Samba share access permissions not making sense
I just noticed that access permissions for SMB shares on my ReadyNAS102 don't seem to be working.
When I set up my RN102 several years ago I was a bit lazy and just set up all my shares as read/write for any user with anonymous access allowed. It's just me using it, so no biggie. However later I added a home-made CCTV system which uses FTP to upload images from cameras which are then viewed using HTTP on a small website which is hosted on the NAS. For this I created a new share called "CCTV" and user accounts for each camera and a master account for the viewer, which all worked just fine.
Recently, however, I decided I wanted to be able to download the images from the camera en masse using my Windows 7 PC, so I "simply" added SMB access to the share and attempted to connect to it, and.... got a big fat "access denied" message.
In fact, I cannot access this share over SMB even if I set it to allow Anonymous Access. What is even more weird, if I create a new share just for testing, turn SMB access on and set it to only allow my "CCTV master user" it still allows any-old-one to access it.
In short it seems like any SMB permissions that I try to set from some point in time prior to now are being completely ignored. Old shares I cannot add permissions, and new shares I cannot restrict permissions.
Any thoughts, anyone?
Accepted Solutions
@Digsy wrote:
The CCTV share is the only share that I want to require a username and password for, but when I specify this username in Network Access and I supply credentials for it when I try to connect, it doesn't work unless I use the command line. Windows won't accept my username and password as valid, but the command line will.
Obviously this is a Windows issue.
If you entered the credential in the Windows Credential Manager, then you shouldn't be needing to enter the username at all. If you also entered the password there, you shouldn't be needing to enter that either.
Are you entering \\nas-ip-address\sharename in the file explorer address bar to access the share?
One thing to keep in mind - Windows only allows one set of credentials per machine at a time. And if you first access the NAS w/o a credential, Windows will still use one - it defaults to using the Windows Login. You can clear that using the net use * /delete /y command. So perhaps just try that command, and then see if the file explorer will take your credential.
All Replies
Re: Samba share access permissions not making sense
@Digsy wrote:
Any thoughts, anyone?
Without more details on your settings, we can't offer much advice.
There are File Permissions (which apply to all protocols - in your case both FTP and SMB), and there is Network Access, which needs to be set up separately for each protocol. Both need to be set up to allow access, but either can result in denied access.
My general advice here is to set up the File Permissions so that everyone can access the underlying files. Then control access with Network Access alone. That is generally simpler.
In your specific case with denied access, I suggest starting by resetting the file permissions for the share, and see if that allows you to access the files over SMB. Check the box next to "Grant rename and delete privileges" before you click on the reset control. The CCTV system might be using very restrictive file permissions when it creates the files - resetting the permissions will change that so they match the configuration on the share.
For your test share, try creating a test account, and put it in a test group (not users). Then try enabling read-only network access to the test group, but no access to the users group. Also set read/write access for the test account, but not for the CCTV account. Then see if that allows access when you access the NAS with the test account credentials, but denies access when you use the CCTV account credentials.
You do need to be careful when testing share access with Windows, as it often isn't applying the user credentials that you think it is. So if you are using Windows, then I suggest testing access directly with the Windows command line. You launch this by typing CMD in the Windows search box.
Test access to a share by entering
net use * /delete /y
net use t: \\nas-ip-address\sharename /user:username password
using actual values instead of the blue placeholders of course. Be careful on the typing - particularly with spaces and the slash directions.
The first command terminates any open SMB sessions in the PC, the second attempts to mount the NAS share as drive letter T. If you want to test with multiple NAS accounts, make sure you enter both commands every time.
Re: Samba share access permissions not making sense
Thanks for the detailed reply. I seem to have fixed this now but I still don't understand how / why.
When going into the File Access section for the share, I noticed that although the folder owner name was set to my master CCTV account, there was no tick against "Folder Owner" for either Read or Read/Write access, although Read/Write was ticked for "Folder Group". Bear in mind that this was working fine for HTTP (reading via the web viewer) and write (via FTP) but not for SMB.
I guess I had accidentally locked my master CCTV account out by granting neither read nor read/write access, but I don't understand why SMB should behave differently to FTP or HTTP where this setting is concerned.
Also, it seems (as you suggest) that I can only map this particular share from the command line and not from inside Explorer - again, no idea why.
As I have a solution I haven't done all your troubleshooting steps, but here are my settings for this share:
Network access:
For SMB:
Admin (group): Read / Write
Admin (user): Read / Write
CCTV master (user): Read / Write
No others ticked
For FTP:
Admin (group): Read / Write
Cameras (group): Read / Write
Admin (user): Read / Write
CCTV master (user): Read / Write
No others ticked
For HTTP:
Admin (group): Read / Write
Cameras (group): Read / Write
Admin (user): Read / Write
CCTV master (user): Read / Write
No others ticked
File access:
Folder Owner: CCTV master
Folder Group: Cameras
"Grant rename and delete...": ticked
Everyone (group): Read/Write
Folder Owner (user): Read/Write
Folder Group (group): Read/Write
Admin (group): Read/Write
Admin (user): Read/Write
No others ticked
Re: Samba share access permissions not making sense
@Digsy wrote:
Also, it seems (as you suggest) that I can only map this particular share from the command line and not from inside Explorer - again, no idea why.
Likely the PC isn't using the correct credentials. Try running the Windows Credential Manager, and delete any existing credentials for the NAS. Then add a credential, using the NAS account you wish to use.
Note if you use both NAS hostname and the NAS IP, you will need two credentials - one for each.
Re: Samba share access permissions not making sense
Yes, there was an entry in Credential Manager, but it looked correct. I deleted it and created a new one but it still won't allow me to map the drive from Explorer.
So how should (in your opinion) my access permissions for SMB be set up for this to work?
All I want is for one user to be able to connect to this particular share with username and password protection using Explorer, ideally without having to permanently map it to a drive letter, or having to use the command line. I cannot see what I am doing wrong here. It feels like something isn't working the way it should.
Re: Samba share access permissions not making sense
@Digsy wrote:
All I want is for one user to be able to connect to this particular share with username and password protection using Explorer, ideally without having to permanently map it to a drive letter, or having to use the command line. I cannot see what I am doing wrong here. It feels like something isn't working the way it should.
And that user account is the only one you want to use for NAS access from that PC?
Are you able to access other shares from file explorer with the new credential?
Re: Samba share access permissions not making sense
All my other shares are set to allow anonymous access, so I do not need to provide credentials to access them. I can map these shares or connect directly by typing the pathname into Explorer just fine.
The CCTV share is the only share that I want to require a username and password for, but when I specify this username in Network Access and I supply credentials for it when I try to connect, it doesn't work unless I use the command line. Windows won't accept my username and password as valid, but the command line will.
Re: Samba share access permissions not making sense
@StephenB wrote:
One thing to keep in mind - Windows only allows one set of credentials per machine at a time. And if you first access the NAS w/o a credential, Windows will still use one - it defaults to using the Windows Login. You can clear that using the net use * /delete /y command. So perhaps just try that command, and then see if the file explorer will take your credential.
Well, that'll be it, then!
I always have two shares mapped to my PC at boot up, so although anonymous, they will be using my Windows login credentials, and this will be stopping me from making a second ad hoc connection to my CCTV share.
If I unmap both shares then I can connect to my CCTV share using my CCTV master account without any issues.
This also explains why FTP and HTTP access works, because for the former it is the cameras making the connection, and for the latter it is my web browser - so neither associated to Windows.
Thanks for bearing with me on this. Much appreciated. 🙂
Re: Samba share access permissions not making sense
@Digsy wrote:
I always have two shares mapped to my PC at boot up, so although anonymous, they will be using my Windows login credentials, and this will be stopping me from making a second ad hoc connection to my CCTV share.
If I unmap both shares then I can connect to my CCTV share using my CCTV master account without any issues.
Great.
There is a potential workaround here. Windows treats the IP address and the hostname as two different machines. So if you are mapping the drives at bootup with the hostname, then you can still use the CCTV credential if you use the IP address. Or the other way around (use the IP address for ordinary access, and the hostname for the CCTV share).
Re: Samba share access permissions not making sense
@Digsy wrote:
I always have two shares mapped to my PC at boot up, so although anonymous, they will be using my Windows login credentials, and this will be stopping me from making a second ad hoc connection to my CCTV share.
Not at all - you can add more users to allow the access to the same shared folder. Unless I'm very wrong, having both authenticated and non-authenticated ("guest") access to the very same shared folder is possible.
A better or more professional approach is grouping users with similar access rights into a group, and granting the access rights based on the group - not on the basis of users. This avoids all ACLs needing to be rewritten on every change - which can be a tedious and slow job on large amounts of folders and files.
Be aware that newer Windows 10 builds no longer allow using non-authenticated access - unless you are going to tweak it - because it's considered a security risk.
To allow non-authenticated access _and_ access to Windows systems already holding valid credentials already in use for more secured folders, add the read+write access for the implicit group "users". However I fear the ReadyNAS Web UI does not let us configure this correct set-up (working on generic SAMBA servers, on QNAP, on Synology, ...). That would be much better than workarounds using IP instead of the name.
Re: Samba share access permissions not making sense
@schumaku wrote:
@Digsy wrote:
I always have two shares mapped to my PC at boot up, so although anonymous, they will be using my Windows login credentials, and this will be stopping me from making a second ad hoc connection to my CCTV share.
Unless I'm very wrong, having both authenticated and non-authenticated ("guest") access to the very same shared folder is possible.
With Windows, you can only access the NAS IP-address or hostname with one set of credentials at a time.
Since he wasn't using the CCTV credential when he mapped the shares at bootup, that credential couldn't be used when he tried to access the CCTV share.
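The diagnosis this thread arrived at, as an added PowerShell example (not part of any post above): list the account each live SMB connection is using before trying a second credential against the same NAS. The values nas-hostname, nas-ip-address, sharename and username are placeholders, and the script assumes only the Windows built-ins Get-WmiObject, cmdkey and net use.

```powershell
# Added example. Placeholders (not real values): replace before running.
$NasHost = 'nas-hostname'     # name used by the drives mapped at boot
$NasIp   = 'nas-ip-address'   # the same NAS, addressed by IP
$Share   = 'sharename'        # share that requires a username and password
$NasUser = 'username'         # NAS account granted access to that share

# 1. Show each live connection and the account it authenticated as.
#    Win32_NetworkConnection works on Windows 7 (PowerShell 2.0) and later.
$connections = @(Get-WmiObject -Class Win32_NetworkConnection)
$connections | Format-Table LocalName, RemoteName, UserName, Status -AutoSize

# 2. Summarise per server name. Windows keeps one credential per server
#    name, so an existing entry decides what later connections will use.
$connections | Group-Object { ($_.RemoteName -split '\\')[2] } | ForEach-Object {
    $users = ($_.Group | ForEach-Object { $_.UserName } | Sort-Object -Unique) -join ', '
    '{0}: connected as {1}' -f $_.Name, $users
}

# 3. Show credentials stored in Credential Manager for any target.
cmdkey /list

# 4a. Either drop every SMB session, then reconnect with the NAS account
#     ("*" makes net use prompt for the password instead of echoing it):
# net use * /delete /y
# net use "\\$NasHost\$Share" "/user:$NasUser" *

# 4b. Or keep the boot-time mappings made by hostname and reach the
#     protected share by IP, which Windows treats as a different machine:
net use "\\$NasIp\$Share" "/user:$NasUser" *
```

If step 2 shows the NAS hostname already connected under the Windows login, a second credential for that same name will be refused until those sessions are removed.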