Jump to content

Folder sharing in Windows: holy ****

Go to solution Solved by leadeater,
2 hours ago, johnt said:

My gaming PC refuses to accept the credentials no matter what. It says my device is not authorized. If I disable the password requirement, it says I do not have permission. Sometimes it doesn't even ask for a password even though I enabled it in group policy.

 

Any chance the account you are logged in to on your Gaming PC also exists on the Windows server/SMB Server? If yes then that is almost certainly your problem. Windows will automatically try and authenticate using current logged in credentials and if the account name exists on the remote server then it'll simply get an authentication failure.

 

If you want to force it to use the correct login context/domain and user account you can change this in the Map Network Drive settings.

 

image.png.9c1295703affdd3d01b37058de3c2c23.png

 

Once you click Finish the Login Prompt will open and then enter Username and Password like below

image.png.f845d6e40a20c270314c4572c98fb116.png

 

By putting in remoteserver\ you are telling your client to use the account/password database of the remote server and not to try passwordless hashed login.

 

Also creating a VLAN and subnet and allowing traffic between it won't actually give you any extra security. Network compromises happen through 'client computers' and if that has the network drive attached then any malware will know both it's computer name and IP address while also having a valid account to login to the server defeating any point to a simple VLAN/subnet for that type of security purpose.

 

Unless you have lots of servers or other secure devices on that VLAN/subnet then there isn't much point to doing it, and if your SMB server gets compromised then attacks can/will originate from that compromised computer thus being able to attack locally within that network segment. Network segmentation isn't strictly and security mechanism, you have to combine it with other things like a firewall and put restrictions and scanning in place as well as ensure system security is up to scratch also. Honestly save yourself the hassle and have your SMB server on the same subnet.

It seems that I cannot share anything over my network without giving "everyone" permissions.

 

I have a Windows 11 Pro device that I use as a server and NAS. I use a local account with a password. I have shared folders on this computer. I generally use Advanced Sharing to create a Share name, and I set the permissions to the local account only. This requires I enter a password to access this folder from other devices on my network. This is exactly the behavior I want.

 

In my limited infinite wisdom, I created a separate VLAN for my server/NAS for some minimal level of protection against my network in case that PC is hacked because it is on 24/7. I was able to setup the permissions properly in my gateway where the default network has access to all other VLANs. The trunk ports are all setup properly to allow traffic between the networks. Accessing the data isn't a problem for "everyone."

 

I have a gaming PC that also uses Windows 11 Pro, a MacBook Pro, and an iPhone all on my default network. The laptop and phone are able to connect to the server with an IP, prompts me for my user name and password (where I use the local account creds), and it works perfectly. My gaming PC refuses to accept the credentials no matter what. It says my device is not authorized. If I disable the password requirement, it says I do not have permission. Sometimes it doesn't even ask for a password even though I enabled it in group policy.

 

I can't seem to find a single tutorial without opening the security to everyone. Why does it work on Apple? It's so frustrating.

Link to comment
Share on other sites

Link to post
Share on other sites

Pretty sure your issue is with one client and has nothing to do woth your server. SMB server works quite painlessly from my own experience.

 

Windows is the worst piece of shit operating system that is currently being sold as a product.

 

I also had this problem numerious times, I have had to clear my credentials in credential manager.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

Link to comment
Share on other sites

Link to post
Share on other sites

3 hours ago, Levent said:

Windows is the worst piece of shit operating system that is currently being sold as a product.

Only because MacOS isn't sold as a product.

When it comes to file sharing MacOS is orders of magnitude worse, particularly SMB.  It uses their custom version of the protocol that performs like garbage unless the server is also MacOS, as it expects the server to do meta data indexing.  This is made worse by their file browser Finder also being utterly garbage compared to other OS file browsers/requesters.

 

I spent about a year trying to use a Mac Mini for image work, trying all the SMB tweaks to make it work properly, but I got so sick of it taking minutes to parse a file share directory listing whereas Windows took seconds, I went back to Windows.

 

Speaking as a primarily Linux user.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, johnt said:

My gaming PC refuses to accept the credentials no matter what. It says my device is not authorized. If I disable the password requirement, it says I do not have permission. Sometimes it doesn't even ask for a password even though I enabled it in group policy.

 

Any chance the account you are logged in to on your Gaming PC also exists on the Windows server/SMB Server? If yes then that is almost certainly your problem. Windows will automatically try and authenticate using current logged in credentials and if the account name exists on the remote server then it'll simply get an authentication failure.

 

If you want to force it to use the correct login context/domain and user account you can change this in the Map Network Drive settings.

