Could not authenticate to SMB share with correct creds [solved] : freenas

I solved this issue but wanted to share the solution.

I had set SMB permissions correctly according to this forum post and this video, but I was never able to access my SMB share.

I was able to see the server and the list of shares, but no matter what I could not actually open a share. No matter what user or group I used, each login from W10 would fail with ‘Access is Denied’ or ‘Incorrect user name or password’ or ‘Check with system admin to verify permissions’.

The first thing I wish I had known off the bat was that samba activity is logged in FreeNAS at /var/log/samba4/log.smbd. Tailing that log, it was obvious there were authentication issues. On each login attempt, I saw:

[2018/04/15 02:10:51.243374,  2] ../source3/param/loadparm.c:2787(lp_do_section)
  Processing section "[$fnstorage]"
[2018/04/15 02:10:51.245286,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser
[2018/04/15 02:10:51.245752,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [msUser] -> [msUser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/04/15 02:10:51.245837,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MicrosoftAccount]\[msUser] at [Sun, 15 Apr 2018 02:10:51.245799 PDT] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [win10-PC] remote host [remoteAddress] mapped to [MicrosoftAccount]\[msUser]. local host [hostAddress]
[2018/04/15 02:10:51.245934,  2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD

Now at first glance, what jumps out is NT_STATUS_WRONG_PASSWORD; you might think you’re just typing your password wrong. But that’s not what’s really going on. The real culprit is

ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser

You may remember that NTLMv2 is the standard for SMB security, and NTLMv1 authentication is disabled by default in FreeNAS SMB shares.

I figured my PC was using NTLMv1 for some reason. A little research led me to this GPO in Group Policy:

 Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager authentication level\

Set this to Send NTLMv2 Only instead of whatever else it is. Mine was set to Use NTLMv2 if negotiated. See Microsoft’s docs for the caveats here.

I’m not sure if the value my PC was using is default, and I’m not sure if FreeNAS should actually negotiate NTLMv2, but this resolved my issue with no impact to other SMB shares on my network.
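As an added example (not part of the original post or of FreeNAS/Samba), the following Python script shows how to read the smbd log the post points at and tell an NTLMv1 refusal apart from a genuinely wrong password, which is the distinction the log's NT_STATUS_WRONG_PASSWORD status hides. The sample log text is constructed from the lines quoted in the post, with placeholder hosts and users; the function names and the verdict labels are my own choices, not Samba's.

```python
import re
import sys
from collections import Counter

# Constructed sample, modelled on the smbd lines quoted in the post.
# Users, workstations and addresses are placeholders, not real data.
SAMPLE_LOG = r"""
[2018/04/15 02:10:51.245286,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser
[2018/04/15 02:10:51.245837,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MicrosoftAccount]\[msUser] at [Sun, 15 Apr 2018 02:10:51.245799 PDT] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [win10-PC] remote host [remoteAddress] mapped to [MicrosoftAccount]\[msUser]. local host [hostAddress]
[2018/04/15 02:11:03.101000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[alice] at [Sun, 15 Apr 2018 02:11:03.100900 PDT] with [NTLMv2] status [NT_STATUS_OK] workstation [laptop] remote host [10.0.0.5] mapped to [WORKGROUP]\[alice]. local host [hostAddress]
[2018/04/15 02:11:20.500000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[bob] at [Sun, 15 Apr 2018 02:11:20.499000 PDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [desktop] remote host [10.0.0.6] mapped to [WORKGROUP]\[bob]. local host [hostAddress]
"""

# One "Auth:" line per attempt; fields are bracketed, the user is written DOMAIN\[user].
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)

# The line that explains the refusal; it precedes the WRONG_PASSWORD status in the post's log.
NOT_PERMITTED_RE = re.compile(r"NTLMv1 passwords NOT PERMITTED for user (\S+)")


def parse_auth_events(text):
    """Return one dict per 'Auth:' line with the bracketed fields pulled out."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """Verdict labels (my own): 'ok', 'ntlmv1_refused' or 'bad_credentials'."""
    if event["status"] == "NT_STATUS_OK":
        return "ok"
    if event["method"] == "NTLMv1":
        # The server did not accept an NTLMv1 response at all, so the status
        # says nothing about whether the password was right: fix the client.
        return "ntlmv1_refused"
    # NTLMv2 was offered and still failed: this one really is a credential problem.
    return "bad_credentials"


def summarize(text):
    """Aggregate verdicts and list the clients that still speak NTLMv1."""
    events = parse_auth_events(text)
    verdicts = Counter(classify(e) for e in events)
    ntlmv1_clients = sorted(
        {(e["workstation"], e["remote"]) for e in events if classify(e) == "ntlmv1_refused"}
    )
    not_permitted_users = sorted(set(NOT_PERMITTED_RE.findall(text)))
    return {
        "events": len(events),
        "verdicts": dict(verdicts),
        "ntlmv1_clients": ntlmv1_clients,
        "not_permitted_users": not_permitted_users,
    }


if __name__ == "__main__":
    # Usage: python3 smb_auth_triage.py [/var/log/samba4/log.smbd]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = summarize(text)
    print(f"{report['events']} authentication events: {report['verdicts']}")
    for ws, remote in report["ntlmv1_clients"]:
        print(f"  client still using NTLMv1: workstation={ws} remote={remote}")
    for user in report["not_permitted_users"]:
        print(f"  NTLMv1 explicitly refused for user: {user}")
```

Run it against the log path from the post to get a per-workstation list of clients whose LAN Manager authentication level still allows NTLMv1; those are the machines where the Group Policy change above applies, while a failure logged with [NTLMv2] is an ordinary wrong-password event.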