Puzzling share access behaviour


My NAS of choice is based on the FreeNAS OS (versions 9.10.2-U5 & 11.0), but I also own a ReadyNAS NV+ V2 NAS, which is still in service. I use it to house archive material, which is rarely accessed.

Printing and file services are one of the early tasks I consider when integrating a new client on the network. Having recently installed Windows Vista in a VM, I checked that I could access shares on both FreeNAS and ReadyNAS. Now when I did the same check with Windows XP in a VM, I could access shares on ReadyNAS, but not on FreeNAS. On the FreeNAS server, I would be presented with a dialog box requesting a username and password.


The plot thickens further. If I do the same checks with Windows 95 in a VM, I’m denied access to both FreeNAS and ReadyNAS. A dialog box requesting a password for IPC$ is presented.


Trying various username/password combinations on XP and different passwords on Windows 95 yielded nothing. What’s going on here?! Turns out it has nothing to do with passwords. To start unravelling the puzzle, let’s start by summarising what we know.

Sketch share access

Windows XP and FreeNAS

The Windows (SMB) Shares section of the FreeNAS documentation provided the first clue…

Sketch ntlmv1

I surmised from this that FreeNAS had NTLMv1 disabled, but ReadyNAS had it enabled. That would explain why Win XP couldn’t access FreeNAS shares but could access ReadyNAS shares. What strengthened this theory was this ReadyNAS post from 2012 about ReadyNAS systems available at the time. This Microsoft article also adds weight to the theory. It states that ‘Windows 95 and Windows 98 computers do not support NTLM’. This would explain why the Windows 95 client could not connect to either FreeNAS or ReadyNAS shares.

This bug report confirms the issue and suggests two possible solutions. One solution improves overall network security; the other weakens it. The better solution is to lift XP’s game by forcing it to use NTLMv2 rather than its default NTLMv1. The weaker option is to enable NTLMv1 on FreeNAS.

I tested both options and they work. However, for the latter option, I believe there is a documentation error in FreeNAS. NTLMv1 has to be enabled as a global parameter and not a local parameter. The switch needs to be placed in Auxiliary Parameters under SMB Services.

The screenshot below shows what needs to be altered to get Windows XP to use NTLMv2.

screenshot.27

Windows 95 and FreeNAS

Again, the Windows (SMB) Shares section of the FreeNAS documentation provided some clues…

Sketch lanman

As for Windows XP, these parameters are global rather than local and need to be placed in the Auxiliary Parameters under SMB Services. After restarting SMB services, I still had problems accessing SMB shares from Windows 95. This article provided the answer. The steps specified in the article need to be followed, but the key is to reset the SMB password on FreeNAS. Once I did this, I was able to access FreeNAS shares from Windows 95.

Here is a great article that looks at the relationship between LANMAN, NTLM and SMB.
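The global-versus-share placement described in both the Windows XP and Windows 95 sections can be checked mechanically. The following is an added example, not code from FreeNAS or Samba: it assumes the switches in question are Samba's `ntlm auth` and `lanman auth` parameters (the value `ntlmv1-permitted` is accepted by newer Samba releases), and `audit_smb_conf` and the sample file are constructed for illustration.

```python
import re

# Global-only Samba auth parameters (assumed to be the switches the post means),
# mapped to the values that turn the legacy protocol on.
WEAK_GLOBALS = {
    "ntlmauth": {"yes", "true", "1", "ntlmv1-permitted"},
    "lanmanauth": {"yes", "true", "1"},
}

def audit_smb_conf(text):
    """Return (section, parameter, value, verdict) for each legacy-auth line."""
    findings = []
    section = "global"  # Samba treats lines before the first header as global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        # Samba ignores case and embedded whitespace in parameter names.
        key = re.sub(r"\s+", "", name).lower()
        if key not in WEAK_GLOBALS:
            continue
        if section != "global":
            verdict = "ignored: global-only parameter in a share section"
        elif value.lower() in WEAK_GLOBALS[key]:
            verdict = "weak: legacy authentication enabled"
        else:
            verdict = "ok: legacy authentication disabled"
        findings.append((section, name, value, verdict))
    return findings

# Constructed sample, not taken from any real server.
SAMPLE = """\
[global]
    workgroup = WORKGROUP
    ; lanman auth = yes
    NTLM Auth = Yes
[archive]
    path = /mnt/tank/archive
    lanman auth = yes
"""

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE):
        print(finding)
```

Run against the effective `smb.conf`, a "weak" verdict marks a server that will accept NTLMv1 or LANMAN logins, while an "ignored" verdict marks a switch that was placed in a share section and therefore has no effect.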

Windows 95 and ReadyNAS

As indicated in this post, any of the switches specified above that are added to the ReadyNAS configuration will be overwritten on reboot. Based on this, it is not possible for older Windows clients (pre-NT4.0) to access ReadyNAS shares.

Summary

Having trodden the path less well-travelled, this is a summary of what is considered possible, albeit less secure, when share access is enabled for older clients of Win 9x vintage. I don’t condone the use of LANMAN. It is insecure and should be disabled unless there are compelling reasons to switch it on. The purpose of this post was to explain the puzzling share behaviour initially observed.

Sketch lanman 3

References

  1. Windows (SMB) Shares
  2. NTLMv2 or Kerberos support
  3. Can’t access freenas with Win XP after upgrade
  4. When Windows 9x/ME Samba Access Fails
  5. LANMAN and NTLM: Not as complex as you think!
  6. Need help w/ReadyNAS SAMBA configuration