Trouble accessing SMB shares via IP

squeakybadger

Dabbler
Joined
Feb 10, 2020
Messages
13
Hi all,

Running FreeNAS 11.3 connected to Windows Server 2019 Active Directory.

All shares are mounted under SMB, and I can connect using the FreeNAS name.

However, if I try to go via the IP, I get a permission denied error.

The only thing that I can find is that the share names appear in lowercase when via IP, and uppercase when using the server name (and how they appear in the SMB Sharing section of FreeNAS).

Output of testparm below

Code:
# Global parameters
[global]
        aio max threads = 2
        allow trusted domains = No
        bind interfaces only = Yes
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        enable web service discovery = Yes
        interfaces = 127.0.0.1 192.168.1.70
        kerberos method = secrets and keytab
        kernel change notify = No
        load printers = No
        local master = No
        logging = file
        map to guest = Bad User
        max log size = 51200
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        preferred master = No
        realm = PIKCELLS.LOCAL
        security = ADS
        server min protocol = SMB3_02
        server multi channel support = Yes
        server role = member server
        server string = FreeNAS Server
        smb ports = 445
        template shell = /bin/sh
        unix extensions = No
        username map = /usr/local/etc/smbusername.map
        username map cache time = 60
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max domain connections = 10
        workgroup = PIKCELLS
        idmap config *: range = 90000001-100000000
        idmap config pikcells: range = 20000-90000000
        idmap config pikcells: backend = rid
        fruit:nfs_aces = no
        idmap config * : backend = tdb
        allocation roundup size = 0
        directory name cache size = 0
        dos filemode = Yes
        include = /usr/local/etc/smb4_share.conf
        mangled names = illegal
        map archive = No
        store dos attributes = No
        wide links = Yes


[ASSETS]
        aio write size = 0
        ea support = No
        hide dot files = No
        path = /mnt/PIKCELLS/ASSETS
        read only = No
        smb encrypt = required
        veto files = /.windows/.mac/
        vfs objects = catia zfs_space zfsacl fruit streams_xattr
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = true
        fruit:resource = stream
        fruit:metadata = stream


[D10]
        aio write size = 0
        ea support = No
        guest ok = Yes
        path = /mnt/PIKCELLS/DEADLINE10
        read only = No
        smb encrypt = required
        veto files = /.windows/.mac/
        vfs objects = catia zfs_space zfsacl fruit streams_xattr
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = true
        fruit:resource = stream
        fruit:metadata = stream


[MDT]
        aio write size = 0
        ea support = No
        guest ok = Yes
        hide dot files = No
        path = /mnt/PIKCELLS/MDT
        read only = No
        smb encrypt = required
        veto files = /.windows/.mac/
        vfs objects = shadow_copy_zfs ixnas fruit streams_xattr
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = true
        fruit:resource = stream
        fruit:metadata = stream


[PHOTOGRAMMETRY]
        aio write size = 0
        ea support = No
        hide dot files = No
        path = /mnt/PIKCELLS/PHOTOGRAMMETRY
        read only = No
        smb encrypt = required
        veto files = /.windows/.mac/
        vfs objects = catia zfs_space zfsacl fruit streams_xattr
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = true
        fruit:resource = stream
        fruit:metadata = stream


[PROJECTS]
        aio write size = 0
        ea support = No
        hide dot files = No
        path = /mnt/PIKCELLS/PROJECTS
        read only = No
        smb encrypt = required
        veto files = /.windows/.mac/
        vfs objects = catia zfs_space zfsacl fruit streams_xattr
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = true
        fruit:resource = stream
        fruit:metadata = stream


[RESOURCES]
        aio write size = 0
        ea support = No
        hide dot files = No
        path = /mnt/PIKCELLS/RESOURCES
        read only = No
        smb encrypt = required
        veto files = /.windows/.mac/
        vfs objects = catia zfs_space zfsacl fruit streams_xattr
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = true
        fruit:resource = stream
        fruit:metadata = stream


[VMS]
        aio write size = 0
        ea support = No
        level2 oplocks = No
        oplocks = No
        path = /mnt/PIKCELLS/VMS
        read only = No
        smb encrypt = required
        strict locking = Yes
        veto files = /.windows/.




Any ideas of what is causing this issue?

Thanks.
 
Joined
Jul 2, 2019
Messages
648
Could it be that you need the old NTLM v.1?
 

squeakybadger

Dabbler
Joined
Feb 10, 2020
Messages
13
NTLM is just at the default (Not Defined) in the AD GPO.

Every Windows computer is now running Win10, so wouldn't NTLM v.1 be unnecessary?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Set auxiliary parameter "log level = 1 auth_audit:5", and then "tail -f /var/log/samba4/log.smbd" and watch authentication attempts over IP address.
 

squeakybadger

Dabbler
Joined
Feb 10, 2020
Messages
13
I disabled IPv6 in the NIC on a couple of PCs, but now that seems to have reversed the problem - I can now connect via IP and not by the server name...

Tail of the log file where I was flicking between the server name and then IP shares:

Code:
root@pikdrive[~]# tail -f /var/log/samba4/log.smbd

[2020/02/10 14:20:40.065120,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:20:40.066414,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:20:40.066798,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:20:40.070093,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:20:42.098338,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:15.706005,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[Administrator] [S-1-5-21-676162675-249835194-3389236030-500] at [Mon, 10 Feb 2020 14:21:15.705994 GMT] Remote host [ipv4:192.168.1.52:59401] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:21:15.706510,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2020/02/10 14:21:15.706542,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2020/02/10 14:21:19.001067,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:32.260789,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/02/10 14:21:32.262401,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/02/10 14:21:32.264572,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/02/10 14:21:32.268845,  0] ../../lib/param/loadparm.c:784(lpcfg_map_parameter)
  Unknown parameter encountered: "symlinks"
[2020/02/10 14:21:32.268880,  0] ../../lib/param/loadparm.c:1810(lpcfg_do_global_parameter)
  Ignoring unknown parameter "symlinks"
[2020/02/10 14:21:32.273398,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,krb5] user [PIKCELLS]\[Administrator] [S-1-5-21-676162675-249835194-3389236030-500] at [Mon, 10 Feb 2020 14:21:32.273352 GMT] Remote host [ipv4:192.168.1.52:59907] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:21:32.275723,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[Administrator] [S-1-5-21-676162675-249835194-3389236030-500] at [Mon, 10 Feb 2020 14:21:32.275716 GMT] Remote host [ipv4:192.168.1.52:59907] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:21:32.276471,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2020/02/10 14:21:32.276509,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2020/02/10 14:21:36.466792,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[Administrator] [S-1-5-21-676162675-249835194-3389236030-500] at [Mon, 10 Feb 2020 14:21:36.466781 GMT] Remote host [ipv4:192.168.1.52:59907] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:21:36.467284,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2020/02/10 14:21:36.467315,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2020/02/10 14:21:49.660845,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:54.434660,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125] at [Mon, 10 Feb 2020 14:21:54.434642 GMT] Remote host [ipv4:192.168.1.199:57230] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:21:54.435107,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2020/02/10 14:21:54.435140,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2020/02/10 14:21:56.618718,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.619174,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.619465,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.619528,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.621217,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.622793,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.624126,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.624557,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.624855,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.625320,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.626774,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.627195,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:56.634192,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:21:58.662489,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:22:00.053309,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/02/10 14:22:04.318963,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125] at [Mon, 10 Feb 2020 14:22:04.318949 GMT] Remote host [ipv4:192.168.1.199:57230] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:22:04.319392,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2020/02/10 14:22:04.319446,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2020/02/10 14:22:06.056993,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/02/10 14:22:06.058512,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/02/10 14:22:06.062049,  0] ../../lib/param/loadparm.c:784(lpcfg_map_parameter)
  Unknown parameter encountered: "symlinks"
[2020/02/10 14:22:06.062081,  0] ../../lib/param/loadparm.c:1810(lpcfg_do_global_parameter)
  Ignoring unknown parameter "symlinks"
[2020/02/10 14:22:06.067335,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [PIKCELLS]\[pikcells] at [Mon, 10 Feb 2020 14:22:06.067247 GMT] with [NTLMv2] status [NT_STATUS_OK] workstation [S08] remote host [ipv4:192.168.1.199:57586] became [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125]. local host [ipv4:192.168.1.70:445]
[2020/02/10 14:22:06.069229,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125] at [Mon, 10 Feb 2020 14:22:06.069222 GMT] Remote host [ipv4:192.168.1.199:57586] local host [ipv4:192.168.1.70:445]
[2020/02/10 14:22:06.071034,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125] at [Mon, 10 Feb 2020 14:22:06.071027 GMT] Remote host [ipv4:192.168.1.199
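
Added example, not part of the original thread: a short Python parser for the auth_audit lines in the log above, reporting per client and user whether each SMB2 session was authorized with Kerberos (krb5) or NTLM, the two mechanisms that appear in the posted log. The function names and the summary format are assumptions of this example; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Message lines of Samba's human-readable auth_audit output, copied from the
# log.smbd excerpt posted in the thread (not constructed).
SAMPLE_LOG = r"""
  Successful AuthZ: [SMB2,krb5] user [PIKCELLS]\[Administrator] [S-1-5-21-676162675-249835194-3389236030-500] at [Mon, 10 Feb 2020 14:21:32.273352 GMT] Remote host [ipv4:192.168.1.52:59907] local host [ipv4:192.168.1.70:445]
  Successful AuthZ: [srvsvc,ncacn_np] user [PIKCELLS]\[Administrator] [S-1-5-21-676162675-249835194-3389236030-500] at [Mon, 10 Feb 2020 14:21:32.275716 GMT] Remote host [ipv4:192.168.1.52:59907] local host [ipv4:192.168.1.70:445]
  Auth: [SMB2,(null)] user [PIKCELLS]\[pikcells] at [Mon, 10 Feb 2020 14:22:06.067247 GMT] with [NTLMv2] status [NT_STATUS_OK] workstation [S08] remote host [ipv4:192.168.1.199:57586] became [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125]. local host [ipv4:192.168.1.70:445]
  Successful AuthZ: [SMB2,NTLMSSP] user [PIKCELLS]\[pikcells] [S-1-5-21-676162675-249835194-3389236030-1125] at [Mon, 10 Feb 2020 14:22:06.069222 GMT] Remote host [ipv4:192.168.1.199:57586] local host [ipv4:192.168.1.70:445]
"""

# "Successful AuthZ: [service,auth type] user [DOMAIN]\[user] ... Remote host [ipv4:ip:port]"
AUTHZ = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]+),(?P<auth_type>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\].*?"
    r"Remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)
# "Auth: [service,...] user [DOMAIN]\[user] ... with [type] status [code] ... remote host [...]"
AUTH = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),[^\]]*\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\].*?"
    r"with \[(?P<password_type>[^\]]+)\] status \[(?P<status>[^\]]+)\].*?"
    r"remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)

def summarize(log_text):
    """Map (client IP, DOMAIN + backslash + user) to the mechanisms seen for SMB2."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTHZ.search(line)
        if m and m["service"] == "SMB2":  # skip srvsvc pipe events on the same session
            seen[(m["ip"], m["domain"] + "\\" + m["user"])].add(m["auth_type"])
            continue
        m = AUTH.search(line)
        if m and m["service"] == "SMB2":  # password check event, e.g. NTLMv2
            key = (m["ip"], m["domain"] + "\\" + m["user"])
            seen[key].add(f'{m["password_type"]}:{m["status"]}')
    return dict(seen)

def ntlm_only(summary):
    """Clients that never presented a Kerberos ticket in the parsed window."""
    return sorted(k for k, mechs in summary.items() if "krb5" not in mechs)

if __name__ == "__main__":
    for client, mechs in sorted(summarize(SAMPLE_LOG).items()):
        print(client, sorted(mechs))
```
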
 

squeakybadger

Dabbler
Joined
Feb 10, 2020
Messages
13
Quick update on this.

Went into the SMB shares and used the remove ACLs option on each, then started adding the user groups for the domain users that were needed.

Finally added the default group@/user@/everyone@ ACLs to each share and everything seems to be working correctly over IP and server name.

It's been 12+ hours since these changes, so any IP/network permission changes should have taken effect by now.

Updating from 11.2 to 11.3 might have caused the permissions to throw a bit of a wobbly!
 