CIFS fails after 9.3 201501301837 update

[TheFlow]

Hi,
I've been trying for 10 hours to solve this problem.
After updating from 201501241715 to 201501301837 CIFS doesn't function as before. Shares are visible but not browseable due to incorrect credentials. Using the credentials with WinScp for instance, is not a problem.
Rolling back to 201501241715 solves it but i need the latest update. I'm not using AD or NFS.
Tried:
Changing password and then back to the same one.
Created new account, deleted share and added again.
Reboot, cold start.
Updating to latest 201502142001.
Switching to SMB2.

Smb4.conf:

server max protocol = SMB3

encrypt passwords = yes

dns proxy = no

strict locking = no

oplocks = yes

deadtime = 15

max log size = 51200

max open files = 1884926

load printers = no

printing = bsd

printcap name = /dev/null

disable spoolss = yes

getwd cache = yes

guest account = nobody

map to guest = Bad User

obey pam restrictions = yes

directory name cache size = 0

kernel change notify = no

panic action = /usr/local/libexec/samba/samba-backtrace

nsupdate command = /usr/local/bin/samba-nsupdate -g

server string = FreeNAS Server

ea support = yes

store dos attributes = yes

hostname lookups = yes

time server = yes

acl allow execute always = true

acl check permissions = true

dos filemode = yes

domain logons = no

local master = yes

idmap config *: backend = tdb

idmap config *: range = 90000001-100000000

server role = standalone

netbios name = SEBJ-FREENAS-BACKUP

workgroup = WORKGROUP

security = user

pid directory = /var/run/samba

smb passwd file = /var/etc/private/smbpasswd

private dir = /var/etc/private

create mask = 0666

directory mask = 0777

client ntlmv2 auth = yes



[Volume1]

path = /mnt/backup/Volume1

printable = no

veto files = /.snapshot/.windows/.mac/.zfs/

writeable = yes

browseable = yes

recycle:repository = .recycle/%U

recycle:keeptree = yes

recycle:versions = yes

recycle:touch = yes

recycle:directory_mode = 0777

recycle:subdir_mode = 0700

vfs objects = zfsacl aio_pthread audit extd_audit fake_perms netatalk streams_depot streams_xattr

hide dot files = yes

guest ok = no

nfs4:mode = special

nfs4:acedup = merge

nfs4:chown = true

zfsacl:acesort = dontcare

 

[dlavigne]

There has been 6 updates since that one. Please update to the latest STABLE and let us know if that fixes the issue.

 

[TheFlow]

Ok thanks, I updated to latest version. Same problem.
This is from samba4/smbd.log when trying to connect from Win7:
_______
[2015/02/23 14:46:22.584351, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [veeambackup] -> [veeambackup] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/02/23 14:46:22.585480, 2] ../source3/smbd/service.c:407(create_connection_session_info)
guest user (from session setup) not permitted to access this share (Volume1)
[2015/02/23 14:46:22.585506, 1] ../source3/smbd/service.c:550(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2015/02/23 14:47:03.574434, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4134 -- ignoring
[2015/02/23 14:48:03.576438, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4180 -- ignoring
[2015/02/23 14:49:03.578415, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4209 -- ignoring
[2015/02/23 14:50:03.580425, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4239 -- ignoring
________
Do you know where to find information about the changes from 201501241715 to 201501301837? I've looked around but found nothing.

 

[anodos]

Ok thanks, I updated to latest version. Same problem.
This is from samba4/smbd.log when trying to connect from Win7:
_______
[2015/02/23 14:46:22.584351, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [veeambackup] -> [veeambackup] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/02/23 14:46:22.585480, 2] ../source3/smbd/service.c:407(create_connection_session_info)
guest user (from session setup) not permitted to access this share (Volume1)
[2015/02/23 14:46:22.585506, 1] ../source3/smbd/service.c:550(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2015/02/23 14:47:03.574434, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4134 -- ignoring
[2015/02/23 14:48:03.576438, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4180 -- ignoring
[2015/02/23 14:49:03.578415, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4209 -- ignoring
[2015/02/23 14:50:03.580425, 2] ../source3/smbd/server.c:419(remove_child_pid)
Could not find child 4239 -- ignoring
________
Do you know where to find information about the changes from 201501241715 to 201501301837? I've looked around but found nothing.

Change logs can be found here: http://download.freenas.org/9.3/STABLE/

The fundamental problem is that you don't appear to have the user 'veeambackup' in samba's passdb file. "Authentication for user [veeambackup] -> [veeambackup] FAILED with error NT_STATUS_NO_SUCH_USER"

You can verify this by typing "pdbedit -L" you should see your user there. If you don't then, in the GUI change the password for your user "veeambackup". Then restart CIFS. This will force an update of credentials in samba's passdb.

 

[TheFlow]

Thanks for the link.

The user does exist in the passdb file. pdbedit -L gives:
veeambackup:1002:veeambackup

Anyway I did as you said but still unable to authenticate to the shares.

 

[TheFlow]

Just a wild guess, does NT_STATUS_NO_SUCH_USER have anything to do with domain accounts and why it can't find this user? I have no use for AD, just want the old local linux account to work with samba.

 

[cyberjock]

No such user means your username didn't exist for the given authentication mechanism (which *should* be local for you unless your server is misconfigured).

Access denied means your credentials were accepted but you didn't have permission to access that location.

Just to ask a stupid question, you aren't trying to create/change user accounts from the CLI are you? If so that's gonna be a major problem because doing those changes from the CLI *isn't* supposed to work.

 

[anodos]

Just an FYI. NetBIOS standard only allows for a 15 character name. Your smb4.conf indicates that you have 19 characters in your NetBIOS name. That may be causing some problems. Shorten the server's name then increase logging verbosity and reproduce the problem and attach the output here or enclose it in code tags.

 

[cyberjock]

https://bugs.freenas.org/issues/8188

 

[TheFlow]

Ok I shorted the Netbios name and now it works after setting new password / stopping cifs / revert to old password.

Thanks for all the help guys :)

 

[anodos]

That's interesting. For testing purposes: try changing your password to something different and simple (no special characters). If that doesn't work, try disabling all vfs objects except zfsacl.

Post the following:

• getfacl output for share "getfacl /mnt/backup/Volume1"
• Relevant log entries from winbind log. /var/log/samba/log.wb*

 

[Nick McCloud]

This thread saved my sanity. I went round the houses several times trying to get the Windows workstations in the office working until pdbedit -L told me that my login wasn't in the CIFS authentication database. Very unscientifically changed my password, stopped CIFS, changed password back, restarted CIFS and I was back on the list!

FreeNAS-9.3-STABLE-201503270027 - once the dust has settled on migrating the old file storage systems to FreeNAS I'll use one of the old servers to do a bit of testing / replay of events so I can be more useful. Big thanks to cyberjock for his presentation - took the edge off the learning curve in Jan/Feb.