NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
When I use Authentication - Access Type - Local User , then I can no longer have access to the share
Hello everybody, after changing the authentication mode in my ReadyNas OS 6.10.3 from Active Directory to Local User I can no longer obtain the desired access for my share. With Active Directory au...
Bob245 wrote:
But you have to share CPYBK with "network access" and "file access" everyone and anonymous permissions otherwise you can't get anything.
If I create a folder in the share this is without any permission (I see this by Windows Explorer).I'm confused about what you are seeing right now. I guess you could look at the ACL for the share using ssh.
But generally I recommend Everyone access on the file access tab (and also checking the box granting deletion/renaming to non-owner of files). Then use network access alone to control access. That assumes that it's ok for everyone who's allowed to access the share to have access to all the files and folders in it.
You shouldn't be needing to allow anonyomous access in network access.
So maybe start with full access for everyone in file access, and then tighten up the network access - making sure that works. Then you can try reducing file access if that is necessary.
I don't use AD myself. But the general behavior with Windows is that it will by default present the Windows login/password to the NAS when the share is accessed. If the account isn't recognized by the NAS, then anonymous access is needed to access the NAS (though Windows security policies also kick in here). If the account is recognized by the NAS, but the password is wrong, then access is denied even if anonymous access is enabled for the share.
So w/o AD on the NAS, you can either
- Use the Windows Credential Manager to apply the appropriate NAS account credentials on each PC that can access the NAS
- Manually create user accounts on the NAS to match the user names for the accounts for which you want to allow access, and make sure the passwords on the NAS match the PC logins
Personally I'd go with NAS accounts that don't match the AD username/passwords. But that might depend on your threat model.
Hi Stephen,
1) net use * /delete /y is very usefull and
net use t: \\192.168.10.96\CPYBK /user:TEST TESTpassword it work but: in the command prompt if i use T: I get "Access Denied"
then the mapped drive "T:" is not present on windows explorer....
2) SMB settings (system->settings->services->smb), it has always been set to "legacy SMB discovery"
3) all pc/server that use NAS01 have in windows\system32\drivers\etc\hosts the entry
192.168.10.96 NAS01
The nas01 have a Fixed IP
I will give you more information and do other tests after Easter. Thanks!!
Bob
Bob245 wrote:
net use t: \\192.168.10.96\CPYBK /user:TEST TESTpassword
it work but: in the command prompt if i use T: I get "Access Denied"
then the mapped drive "T:" is not present on windows explorer....
Interesting. Maybe try resetting the file permissions on the share? (clicking on "reset" on the file access tab).
Hi, thanks for your interesting...
After many attempts, reboot the PC and the server that I am using for testing, resetting the permission file as recommended by you, I got the share available as a mapped disk T :. But you have to share CPYBK with "network access" and "file access" everyone and anonymous permissions otherwise you can't get anything.
If I create a folder in the share this is without any permission (I see this by Windows Explorer).As if he had not inherited anything from the parent folder (CPYBK share folder).
Then I recreated the share from scratch and now I can no longer have access.
But it's crazy, the share's behavior is inconceivable, I can't manage this thing and then in short the share doesn't work.
Why is it so complicated to make a share that then doesn't work?
I just spent € 2000 on expanding the disks and I have an unusable NAS.
Since the nas will be used for a secure backup it must not be managed through AD but with a local user and strong password, so I'm desperate. When it was run as AD it was ok now it is unusable.
What can I do?
Bob245 wrote:
But you have to share CPYBK with "network access" and "file access" everyone and anonymous permissions otherwise you can't get anything.
If I create a folder in the share this is without any permission (I see this by Windows Explorer).I'm confused about what you are seeing right now. I guess you could look at the ACL for the share using ssh.
But generally I recommend Everyone access on the file access tab (and also checking the box granting deletion/renaming to non-owner of files). Then use network access alone to control access. That assumes that it's ok for everyone who's allowed to access the share to have access to all the files and folders in it.
You shouldn't be needing to allow anonyomous access in network access.
So maybe start with full access for everyone in file access, and then tighten up the network access - making sure that works. Then you can try reducing file access if that is necessary.
I don't use AD myself. But the general behavior with Windows is that it will by default present the Windows login/password to the NAS when the share is accessed. If the account isn't recognized by the NAS, then anonymous access is needed to access the NAS (though Windows security policies also kick in here). If the account is recognized by the NAS, but the password is wrong, then access is denied even if anonymous access is enabled for the share.
So w/o AD on the NAS, you can either
- Use the Windows Credential Manager to apply the appropriate NAS account credentials on each PC that can access the NAS
- Manually create user accounts on the NAS to match the user names for the accounts for which you want to allow access, and make sure the passwords on the NAS match the PC logins
Personally I'd go with NAS accounts that don't match the AD username/passwords. But that might depend on your threat model.
Ok your advice has finally allowed me to solve.
1) The fundamental thing is to enter the login credential in the Windows Credential Manager as recommended by you several times. Now I have access to the share with the name \\NAS01 and there is no need to log in with the IP anymore. Sorry if I haven't used the Credential Manager before, I didn't think it was so fundamental. I wanted to avoid using the credentials stored in the Windows Credential Manager because I consider it a possible security flaw, but it seems that to work I cannot do without it.
2) I confirm that I can effectively avoid setting Anonymous access for Network Access
3) Everyone permissions must be given in the Access File section (also Folder Group permissions)
4) Upon returning to the office, I will verify that security is guaranteed and that the NAS is seen and used only by the backup server using the stored credential.
Finally I ask you if you can give me indications of how to view and manage ACLs via SSH (with an example ..)
Your help was fundamental I thank you very much. Bob
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
