Windows 11 Pro Cannot Connect to NAS Authentication Failed

My Cloud OS 5 My Cloud EX
1

My Cloud Ex2 Ultra

I’ve spent some time troubleshooting, figured ask for thoughts. Not going to list all the steps that I have already attempted but below are a few:

Windows 11 Pro

  • Was Microsoft Account, converted to now a local account (Not AD connected using default WORKGROUP)
  • SMB 1.0/CIFS File Sharing Support and child options enabled
  • SMB Direct enabled
    -Services for NFS and child options enabled

Attempting to connect to NFS via Windows File Explorer.

Let’s say we go to \\[ipv4_address]
It will not load until I enter my username and password.

Once I enter the username and password it authenticates then goes to next screen to show the file shares at \\[ipv4_address].

Then, attempt to change active working directory to \\[ipv4_address]\[password_protected_share]. I make certain to click the other user option to manually type in the user name and password but it just will not stick on. And I know I’m typing in the correct user name and password.

2024 May 31 00:11:26|SAMBA|CIFS: Authentication for user [[username]] has FAILED.
2024 May 31 00:11:13|SAMBA|CIFS: Authentication for user [nobody] has FAILED.

I know the username and password also works since when I connect with my Mac it works seamlessly.

Thoughts for next steps?

2

So, I had too much coffee today and decided to do more research.
Enabled SSH temporarily and reviewed the configuration file and the log file.

I noticed something interesting in the logs.

So, of the logs I noticed this:

[2024/05/31 00:10:59.893186, 3] …/…/auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
Got user= domain=[y] workstation=[z] len1=24 len2=294
[2024/05/31 00:10:59.893301, 3] …/…/source3/auth/auth.c:204(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [y]@[z] with the new password interface.

Going to change the option in Windows from “This computer is part of a business network; I use it to connect to other computers at work” to “This is a hone computer; it’s not part of a business network” and test findings.

3

Better question is why Windows 11 is not logging correctly Samba file share server, that’s built into the default configuration.

4

Will attempt to remove PIN tomorrow and test change.

5

Did not fix. Wonder if issue with Windows 11 and Samba.

6

Also asked here:

https://answers.microsoft.com/en-us/windows/forum/all/windows-11-pro-cannot-connect-to-nas/8c2570a6-d1d8-49bb-9c2b-0a28c3b83dcd

7

Then, attempt to change active working directory to \[ipv4_address][password_protected_share]. I make certain to click the other user option to manually type in the user name and password but it just will not stick on. And I know I’m typing in the correct user name and password.

I am not clear what the problem is; but it sounds like the “other user” has different username/password than the root directory you had first logged in with.

Windows Credential manager will not permit multiple sets of credentials for the same network resource. A stupid limitation. . .but it’s there. IN OTHER WORDS. . . you can’t have multiple NAS users from the SAME windows PC. Once you log in to a device, it remembers that user. . . and it won’t let you switch credential for anything on the same IP address. Using two different PC’s to access the same NAS is no problem. . . .this is a Windows limitation.

Maybe that is the problem?

8

It’s been a bundle of issues and a great lab for learning and securing stuff.

See detail notes here for now until I port them over.
Windows 11 Pro Cannot Connect to NAS Authentication Failed - Microsoft Q&A

I got Windows working for now and Mac. Need to still do persistence tests on both. Going to work on setting up a few linux soon.

9

My Cloud Ex2 Ultra

  • Disabled NFS
  • Had to remove group due to conflicting polices for read / write where group would take priority over user defined permission
  • Verified SMB 3 was only selected
  • Verified only NTLM2 selected
  • Enabled Verbose logs

Rouge DHCP Server

  • Found and eliminated that and made a bridge (due to being a VM)

Other Fun Actions:

    1. Reviewing packet captures
    1. Reviewing Event viewer for “SMBClient” logs
    1. ssh into My Cloud Ex2 Ultra and review Samba configuration file and detailed logs
  • Dreading anyone that says let’s downgrade to SMB 2 or even SMB 1 in 2024 or use NTLM 1

Windows 11:

  • Windows Updates
  • Clear Credential Manager (if attempted for prior testing)
  • Enable insecure guest logons in SMB2 and SMB3 for Windows client and Windows Server | Microsoft Learn
  • Computer Configuration > Administrative Templates > Network > Lanman Workstation (Enabled)
  • Local Security Policy
    • LAN Manger Authentication Level = Send NTLMv2 response only and refuse LM & NTLM
    • Minimal session security for NTLM SSP (both options) NTLMv2 and 128 checked
  • Useful command to speed up troubleshooting to avoid reboots
    • net stop workstation /y
    • net start workstation
  • Adjusted network profile from public to private
  • Downgraded from Microsoft to local account
  • Removed PIN

Mac: [UPPERCASEUSERNAME]@[Server_IP]/[Share_name]

Mac supports SMB3. Example: RYAN@127.0.0.1/share

Still not certain why username must be upper case in mac when server reads all text for username as lower case, but it works. And, it does not work if it’s lowercase.

  • FYI The setting in MAC (the Apple, not Media Access Control) for file share IS ONLY if you want MAC to be a server (not need to enable that for client mode only!)
  • Clear Keychain for prior saved password before attempting again

Sources:

https://help.ubuntu.com/community/Fstab

https://linux.die.net/man/8/mount.cifs

https://ubuntu.com/server/docs/how-to-mount-cifs-shares-permanently

https://www.linode.com/docs/guides/linux-mount-smb-share/

Below is a heavy fork of the last reference

Phase 0 – Get ready

sudo apt-get update && sudo apt-get upgrade

sudo apt update && sudo apt upgrade

// Reboot of recommended

sudo apt install cifs-utils

fuser

// Terminal should usage / options for command if installed in output stream

Phase 1 – Test Ability to Connect to Samba SMB share

// denote holding a variable of your choosing, do not enter these in the terminal

sudo mkdir /mnt/[smb_share_name]

sudo mount -t cifs -o user=[user_name] //[smb_server_ipv4]/[smb_share_name] /mnt/[smb_share_name]

Enter password when prompted.

If error review data input or various error logs, hence the point of this stage happy hunting!

sudo umount -t cifs /mnt[smb_share_name]

Phase 2 – Create Credentials File

// Store where needed for business or personal needs and attempt to restricted access

sudo nano ~/.credentials

Line 1: username=[smb_user_name]

Line 2: password=[smb_user_name_password]

// Save changes and exit file

// This guide is designed for the Western Digital Hard drive so doesn’t not have Domain in home configuration.

sudo chown [linux_active_user_name]:~/.credentials

sudo chmod 600 ~/.credentials

sudo mount -t cifs -o user=[smb_user_name] //[smb_server_ipv4]/[smb_share_name] /mnt/[smb_share_name]

If error review data input or various error logs, hence the point of this stage happy hunting!

sudo umount -t cifs /mnt[smb_share_name]

Phase 3 - /etc/fstab

sudo nano /etc/fstab

// Review Fstab - Community Help Wiki

// Review https://ubuntu.com/server/docs/how-to-mount-cifs-shares-permanently

// Add a new line item in the most logical spot

//[smb_server_ipv4]/ [smb_share_name] /mnt/[smb_share_name] cifs credentials=~/.credentials,uid=1000,gid=100 0 0

// Save changes and reboot changes

If error review data input or various error logs, hence the point of this stage happy hunting!

1 Like