I have a home network with one TrueNAS Scale server and four Windows workstations. The server is used for sharing/serving media using Plex and for backing up the Windows machines, all using SMB shares for storage. Everything’s been working great until my main Windows workstation upgraded to Windows 11 24H2. Microsoft has completely removed NTLM authentication from 24H2, forcing users to either employ Active Directory or Kerberos.
Does this mean I’m going to have to stand up a separate machine just to define an AD forest or a Kerberos realm so I can access the shares again? Seems a bit of overkill for a home network. I did try following some online suggestions to reconfigure the Windows box and the shares to support NFS connections, but that was also unsuccessful. I imagine I’m not the only person out here who is having this problem, but searching the forum has turned up nothing helpful… so I’m asking. Thanks.
Okay, so is there a document someplace that guides users toward making the appropriate changes to re-enable Windows clients to access SMB shares on a TrueNAS server after this deprecation? I’ve searched and cannot find one.
This looks like you may have nonstandard GPO / registry settings on the SMB client. IIRC this can happen if someone / some software has reconfigured Windows to only use the very insecure NTLMv1 auth protocol. You’ll need to review your client settings. For example: Network security LAN Manager authentication level - Windows 10 | Microsoft Learn
If your clients are being forced into NTLMv1, you should track down why this happened as it can be an indicator of malicious activity.
Well, yeah, you shouldn’t generally have guest access enabled in shares; otherwise you may have to degrade client security. This is covered in our documentation regarding this legacy feature.
Comment was directed to OP. I don’t recommend disabling signing, using NTLMv1, or SMB1. Microsoft is trying to prevent you from using an unsafe configuration.
Make sure TrueNAS SMB and all workstations are configured for the same Workgroup.
Disable SMB1 on TrueNAS SMB service
Disable NTLMv1 on TrueNAS SMB service
Make sure the TrueNAS share config you’re trying to access has guest access disabled
Make sure TrueNAS has a user configured for SMB
Make sure ACLs are set on the shared dataset for the SMB user in TrueNAS
In the linked Windows forum post above, the user said the problem appeared
“after I removed Server 2016 essentials client connector from my window 11 home machine”
I did check into this and the authentication level was set to Not Configured. I have tried changing it to levels 0, 1, and 3 and received the same result.
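The client-side settings discussed in this thread (LAN Manager authentication level, SMB signing, guest logons, SMB1) can be read in one pass. The PowerShell below is an added example, not part of any post above; it only reads settings and changes nothing, and it assumes an elevated session on the Windows client.

```powershell
# Added example: read-only audit of the Windows SMB client settings named in this thread.
# Assumption: run from an elevated PowerShell session on the Windows 11 workstation.

# "Network security: LAN Manager authentication level" is stored as LmCompatibilityLevel.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$lsa   = Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = $lsa.LmCompatibilityLevel

if ($null -eq $level) {
    # Value absent = "Not Configured"; current Windows then sends NTLMv2 responses only.
    Write-Output 'LmCompatibilityLevel: Not Configured (default: NTLMv2 responses only)'
} elseif ($level -lt 3) {
    # Levels 0-2 let the client answer with LM/NTLMv1, which the server should refuse.
    Write-Warning "LmCompatibilityLevel = $level ($($meaning[[int]$level])): LM/NTLMv1 allowed"
} else {
    Write-Output "LmCompatibilityLevel = $level ($($meaning[[int]$level]))"
}

# SMB client policy: signing requirement and insecure guest logons.
$smb = Get-SmbClientConfiguration
Write-Output "RequireSecuritySignature  = $($smb.RequireSecuritySignature)"
Write-Output "EnableInsecureGuestLogons = $($smb.EnableInsecureGuestLogons)"
if ($smb.EnableInsecureGuestLogons) {
    Write-Warning 'Insecure guest logons are enabled on this client.'
}

# SMB1 optional feature state (expected: Disabled, or absent on current builds).
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1) {
    Write-Output "SMB1Protocol feature      = $($smb1.State)"
    if ($smb1.State -eq 'Enabled') { Write-Warning 'SMB1 client support is installed.' }
}

# Dialect and account actually in use for any share that is currently connected.
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect | Format-Table -AutoSize
```

Compare the output against the server side: a client that requires signing and refuses guest logons needs a share with guest access disabled and a real SMB user, as the checklist above describes.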