Folder sharing in Windows: holy ****

Solved by leadeater

It seems that I cannot share anything over my network without giving "everyone" permissions.

 

I have a Windows 11 Pro device that I use as a server and NAS. I use a local account with a password. I have shared folders on this computer. I generally use Advanced Sharing to create a Share name, and I set the permissions to the local account only. This requires I enter a password to access this folder from other devices on my network. This is exactly the behavior I want.

 

In my limited infinite wisdom, I created a separate VLAN for my server/NAS for some minimal level of protection against my network in case that PC is hacked because it is on 24/7. I was able to setup the permissions properly in my gateway where the default network has access to all other VLANs. The trunk ports are all setup properly to allow traffic between the networks. Accessing the data isn't a problem for "everyone."

 

I have a gaming PC that also uses Windows 11 Pro, a MacBook Pro, and an iPhone all on my default network. The laptop and phone are able to connect to the server with an IP, prompts me for my user name and password (where I use the local account creds), and it works perfectly. My gaming PC refuses to accept the credentials no matter what. It says my device is not authorized. If I disable the password requirement, it says I do not have permission. Sometimes it doesn't even ask for a password even though I enabled it in group policy.

 

I can't seem to find a single tutorial without opening the security to everyone. Why does it work on Apple? It's so frustrating.

Link to comment

Pretty sure your issue is with one client and has nothing to do with your server. SMB server works quite painlessly from my own experience.

 

Windows is the worst piece of shit operating system that is currently being sold as a product.

 

I also had this problem numerous times; I have had to clear my credentials in Credential Manager.


 

Link to comment

3 hours ago, Levent said:

Windows is the worst piece of shit operating system that is currently being sold as a product.

Only because MacOS isn't sold as a product.

When it comes to file sharing MacOS is orders of magnitude worse, particularly SMB. It uses their custom version of the protocol that performs like garbage unless the server is also MacOS, as it expects the server to do metadata indexing. This is made worse by their file browser Finder also being utterly garbage compared to other OS file browsers/requesters.

 

I spent about a year trying to use a Mac Mini for image work, trying all the SMB tweaks to make it work properly, but I got so sick of it taking minutes to parse a file share directory listing whereas Windows took seconds, I went back to Windows.

 

Speaking as a primarily Linux user.


Link to comment

2 hours ago, johnt said:

My gaming PC refuses to accept the credentials no matter what. It says my device is not authorized. If I disable the password requirement, it says I do not have permission. Sometimes it doesn't even ask for a password even though I enabled it in group policy.

 

Any chance the account you are logged in to on your Gaming PC also exists on the Windows server/SMB Server? If yes then that is almost certainly your problem. Windows will automatically try and authenticate using current logged in credentials and if the account name exists on the remote server then it'll simply get an authentication failure.

 

If you want to force it to use the correct login context/domain and user account you can change this in the Map Network Drive settings.

 

[image]

 

Once you click Finish the Login Prompt will open and then enter Username and Password like below

[image]

 

By putting in remoteserver\ you are telling your client to use the account/password database of the remote server and not to try passwordless hashed login.

 

Also creating a VLAN and subnet and allowing traffic between it won't actually give you any extra security. Network compromises happen through 'client computers' and if that has the network drive attached then any malware will know both its computer name and IP address while also having a valid account to login to the server, defeating any point to a simple VLAN/subnet for that type of security purpose.

 

Unless you have lots of servers or other secure devices on that VLAN/subnet then there isn't much point to doing it, and if your SMB server gets compromised then attacks can/will originate from that compromised computer, thus being able to attack locally within that network segment. Network segmentation isn't strictly a security mechanism; you have to combine it with other things like a firewall and put restrictions and scanning in place as well as ensure system security is up to scratch also. Honestly, save yourself the hassle and have your SMB server on the same subnet.

Link to comment

7 hours ago, Levent said:

 

Pretty sure your issue is with one client and has nothing to do with your server. SMB server works quite painlessly from my own experience.

 

I can't tell if there is a port I need to open to allow communication between the IPs or networks or what. I tried opening the networks to each other completely and it's still not taking the password. It works just fine with permissions set to everyone, but not a password. I do agree it's probably a client-side issue but I cannot seem to figure it out. The stupid thing only asks for a password once after I restart. It doesn't ask again at all. I'm up to like 50 restarts.

 

7 hours ago, Alex Atkin UK said:

Speaking as a primarily Linux user.

TrueNAS has been calling my name lately. I keep sending it to voice mail but I think I have to answer it soon. Do you have any experience with NextCloud or its alternatives? I don't have much need for a complicated sharing configuration, but I do want it to have some minimal level of security. I agree Apple has its shares of shortcomings, but I can't deny that it is working here without any access issues. It reconnects every time.

 

5 hours ago, leadeater said:

Any chance the account you are logged in to on your Gaming PC also exists on the Windows server/SMB Server?

Nope. The gaming PC has a Microsoft account and the NAS/server has a local account. Completely different PC names, user names, and passwords. I tried using both the "Network" folder in Windows and mapping a network drive. Both have similar issues. But mapping a drive gives me an error that says the drive is also mapped with a different user name and password and to disconnect first and try again. But I am not sure how it came to that conclusion lol

 

I feel like I am so close. It's probably one tiny checkbox somewhere in Windows.

 

If it helps add clues to a puzzle, I can use RDC from all my devices into the NAS/server. I was able to do that without any special rules for ports between the VLANs. 

Link to comment

49 minutes ago, johnt said:

Nope. The gaming PC has a Microsoft account and the NAS/server has a local account. Completely different PC names, user names, and passwords. I tried using both the "Network" folder in Windows and mapping a network drive. Both have similar issues. But mapping a drive gives me an error that says the drive is also mapped with a different user name and password and to disconnect first and try again. But I am not sure how it came to that conclusion lol

Have you tried ticking the box as per my image? Doing that at a minimum ensures you actually know which username and password is being used and what authentication domain/computer is being checked against.

 

Also when you say everyone do you mean share permissions or NTFS? Generally you set the share permissions to everyone full access and use the NTFS/Filesystem permissions to control actual access.

 

P.S. 'Everyone' means any authenticated user, it's not literally everyone.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups#everyone

 

And if you want to see any current connections to an SMB Server run the following command in PowerShell

Get-SmbConnection

https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbconnection?view=windowsserver2022-ps

 

You can also close/end any SMB sessions with 'Close-SmbSession'

https://learn.microsoft.com/en-us/powershell/module/smbshare/close-smbsession?view=windowsserver2022-ps

Link to comment

Boys! Add me to the group of the biggest dummies ever. Turns out I set the "Limit the number of simultaneous users to" to 2. I thought this wouldn't be an issue since I was the only one testing everything. But my laptop and phone must have taken those connections even after I quit the app or turned off the screen... didn't see that one coming smh

 

I was doing some other testing and I was about to add another user to my system and test more. So I disconnected the server from my laptop in preparation, came to my gaming PC and everything started working just fine. I increased the number and all my devices can access the folder shares and everything across the VLANs (all clients on default to NAS) at the same time.

 

I'm a fucking idiot sometimes. But at least I didn't give up! Thank you guys for the suggestions and discussion. @leadeater thank you for suggesting I try to map it again. Without that error message I wouldn't have pushed my brain to think about users.

 

 

1 hour ago, johnt said:

I am not sure how it came to that conclusion lol

So I figured out how it came to that conclusion

Link to comment
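The two things this thread ended up turning on, the share's simultaneous-user limit and the split between share permissions and NTFS permissions, can be checked together on the SMB server. The script below is an added example, not code posted by anyone in the thread; the share name `Media` is a hypothetical placeholder, and it assumes an elevated PowerShell session on the machine hosting the share.

```powershell
# Added example: run elevated on the SMB server.
# 'Media' is a hypothetical share name; substitute your own.
$ShareName = 'Media'
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# 1. Simultaneous-user limit versus current use.
#    A ConcurrentUserLimit of 0 means no limit is configured. Otherwise,
#    as the thread found, connections held by other devices count toward
#    the limit even when nobody is actively using them.
[pscustomobject]@{
    Share               = $share.Name
    Path                = $share.Path
    ConcurrentUserLimit = $share.ConcurrentUserLimit
    CurrentUsers        = $share.CurrentUsers
    AtLimit             = ($share.ConcurrentUserLimit -ne 0 -and
                           $share.CurrentUsers -ge $share.ConcurrentUserLimit)
} | Format-List

# 2. Who is holding sessions on this server, longest idle first.
Get-SmbSession |
    Sort-Object SecondsIdle -Descending |
    Format-Table SessionId, ClientComputerName, ClientUserName, NumOpens, SecondsIdle

# 3. Share-level permissions (what "Advanced Sharing" edits).
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight

# 4. NTFS permissions on the shared folder (the Security tab).
#    Effective access over SMB is the more restrictive of 3 and 4,
#    so a broad share ACL is still gated by these entries.
(Get-Acl -Path $share.Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited

# Remediation, left commented out so the script is read-only by default:
#   Close-SmbSession -SessionId <id from step 2> -Force
#   Set-SmbShare -Name $ShareName -ConcurrentUserLimit 10 -Force
```

`Get-SmbConnection`, mentioned earlier in the thread, is the client-side counterpart: run on the gaming PC, it shows which user name each existing connection to the server is using.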