FreeNAS 11.1 U4 samba issue with old clients, lanman?

Status
Not open for further replies.

lowlytech

Dabbler
Joined
Aug 2, 2017
Messages
31
Yes to adding the aux param; log.nmbd and log.smbd are the relevant logs. Beware, raising the log level in smb.conf can produce large amounts of output. Don't follow a change in log level in smb.conf with a testparm command, as I've read this sets the SAMBA log level back to 2.

Is the problem shown when you simply stop and start the SAMBA service? You want to save wear and tear on your hardware by avoiding repeated re-boots. Also, are all the changes you've made to your smb.conf persistent - i.e. you've added them as "auxiliary parameters" in the service config?

When you do make a successful samba connection, what is the output of smbstatus at the FreeNAS CLI?

But I came across this old post on the net which may be related:



In the case of FreeNAS I think that equates to get the smb.conf right first, then (re)create your windows shares and then check if LANMAN hash is in the samba password db.


I had a chance to clear the logs and capture myself copying a file over to a DOS client, then restarting the SMB service and then losing access. So you're right: just restarting the SMB service turns my connection on the vintage machine to access denied until I rerun SMBPASSWD. Even capturing for 40 seconds, the log files came to about 1.5MB, so I will upload those separately.


SMBSTATUS
Code:
root@lcars:/var/log/samba4 # smbpasswd -a jamie
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
doing parameter client ntlmv2 auth = no
doing parameter client ipc signing = auto
doing parameter allow dcerpc auth level connect = yes
doing parameter lanman auth = yes
doing parameter client lanman auth = yes
doing parameter client plaintext auth = yes
doing parameter server signing = disabled
doing parameter ldap server require strong auth = no
doing parameter server min protocol = CORE
doing parameter log level = 3 passdb:5 auth:5
Attempting to find a passdb backend to match tdbsam (tdbsam)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/local/lib/shared-modules/pdb/tdbsam.so' loaded
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
New SMB password:
Retype new SMB password:
tdbsam_open: successfully opened /var/db/samba4/private/passdb.tdb
Forcing Primary Group to 'Domain Users' for jamie
Storing account jamie with RID 3002
root@lcars:/var/log/samba4 # smbpasswd -a jamie
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
doing parameter client ntlmv2 auth = no
doing parameter client ipc signing = auto
doing parameter allow dcerpc auth level connect = yes
doing parameter lanman auth = yes
doing parameter client lanman auth = yes
doing parameter client plaintext auth = yes
doing parameter server signing = disabled
doing parameter ldap server require strong auth = no
doing parameter server min protocol = CORE
doing parameter log level = 3 passdb:5 auth:5
Attempting to find a passdb backend to match tdbsam (tdbsam)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/local/lib/shared-modules/pdb/tdbsam.so' loaded
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
New SMB password:
Retype new SMB password:
tdbsam_open: successfully opened /var/db/samba4/private/passdb.tdb
Forcing Primary Group to 'Domain Users' for jamie
Storing account jamie with RID 3002
root@lcars:/var/log/samba4 # smbstatus

Samba version 4.7.0
PID     Username     Group        Machine                              Protocol Version  Encryption   Signing
-------------------------------------------------------------------------------------------------------------
709     jamie        jamie        172.16.2.2 (ipv4:172.16.2.2:57649)   SMB2_10           -            -
902     jamie        jamie        jamie (ipv4:172.16.2.50:33598)       NT1               -            -
645     jamie        jamie        172.16.1.4 (ipv4:172.16.1.4:54360)   SMB3_00           -            partial(HMAC-SHA256)

Service      pid     Machine       Connected at                     Encryption   Signing
-----------------------------------------------------------------------------------------
shared       709     172.16.2.2    Fri Jun  1 07:43:49 2018 CDT     -            -
plexmedia    709     172.16.2.2    Fri Jun  1 07:43:49 2018 CDT     -            -
shared       645     172.16.1.4    Fri Jun  1 07:41:44 2018 CDT     -            HMAC-SHA256
IPC$         645     172.16.1.4    Fri Jun  1 07:41:44 2018 CDT     -            HMAC-SHA256
shared       902     jamie         Fri Jun  1 07:44:32 2018 CDT     -            -

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath            Name   Time
--------------------------------------------------------------------------------------------------------------
709          1001       DENY_NONE  0x80        RDONLY     NONE             /mnt/NAS/plexmedia   .      Fri Jun  1 07:43:49 2018
709          1001       DENY_NONE  0x80        RDONLY     NONE             /mnt/NAS/shared      .      Fri Jun  1 07:43:49 2018

root@lcars:/var/log/samba4 #

 

Attachments

  • all-logs.zip
    231.5 KB · Views: 299

lowlytech

Dabbler
Joined
Aug 2, 2017
Messages
31
Brain not in gear yesterday. Firstly, AFAIK FreeNAS creates entries in the SAMBA password DB when and if you add user accounts to the system, irrespective of any SMB share set up or even starting the SMB service. So are LANMAN hashes ever created by FreeNAS? The command pdbedit -L -vw shows the LM and NT hashes (I left off the "w" switch previously) and man(5) smbpasswd will tell you what a string of 32 "X" means.

If you're having to use the smbpasswd command at the CLI to enable a connection then this workaround is not going to persist on a re-boot if the LANMAN hash is lost.

pdbedit -L -vw

Code:
root@lcars:~ # pdbedit -L -vw
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
doing parameter client ntlmv2 auth = no
doing parameter client ipc signing = auto
doing parameter allow dcerpc auth level connect = yes
doing parameter lanman auth = yes
doing parameter client lanman auth = yes
doing parameter client plaintext auth = yes
doing parameter server signing = disabled
doing parameter ldap server require strong auth = no
doing parameter server min protocol = CORE
doing parameter log level = 3 passdb:5 auth:5
Attempting to find a passdb backend to match tdbsam (tdbsam)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/local/lib/shared-modules/pdb/tdbsam.so' loaded
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /var/db/samba4/private/passdb.tdb
---------------
Unix username:		test
NT username:
Account Flags:		[U		  ]
User SID:			 S-1-5-21-1881563143-3349900363-1681061685-1004
Failed to find a Unix account for test
Primary Group SID:	(NULL SID)
Full Name:			test
Home Directory:	   \\lcars\test
HomeDir Drive:
Logon Script:
Profile Path:		 \\lcars\test\profile
Domain:			   LCARS
Account desc:
Workstations:
Munged dial:
Logon time:		   0
Logoff time:		  9223372036854775807 seconds since the Epoch
Kickoff time:		 9223372036854775807 seconds since the Epoch
Password last set:	Sat, 26 May 2018 16:11:31 CDT
Password can change:  Sat, 26 May 2018 16:11:31 CDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours		 : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LM hash			 : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash			 : 2D20D252A479F485CDF5E171D93985BF
---------------
Unix username:		jamie
NT username:
Account Flags:		[U		  ]
User SID:			 S-1-5-21-1881563143-3349900363-1681061685-3002
Forcing Primary Group to 'Domain Users' for jamie
Primary Group SID:	S-1-5-21-1881563143-3349900363-1681061685-513
Full Name:			Jamie
Home Directory:	   \\lcars\jamie
HomeDir Drive:
Logon Script:
Profile Path:		 \\lcars\jamie\profile
Domain:			   LCARS
Account desc:
Workstations:
Munged dial:
Logon time:		   0
Logoff time:		  9223372036854775807 seconds since the Epoch
Kickoff time:		 9223372036854775807 seconds since the Epoch
Password last set:	Fri, 01 Jun 2018 07:44:25 CDT
Password can change:  Fri, 01 Jun 2018 07:44:25 CDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours		 : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LM hash			 : E995E37AB0E1A406AAD3B435B51404EE
NT hash			 : 312C2700D6C69346BE65F2B15E1D959F
---------------
Unix username:		plex
NT username:
Account Flags:		[U		  ]
User SID:			 S-1-5-21-1881563143-3349900363-1681061685-3000
lookup_global_sam_rid: looking up RID 1003.
pdb_getsampwrid (TDB): error looking up RID 1003 by key RID_000003eb.
lookup_rids: plex:4
Primary group S-1-5-21-1881563143-3349900363-1681061685-1003 for user plex is a Local Group and not a domain group
Forcing Primary Group to 'Domain Users' for plex
Primary Group SID:	S-1-5-21-1881563143-3349900363-1681061685-513
Full Name:			plex
Home Directory:	   \\lcars\plex
HomeDir Drive:
Logon Script:
Profile Path:		 \\lcars\plex\profile
Domain:			   LCARS
Account desc:
Workstations:
Munged dial:
Logon time:		   0
Logoff time:		  9223372036854775807 seconds since the Epoch
Kickoff time:		 9223372036854775807 seconds since the Epoch
Password last set:	Sun, 13 May 2018 07:01:32 CDT
Password can change:  Sun, 13 May 2018 07:01:32 CDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours		 : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LM hash			 : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash			 : CCA2F7E7CD29530D692C69FADE42C3A1
---------------
Unix username:		guest
NT username:
Account Flags:		[DU		 ]
User SID:			 S-1-5-21-1881563143-3349900363-1681061685-3004
Forcing Primary Group to 'Domain Users' for guest
Primary Group SID:	S-1-5-21-1881563143-3349900363-1681061685-513
Full Name:			public access
Home Directory:	   \\lcars\guest
HomeDir Drive:
Logon Script:
Profile Path:		 \\lcars\guest\profile
Domain:			   LCARS
Account desc:
Workstations:
Munged dial:
Logon time:		   0
Logoff time:		  9223372036854775807 seconds since the Epoch
Kickoff time:		 9223372036854775807 seconds since the Epoch
Password last set:	Tue, 01 Aug 2017 23:21:32 CDT
Password can change:  Tue, 01 Aug 2017 23:21:32 CDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours		 : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LM hash			 : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash			 : 31D6CFE0D16AE931B73C59D7E0C089C0
root@lcars:~ #
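A small checker for the pdbedit listing above, added here as an example (not code from the thread or from FreeNAS). It parses `pdbedit -L -vw` output into one record per account and reports which accounts have no LM hash (the 32 "X" string from smbpasswd(5)), which ones carry an LM hash at all, and which carry the empty-password NT hash. The sample listing is constructed; apart from the two well-known constants, the hash values are placeholders.

```python
"""Audit a `pdbedit -L -vw` listing for the LM-hash condition discussed above.
Added example, not thread or FreeNAS code: 32 'X' characters in the LM hash
field mean no LM hash is stored (smbpasswd(5)), so LANMAN-only clients fail."""
import re

NO_LM_HASH = "X" * 32
# An LM hash is two 7-character halves; this is the hash of an empty half,
# so seeing it in the second half means the password is 7 characters or less.
LM_EMPTY_HALF = "AAD3B435B51404EE"
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password

# Constructed sample in the layout of the thread's pdbedit output; hash
# values other than the two constants above are placeholders.
SAMPLE = """\
---------------
Unix username:        test
Account Flags:        [U          ]
LM hash             : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash             : 00112233445566778899AABBCCDDEEFF
---------------
Unix username:        jamie
Account Flags:        [U          ]
Forcing Primary Group to 'Domain Users' for jamie
LM hash             : 0123456789ABCDEFAAD3B435B51404EE
NT hash             : FFEEDDCCBBAA99887766554433221100
---------------
Unix username:        guest
Account Flags:        [DU         ]
LM hash             : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash             : 31D6CFE0D16AE931B73C59D7E0C089C0
"""

# 'Key : value' lines only; diagnostic lines without a key are skipped.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_pdbedit(text):
    """One dict per account; pdbedit separates accounts with a dashed line."""
    chunks = re.split(r"^-+$", text, flags=re.M)[1:]  # chunk 0 is the debug preamble
    return [dict(m.groups() for m in map(FIELD.match, c.splitlines()) if m)
            for c in chunks]


def audit(accounts):
    """Return {username: [finding codes]} for each account in the listing."""
    findings = {}
    for acct in accounts:
        lm = acct.get("LM hash", "").upper()
        codes = []
        if lm == NO_LM_HASH:
            codes.append("no-lm-hash")      # DOS/Win9x LANMAN logons will be denied
        else:
            codes.append("lm-hash-stored")  # weak hash on disk: protect passdb.tdb
            if lm[16:] == LM_EMPTY_HALF:
                codes.append("lm-short-password")
        if acct.get("NT hash", "").upper() == NT_EMPTY:
            codes.append("nt-empty-password")
        if "D" in acct.get("Account Flags", ""):
            codes.append("disabled")
        findings[acct.get("Unix username", "?")] = codes
    return findings
```

Feed it the real listing with `audit(parse_pdbedit(open("pdbedit.txt").read()))` after saving the command output to a file; re-run it after a service restart to see which accounts flipped to `no-lm-hash`.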

 

lowlytech

Dabbler
Joined
Aug 2, 2017
Messages
31
Just now restarted SMB service and reran pdbedit -L -vw and my LM hash is reset for user JAMIE

Code:
root@lcars:~ # pdbedit -L -vw
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
doing parameter client ntlmv2 auth = no
doing parameter client ipc signing = auto
doing parameter allow dcerpc auth level connect = yes
doing parameter lanman auth = yes
doing parameter client lanman auth = yes
doing parameter client plaintext auth = yes
doing parameter server signing = disabled
doing parameter ldap server require strong auth = no
doing parameter server min protocol = CORE
doing parameter log level = 3 passdb:5 auth:5
Attempting to find a passdb backend to match tdbsam (tdbsam)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/local/lib/shared-modules/pdb/tdbsam.so' loaded
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /var/db/samba4/private/passdb.tdb
---------------
Unix username:		test
NT username:
Account Flags:		[U		  ]
User SID:			 S-1-5-21-1881563143-3349900363-1681061685-1004
Failed to find a Unix account for test
Primary Group SID:	(NULL SID)
Full Name:			test
Home Directory:	   \\lcars\test
HomeDir Drive:
Logon Script:
Profile Path:		 \\lcars\test\profile
Domain:			   LCARS
Account desc:
Workstations:
Munged dial:
Logon time:		   0
Logoff time:		  9223372036854775807 seconds since the Epoch
Kickoff time:		 9223372036854775807 seconds since the Epoch
Password last set:	Sat, 26 May 2018 16:11:31 CDT
Password can change:  Sat, 26 May 2018 16:11:31 CDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours		 : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LM hash			 : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash			 : 2D20D252A479F485CDF5E171D93985BF
---------------
Unix username:		jamie
NT username:
Account Flags:		[U		  ]
User SID:			 S-1-5-21-1881563143-3349900363-1681061685-3002
Forcing Primary Group to 'Domain Users' for jamie
Primary Group SID:	S-1-5-21-1881563143-3349900363-1681061685-513
Full Name:			Jamie
Home Directory:	   \\lcars\jamie
HomeDir Drive:
Logon Script:
Profile Path:		 \\lcars\jamie\profile
Domain:			   LCARS
Account desc:
Workstations:
Munged dial:
Logon time:		   0
Logoff time:		  9223372036854775807 seconds since the Epoch
Kickoff time:		 9223372036854775807 seconds since the Epoch
Password last set:	Wed, 30 May 2018 18:34:03 CDT
Password can change:  Wed, 30 May 2018 18:34:03 CDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours		 : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LM hash			 : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
NT hash			 : 312C2700D6C69346BE65F2B15E1D959F

 

jtoninger

Dabbler
Joined
Aug 29, 2018
Messages
13
I seem to have been struck by this same issue. I am trying to set up a FreeNAS box to serve files to old win98 machines that run factory machinery.

I was briefly able to access the FreeNAS (FreeNAS-11.1-U6) box from the windows 98 machines until after a reboot. Where things are different for me is that using smbpasswd -a does not resolve the issue now even temporarily.

I have deleted and recreated the user, tried smbpasswd and made sure to restart samba manually with no luck.

pdbedit shows the user has a LM Hash but I cannot verify that it is being properly updated.

I set the Auxiliary parameters:

ntlm auth = yes
allow dcerpc auth level connect = yes
client ipc signing = auto
client ntlmv2 auth = no
client lanman auth = yes
client plaintext auth = yes
lanman auth = Yes
server signing = disabled
ldap server require strong auth = no
server min protocol = CORE


Again, this setup was working, and then I rebooted, and it stopped.

Any help would be appreciated.

Thanks
 

Attachments

  • pdbedit output.txt
    1,022 bytes · Views: 374
  • testparm -v output.txt
    14.6 KB · Views: 420
  • debug-TORPHNAS01-20180829125444.tgz
    187.3 KB · Views: 330

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Try contacting @anodos (ixSystems member ) re: your SMB problem.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Looks like you're getting stuck here:
Code:
[2018/08/29 11:14:51.072134,  1] ../source3/auth/auth.c:128(check_domain_match)
  check_domain_match: Attempt to connect as user FLOOR from domain FLOOR denied.

Try enabling trusted domains under Directory Services -> Active Directory. This should at a minimum move past this particular auth roadblock.
 

teacfreak

Cadet
Joined
Oct 3, 2018
Messages
2
Hi, I'm new to this forum, signing in because I found this thread.

I face pretty similar problems with XP since the update from 9.10 to 11.1.U6 yesterday.
I managed to solve the actual issue by using old style editing of the smb4.conf. Everything now works fine again, but the /etc/local/smb4.conf is exchanged by the version of the GUI every time I change things there or do a reboot.

So how can I protect the smb4.conf from being overwritten or exchanged by the system automatically?

Using only the auxiliary parameter field wasn't sufficient, unfortunately, so I had to do the config old school.
Unfortunately there seems to be no other way for my situation, and it's fine for me, having used samba for more than 20 years.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hi, I'm new to this forum, signing in because I found this thread.

I face pretty similar problems with XP since the update from 9.10 to 11.1.U6 yesterday.
I managed to solve the actual issue by using old style editing of the smb4.conf. Everything now works fine again, but the /etc/local/smb4.conf is exchanged by the version of the GUI every time I change things there or do a reboot.

So how can I protect the smb4.conf from being overwritten or exchanged by the system automatically?

Using only the auxiliary parameter field wasn't sufficient, unfortunately, so I had to do the config old school.
Unfortunately there seems to be no other way for my situation, and it's fine for me, having used samba for more than 20 years.

Please post your smb.conf
 

teacfreak

Cadet
Joined
Oct 3, 2018
Messages
2
Thanks for your quick answer.
You will find the config of the specific machine below.

Code:
Maura# cat smb4.conf
[global]
	server min protocol = LANMAN1
	server max protocol = SMB3
	interfaces = 127.0.0.1 172.22.1.3
	bind interfaces only = yes
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 706655
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	unix extensions = no
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = yes
	local master = yes
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = standalone
	netbios name = MAURA
	netbios aliases = FILESERVER
	workgroup = HYDRO-PC-TEAM
	security = user
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = ASCII
	unix charset = ISO8859-1
	log level = 1
	lanman auth = yes
	follow symlinks = yes
	wide links = yes
	unix extensions = no
	log file = /var/log/samba4/%m
	logon script = init.bat
	logon path = \\%L\%U\.nt-profile\%m
	logon home = \\%L\%U\.win-profil\%m
	

[Fotolabor]
	path = "/mnt/BigSpace/DS-BigSpace/Fotolabor/%U"
	comment = Fotos
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = no
	access based share enum = no
	vfs objects = zfs_space zfsacl streams_xattr
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
	create mask = 0644
	directory mask = 0755
	valid users = hugo max
	
...

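The auxiliary parameters jtoninger listed and the smb4.conf above both switch Samba back to pre-SMB2 authentication. The following checker is an added example (not FreeNAS or Samba code) that reads the [global] section of an smb.conf-style file and reports each of those settings together with what it gives up; the config fragment it runs on is constructed from the values posted in this thread.

```python
"""Flag the legacy-authentication smb.conf settings posted in this thread.
Added example, not FreeNAS or Samba code; assumes plain smb.conf syntax and
describes what each parameter does in Samba 4."""

# Constructed fragment combining the auxiliary parameters and smb4.conf lines
# posted above; it is not a real server's file.
SAMPLE_CONF = """\
[global]
    server min protocol = CORE
    lanman auth = Yes
    ntlm auth = yes
    client lanman auth = yes
    client plaintext auth = yes
    client ntlmv2 auth = no
    server signing = disabled
    ldap server require strong auth = no
    allow dcerpc auth level connect = yes
    workgroup = HYDRO-PC-TEAM

[shared]
    path = /mnt/NAS/shared
"""

SMB1 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}   # pre-SMB2 dialects
def yes(v): return v.lower() in {"yes", "true", "1"}
def no(v): return v.lower() in {"no", "false", "0"}

# (parameter, test for the weak value, what the server or client gives up)
CHECKS = [
    ("server min protocol", lambda v: v.upper() in SMB1, "accepts SMB1 dialects, which lack modern signing and encryption"),
    ("lanman auth", yes, "accepts LM challenge-response and stores LM hashes in passdb.tdb"),
    ("ntlm auth", yes, "accepts NTLMv1 responses instead of NTLMv2 only"),
    ("server signing", lambda v: v.lower() == "disabled", "SMB signing off: sessions can be tampered with or relayed"),
    ("allow dcerpc auth level connect", yes, "RPC binds accepted with no integrity or privacy"),
    ("client lanman auth", yes, "Samba's own client side will send LM responses"),
    ("client plaintext auth", yes, "Samba's own client side may send cleartext passwords"),
    ("client ntlmv2 auth", no, "Samba's own client side falls back from NTLMv2"),
    ("ldap server require strong auth", no, "AD DC role: LDAP simple binds accepted without TLS"),
]


def parse_global(text):
    """Return the [global] section as {lowercased parameter: value}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both smb.conf comment styles
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg


def audit_global(cfg):
    """Return [(parameter, value, consequence)] for each weak setting present."""
    return [(p, cfg[p], why) for p, weak, why in CHECKS if p in cfg and weak(cfg[p])]
```

Run `audit_global(parse_global(open("/etc/local/smb4.conf").read()))` against the generated file to see exactly which downgrades are in force after the GUI regenerates it; an empty list means none of these settings is present with its weak value.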
 