SMB share cannot be accessed after upgrade

RouterOS General
1

I upgraded my Mikrotik cAP ac to version 7.14.2 yesterday (don’t remember which exact version I had before that). After the upgrade, I noticed that I cannot access the default SMB share /flash/pub, named pub, where I output the active clients list for my home automation script to fetch.

Everything is as before, the share is enabled and user ‘guest’ with password ‘guest’ has read access to the folder. However, trying to log in to \192.168.0.100\pub prompts me with a username and password, but refuses login because "password is incorrect’ even though I know it’s correct and also tested changing it several times.

Is there something I should check that I may have forgotten?

2

I’d start with Mirkotik logs.
https://wiki.mikrotik.com/wiki/Manual:System/Log

There is even a separate category: smb

3

I added smb to topics, but there are no smb-related entries (or anything else to be exact) in the log at all when trying to log in.

I also upgraded my hEX S at the same time, but I don’t think that should affect this issue.

4

Probably related to these SMB changes:

What’s new in 7.14 (2024-Feb-29 09:10):

!) rose-storage - moved SMB service to the RouterOS bundle;
!) smb - removed legacy SMB service (replaced with newer and faster ROSE SMB service, compatible with SMB 2.1, SMB 3.0 and SMB 3.1.1);

5

Try to remove the smb user and add it one more time

6

No luck, still the same issue.

7

Good lord feeling like a total failure today. Tired downgrading mikrotik to 17.3.5 but its not downgrading after reboot. Have you tried downgrading ?

8

Have you read my thread changes in this thread.

http://forum.mikrotik.com/t/cant-connect-smb-in-mikrotik/174932/9

9

Is there any resolution to this issue?

10

I am sorry to say…
Have you tested the beta ?
And is it only Windows the problem exist ?
Windows can be little angry about the smb version, M$ have disable old versions, because of easy hacking issues.
And what I can see my Linux mount, mounts at version 3.1.1 see my another thread.
If you are very kind to Mikrotik you may try to grab some pcaps files so you can see the differences between LInux and Windows. PCAPS = Wireshark, tcpdump dump files. And with Windws what version do you use ???..winver.exe.

11

Post full Export from the device. There is no known issue with SMB

12

This is the export compact output. And as mentioned, the old version had no issues and I have not changed any settings with the new firmware. patrikg also linked his thread with issues earlier, http://forum.mikrotik.com/t/cant-connect-smb-in-mikrotik/174932/9

# 2024-04-17 10:43:41 by RouterOS 7.14.2
# software id = 0VNY-A9XJ
#
# model = RBcAPGi-5acD2nD
# serial number = xxxxxx
/interface bridge
add name=bridge1 port-cost-mode=short
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm \
    group-key-update=1h mode=dynamic-keys name=Olohuone supplicant-identity=\
    "" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm \
    group-key-update=1h mode=dynamic-keys name=Arska_5G supplicant-identity=\
    "" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-b/g/n country=finland disabled=no disconnect-timeout=5s \
    distance=indoors frequency=2447 installation=indoor mode=ap-bridge \
    security-profile=Olohuone ssid=Olohuone wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    amsdu-limit=2048 band=5ghz-n/ac channel-width=20/40mhz-eC country=finland \
    disabled=no disconnect-timeout=5s distance=indoors frequency=5200 \
    installation=indoor mode=ap-bridge security-profile=Arska_5G ssid=\
    Arska_5G wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=guest_pool ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
/ip smb users
add name=guest read-only=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip smb
set comment=MTSMB domain=WORKGROUP enabled=yes
/interface bridge filter
add action=drop chain=input disabled=yes dst-port=68 in-interface=ether1 \
    ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=*B internal-path-cost=10 \
    path-cost=10 pvid=100
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=*C untagged=bridge1 vlan-ids=100
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=*5 \
    network=192.168.88.0
add address=192.168.1.0/24 interface=*C network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=bridge1
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip smb shares
set [ find default=yes ] comment=activelist directory=/flash/pub disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=ether1 type=external
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Helsinki
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=5m name=active_devices on-event="/interface wireless registration\
    -table print file=/flash/pub/activelist.txt" policy=ftp,read,write,test \
    start-date=2023-10-27 start-time=20:34:30
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add dont-require-permissions=no name=active_devices owner=admin policy=\
    ftp,write source="/interface wireless registration-table print file=/flash\
    /pub/activelist.txt"
13

Looks like configuration is mixed up between old and new SMB implementation, something has gone wrong during upgrade. Normally it is not so, for others the upgrade has happened smoothly, but here something went wrong and now two SMB programs want to co-exist. I think the easiest fix is to do a reinstall with RouterOS 7.14.2 and configure SMB again. You can re-apply all the other config from your export via copy/paste, but leave out everything to do with SMB

14

I was finally able to reinstall 7.14.3 using Netinstall, but the same problem still exists.

