Hi all,
I had a problem with my boot so I reinstalled latest 13.3 and reloaded the configuration. Everything (incl pool, jails, …) seems to work out of the box except for SMB shares where it will not let me log in. I can log in with the user via SSH no problem, file access is also no problem and the UID/GID are also correct.
I am seeing the same problem from Linux, Windows and MacOS so it definitely seems to be TrueNAS side. I’ve tried checking SMB configurations, rebooting, and also with both the IP and hostname on all machines. No difference.
Any ideas?
~$ smbclient --list=192.168.2.88 --user=NNNN
Password for [WORKGROUP\NNNN]:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (FreeNAS)
movies Disk
music Disk
pics Disk
backup Disk
~$ smbclient //192.168.2.88/pics --user NNNN
Password for [WORKGROUP\NNNN]:
tree connect failed: NT_STATUS_ACCESS_DENIED
~$ sudo mount -t cifs -o username=NNNN,password=NNNN,iocharset=utf8 //192.168.2.88/pics /mnt/tmpmount
[sudo] password for NNNN:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
~$ sudo dmesg | tail
[261113.218812] CIFS: Attempting to mount \\192.168.2.88\pics
[261113.292850] CIFS: VFS: cifs_mount failed w/return code = -13
… and the suggestion there was to reset the user's password. I did that for my main user and it worked immediately on all systems and all is back to normal.
Not sure if this will survive a reboot (in that thread it seems to not work again after rebooting).
~$ sudo midclt call user.query '[["smb", "=", true], ["unixhash", "=", "*"]]'
[]
~$ sudo tail /var/log/middlewared.log
[2025/05/30 19:48:32] (DEBUG) SMBService.update_passdb_user():96 - User [MYUSER] does not exist in the passdb.tdb file. Creating entry with rid [20028].
[2025/05/30 19:48:33] (WARNING) SMBService.update_passdb_user():88 - SMB hash for user [OTHER1] is invalid. Authentication for SMB sessions for this user will fail until this is repaired. This may indicate that configuration was restored without a secret seed, and may be repaired by resetting the user password.
[2025/05/30 19:48:33] (WARNING) SMBService.update_passdb_user():88 - SMB hash for user [OTHER2] is invalid. Authentication for SMB sessions for this user will fail until this is repaired. This may indicate that configuration was restored without a secret seed, and may be repaired by resetting the user password.
[2025/05/30 19:48:33] (WARNING) SMBService.update_passdb_user():88 - SMB hash for user [OTHER3] is invalid. Authentication for SMB sessions for this user will fail until this is repaired. This may indicate that configuration was restored without a secret seed, and may be repaired by resetting the user password.
[2025/05/30 19:48:33] (WARNING) SMBService.update_passdb_user():88 - SMB hash for user [OTHER4] is invalid. Authentication for SMB sessions for this user will fail until this is repaired. This may indicate that configuration was restored without a secret seed, and may be repaired by resetting the user password.
This may point to the problem… MYUSER is my main user for which I reset the password in the TN GUI. Which configuration without the secret seed is it referring to? Any ideas? Not sure what I should have done differently on restoring the config.
Should I file a bug about this? This is not an “obvious” issue to find.
Did you download the configuration through the UI or just copy the config off the server through something like SCP? If the former, did you select to export with the “secret seed” (UI prompt)?
If you didn’t, then when you restore the config we can’t decrypt any encrypted fields and things like SMB auth are hosed until you reset the password.
> Did you download the configuration through the UI or just copy the config off the server through something like SCP? If the former did you select to export with the “secret seed” (UI prompt).
I did have both, one exported manually via the UI with the keys (that one was older), and one that was newer that is automatically saved weekly (.db without the keys), so I used that one.
> If you didn’t then when you restore the config we can’t decrypt any encrypted fields and things like SMB auth are hosed until you reset the password.
Makes sense… what all is affected by this? Would be great to add that to the “Restore configuration” part of
The secret seed is used to decrypt encrypted fields in the TrueNAS configuration database. Various fields are encrypted because they might contain sensitive information such as cryptographic certificates, passwords (not user login passwords), or weak hashing algorithms (for example, NT hashes of SMB users).
When a config file is restored without the secret seed, encrypted fields are set to empty values. This means various services can break due to the missing information. Examples are SMB via local accounts and apps. Always select the option to save the secret seed when downloading the system config file!
Note, the secret seed does not store local users' passwords in any form, only a hash of the password sufficient for authentication. Hashed passwords are not encrypted.
What happens if I do not save the secret seed? You might be prompted to enter a default password or reset the password. The UI should allow users to log into the system with their current password but might be prompted to enter a new password. Users can connect a keyboard and monitor to the system and enter a new password if they cannot log into the web UI or reset the current password.
After logging into the system, recheck all system settings to verify the configurations are correct, and then test to verify the system is working as desired. When complete and the system is operating per the desired configuration, download and save the system configuration with the secret seed option selected and keep it in a secure location.
It is a best practice to always save the secret seed with the system configuration file after making system configuration changes to have a current backup copy to use should the need arise.
This information is also returned if you query the docs bot in the docs page.
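To see which accounts still need a password reset after a restore without the secret seed, the `update_passdb_user` messages quoted earlier in this thread can be scanned per user. The following is an added example, not TrueNAS code or anything posted by the participants; the sample log is constructed, and treating a later "Creating entry" line as the repair is an assumption based on the MYUSER line above.

```python
import re
from datetime import datetime

# Message shapes copied from the middlewared.log excerpt in this thread.
LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] \(\w+\) "
    r"SMBService\.update_passdb_user\(\):\d+ - (?P<msg>.*)$"
)
EVENTS = {
    "invalid": re.compile(r"SMB hash for user \[(?P<user>[^\]]+)\] is invalid\."),
    "created": re.compile(
        r"User \[(?P<user>[^\]]+)\] does not exist in the passdb\.tdb file\. "
        r"Creating entry with rid \[\d+\]"
    ),
}

# Constructed sample (user names, rid and times are made up for illustration).
SAMPLE_LOG = """\
[2025/05/30 19:48:33] (WARNING) SMBService.update_passdb_user():88 - SMB hash for user [ALICE] is invalid. Authentication for SMB sessions for this user will fail until this is repaired.
[2025/05/30 19:48:33] (WARNING) SMBService.update_passdb_user():88 - SMB hash for user [BOB] is invalid. Authentication for SMB sessions for this user will fail until this is repaired.
[2025/05/30 19:50:02] (DEBUG) ExampleService.noop():1 - unrelated line that must be ignored
[2025/05/30 19:55:10] (DEBUG) SMBService.update_passdb_user():96 - User [ALICE] does not exist in the passdb.tdb file. Creating entry with rid [20099].
"""

def smb_hash_status(lines):
    """Map each user to (state, timestamp) of their most recent passdb event."""
    latest = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an update_passdb_user message
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        for state, pattern in EVENTS.items():
            hit = pattern.match(m["msg"])
            if hit and (hit["user"] not in latest or ts >= latest[hit["user"]][1]):
                latest[hit["user"]] = (state, ts)
    return latest

def users_needing_reset(lines):
    """Users whose latest event is still the invalid-hash warning."""
    status = smb_hash_status(lines)
    return sorted(u for u, (state, _) in status.items() if state == "invalid")

if __name__ == "__main__":
    for user in users_needing_reset(SAMPLE_LOG.splitlines()):
        print(f"{user}: SMB hash invalid, reset this user's password")
```

On a real system, pass the lines of `/var/log/middlewared.log` instead of `SAMPLE_LOG`.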