How to access SMB/CIFS Share of my Windows 11 bhyve VM from FreeBSD

[ZioMario]

Hello.

I'm trying to access the SMB/CIFS share of my Windows 11 bhyve VM from FreeBSD (13R-p8) ; I've configured everything from scratch following these two good tutorials :

Samba fileserver on FreeBSD (Update FreeBSD 12) - davd.io

While building my new NAS, I came across the question how to install a fileserver based on Samba on FreeBSD. Here's how...

www.davd.io

SMB/CIFS on FreeBSD

If you use FreeBSD/Illumos/Linux (or other UNIX/Unix-like system) there is big chance that you do not like – to say the least – the Windows world, but sometimes there is need to share s…

vermaden.wordpress.com

as follows below. It almost works on both sides. Only a "little" problem persists for me,I'm not able to connect using the password that I have configured in Windows 11,but it works without it. But,for sure I can't share my resources without protecting them using a password.

/etc/sysctl.conf


kern.maxfiles=25600

kern.maxfilesperproc=16384

net.inet.tcp.sendspace=65536

net.inet.tcp.recvspace=65536


/boot/loader.conf:


aio_load="YES"


nano /etc/rc.conf


hostname="marietto"

ifconfig_em0="DHCP"

samba_server_enable="YES"


# pkg install samba412


gedit /usr/local/etc/smb4.conf


[global]

workgroup          = workgroup

netbios name       = marietto

server string      = samba

security           = user

max smbd processes = 3

encrypt passwords  = yes

socket options     = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536

aio read size      = 16384

aio write size     = 16384

strict locking     = no

strict sync        = no


# DISABLE PRINTING

load printers           = no

disable spoolss         = yes

show add printer wizard = no


[marietto mnt folder]

  path       = /mnt

  public     = yes

  writable   = yes

  browsable  = yes

  write list = marietto


[marietto home folder]

  path       = /home/marietto

  public     = yes

  writable   = yes

  browsable  = yes

  write list = @marietto


# id marietto

uid=1001(marietto) gid=1001(marietto) groups=1001(marietto),0(wheel),5(operator),44(video),145(webcamd),920(vboxusers),602(_pkcs11)


# which pdbedit

/usr/local/bin/pdbedit


# pkg which `which pdbedit`

/usr/local/bin/pdbedit was installed by package samba412-4.12.15_4


# pdbedit -a -u marietto


Unix username:        marietto

NT username:       

Account Flags:        [U          ]

User SID:             S-1-5-21-4245300636-4074870798-1088442022-1000

Primary Group SID:    S-1-5-21-4245300636-4074870798-1088442022-513

Full Name:            marietto

Home Directory:       \\marietto\marietto

HomeDir Drive:     

Logon Script:       

Profile Path:         \\marietto\marietto\profile

Domain:               MARIETTO

Account desc:       

Workstations:       

Munged dial:       

Logon time:           0

Logoff time:          9223372036854775807 seconds since the Epoch

Kickoff time:         9223372036854775807 seconds since the Epoch

Password last set:    Wed, 20 Apr 2022 15:00:20 CEST

Password can change:  Wed, 20 Apr 2022 15:00:20 CEST

Password must change: never

Last bad password   : 0

Bad password count  : 0

Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


# pdbedit -L

marietto:1001:marietto

on FreeBSD :

# mount_smbfs -I 192.168.1.6 //Marietto-window/c /mnt/windows-drive-c

# mount_smbfs -I 192.168.1.6 //Marietto-window/g /mnt/windows-drive-g

# mount_smbfs -I 192.168.1.6 //Marietto-window/h /mnt/windows-drive-h


mount_smbfs: unable to open connection: syserr = Authentication error

I tried with the current marietto/admin password and with the password configured on :

Control Panel /

All Control Panel Items /

Credential Manager /

Windows Credentials /

marietto

I can access the Windows shared drive from FreeBSD if I disable the password on :

Control Panel /

All Control Panel Items /

Network and Sharing Center /

Advanced sharing settings /

Password protected sharing /

Turn off password protected sharing

I'm not sure if the problem is in some bad FreeBSD or Windows setting.

 

[SirDice]

mount_smbfs(8) only supports SMBv1. That's been switched off on Windows. And I do not recommend turning it back on.

 mount_smbfs offers	support	for SMB/CIFS/SMB1.  It does not	support	newer
     versions of the protocol like SMB2	and SMB3.  SMB2	and SMB3 are supported
     by	software available in the ports(7) collection.

SMBv1 is not installed by default in Windows 10 version 1709, Windows Server version 1709 and later versions

Discusses the behavior of the SMBv1 protocol in Windows 10 Fall Creators Update and Windows Server, version 1709 and later versions.

docs.microsoft.com

 

[ZioMario]

I have activated SMBv1 as a test and it still can't accept the password :

 

[ZioMario]

It is activated,so the password should be accepted by samba on FreeBSD. Right ?

# Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

FeatureName      : SMB1Protocol
DisplayName      : SMB 1.0/CIFS File Sharing Support
Description      : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
RestartRequired  : Possible
State            : Enabled
CustomProperties :
                   ServerComponent\Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer
                   Browser protocol.
                   ServerComponent\DisplayName : SMB 1.0/CIFS File Sharing Support
                   ServerComponent\Id : 487
                   ServerComponent\Type : Feature
                   ServerComponent\UniqueName : FS-SMB1
                   ServerComponent\Deploys\Update\Name : SMB1Protocol

 

[Sub4sub]

On FreeBSD:

mount_smbfs -N -I 10.1.1.1//computer@dysk/src /usr/home/username/samba

or

mount_smbfs -N -I 10.1.1.1//computer@dysk/src /home/username/samba

10.1.1.1 - Adres IP of Host.
computer - Probably name of host
@
@dysk - I dont remember. Perhabs it is Server String or Netbios Name,
/src - name of shared folder from smb4.conf.

[global]
workgroup = WORKGROUP
server string = Dysk
netbios name = Dysk
interfaces = ue0 10.1.1.0/24
hosts allow = 10.1.1.0/24
map to guest = Bad User
#wins support = Yes
#security = user
#passdb backend = tdbsam

[src]
path = /pathtoshared/folder
writable  = yes
browsable = yes
read only = no
guest ok = yes
public = yes
create mask = 777
directory mask = 777

Samba is a potential attack threat from the local network.

 

[ZioMario]

No,man,I'm trying to do the opposite way :

mount_smbfs -I 192.168.1.6 //Marietto-window/h /mnt/windows-drive-h

where :

192.168.1.6 : ip of guest os (windows 11 bhyve)
//Marietto-window/h : is the path of the remote shared disk on the guest
/mnt/windows-drive-h : is the folder where the remote shared disk should be mounted.

everything is correct here because I'm able to connect from freebsd to the remote / windows 11 / bhyve shared disk,but only if I disable the password on :

Control Panel /

All Control Panel Items /

Network and Sharing Center /

Advanced sharing settings /

Password protected sharing /

Turn off password protected sharing

and now I have even ascertained that on Windows is activated the right samba protocol : SMB1Protocol. So,ok,I'm groping in the dark.

 

[ZioMario]

Do you mean,while I'm on Windows and I try to access the drives that I have shared on FreeBSD ? it works :

 

[Sub4sub]

You want to flip files between FreeBSD and Windows11 using SAMBA? And both systems are on one physical computer?

 

[ZioMario]

In bhyve I have mounted two drives formatted with NTFS using Windows 11 as OS,because it is safe. I can't do this directly on FreeBSD,because its driver is not working well,so the data could be corrupted. So,I want to access the data that are mounted on those disks inside Windows 11 directly on FreeBSD,using SAMBA,yes. I find it very comfortable to do this way. Yes,FreeBSD and Windows are on the same computer and LAN. Windows has IP = 192.168.1.6 and FreeBSD 192.168.1.3.

 

[Sub4sub]

What if, make, FreeBSD/bhyve as the router that will assign the local address for Windows?

 

[astyle]

In that case, I'd think you might want to look at how win11 'shares' its folders. I vaguely recall that it's got some weird permissions system that doesn't play very nice with everyone else. As in, even if you share a folder from win11, that doesn't mean that other hosts can 'see' it.

 

[ZioMario]

I did more experimentation. I've disabled samba on FreeBSD and I've used two bhyve vms,on the first one there is installed Ubuntu and on the second one,Windows 11. I haven't modified anything on the latter. On the Ubuntu VM I have installed the following packages :

apt-get install cifs-utils samba-common samba winbind smbclient

I've discovered what are the right parameters on LINUX to be able to mount the same shared Windows resource that yesterday didn't mount because the password was rejected on FreeBSD:

# sudo mount -t cifs //192.168.1.4/g /mnt/windows-drive-g -o user=marietto,vers=1.0 --verbose


Password for marietto@//192.168.1.4/g:


mount.cifs kernel mount options: ip=192.168.1.4,unc=\\192.168.1.4\g,vers=1.0,user=marietto,pass=********

So,I presume that on FreeBSD my password is rejected because I don't use the parameter cifs in conjunction with mount_smbfs -I 192.168.1.6 //Marietto-window/g /mnt/windows-drive-g

but is this possible ? Or,maybe,I should use another tool "cifs" compatible. Or,maybe //Marietto-window/g becomes g. Let's see.

