FreeNAS-11.2-BETA1->FreeNAS-11.2-BETA2 Now Samba no longer works (access denied?)

Status
Not open for further replies.

biltong2

Dabbler
Joined
Apr 7, 2017
Messages
11
I upgraded to 11.2-BETA2 and now my Samba share has stopped working. Total Commander says Access Denied. Kodi says Connection Refused.

The troubleshooting guide at /docs/services.html#smb says "verify that Server maximum protocol is set to SMB2." but I cannot see that in the UI. The smb4.conf config file shows "server max protocol = SMB3" so I would like to try changing that to SMB2. The UI tooltip for auxiliary parameters mentions smb5.conf but I do not have that. Adding auxiliary parameters on the share "server max protocol = SMB2" does not fix the problem. Adding it on the server level does not overwrite the parameter but adds it later, the problem also still exists.

I tried creating a new Samba share to test with, and it appears in /usr/local/etc/smb4.conf, but my original samba share is now missing from there!

If I try and open the share with a Linux box using nautilus it works!

You will see in my previous post that this is a writeable NFS directory which I ro share with Samba (after I recreated it). If I run zfs get aclmode I see "aclmode restricted local" :( If I create a test samba share on a volume with "aclmode passthrough inherited from x" then I get the same error.

If I increase the log level I see "no protocol supported" as well as "pid_to_procid: messaging_dgm_get_unique failed: No such file or directory". If I set "server min protocol = SMB1" it does not help. Here is the log:

Code:
 Requested protocol [PC NETWORK PROGRAM 1.0]
 Requested protocol [MICROSOFT NETWORKS 1.03]
 Requested protocol [MICROSOFT NETWORKS 3.0]
 Requested protocol [LANMAN1.0]
 Requested protocol [LM1.2X002]
 Requested protocol [DOS LANMAN2.1]
 Requested protocol [LANMAN2.1]
 Requested protocol [Samba]
 Requested protocol [NT LANMAN 1.0]
 Requested protocol [NT LM 0.12]
 reply_negprot: No protocol supported !
 Server exit (no protocol supported
 )
 

biltong2

Dabbler
Joined
Apr 7, 2017
Messages
11
I set "server min protocol = NT1" as auxiliary parameter on the share and now it works. Is this a kodi problem? a freenas problem caused by the upgrade?
 

tfjad

Dabbler
Joined
Nov 1, 2016
Messages
12
Run in your Linux client:
Code:
testparm -s

Do you see in the [global] section a line like: client max protocol = SMB3
If you are NOT seeing that, you must edit your smb.conf and add that line into its [global] section. The file is probably at /etc/samba/smb.conf

The reason is, if 'client max protocol' is NOT set in smb.conf, then it defaults to NT1, which means your Linux will only make NT1 samba connections.
So, in this case the problem is not in FreeNAS, it's in some stupid defaults in Linux samba. But adding that line will fix this.
 

tfjad

Dabbler
Joined
Nov 1, 2016
Messages
12
Okay, but was there a FreeNAS change that caused this?

Yes, in FreeNAS 11.2-BETA2 they set server min protocol = SMB2 for security reasons. So hereafter all samba clients must be at least on level SMB2 to connect to SMB shares on newer FreeNAS versions.
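
The mismatch discussed in this thread, as an added example that is not part of any post here: it reads the "Requested protocol" lines from a Samba log and checks the best dialect the client offered against `server min protocol`. The dialect-to-level table is a coarse grouping assumed for illustration, and only the seven base level names are handled.

```python
import re

# Samba protocol levels, weakest first, as used by "server min protocol".
LEVELS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2", "SMB3"]

# Assumption: coarse grouping of negotiate dialect strings into those levels.
DIALECT_LEVEL = {
    "PC NETWORK PROGRAM 1.0": "CORE",
    "MICROSOFT NETWORKS 1.03": "COREPLUS",
    "MICROSOFT NETWORKS 3.0": "LANMAN1", "LANMAN1.0": "LANMAN1",
    "LM1.2X002": "LANMAN2", "DOS LANMAN2.1": "LANMAN2",
    "LANMAN2.1": "LANMAN2", "Samba": "LANMAN2",
    "NT LANMAN 1.0": "NT1", "NT LM 0.12": "NT1",
    "SMB 2.002": "SMB2", "SMB 2.???": "SMB2",
}
REQUESTED = re.compile(r"Requested protocol \[(.+?)\]")

def diagnose(log_text, server_min="SMB2"):
    """Compare the dialects a client offered with the server's minimum."""
    offered = REQUESTED.findall(log_text)
    known = [DIALECT_LEVEL[d] for d in offered if d in DIALECT_LEVEL]
    best = max(known, key=LEVELS.index) if known else None
    ok = best is not None and LEVELS.index(best) >= LEVELS.index(server_min)
    unrecognised = [d for d in offered if d not in DIALECT_LEVEL]
    return {"offered": offered, "unrecognised": unrecognised,
            "client_best": best, "accepted": ok}

# Dialect lines as logged in the first post of this thread.
THREAD_LOG = """\
 Requested protocol [PC NETWORK PROGRAM 1.0]
 Requested protocol [MICROSOFT NETWORKS 1.03]
 Requested protocol [MICROSOFT NETWORKS 3.0]
 Requested protocol [LANMAN1.0]
 Requested protocol [LM1.2X002]
 Requested protocol [DOS LANMAN2.1]
 Requested protocol [LANMAN2.1]
 Requested protocol [Samba]
 Requested protocol [NT LANMAN 1.0]
 Requested protocol [NT LM 0.12]
 reply_negprot: No protocol supported !
"""
# Constructed sample: the same client once it also offers an SMB2 dialect.
FIXED_LOG = THREAD_LOG + " Requested protocol [SMB 2.002]\n"

if __name__ == "__main__":
    for log in (THREAD_LOG, FIXED_LOG):
        print({m: diagnose(log, m)["accepted"] for m in ("SMB2", "NT1")})
```

A client whose best offer is NT1 is the one that would need either a client-side protocol change or a lowered server minimum, which makes the log a quick way to list affected devices before changing the server.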
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
If you are NOT seeing that, you must edit your smb.conf and add that line into its [global] section. The file is probably at /etc/samba/smb.conf

Will that survive a reboot?

I just installed a fresh VM with 11.2 and SMB shares are not available on my network.

My smb.conf shows SMB2, the server shows on the network, but nothing available:

Code:
root@fn112:~ # testparm
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[mello]"
Processing section "[repo]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
	deadtime = 15
	disable spoolss = Yes
	dns proxy = No
	dos charset = CP437
	hostname lookups = Yes
	kernel change notify = No
	lm announce = Yes
	load printers = No
	logging = file
	map to guest = Bad User
	max log size = 51200
	max open files = 459605
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	obey pam restrictions = Yes
	panic action = /usr/local/libexec/samba/samba-backtrace
	printcap name = /dev/null
	security = USER
	server min protocol = SMB2
	server role = standalone server
	server string = FreeNAS 11.2 Server
	time server = Yes
	idmap config *: range = 90000001-100000000
	idmap config * : backend = tdb
	acl allow execute always = Yes
	create mask = 0666
	directory mask = 0777
	directory name cache size = 0
	dos filemode = Yes
	ea support = Yes
	store dos attributes = Yes
	strict locking = No


[mello]
	path = "/mnt/tank/cifs/mello"
	read only = No
	veto files = /.snapshot/.windows/.mac/.zfs/
	vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
	zfsacl:acesort = dontcare
	nfs4:chown = true
	nfs4:acedup = merge
	nfs4:mode = special
	shadow:snapdirseverywhere = yes
	shadow:format = auto-%Y%m%d.%H%M-1w
	shadow:localtime = yes
	shadow:sort = desc
	shadow:snapdir = .zfs/snapshot


[repo]
	guest ok = Yes
	hide dot files = No
	path = "/mnt/tank/cifs/repo"
	read only = No
	veto files = /.snapshot/.windows/.mac/.zfs/
	vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
	zfsacl:acesort = dontcare
	nfs4:chown = true
	nfs4:acedup = merge
	nfs4:mode = special
	shadow:snapdirseverywhere = yes
	shadow:format = auto-%Y%m%d.%H%M-1w
	shadow:localtime = yes
	shadow:sort = desc
	shadow:snapdir = .zfs/snapshot



 

tfjad

Dabbler
Joined
Nov 1, 2016
Messages
12
Melloa, did you add the client max protocol = SMB3 line in your Linux client's smb.conf?

I have made no modifications to the smb.conf in FreeNAS, but in my Linux clients the [global] section of smb.conf looks like this:

Code:
[global]
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	max protocol = SMB3
	protocol = SMB3
	server min protocol = SMB2
	min protocol = SMB2
	client max protocol = SMB3
	client min protocol = SMB2
	dns proxy = No
	usershare allow guests = Yes
	usershare owner only = No
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb


I have no problems accessing shares on FreeNAS as long as permissions allow it. Also, all my Linux and Windows machines can access each other's shares.
edit: Actually that listing is how testparm shows the protocol lines. What I have in my smb.conf concerning min/max protocols is just these lines:
client min protocol = SMB2
client max protocol = SMB3
server min protocol = SMB2
server max protocol = SMB3
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Melloa, did you add the client max protocol = SMB3 line in your Linux client's smb.conf?

I just decided to move my tests to a test server to stop messing with my production server.

It is a small one with an Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz and 32 GB RAM on a X9SRW-F. Just installed ESXi and will passthrough 2x 2TiB HDDs to the FN test VM. Will report back as soon as I finish.

Also my tests are being performed from my desktop and laptop on Mint 4.15.0-32 and Win-S#&-dos 10.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
client min protocol = SMB2
client max protocol = SMB3
server min protocol = SMB2
server max protocol = SMB3

Adding those to my linux client smb.conf solved the problem.

Yes, in FreeNAS 11.2-BETA2 they set server min protocol = SMB2 for security reasons.

Which would be fine.

FN11.2 smb.conf has

Code:
server min protocol = SMB2



What is bugging me is why I had to change my client side to use SMB2 and SMB3. Will need to discuss this on their forum to see what they are defaulting to.

Will continue playing with this beta as I had problems with the installation three times already when running it with the HBAs passed and added to the VM. Only after the last update I was able to start the VM with the HBAs in it. The only other scenario was coming from 11.1 with the HBAs and changing train to upgrade to 11.2 ...

Thank you very much for your help.
 
Joined
May 12, 2017
Messages
6
Is there a solution that does not involve editing the client? I just upgraded from 11.1-U5 to 11.2-RC1 and our office copier/printer/SCANNER is no longer able to save scans to the shared scan directory.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You can enable older authentication, but that carries obvious security implications. It's your risk assessment to make.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Is there a solution that does not involve editing the client? I just upgraded from 11.1-U5 to 11.2-RC1 and our office copier/printer/SCANNER is no longer able to save scans to the shared scan directory.

This isn't just a FreeNAS issue of course - MS removed default SMB1 from Windows 10 for instance. You might find that your MFP manufacturer has new firmware/drivers if you are VERY lucky.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You might find that your MFP manufacturer has new firmware/drivers if you are VERY lucky.
Winning the lottery seems infinitely more likely, to be honest...
 
Joined
May 12, 2017
Messages
6
Can someone point me in the right direction? I edited the /usr/local/etc/smb4.conf and added "client min protocol NT1". However, that file gets overwritten when I restart the SMB service. I tried the following GUI tweaks without success: adding "client min protocol NT1" in the "Services->SMB->Auxiliary Parameters". I tried clicking the checkbox "NTLMv1 Auth" and I also tried adding "client min protocol NT1" in the "Sharing->Windows (SMB) Shares->[edit share]->Advanced Mode->Auxiliary Parameters". My fallback option is to set up a local FTP and configure the Kyocera 300ci for FTP.
 
Joined
May 12, 2017
Messages
6
SOLVED:
SMB1 was disabled in FreeNAS 11.1-U6 and here are the official instructions on how to re-enable it.
https://www.ixsystems.com/blog/library/freenas-11-1-u6/
Known Impacts

SMB1 has been disabled by default for security reasons. If legacy clients are no longer able to connect, type this command in the Shell, then restart the SMB service:

Code:
sysctl freenas.services.smb.config.server_min_protocol=NT1

If that resolves the issue, you can make that setting permanent by going to System → Tunables → Add Tunable and creating a Tunable with these settings:

Variable: freenas.services.smb.config.server_min_protocol

Value: NT1

Type: Sysctl


par

Explorer
Joined
Sep 26, 2013
Messages
92
I set "server min protocol = NT1" as auxiliary parameter on the share and now it works. Is this a kodi problem? a freenas problem caused by the upgrade?
Kodi for Android still uses NT1 until v18 Leia I believe. Which should be released very soon as Kodi 18 RC1 came out a week ago. At that point I would not configure NT1 anymore.
 