Cannot access Samba share on Mikrotik

Hello
This is perhaps not the first time someone has asked this question, and I have read previous topics on the matter:
http://forum.mikrotik.com/t/smb-share-cannot-be-accessed-after-upgrade/174870/1
http://forum.mikrotik.com/t/cant-connect-smb-in-mikrotik/174932/1

So, I experience exactly the same issue myself. It happened after I upgraded my Mikrotik hap ac lite from 6.x to 7.x version of RouterOS. My configured Samba share became inaccessible from other devices due to a weird authentication issue. I tried to delete and then recreate the share, the users and reset SMB configuration, but nothing worked. As of now, I can only access my SMB share from Linux (got no Windows devices) using the guest account without password:

# 2024-11-16 20:17:59 by RouterOS 7.17beta5
# software id = XQVJ-2JBV
#
# model = RB952Ui-5ac2nD
# serial number = 71AF087F6C7E
/ip smb users
add name=guest
/ip smb
set comment=WORKGROUP domain=WORKGROUP enabled=yes
/ip smb shares
add comment=sss directory=usb1/pub name=sss

Once I add another user with a password and try to connect to the share, it fails as if the password is wrong (though it is not).

Connecting to the share from Linux seems to be fine with ‘no user’:

$ smbclient -L 192.168.88.1 --no-pass
lpcfg_do_global_parameter: WARNING: The "client plaintext auth" option is deprecated
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sss             Disk      sss
SMB1 disabled -- no workgroup available

If I add a user:

/ip smb users
add name=guest
add comment=at name=at
/ip smb
set comment=WORKGROUP domain=WORKGROUP enabled=yes
/ip smb shares
add comment=sss directory=usb1/pub name=sss valid-users=at

It is still a no-go. Explicitly telling smbclient to authenticate with a designated user always leads to this:

$ smbclient -L 192.168.88.1 -U at
lpcfg_do_global_parameter: WARNING: The "client plaintext auth" option is deprecated
Password for [WORKGROUP\at]:
Bad SMB2 (sign_algo_id=1) signature for message
[0000] CC DE A4 5D 59 0B 5A 81   2D 29 4D 97 06 4F 3F 8D   ...]Y.Z. -)M..O?.
[0000] 6D A4 BB D9 6C 90 15 AA   DC DA AC D0 F0 50 25 9D   m...l... .....P%.
session setup failed: NT_STATUS_ACCESS_DENIED

Worst of all, I am unable to access the share (even as a guest) from macOS computers at all. Trying to connect to smb://192.168.88.1/sss doesn’t even pop up a user/password prompt, it just rejects the connection.
I’m really desperate since my SMB share doesn’t work as expected!
Is there anything left to do?

Well, I looked at the RouterOS log to see what happens when I successfully connect to my share from Linux (192.168.88.10), and this is what I see (my share is now called “cruizer”):

2024-11-17 00:36:22 smb,info connect request user: share:cruizer from ::ffff:192.168.88.10 ok

When I explicitly add another user to cruizer’s valid users, I then cannot connect to the share:

2024-11-17 00:38:10 smb,info connect request user: share:cruizer from ::ffff:192.168.88.10 guest not among valid users of cruizer

So it looks like the Samba server in RouterOS does not detect user names. Is it because the internal Samba users are not properly registered within Samba?

I managed to solve my problem finally.

Hi @zeffanyx,

I am also experiencing problems connecting to a share on hAP ac^2 with ROS 7.16.1. I would be grateful if you could share your solution with me.

Update: 2025/02/12 10:34 My issues with SMB not connecting were resolved in ROS 7.17.2

Same issue. I made 3 pcap files (see attachments) to show the difference between smbclient used from WSL and Windows Explorer:

  1. smbclient - success.pcap - captured from "smbclient -d=3 \\\\router.lan\\disk1 -U guest" with password "guest"; pay attention to:

Session Id: 0x0000000000000001 Acct:guest Domain:WORKGROUP Host:XXXXXX
    [Account: guest]
    [Domain: WORKGROUP]
    [Host: XXXXXX]
....
Lan Manager Response: 000000000000000000000000000000000000000000000000
    Length: 24
    Maxlen: 24
    Offset: 88
....
NTLM Response: 33ab845939872d1c7a8f8b62b098848f0101000000000000366b3f9cd250db01fe2ed2be…
    Length: 234
    Maxlen: 234
    Offset: 112

  2. explorer - failure.pcap - captured using Windows Explorer with plain "guest guest" credentials; pay attention to:

Session Id: 0x0000000000000001 Acct:guest Domain:MicrosoftAccount Host:XXXXXX
    [Account: guest]
    [Domain: MicrosoftAccount]
    [Host: XXXXXX]
    
Lan Manager Response: 286f1623d93be4ac00000000000000000000000000000000
    Length: 24
    Maxlen: 24
    Offset: 142

NTLM Response: 5e5ccfbef415401f1f7ec8ecf930000af8bd5cefd4031628
    Length: 24
    Maxlen: 24
    Offset: 166

  3. explorer - failure2.pcap - captured using Windows Explorer with "WORKGROUP\guest guest" credentials; pay attention to:

Session Id: 0x0000000000000001 Acct:guest Domain:WORKGROUP Host:XXXXXX
    [Account: guest]
    [Domain: WORKGROUP]
    [Host: XXXXXX]
    
Lan Manager Response: ff9116c48f53afa000000000000000000000000000000000
    Length: 24
    Maxlen: 24
    Offset: 128

NTLM Response: b45353cd94fd9e3278da5b2913366fcb9cc3071db96aab42
    Length: 24
    Maxlen: 24
    Offset: 152

As you can see, smbclient sent a long NTLM response, while Explorer was unable to provide such a response even when I used the proper Domain.
Important sidenote - I’m logging into Windows with my Microsoft account. Also, to make the Mikrotik share appear under Network in Windows, I changed Domain to Workgroup:

/ip smb
set domain=Workgroup enabled=yes interfaces=bridge

But I cannot access it via ‘Mikrotik’, only via ‘router.lan’:

/system identity print
  name: MikroTik

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

MT SMB issue.zip (3.1 KB)

Okay, finally I figured it out. Hopefully it will help others. So, when you continuously receive login\password dialogs on Windows, OR you receive System error 86 when adding a network share from the command line like this:

>net use * /delete
There are no entries in the list.

>net use X: \\router.lan\Disk1
Enter the user name for 'router.lan': guest
Enter the password for router.lan:
System error 86 has occurred.

The specified network password is not correct.

you should open Local Security Policy, go to Local Policies → Security Options → Network security: LAN Manager authentication level and check your setting. If it is one of (I personally had the 2nd one):

  • Send LM & NTLM responses
  • Send LM & NTLM - use NTLMv2 session security if negotiated
  • Send NTLM response only

IT WILL NOT WORK!

You should change it to one of (I personally used the 1st one):

  • Send NTLMv2 response only
  • Send NTLMv2 response only. Refuse LM
  • Send NTLMv2 response only. Refuse LM & NTLM

So in the end it should look like:

image_2024-12-20_002252162.png

You will find a detailed description of all the options in the Explain tab of the window. I read that different Windows installations can have different default values, especially OEM ones where the vendor tried to ‘help’ with the most appropriate value.

What is NOT necessary or optional:

  1. Having a user with the same name\password as on the router - not needed at all.
  2. Changing the Mikrotik SMB setting Domain from MSHOME to Workgroup - optional. I found that by default Vista (and newer) is configured as Workgroup and XP is configured as MSHOME.

Useful tip - use nbtstat /rr to refresh and reload NetBIOS names; another useful option is /n.

Hopefully this info will save you several nights and a lot of hair.
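
Added example, not part of any post in the thread: the captures above differ in the NTLM response carried by the NTLMSSP AUTHENTICATE message (24 bytes from Explorer, 234 bytes from smbclient), which is the NTLMv1 versus NTLMv2 distinction that the LAN Manager authentication level setting controls. This Python sketch reads the same Length/Maxlen/Offset descriptors and names the response type; the function names and sample messages are constructed for illustration, and it assumes Unicode strings in the message.

```python
import struct

SIG = b"NTLMSSP\x00"
ESS = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Follow a Length/Maxlen/Offset descriptor (as shown in the captures)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("descriptor points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Report which NTLM response type an AUTHENTICATE (type 3) message carries."""
    if len(msg) < 64 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        kind = "NTLMv2"  # 16-byte proof followed by a blob starting 01 01
    elif len(nt) == 24 and flags & ESS and lm[8:] == bytes(16):
        kind = "NTLMv1 with extended session security"
    elif len(nt) == 24:
        kind = "NTLMv1"
    else:
        kind = "none/unknown"
    return {
        "domain": _field(msg, 28).decode("utf-16-le"),  # assumes Unicode strings
        "user": _field(msg, 36).decode("utf-16-le"),
        "kind": kind,
        "nt_len": len(nt),
    }

def build_sample(domain, user, lm, nt, flags):
    """Constructed test input: 64-byte header (no Version/MIC), then payload."""
    parts = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    header, payload = SIG + struct.pack("<I", 3), b""
    for part in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    return header + struct.pack("<I", flags) + payload

# Constructed response bytes (not taken from the pcaps in the thread).
NT_V2 = bytes(16) + b"\x01\x01" + bytes(26)
LM_ESS = bytes(range(1, 9)) + bytes(16)

if __name__ == "__main__":
    for m in (build_sample("WORKGROUP", "guest", bytes(24), NT_V2, 1),
              build_sample("MicrosoftAccount", "guest", LM_ESS, bytes(range(24)), ESS | 1)):
        print(classify_authenticate(m))
```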