TS-419P - WINDOWS 7 clients - Cannot login to shares

Post by quaz » Sun Aug 15, 2010 1:07 am

Hello, I'm kinda new to the NAS world. I've some IT & networking skills but, evidently, I ain't got enough!

I've a problem with a TS-419P mounting the last 3.3.1 Build 0720T firmware. After configuring the shares, users, and rights for them, I soon realized that through Windows Explorer I wasn't able to access my shared directories on the NAS.
I've no problem connecting to the NAS IP, or name after configuring it to operate as a WINS server and setting up the clients right for it, but as soon as I tried to access a restricted folder with my username it would give me an error for username / password.

Here's what I've tried today:

Login:
[Nas Username] no joy
[Computer name]\[Nas Username] no joy
[Nas name]\[Nas Username] no joy

I've tried the various methods of login again after modifying some "Local Security Policies":

- Network security: minimum session security for NTLM SSP based (including secure RPC) clients -> uncheck the require 128-bit encryption flag
- Network security: minimum session security for NTLM SSP based (including secure RPC) servers -> uncheck the require 128-bit encryption flag
- Network security: Lan Manager authentication level -> send LM & NTLM responses OR send LM & NTLM responses use NTLMv2 session security if negotiated

I can make mapped network drives with net use, but not of the "root shared" directory of the NAS. It's not the same as accessing all the shares at the same time, and I'd need to make too many mapped network drives.

I've already searched the forums but came up empty. If this was already resolved in the past I'm sorry to double post it again, but I'm getting really desperate.

Best Regards,

QuaZ

Post by schumaku » Mon Aug 16, 2010 2:37 am

Hi QuaZ,

Configure NAS and Windows 7 system into the same workgroup.

-> Access to the default public share is possible already now.

Add the same username and password you are using to login to your Windows 7 system to the NAS.

Add this user to a group on the NAS if you fancy, simplifies things when adding additional users.

Grant the access rights for the user (or the group) on the share level.

Browse your network using Windows Explorer, discover the NAS, connect to the shares, or map shares with just a mouse click. Can't be easier.

No fussing around with dedicated users to access a share, nor change any registry entries compromising Windows 7 default security. Remember: From the same Windows client, you can only use one set of credentials to access Microsoft share resources on a single server, this is by M$ design, not QNAP.

-Kurt.

Post by quaz » Mon Aug 16, 2010 6:30 am

Hi,

The local security settings were suggested in some wiki/similar... but I did all that 2 days ago and something more, because of my problems. I really don't understand entirely the need to have an "everyone" group; it happened to be configured by me to deny all access to every share, in the process of locking security down while placing it online. That caused the problem. I don't really understand why net use mapping works anyway!

Once I disabled all flags on everyone, everything works like it should.

I've only one more question. I've the NAS connected with a WRT610N (Linksys), and the first DNS is configured as the router IP in the NAS. In Samba networking on Win 7 clients I can't see the NAS as a "server/computer" with its name. I've started the WINS server on the NAS and configured the clients to connect to it, but I still can't see it as a "server/computer"; if I write \\NasName in the clients, though, the clients find it. The question is: have I configured something wrong there, or is it normal that the NAS doesn't appear like other PCs/servers on the Samba network? (The multimedia services instead appear with their names in the W7 network.)

Thank you for answering Kurt.

Br

ag

Post by schumaku » Mon Aug 16, 2010 7:31 am

All users on the NAS must belong to the "everyone" group; it is mainly used on the Linux file system on the NAS, and for the share access configuration. As this group is part of the core design, it cannot be removed. The "behavior" requires some understanding of what Microsoft intended to do with it, and has been implemented in SAMBA accordingly:

- Ticking "Read only" does grant read access to the share for the users in the everyone group.
- Ticking "Read/Write" does grant read and write access based on the everyone group - typical example: The Public share.
- Not ticking any share field for the everyone group does not grant any access rights because the user is a member of this group. -> This is what you typically should do if you do not want to grant access rights.
- Ticking "Deny Access" for the shares in the everyone group does explicitly deny the access to these shares - in the case of the everyone group, to all users.

Any "Deny Access" entry will really deny the access to a user when explicitly applied to a user, respectively when applied to a group if the user is a member of this group.

A typical usage scenario for a "Deny Access" group is to prohibit access to the shares for former employees, because it's a good policy not to remove the username from a system (just to disable it), to keep the tracking of files for example. Otherwise, the UID will be visible numerically only. All that's required is a "formeremployees" group, which holds a "Deny Access" for all shares - if someone is leaving, you disable the account, and revoke the access rights by adding the user to the group "formeremployees".

Hope this clarifies the somewhat nasty difference between "no access" (nothing ticked) and "deny access".

---

On your second question, I need to do some brainstorming - because we always deploy a DNS service able to resolve any systems on the network, and legacy WINS is not used therefore. Let's see - very simplified:

Without DNS, WINS allows the NAS to be found by entering \\nasname - without it, you have to reference it as \\192.168.123.45 for example. That part makes sense, and works for you.

The NAS will become visible in the Windows network environment if the network service discovery is activated in the network settings. This network service discovery requires some exceptions in the Windows client firewall rules. Windows Vista and Windows 7 automatically take care of this if the system is in the "Home" or "Office" network zone (Private Network), and close it if it's in a public network. Brain-dead 3rd party firewalls might not be aware of the M$ control, so you might need to set the exceptions manually. I strongly discourage the usage of third party firewall applications on Vista or Windows 7 anyway. If both the Windows clients and the NAS are in the same workgroup, the discovery is faster. This is about it.
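The difference between "nothing ticked" and "Deny Access" described in the first half of the reply above can be modelled in a few lines. This is an added example, not QNAP or Samba code: the user names, the "staff" group and the "Projects" and "Backup" shares are constructed, and treating several grants as "most permissive wins" is an assumption the thread does not state.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0        # nothing ticked: this entry grants nothing
    READ_ONLY = 1   # "Read only" ticked
    READ_WRITE = 2  # "Read/Write" ticked
    DENY = 3        # "Deny Access" ticked: overrides every grant

def effective_access(user, share, memberships, share_acl):
    """Resolve one user's rights on one share from per-principal entries."""
    # Every NAS user is implicitly a member of "everyone".
    principals = {user, "everyone"} | memberships.get(user, set())
    entries = [share_acl.get(share, {}).get(p, Access.NONE) for p in principals]
    if Access.DENY in entries:   # explicit deny on the user or any group wins
        return Access.DENY
    return max(entries)          # assumption: most permissive grant applies

def shares_denied_to_all(share_acl):
    """Audit check: shares where "everyone" carries Deny Access."""
    return sorted(s for s, acl in share_acl.items()
                  if acl.get("everyone") == Access.DENY)

# Constructed sample data (illustrative names, not taken from a real NAS).
MEMBERSHIPS = {
    "alice": {"administrators"},
    "bob": {"staff", "formeremployees"},
    "carol": {"staff"},
}
SHARE_ACL = {
    "Public":   {"everyone": Access.READ_WRITE, "formeremployees": Access.DENY},
    "Projects": {"staff": Access.READ_WRITE, "formeremployees": Access.DENY},
    # Lock-down mistake from the thread: deny on "everyone" beats the admin grant.
    "Backup":   {"everyone": Access.DENY, "administrators": Access.READ_WRITE},
}

if __name__ == "__main__":
    for share in SHARE_ACL:
        for user in MEMBERSHIPS:
            result = effective_access(user, share, MEMBERSHIPS, SHARE_ACL)
            print(f"{user:6} {share:9} {result.name}")
    print("denied to all:", shares_denied_to_all(SHARE_ACL))
```

Removing the "everyone" entry from the "Backup" share leaves administrators with read/write and everyone else with no access, which is the lock-down the original configuration was aiming for.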

Post by quaz » Mon Aug 16, 2010 9:19 pm

Thank you again Kurt,

For the first topic, it's now clear, and I can create various groups, but everyone is, like the name says, for every user. So if I deny something there but give full access on another group that the user belongs to, the Deny of the everyone group will always win over the full access of some other group (administrators, or another custom group). It's good to know!

---

For the second topic, I think that your point is: if in the same workgroup, on the same DNS, without any WINS involved and with discovery enabled on Win 7 clients, the NAS should be visible by its name. If that's the case, this should be the NORMAL way this thing works. It's expected to work this way, but in my case, with no firewalls involved for local connections at all, discovery enabled on clients, and the same workgroup, NASNAME is still not visible on the clients' network. It seems strange...

Post by quaz » Wed Aug 18, 2010 9:50 pm

I've contacted support, and the guy in question changed some settings and then told me to test by myself the mysteries of why, while pinging, the QNAP NAS replied on a search IP of my DNS (OpenDNS)... so after hours of testing I changed the first DNS in my router to the one from Google (with it the problem does not happen, nice to know), and when I tried again to check for the NAS under the Samba network, no change. The support guy changed my port trunking settings from 802.3ad to active backup (failover); I suppose this NAS simply can't do 802.3ad. OK, the active backup was a nice alternative, but for some reason I wanted to test disabling the port trunking to see if there were any changes with my "NAS name invisibility under Samba networks" problem, and that was it: with port trunking disabled I finally see the NAS by its name, without WINS, on the Samba network of the clients. Is it known to "work like that", or more correctly "not work like that", with port trunking enabled? Because to me, it seems kinda strange.

---

Another problem: the tech guys did change something in PuTTY. I don't know what exactly, but I think something related to the way of logging in to certain services of the NAS. Now that the NAS is back online, every 30 seconds it reports this warning in the logs:
2010-08-18 15:44:36 System 127.0.0.1 localhost Re-launch process [proftpd].
From what I can gather on the web, proftpd has something to do with the FTP service. I've tried to disable it, and the error stops, OK, but as soon as I re-enable it, it comes back. The error started after I reconfigured the Samba service in the NAS (for some reason the support guy changed my workgroup to the standard "WORKGROUP" instead of leaving the workgroup that I'd set). If I go backwards through the log I find this error starting right after this line:

2010-08-18 14:01:55 System 127.0.0.1 localhost Re-launch process [proftpd].
2010-08-18 13:16:46 admin 192.168.0.101 --- [Microsoft Networking] Login style set to DOMAIN+username.
2010-08-18 13:16:35 admin 192.168.0.101 --- [Microsoft Networking] Name Resolution priority changed to [DNS only].
2010-08-18 13:16:35 admin 192.168.0.101 --- [Microsoft Networking] WINS service disabled.


That was me after changing back the workgroup. I've disabled the WINS server because it's no longer necessary, but the options about the login style are greyed out; I cannot change settings for that, but the log did write that I've changed settings. Don't know if that helps, but the "warning spam" started right after that line.

I've written another email to support, but could take some time to have an answer now...

Best R.

Ag

Post by schumaku » Wed Aug 18, 2010 11:19 pm

Hi Ag,

quaz wrote: The support guy change my port trunking settings from 802.3ad to active backup(fail over), I suppose this nas simply can't do 802.3ad,

If your Ethernet switch ports are configured into a Link Aggregation Group (LAG) based on LACP and 802.3ad, this works for 100%.

There was an issue with _other_ much less sophisticated load-balance schemes with NFS, when running v3.3.0 firmware, issue is fixed in the v3.3.1 release:
[Major Bug Fixes]
- [Network Services] NFS cannot be mounted via UDP protocol when port trunking mode is enabled.
One could assume, similar issues can show up when the network is mis-configured, and can cause issues in other UDP traffic (i.e. DNS) on the v3.3.0 firmware version.

If the two switch ports used for the NAS are correctly configured into a 802.3ad based unique LAG, you should be able to re-enable 802.3ag without side effects.

-Kurt.
