Windows 2019 and TrueNAS SMB share access problems

samba4 windows-server-2019

I'm having all sorts of trouble getting a FRESH Windows Server 2019 to connect to a Samba share on TrueNAS 12.

Originally, when I tried to log in, Windows kept saying "You Can't Access This Shared Folder Because Your Organization's Security Policies Block Unauthenticated Guest Access.", so I went into the registry and changed the lanman workstation setting AllowInsecureGuestAuth to 1. That solved that issue.

Now when I try to map the share, it just says "Access is denied" when I try and enter the user credentials.
Checking the TrueNAS log.smbd:

[2021/11/07 14:33:36.554336,  1] ../../source3/smbd/service.c:369(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (Backup)
[2021/11/07 14:33:36.554346,  1] ../../source3/smbd/service.c:557(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Enabling guest access to the SMB share in TrueNAS lets Windows mount the folder, but it still says "You do not have permission to access \\server\Backup\." despite the TrueNAS folder being owned by the user and having read/write permission.
Log entries for that error:

[2021/11/07 14:55:22.096249,  0] ../../source3/smbd/service.c:171(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/MainPool/Backup) failed: Permission denied. Current token: uid=65534, gid=65534, 3 groups: 65534 90000001 90000002
[2021/11/07 14:55:22.096273,  0] ../../source3/smbd/service.c:183(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/MainPool/Backup) failed: Permission denied. Current token: uid=65534, gid=65534, 3 groups: 65534 90000001 90000002

But before I solve that part, I am confused about the log saying guest user.
So why is Windows Server trying to use a guest user when I gave it the credentials of the user I created in TrueNAS? I never said use guest login on Windows…

Best Answer

Did you actually invoke a net use \\servername\IPC$ /user:YOURCREATEDUSER ?

A resulting config on the TrueNAS could look like this.

testparm |grep -A6 sharename
[sharename]
    ea support = No
    kernel share modes = No
    path = /mnt/p0/share
    posix locking = No
    read only = No
    vfs objects = streams_xattr shadow_copy_zfs ixnas aio_fbsd
    nfs4:chown = true

The ACLs on that Share are usually the root of all problems.

root@nas[/mnt/p0]# getfacl share 
# file: share
# owner: username
# group: groupofuser
     user:username:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fdi----:allow
 group:groupofuser:rwxpDdaARWcCo-:-------:allow
            group@:rwxpDdaARWcCo-:fdi----:allow
         everyone@:rwxpDdaARWc---:fd-----:allow
group:anothergroup:rwxpDdaARWcCo-:fd-----:allow
  user:anotheruser:rwxpDdaARWcCo-:fd-----:allow
         everyone@:--------------:fd-----:allow

The new GUI has a few gimmicks for that.

EDIT:

I played it through and it worked. I didn't have a Windows-Server on hand but even an SMB3-Connection should suffice.

For testing purposes I suggest you create a new Dataset.

Check that your User on the TrueNAS has the Option 'Samba Authentication' enabled.

Now you can 'ADD' a new Share and choose the untouched Dataset and fill in a Name. For 'Purpose' you will choose 'Default share parameters'. After submitting these Settings the GUI will ask you if you want to configure the ACLs. Do that. Then you will select the ACL-Preset 'RESTRICTED'. After that insert your User and Group in the Box at the top left and select the corresponding 'Apply User/Group' checkboxes. Down at the bottom you will also select 'Apply permissions recursively'. There will be a warning: 'Confirm' and 'Continue', and all that is left is the 'Save' button.

I can also provide you with screenshots if needed. But I would need to upload them because of my LOW status. Holla if needed :-).
