Bug #65949

Allow Windows 10 and Server 2019 to pass security check during SMB connect

Added by Arch Willingham almost 2 years ago. Updated over 1 year ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: Services
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

Any Windows box running Server 2019 is unable to view or use any SMB share on FreeNAS 11.2.
If you run "net view \\freenasbox" you get:
System error 53 has occurred.

The network path was not found.


Related issues

Related to FreeNAS - Feature #23359: Time Machine over SMB (Done)

History

#1 Updated by Arch Willingham almost 2 years ago

  • File debug-freenas2-20181225161404.txz added
  • Private changed from No to Yes

#2 Updated by Arch Willingham almost 2 years ago

  • Subject changed from Can vew or use SMB data from Windows Serfver 2019 to Can't vew or use SMB data from Windows Serfver 2019

#3 Updated by Arch Willingham almost 2 years ago

  • Subject changed from Can't vew or use SMB data from Windows Serfver 2019 to Can't vew or use SMB data from Windows Server 2019

#4 Updated by William Grzybowski almost 2 years ago

  • Assignee changed from Release Council to Andrew Walker

Andrew, have you seen this before?

#5 Updated by Andrew Walker almost 2 years ago

Redmine ate my initial response, but here's the issue:

The default security settings have changed in Server 2019. During session negotiation the Server 2019 client tries to authenticate to the IPC share as the local Windows user three times. Each time the server responds to the Session Setup Request with success and Session Flags set to 0x0001 (i.e. guest). Server 2019 does not proceed with a Tree Connect.

You have three possible paths forward

1) Lower the security settings on Server 2019 by setting the following local group policy:
Computer configuration\administrative templates\network\Lanman Workstation "Enable insecure guest logons"
2) Create a local user account on the FreeNAS server with the same credentials you're using on the Windows Server
3) Join everything (FreeNAS Server, Server 2019) to an AD domain

I will do some further investigation to see if we need to alter our session setup response to coax a password prompt from Windows.
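
Added example, not part of the original comment and not FreeNAS or Samba code: a Python check for the condition described above, a successful SMB2 Session Setup Response whose Session Flags carry the guest bit (0x0001), as it could be applied to messages taken from a packet capture. It assumes the buffer starts at the SMB2 header with transport framing already removed; `guest_session_granted` and `build_response` are hypothetical names and the sample messages are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001           # Command code
SMB2_FLAGS_SERVER_TO_REDIR = 0x1      # header flag: message is a response
SESSION_FLAG_IS_GUEST = 0x0001        # the 0x0001 value quoted in the comment
STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016   # intermediate authentication leg


def guest_session_granted(msg: bytes) -> bool:
    """True if msg is a successful Session Setup Response flagged as guest."""
    if len(msg) < 64 + 8 or msg[:4] != SMB2_MAGIC:
        return False
    # Header fields after ProtocolId:
    # StructureSize, CreditCharge, Status, Command, Credits, Flags
    hdr_size, _, status, command, _, flags = struct.unpack_from("<HHIHHI", msg, 4)
    if hdr_size != 64 or command != SMB2_SESSION_SETUP:
        return False
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:      # a request, not a response
        return False
    body_size, session_flags = struct.unpack_from("<HH", msg, 64)
    if body_size != 9 or status != STATUS_SUCCESS:
        return False
    return bool(session_flags & SESSION_FLAG_IS_GUEST)


def build_response(status: int, session_flags: int) -> bytes:
    """Constructed sample: minimal response with an empty security buffer."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, 64, 0, status, SMB2_SESSION_SETUP, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 1, 0, 0, 0x1122334455667788, bytes(16),
    )
    body = struct.pack("<HHHH", 9, session_flags, 64 + 8, 0)
    return header + body


if __name__ == "__main__":
    for label, status, sflags in (
        ("auth leg", STATUS_MORE_PROCESSING_REQUIRED, 0),
        ("guest fallback", STATUS_SUCCESS, SESSION_FLAG_IS_GUEST),
        ("authenticated user", STATUS_SUCCESS, 0),
    ):
        print(label, guest_session_granted(build_response(status, sflags)))
```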

#6 Updated by Andrew Walker almost 2 years ago

Okay. Password prompt is presented when we set "map to guest = never". This should be the default unless we've explicitly enabled guest access on a share.

#7 Updated by Bug Clerk almost 2 years ago

  • Status changed from Unscreened to In Progress

#8 Updated by Bug Clerk almost 2 years ago

  • Status changed from In Progress to Ready for Testing

#9 Updated by Bug Clerk almost 2 years ago

  • Target version changed from Backlog to 11.2-U2

#10 Updated by Arch Willingham almost 2 years ago

Andrew Walker wrote:

Redmine ate my initial response, but here's the issue:

The default security settings have changed in Server 2019. During session negotiation the Server 2019 client tries to authenticate to the IPC share as the local Windows user three times. Each time the server responds to the Session Setup Request with success and Session Flags set to 0x0001 (i.e. guest). Server 2019 does not proceed with a Tree Connect.

You have three possible paths forward

1) Lower the security settings on Server 2019 by setting the following local group policy:
Computer configuration\administrative templates\network\Lanman Workstation "Enable insecure guest logons"
2) Create a local user account on the FreeNAS server with the same credentials you're using on the Windows Server
3) Join everything (FreeNAS Server, Server 2019) to an AD domain

I will do some further investigation to see if we need to alter our session setup response to coax a password prompt from Windows.

I ended up doing your suggestion of "Computer configuration\administrative templates\network\Lanman Workstation "Enable insecure guest logons"" except via the registry. Once I did that it worked great!

#11 Updated by Dru Lavigne almost 2 years ago

  • File deleted (debug-freenas2-20181225161404.txz)

#12 Updated by Dru Lavigne almost 2 years ago

#14 Updated by Dru Lavigne almost 2 years ago

  • Subject changed from Can't vew or use SMB data from Windows Server 2019 to Allow Windows 10 and Server 2019 to pass security check during SMB connect
  • Private changed from Yes to No
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#15 Updated by Andrew Walker almost 2 years ago

Testing procedure.
1) Set up a single Samba share with no guest access, then run "testparm -s" from the command line. There should not be a "map to guest" entry in the testparm output.
2) Set up a single Samba share with guest access, then run "testparm -s" from the command line. There should now be an entry "map to guest = bad user".
3) Set up two shares (one with guest and one without). Testparm output should show "map to guest = bad user".
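
Added example, not part of the original comment and not the project's own test code: the three checks above automated in Python over saved "testparm -s" output. The function names, share names and sample outputs are constructed for illustration, and the set of values treated as "guest ok" being enabled is an assumption.

```python
TRUE_VALUES = {"yes", "true", "on", "1"}   # treated as enabled here (assumption)


def parse_testparm(text):
    """Parse `testparm -s` output into {section: {parameter: value}}, lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections


def check_map_to_guest(text):
    """Return (ok, guest_shares, actual) for the cases in the testing procedure."""
    conf = parse_testparm(text)
    glob = conf.get("global", {})
    guest_shares = sorted(
        name for name, params in conf.items()
        if name != "global"
        and params.get("guest ok", glob.get("guest ok", "no")) in TRUE_VALUES
    )
    actual = glob.get("map to guest")      # None: no entry in the output
    expected = "bad user" if guest_shares else None
    return actual == expected, guest_shares, actual


# Constructed testparm-style samples (not taken from the ticket's debug file).
NO_GUEST = ("[global]\n\tserver role = standalone server\n\n"
            "[private]\n\tpath = /mnt/tank/private\n")
MIXED = ("[global]\n\tmap to guest = Bad User\n\n"
         "[private]\n\tpath = /mnt/tank/private\n\n"
         "[public]\n\tguest ok = Yes\n\tpath = /mnt/tank/public\n")
# Regression case: guest mapping still present although no share allows guests.
STALE = ("[global]\n\tmap to guest = Bad User\n\n"
         "[private]\n\tpath = /mnt/tank/private\n")

if __name__ == "__main__":
    for name, sample in (("no guest", NO_GUEST), ("mixed", MIXED), ("stale", STALE)):
        print(name, check_map_to_guest(sample))
```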

#18 Updated by Dru Lavigne over 1 year ago

  • Status changed from Passed Testing to Done