 

image.png.9c1295703affdd3d01b37058de3c2c23.png

 

Once you click Finish the Login Prompt will open and then enter Username and Password like below

image.png.f845d6e40a20c270314c4572c98fb116.png

 

By putting in remoteserver\ you are telling your client to use the account/password database of the remote server and not to try passwordless hashed login.

 

Also creating a VLAN and subnet and allowing traffic between it won't actually give you any extra security. Network compromises happen through 'client computers' and if that has the network drive attached then any malware will know both it's computer name and IP address while also having a valid account to login to the server defeating any point to a simple VLAN/subnet for that type of security purpose.

 

Unless you have lots of servers or other secure devices on that VLAN/subnet then there isn't much point to doing it, and if your SMB server gets compromised then attacks can/will originate from that compromised computer thus being able to attack locally within that network segment. Network segmentation isn't strictly and security mechanism, you have to combine it with other things like a firewall and put restrictions and scanning in place as well as ensure system security is up to scratch also. Honestly save yourself the hassle and have your SMB server on the same subnet.

Link to comment
Share on other sites

Link to post
Share on other sites

7 hours ago, Levent said:

 

Pretty sure your issue is with one client and has nothing to do woth your server. SMB server works quite painlessly from my own experience.

 

I can't tell if there is a port I need to open to allow communication between the IPs or networks or what. I tried opening the networks to each other completely and it's not still not taking the password. It works just fine with permissions set to everyone, but not a password. I do agree it's probably a client-side issue but I cannot seem to figure it out. The stupid thing only asks for a password once after I restart. It doesn't ask again at all. I'm up to like 50 restarts.

 

7 hours ago, Alex Atkin UK said:

Speaking as a primarily Linux user.

TrueNAS has been calling my name lately. I keep sending it to voice mail but I think I have to answer it soon. Do you have any experience with NextCloud or its alternatives? I don't have much need for a complicated sharing configuration, but I do want it to have some minimal level of security. I agree Apple has its shares of shortcomings, but I can't deny that it is working here without any access issues. It reconnects every time.

 

5 hours ago, leadeater said:

Any chance the account you are logged in to on your Gaming PC also exists on the Windows server/SMB Server?

Nope. The gaming PC has a Microsoft account and the NAS/server has a local account. Completely different PC names, user names, and passwords. I tried using both the "Network" folder in Windows and mapping a network drive. Both have similar issues. But mapping a drive gives me an error that says the drive is also mapped with a different user name and password and to disconnect first and try again. But I am not sure how it came to that conclusion lol

 

I feel like I am so close. It's probably one tiny checkbox somewhere in Windows.

 

If it helps add clues to a puzzle, I can use RDC from all my devices into the NAS/server. I was able to do that without any special rules for ports between the VLANs. 

Link to comment
Share on other sites

Link to post
Share on other sites

49 minutes ago, johnt said:

Nope. The gaming PC has a Microsoft account and the NAS/server has a local account. Completely different PC names, user names, and passwords. I tried using both the "Network" folder in Windows and mapping a network drive. Both have similar issues. But mapping a drive gives me an error that says the drive is also mapped with a different user name and password and to disconnect first and try again. But I am not sure how it came to that conclusion lol

Have your tried ticking the box as per my image? Doing that at a minimum ensures you actually know which username and password is being used and what authentication domain/computer is being checked against.

 

Also when you say everyone do you mean share permissions or NTFS? Generally you set the share permissions to everyone full access and use the NTFS/Filesystem permissions to control actual access.

 

P.S. 'Everyone' means any authenticated user, it's not literally everyone.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups#everyone

 

And if you want to see any current connections to an SMB Server run the following command in PowerShell

Get-SmbConnection

https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbconnection?view=windowsserver2022-ps

 

You can also close/end ant SMB sessions with 'Close-Smbsession'

https://learn.microsoft.com/en-us/powershell/module/smbshare/close-smbsession?view=windowsserver2022-ps

Link to comment
Share on other sites

Link to post
Share on other sites

Boys! Add me to the group of the biggest dummies ever. Turns out I set the "Limit the number of simultaneous users to" to 2. I thought this wouldn't be an issue since I was the only one testing everything. But my laptop and phone must have taken those connections even after I quit the app or turned off the screen... didn't see that one coming smh

 

I was doing some other testing and I was about to add another user to my system and test more. So I disconnected the server from my laptop in preparation, came to my gaming PC and everything started working just fine. I increased the number and all my devices can access the folder shares and everything across the VLANs (all clients on default to NAS) at the same time.

 

I'm a fucking idiot sometimes. But at least I didn't give up! Thank you guys for the suggestions and discussion. @leadeater thank you for suggesting I try to map it again. Without that error message I wouldn't have pushed my brain to think about users.

 

 

1 hour ago, johnt said:

I am not sure how it came to that conclusion lol

So I figured out how it came to that conclusion

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×