
When I use Authentication - Access Type - Local User, then I can no longer have access to the share

Bob245
Guide

Hello everybody,
after changing the authentication mode in my ReadyNAS OS 6.10.3 from Active Directory to Local User I can no longer obtain the desired access for my share.
With Active Directory authentication there were never any problems. I created my shares and associated the various users (taken from Active Directory) in read-only or read-write without problems.
Now, with Local User authentication, I find myself unable to give a particular user access to the share I want.
I use my real case as an example. My ReadyNAS is called "NAS01" and has the workgroup set up with the name "DPPNAS".
It is part of a Windows network consisting of all Win10 1909 systems and some Win2016 or Win2012R2 servers.
In NAS01 I created a "CPYBK" share and created a "TEST" user.
I then set the Network Access and File Access permissions for the TEST user to read-write.
When I try to connect to the share CPYBK from my Win10 PC or from a Win2016 server I get the following message: "Network Error".
Windows cannot access \\NAS01\CPYBK
Check the spelling of the name. Otherwise there might be a problem with your network. To try to identify and resolve network problems, click Diagnose.
At this point I use the IP address instead of the name and I get a new "Network Error" message:
Windows cannot access \\192.168.10.96\CPYBK
You do not have permission to access \\192.168.10.96\CPYBK. Contact your network administrator to request access.
But it is not a name problem, because NAS01 is entered both in the DNS services and in the HOSTS file of the server and of my PC used for these tests.

If in the CPYBK share, I give Everyone read-write permissions and check the "Allow Anonymous Access" for both Network Access and File Access, then I finally have access to the share.
But in this case I can create files but I can no longer delete them. In short, I'm going crazy. Can anyone help me?

I have other NAS units of other brands, and on those I just create the share and associate a local user with read/write permissions and everything works without any complication. Please help me. Thanks
Bob

 

Model: RNDP4000|ReadyNAS Pro 4 Chassis only
Message 1 of 8

Accepted Solutions
StephenB
Guru

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s


@Bob245 wrote:

But you have to share CPYBK with "network access" and "file access" everyone and anonymous permissions otherwise you can't get anything.
If I create a folder in the share this is without any permission (I see this by Windows Explorer).

 


I'm confused about what you are seeing right now. I guess you could look at the ACL for the share using ssh.

 

But generally I recommend Everyone access on the file access tab (and also checking the box granting deletion/renaming to non-owner of files).  Then use network access alone to control access. That assumes that it's ok for everyone who's allowed to access the share to have access to all the files and folders in it.

 

You shouldn't be needing to allow anonymous access in network access.

 

So maybe start with full access for everyone in file access, and then tighten up the network access - making sure that works.  Then you can try reducing file access if that is necessary.

 

I don't use AD myself.  But the general behavior with Windows is that it will by default present the Windows login/password to the NAS when the share is accessed.  If the account isn't recognized by the NAS, then anonymous access is needed to access the NAS (though Windows security policies also kick in here).  If the account is recognized by the NAS, but the password is wrong, then access is denied even if anonymous access is enabled for the share.

 

So w/o AD on the NAS, you can either

  • Use the Windows Credential Manager to apply the appropriate NAS account credentials on each PC that can access the NAS
  • Manually create user accounts on the NAS to match the user names for the accounts for which you want to allow access, and make sure the passwords on the NAS match the PC logins

Personally I'd go with NAS accounts that don't match the AD username/passwords.  But that might depend on your threat model.

Message 6 of 8

All Replies
StephenB
Guru

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s


@Bob245 wrote:


In NAS01 I created a "CPYBK" share and created a "TEST" user.
I then set the Network Access and File Access permissions for the TEST user for read-write.
...

Windows cannot access \\192.168.10.96\CPYBK
You do not have permission to access \\192.168.10.96\CPYBK. Contact your network administrator to request access.

Try running CMD and then entering

net use * /delete /y
net use t: \\192.168.10.96\CPYBK /user:TEST TESTpassword

where TESTpassword is the password you configured for that user.

 

The first command terminates any SMB sessions on the PC; the second attempts to map the share to drive letter T.  Be careful on the typing (both spaces and slash direction), as the resulting errors can be quite cryptic.

 

If that works (it should), then you need to open the Windows credential manager and enter the appropriate windows credential for the NAS.  Note that if you want to use both the IP address and the hostname you will need credentials for both.  Unfortunately this will need to be done on every PC that accesses the NAS.

 

On the hostname problem, first check the NAS SMB settings (system->settings->services->smb), and make sure "legacy SMB discovery" is checked.  If the NAS isn't using DHCP, then it could be a DNS issue (related to no longer using AD).  Several (not all) users have reported issues with hostname resolution with Windows - a practical but annoying work-around is to add it to the hosts file on the PCs that have the problem.

 

Message 2 of 8
Bob245
Guide

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s

Hi Stephen,

1) net use * /delete /y is very useful, and

net use t: \\192.168.10.96\CPYBK /user:TEST TESTpassword works, but in the command prompt if I use T: I get "Access Denied"

and then the mapped drive "T:" is not present in Windows Explorer....

2) SMB settings (system->settings->services->smb): it has always been set to "legacy SMB discovery"

3) All PCs/servers that use NAS01 have in windows\system32\drivers\etc\hosts the entry

192.168.10.96       NAS01

The NAS01 has a fixed IP.

I will give you more information and do other tests after Easter. Thanks!!

Bob

Message 3 of 8
StephenB
Guru

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s


@Bob245 wrote:

 

net use t: \\192.168.10.96\CPYBK /user:TEST TESTpassword

works, but in the command prompt if I use T: I get "Access Denied"

and then the mapped drive "T:" is not present in Windows Explorer....

 


Interesting.  Maybe try resetting the file permissions on the share?  (clicking on "reset" on the file access tab).

Message 4 of 8
Bob245
Guide

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s

Hi, thanks for your interest...

After many attempts, rebooting the PC and the server that I am using for testing, and resetting the file permissions as you recommended, I got the share available as a mapped disk T:. But you have to share CPYBK with "network access" and "file access" everyone and anonymous permissions otherwise you can't get anything.
If I create a folder in the share this is without any permission (I see this by Windows Explorer).

As if it had not inherited anything from the parent folder (the CPYBK share folder).
Then I recreated the share from scratch and now I can no longer get access.
But it's crazy, the share's behavior is inconceivable, I can't manage this thing and, in short, the share doesn't work.
Why is it so complicated to make a share that then doesn't work?
I just spent € 2000 on expanding the disks and I have an unusable NAS.
Since the NAS will be used for a secure backup, it must not be managed through AD but with a local user and strong password, so I'm desperate. When it was run with AD it was OK; now it is unusable.
What can I do?

 

Message 5 of 8
Bob245
Guide

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s

OK, your advice has finally allowed me to solve it.
1) The fundamental thing is to enter the login credentials in the Windows Credential Manager, as you recommended several times. Now I have access to the share with the name \\NAS01 and there is no need to log in with the IP anymore. Sorry that I hadn't used the Credential Manager before; I didn't think it was so fundamental. I wanted to avoid using the credentials stored in the Windows Credential Manager because I consider it a possible security flaw, but it seems that I cannot do without it for this to work.
2) I confirm that I can effectively avoid setting Anonymous access for Network Access.
3) Everyone permissions must be given in the Access File section (also Folder Group permissions).
4) Upon returning to the office, I will verify that security is guaranteed and that the NAS is seen and used only by the backup server using the stored credential.
Finally, I ask you if you can give me indications of how to view and manage ACLs via SSH (with an example...).
Your help was fundamental; I thank you very much. Bob

Message 7 of 8
StephenB
Guru

Re: When I use Authentication - Access Type - Local User , then I can no longer have access to the s


@Bob245 wrote:


Finally I ask you if you can give me indications of how to view and manage ACLs via SSH (with an example ..)
Your help was fundamental I thank you very much. Bob


The NAS will normally manage the ACL for you.  

 

But in addition to the linux file permissions, you can see the ACL with getfacl, and you could also set the ACL with setfacl.  Though any changes you make could be undone by the NAS web ui.

 

There is some info on this here: https://www.geeksforgeeks.org/access-control-listsacl-linux/

 

 

Message 8 of 8
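An added example, not part of the original thread and not StephenB's or NETGEAR's code: a small shell function for the getfacl check mentioned above. It reads getfacl output for a share folder and reports one user's effective access plus whether `default:` entries (the ones new subfolders inherit) exist for that user. The function name `acl_audit` and both sample ACL listings are constructed, and it assumes the NAS prints standard POSIX ACL text.

```shell
#!/bin/sh
# Added example. On the NAS over SSH (share path is a placeholder):
#   getfacl /path/to/share | acl_audit TEST
# Prints "access=<perm> default=<perm>": each entry ANDed with its mask,
# or "none" when the ACL has no entry for that user.
acl_audit() {
    awk -F: -v user="$1" '
        # Keep a permission bit only if both the entry and the mask grant it.
        function mask_and(p, m,    i, c, out) {
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
            }
            return out
        }
        /^#/ || NF == 0 { next }      # header comments and blank lines
        { sub(/[ \t]+#.*$/, "") }     # trailing "#effective:" annotations
        $1 == "user" && $2 == user { acc = $3 }
        $1 == "mask"               { amask = $3 }
        $1 == "default" && $2 == "user" && $3 == user { def = $4 }
        $1 == "default" && $2 == "mask"               { dmask = $4 }
        END {
            a = (acc == "") ? "none" : (amask == "" ? acc : mask_and(acc, amask))
            d = (def == "") ? "none" : (dmask == "" ? def : mask_and(def, dmask))
            printf "access=%s default=%s\n", a, d
        }'
}

# Constructed sample: TEST is listed, but the mask removes write access and
# there are no default: entries, so new subfolders inherit nothing for TEST.
sample_broken_acl() {
    cat <<'EOF'
# file: CPYBK
user::rwx
user:TEST:rwx    #effective:r-x
mask::r-x
other::---
EOF
}

# Constructed sample: access and default entries both grant TEST rwx.
sample_inheriting_acl() {
    cat <<'EOF'
user::rwx
user:TEST:rwx
mask::rwx
default:user:TEST:rwx
default:mask::rwx
EOF
}
```

A result of `default=none` matches the symptom of a new folder arriving without the parent's permissions; as noted in the post, changes made with setfacl may be overwritten by the NAS web UI.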