is a /mnt/tank/Test).

 

[Elegant]

I thought it was refering to /Test as in the CIFS share, which would be accessible from \\freenas\Test. The attached screenshots might explain it a bit better. The \\freenas\Test location should be pointing to /mnt/tank/Test. At least that's my understanding of how this works and how guides around here have said to add CIFS shares. Is my thought process wrong?

Also, when I connect for the first time, I get the following:
freenas smbd[4116]: ../source3/smbd/server.c:545(smbd_accept_connection)
freenas smbd[4116]: accept: Software caused connection abort

 

[cyberjock]

Ok.. I suddenly feel totally retarded. I swear you were talking about NFS shares. Yes, you are correct and I am totally fubarred. I don't drink, but I must be drunk tonight!

I'm pretty confused on why those messages are from mountd though. I think that's where my confusion came from.

Keep in mind that it is possible to have 775 permissions (which is what you have in the very first screenshot) and still not have true "full permissions" because Unix permissions don't translated directly to NFSv4 (Windows ACL) permissions..

So I think you need to look into permissions and how those are setup for your system (read up on getfacl and setfacl). But, I also don't get why mountd is saying what it is saying. mountd should not be saying anything when accessing cifs shares.

 

[Elegant]

I checked the permissions and Everyone is not set the same as the others (as it should be). I did change that however (attached) and am still unable to access the folder. I get the permissions don't translate directly but it just seems like it's not wanting allow me access regardless.

 

[cyberjock]

What's the ACLs on /mnt/tank?

 

[Elegant]

See attached. I messed with them once or twice (matched them to the Test permissions then reverted) but yielded no results. Maybe I am doing it wrong?

 

[cyberjock]

Permissions look okay. Not sure why you can't authenticate. You providing the domain name with the username?

 

[Elegant]

Yep, generally it'll time out and ask me for my credentials since they're "wrong" according it. After I provided my credentials it gives me an error (see attached for both).

 

[cyberjock]

Ahh.. the "multiple connections" thing means you're trying to connect to the same server with two different credentials.

Backstory...

Say you connect to \\freenas\movies as a guest. Windows now assumes all connections to \\freenas will be as guest. You cannot decide you want to connect to \\freenas as another user without disconnecting all network shares. I'm not talking simply closing the windows and unmounting any drive letters mapped. I'm talking clearing them with 'net' commands. In this case, those Windows messages are telling you "you're already connected as a user... you can't choose someone else to connect as".

To make matters worse for you, when you first connect to a server (\\freenas\whatever\ in this case) Windows, by default, tries to connect using your login credentials for your account, then others that you have entered since you logged in, and then as a guest account. This is entirely automatic, but if any of those succeed, you've just connected as those credentials and you are now stuck with them until you clear/close all of the connections to \\freenas.

So permissions may be correct, but you need to understand how Windows appears to be screwing you over, but you don't know it's screwing you over. I also use a script to mount my shares because of this nasty behavior and I hate this behavior because its not well understood by many people

So when Mr Elegant thinks he's going to learn how to use FreeNAS and get all this new super-cool stuff working, during the experimenting if you don't fully understand how Windows behaves and understand the expected behavior for conditions, when you get errors like you're getting you're assuming that FreeNAS sucks, FreeNAS is doing weird stuff, or that you are simply failing to do things properly. The reality- Windows is screwing you over. :/

 

[anodos]

Ahh.. the "multiple connections" thing means you're trying to connect to the same server with two different credentials.

Backstory...

Say you connect to \\freenas\movies as a guest. Windows now assumes all connections to \\freenas will be as guest. You cannot decide you want to connect to \\freenas as another user without disconnecting all network shares. I'm not talking simply closing the windows and unmounting any drive letters mapped. I'm talking clearing them with 'net' commands. In this case, those Windows messages are telling you "you're already connected as a user... you can't choose someone else to connect as".

To make matters worse for you, when you first connect to a server (\\freenas\whatever\ in this case) Windows, by default, tries to connect using your login credentials for your account, then others that you have entered since you logged in, and then as a guest account. This is entirely automatic, but if any of those succeed, you've just connected as those credentials and you are now stuck with them until you clear/close all of the connections to \\freenas.

So permissions may be correct, but you need to understand how Windows appears to be screwing you over, but you don't know it's screwing you over. I also use a script to mount my shares because of this nasty behavior and I hate this behavior because its not well understood by many people

So when Mr Elegant thinks he's going to learn how to use FreeNAS and get all this new super-cool stuff working, during the experimenting if you don't fully understand how Windows behaves and understand the expected behavior for conditions, when you get errors like you're getting you're assuming that FreeNAS sucks, FreeNAS is doing weird stuff, or that you are simply failing to do things properly. The reality- Windows is screwing you over. :/

My personal favorite is when you do everything right (net use, specify correct user, etc), and then wonder why your access to the 'guest' shares is read-only, which happens because only 'bad users' get mapped to the guest account and other properly authenticated users fall under the default "everyone - read-only" ACE.

 

[Elegant]

Alright cyberjock, looks like that was it. I typed "net use" and saw that "\\freenas\IPC$" was mapped to nothing. Cleared that sucker out and BAM all good. Thanks a lot, I doubt I would've ever figured it out otherwise.