Connect Using Different Credentials to SMB's Doesn't Work

Wozza J

Dabbler
Joined
Aug 2, 2016
Messages
20
Hi.

This is driving me crazy!

I've set up a NAS for a family using an old tower PC with some drives and using 11.3. I've been using FreeNAS for a few years, but I feel I should have seen this problem before and I haven't.

Four family members each have a dataset (using their names). I've then created the SMB shares as their names too to match the Shared folder names and for the ACLs I've done as per the attached so you'll see there are explicit permissions with the users and groups with the parents being in the same groups as the children.

The problem occurs when trying to map to each drive, as using 'Connect using different credentials' keeps remembering the first login, even when I choose the correct username and using the format \\xxx.xxx.xxx.xxx\username and then the password. A couple of seconds after entering the password, the login box just reappears.

I have had a browse through the threads here and have seen similarities, but is there something solid I can do to resolve this? The main issue is one parent has access to all folders, the other parent has access to hers and the children and the children only have access to their own.

Thanks.
 

Attachments

  • Capture1.JPG
Joined
Oct 22, 2019
Messages
3,641
I hate to be the bearer of bad news, but what you described is an inherent and long-standing known issue with Windows. There have been complaints on Reddit and Microsoft forums, with the only official explanation that this is (somehow) a "security" feature.

It's nonsense, and other users correctly called this out: It's not a security feature, it's just laziness on Microsoft's side.

The real irony is that SMB is a Microsoft technology, yet I have the best experience using it with a FreeBSD server (TrueNAS) and Linux clients (Linux Mint and Manjaro KDE, using Smb4K to manage all my network shares / credentials.)

You did everything correctly. Unfortunately, in my opinion, Windows for the longest time (and even still today) provides an incomplete implementation of managing shares and mapped network drives. At one point I tried to find something comparable to Smb4K, but for Windows instead of Linux; with no luck. :frown:

If someone knows of such an alternative, please share!

One way to "bypass" this inherent limitation is to use the server's IP address for one share (e.g., \\192.168.2.101\linda), and the domain name for the other share (e.g., \\homenas.local\freddy). This is still not considered a "true solution" since it is limited to two different shares (will not work for three or more), and it does not address the core issue.
 
Last edited:
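Added example, not part of either poster's message: a small checker for a planned set of drive mappings. It models the Windows client as binding one credential to each server name as typed within a logon session (the condition behind system error 1219), which is why the IP-versus-hostname workaround above gets past the prompt. The share name `shared` and both sample plans are constructed for illustration.

```python
from collections import defaultdict

def server_of(unc):
    # Return the lower-cased server part of a UNC path (\\server\share[\...]).
    if not unc.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {unc!r}")
    parts = unc[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"UNC path needs server and share: {unc!r}")
    return parts[0].lower()

def find_conflicts(plan):
    # plan: iterable of (unc_path, username) for ONE Windows logon session.
    # Returns {server_name: sorted usernames} for every server name the plan
    # tries to reach with more than one username. The name is compared as
    # typed, so an IP address and a hostname count as different servers
    # (assumption of this model, matching the workaround in the thread).
    users = defaultdict(set)
    for unc, user in plan:
        users[server_of(unc)].add(user.lower())
    return {srv: sorted(u) for srv, u in users.items() if len(u) > 1}

# Constructed sample plans using the example addresses from the thread.
SAME_NAME = [
    (r"\\192.168.2.101\linda", "linda"),
    (r"\\192.168.2.101\freddy", "freddy"),  # second username, same server name
]
WORKAROUND = [
    (r"\\192.168.2.101\linda", "linda"),
    (r"\\192.168.2.101\shared", "linda"),   # hypothetical share, same user
    (r"\\homenas.local\freddy", "freddy"),  # other name for the same NAS
]

if __name__ == "__main__":
    for label, plan in (("same name", SAME_NAME), ("workaround", WORKAROUND)):
        print(label, "->", find_conflicts(plan) or "no conflict")
```

Running the checker against a planned mapping list before touching the client shows which server names would trigger the repeated login prompt.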

Wozza J

Dabbler
Joined
Aug 2, 2016
Messages
20
Thanks for the response there. I feel better knowing I was not doing something wrong. I had not tried the two different authentication methods in the same session so I'll give it a go and see.

I won't have access to the NAS for a few days now, but if that 'workaround' works, would it also work for Groups? By this I mean if one user authenticates to map to their own shared folder (e.g., \\192.168.2.101\linda) and they are also in a group that has permissions to other shared folders, once the drive mapping is complete, they would then be able to browse and access the folders that have group permissions assigned to them that that user is a member of and possibly map to those drives too? Then, if they need to map to another share using different credentials because they have no permissions of their own or not in a group with permissions to that share and use the 'other' authentication method using local domain name (e.g., \\homenas.local\freddy), it will work and they will also be able to browse to shares that that user is a group member of?

Hope that makes sense?!?!

Cheers,
Woz.
 
Joined
Oct 22, 2019
Messages
3,641
By this I mean if one user authenticates to map to their own shared folder (e.g., \\192.168.2.101\linda) and they are also in a group that has permissions to other shared folders, once the drive mapping is complete, they would then be able to browse and access the folders that have group permissions assigned to them that that user is a member of and possibly map to those drives too? Then, if they need to map to another share using different credentials because they have no permissions of their own or not in a group with permissions to that share and use the 'other' authentication method using local domain name (e.g., \\homenas.local\freddy), it will work and they will also be able to browse to shares that that user is a group member of?

Hope that makes sense?!?!

I think it is possible, how you described. The reason being when "linda" authenticates to the "server" 192.168.2.101, the user "linda" will be able to access other shares (via 192.168.2.101) as long as she has permission because of the group she is in. You can even use ACLs to more fine-tune permissions for different users and groups for each share / dataset.

Then "freddy" comes along, and does the same thing, but this time the "server" is homenas.local. The same applies to "freddy" as it did to linda in the previous example. The other users would have access based on their group.

I hadn't really dove into this so much on a Windows client. For my Windows PC, I only have one user access a server.

For my Linux PCs, it's much more intuitive:
  1. Either prepend the address with username@, such as freddy@homenas.local/mediafiles (GNOME, Cinnamon, Xfce, MATE desktops)
  2. Or manage separate shares with different credentials using Smb4K (KDE desktop only)

All the best! There may even be more sensible solutions that I haven't tried out myself.
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
I also had the same problem but with a little tweaking. In a TrueNAS VM (22.12.3.2), VirtualBox (7.0.8), I have three datasets that have the same naming as three groups, and three users. Because this was meant for testing purposes, I added each user to any of the three groups that I created. I installed OpenLDAP in the Ubuntu server in another virtual machine that I now use for authentication. I haven't set up SSL or TLS yet but authentication works fine. I am also in a secure network. In my case, I did set up one user at a time and set up ACLs, repeating the same to other users and their respective groups. The problem comes in when mapping drives. Only one user can mount all drives, the other two can neither mount nor read the datasets, even though the ACLs are correctly initiated.
Thank you.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I installed OpenLDAP
I think I saw @anodos saying that SMB shares would not work except with Active Directory (or TrueNAS builtin) as the directory service...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I think I saw @anodos saying that SMB shares would not work except with Active Directory (or TrueNAS builtin) as the directory service...
The gist of it is that a plain OpenLDAP server doesn't provide any of the authentication methods that are required by SMB protocol. You either need AD or local users. At some point we will work on making FreeIPA support easier (with kerberos AUTH in that case), but the current state of things especially with 13 is as I stated.
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
I think I saw @anodos saying that SMB shares would not work except with Active Directory (or TrueNAS builtin) as the directory service...
OK, I understand but isn't OpenLDAP an AD in itself? Both systems (Active Directory (LDAP) and Ubuntu server are running on a virtual machine). Or what do you mean by "Active Directory (or TrueNAS builtin) as the directory service..."?
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
Or I should preferably create an AD and not LDAP? Wait, does TrueNAS have a built-in AD?
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
The gist of it is that a plain OpenLDAP server doesn't provide any of the authentication methods that are required by SMB protocol. You either need AD or local users. At some point we will work on making FreeIPA support easier (with kerberos AUTH in that case), but the current state of things especially with 13 is as I stated.
So I should prefer building another custom AD and dump OpenLDAP for now?
Thank you.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
TrueNAS has built-in functionality to connect to an AD, but the feature once available in FreeNAS to offer Domain Controller functionality is no longer present.

AD is certainly the option to select if you use SMB.
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
That's a bit confusing because one of my users in my custom-built Ubuntu OpenLDAP server is authenticating to the TrueNAS. Should I go with Samba AD instead or are there other configuration settings I am missing?
Thanks.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
That's a bit confusing because one of my users in my custom-built ubuntu OpenLDAP server is authenticating to the TrueNAS
Do you mean to say that your TrueNAS is authenticating to OpenLDAP? (I don't think the TrueNAS server offers authentication servers as such).

Should I go with Samba AD instead or there are other configurations settings I am missing?
Setting up a SAMBA AD would be a reasonable option to get to what you want.
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
TrueNAS has built-in functionality to connect to an AD, but the feature once available in FreeNAS to offer Domain Controller functionality is no longer present.

AD is certainly the option to select if you use SMB.
Sure, like I said, I am using TrueNAS(22.12.3.2). So that means I can comfortably use AD. In my case, I am using an AD that I installed on Ubuntu Server 22.04. A proof of concept is that one of the users from the AD is authenticating to all the datasets which should not be the case due to set ACLs. The other users however cannot authenticate to their own datasets. I did add groups to have full control over the datasets. Now I need each and every user to authenticate to their respective datasets. That's it.
Thanks.
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
Do you mean to say that your TrueNAS is authenticating to OpenLDAP? (I don't think the TrueNAS server offers authentication servers as such).


Setting up a SAMBA AD would be a reasonable option to get to what you want.
Yeah, sure. I have an OpenLDAP server running on another VM(Ubuntu Server 22.04). I did configure TrueNAS LDAP to use that server for authentication and it worked.
Unless you are talking about something different. I tested and it worked.
 

manujava

Cadet
Joined
Jul 18, 2023
Messages
8
Yeah, sure. I have an OpenLDAP server running on another VM(Ubuntu Server 22.04). I did configure TrueNAS LDAP to use that server for authentication and it worked.
Unless you are talking about something different. I tested and it worked.
Let me correct myself, I realized that OpenLDAP wasn't actually authenticating. It's only that I had a user in my TrueNAS machine, that had the same username and password. After deleting that user in my TrueNAS VM and reconfiguring my LDAP, I couldn't authenticate.
Sorry for the mess.
 