15

This is rather odd. I tried accessing the device using ftp and it also fails login, but at least it shows that in the log. I have a user named ‘guest’ with set password, but login still fails with that password using Windows ftp or FileZilla.

16

Why do you have /ip pool1 same as pool2? It is not right.
You have one big mix in the IP firewall filter, “Input” and “forward” trafic are not indicated as it should be. In this way, traffic cannot work correctly.
Default configuration is always taken as a basis. Records responsible for incoming traffic are missing.
Example:
Input Chain - this section is responsible for incoming traffic.
Forward chain - this section is responsible for traffic passing through the router.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat { disable or remove if not required }
add action=drop chain=forward comment="drop all else"
17

That was the old config. I started from a clean configuration and this is it now.

/interface bridge
add name=bridge1
/interface wifi channel
add band=2ghz-n disabled=no frequency=2442 name=Olohuone secondary-frequency=\
    2467 skip-dfs-channels=all width=20mhz
add band=5ghz-ac disabled=no frequency=5240 name=Arska_5G \
    secondary-frequency=5280 skip-dfs-channels=all width=20/40mhz-eC
/interface wifi security
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp \
    group-key-update=1h name=Olohuone
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp \
    group-key-update=1h name=Arska_5G
/interface wifi configuration
add channel=Olohuone country=Finland disabled=no mode=ap name=Olohuone \
    security=Olohuone ssid=Olohuone
add channel=Arska_5G country=Finland disabled=no mode=ap name=Arska_5G \
    security=Arska_5G ssid=Arska_5G
/interface wifi
set [ find default-name=wifi1 ] channel=Olohuone configuration=Olohuone \
    configuration.mode=ap .tx-power=40 disabled=no name=wlan1 security=\
    Olohuone security.encryption=ccmp
set [ find default-name=wifi2 ] channel=Arska_5G configuration=Arska_5G \
    configuration.mode=ap .tx-power=40 disabled=no name=wlan2 security=\
    Arska_5G security.encryption=ccmp
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb
set domain=WORKGROUP enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip dhcp-client
add interface=bridge1
/ip dns
set servers=192.168.0.1
/ip service
set ftp address=192.168.0.50/32
/ip smb shares
add directory=/ name=pub read-only=yes valid-users=guest
/system clock
set time-zone-name=Europe/Helsinki
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system scheduler
add interval=5m name=active_devices on-event=\
    "/interface wifi registration-table print file=/activelist.txt" policy=\
    ftp,read,write,test start-date=2023-10-27 start-time=20:34:30
/system script
add dont-require-permissions=no name=active_devices owner=admin policy=\
    ftp,read,write source=\
    "/interface wifi registration-table print file=/activelist.txt"
18

I encounter the same problem. I also tried 7.15 and it doesn’t work either. If I add an accept rule on TCP port 445 I see packets.

19

I went back to 7.12.2 and it still doesn’t work. returning to 7.14.3 I see the device doing an SMB scan but it is not possible to connect

20

Got the same issue after upgrading to 7.14.3. Can’t connect to smb share from windows 10. It was working on version 6 before the upgrade.
Added input, forward and output firewall rules to allow all traffic to all tcp and upd ports (quite excessive, yes) and see the counters.
Still can’t open any of those ports - TCP 137,139,445, UDP 137,138 from my windows computer using telnet and nmap. Tried to re-create users and shares - no luck.
I’ve got RouterOS 7.8 on another mikrotik and SMB share there works perfectly so it’s not something related to my windows pc.

UPD: I’ve found that when I put something in SMB comment field (like “123”) and let it wait for 10-20 seconds then I am able to connect to the share. If I edit comment field and remove everything - it does not work. Tried that several times - remove and put, looks like it is the reason. Now it works.