 

[astyle]

I did more experimentation. I've used two bhyve vms,on the first one there is installed Ubuntu and on the second one,Windows 11. I haven't modified anything on the latter. On the Ubuntu VM I have installed the following packages :

apt-get install cifs-utils samba-common samba winbind smbclient

I've discovered what are the right parameters on LINUX to be able to mount the same shared Windows resource that yesterday didn't mount because the password was rejected on FreeBSD:

# sudo mount -t cifs //192.168.1.4/g /mnt/windows-drive-g -o user=marietto,vers=1.0 --verbose


Password for marietto@//192.168.1.4/g:


mount.cifs kernel mount options: ip=192.168.1.4,unc=\\192.168.1.4\g,vers=1.0,user=marietto,pass=********

So,I presume that on FreeBSD my password is rejected because I don't use the parameter cifs in conjunction with mount_smbfs -I 192.168.1.6 //Marietto-window/h /mnt/windows-drive-h

but is this possible ? Or,maybe,I should use another tool "cifs" compatible.

I imagine that your results should be a hint to study the manpage for the FreeBSD version of mount_smbfs(8)... and find similar options there.

 

[SirDice]

CIFS is just a dialect of the SMB protocol. It's used pretty much interchangeably nowadays, so CIFS and SMB are the same thing. You're not going to find an equivalent vers= parameter because mount_smbfs(8) only supports SMBv1 (in other words, vers=1.0).

And for goodness sake turn off SMBv1 on your Windows machine. There's a LOT of ransomware that abuses the bugs that are inherent to SMBv1 (that's also the reason why Microsoft turned this off completely).

Stop using SMB1 | Microsoft Community Hub

First published on TECHNET on Sep 16, 2016 Hi folks, Ned here again and today’s topic is short and sweet: Stop using SMB1.

techcommunity.microsoft.com

 

[ZioMario]

ok. this works :

# mount_smbfs -I 192.168.1.4 -U marietto //Marietto-window/h /mnt/windows-drive-h

now I can try to secure this v.1 samba connection. If I will find troubles by doing this, I will start another thread. This has been solved.

 

[ct85711]

Just add a small side note in regards to smb1; it seems MS is in the process of totally removing (instead of just disabling, fully ripping all the dlls/files completely out for smb1) in the near relative future. So even if you want, to use smb1; you have a limited time before you are forced to move on.

SMB1 now disabled by default for Windows 11 Home Insiders builds

 

[ZioMario]

Just add a small side note in regards to smb1; it seems MS is in the process of totally removing (instead of just disabling, fully ripping all the dlls/files completely out for smb1) in the near relative future. So even if you want, to use smb1; you have a limited time before you are forced to move on.

SMB1 now disabled by default for Windows 11 Home Insiders builds

what's the alternative if mount_smbfs supports only samba 1 ? and anyway,I'm trying to secure it,can u give a look at this thread ? thanks.

Mounting a Windows shared disk inside a Windows 11 bhyve VM on FreeBSD as host OS over SSH.

Hello. I'm again here to learn how to make a secure samba v.1 connection. Goal : to be able to mount a Windows share (configured inside a Windows 11 bhyve-VM) on a single remote host OS (FreeBSD) over SSH. Take in consideration that mount_smbfs(8) on FreeBSD only supports SMBv1.mount_smbfs(8)...

forums.freebsd.org

 

[ZioMario]

Here he said that smb 3 works on Freebsd 12. So,did it stop working on 13 ? I'm reading well ?

Samba v3.x availability

I'm probably on to a bit of a loser here, but I figured I'd ask anyway. Is there still any sensible means of getting Samba v3.x for FreeBSD? I know it's ancient but I've periodically tried to get Samba v4.x working over the past couple of years or so and never succeeded. Now I'm in the...

forums.FreeBSD.org

 

[ZioMario]

VladiBG : it seems that FreeBSD 12.0 and samba48 supports SMBv3 and AES-128-CMAC. On FreeBSD 13 I have installed samba 412,that should be a version newer than 48,so,what ? A newer version of samba works worst than the older ? I don't understand what's the real situation because I see two contradictory information.

 

[VladiBG]

A newer version of samba works worst than the older ?

Why do you think so?

You can easy check the changelog of the Samba to see what's new.

 

[ZioMario]

I don't understand well where samba server has been installed on this scenario. I can tell you that if it is installed on Windows 11 and on FreeBSD 13 has been installed samba412,it will not work if it is used mount_smbfs(8) like this :

# mount_smbfs -I 192.168.1.4 -U marietto //Marietto-window/h /mnt/windows-drive-h

 

[SirDice]

mount_smbfs(8) is part of the base OS, not Samba. Installing Samba isn't magically going to make mount_smbfs(8) support anything other than SMBv1.

 

[ZioMario]

This does not change anything if it is true that FreeBSD 12.0 and samba48 supports SMBv3 and AES-128-CMAC and FreeBSD 13.0 and samba412 does not. If it is true,it is a regression. I mean that with a previous version of FreeBSD it worked better than with a newer one. Does it sound good for you ?

 

[SirDice]

This does not change anything if it is true that FreeBSD 12.0 and samba48 supports SMBv3 and AES-128-CMAC and FreeBSD 13.0 and samba412 does not.

You're totally misunderstanding the issue. Samba supports SMBv2 and SMBv3, and has done so for quite some time. FreeBSD has nothing to do with it. In any case, even on FreeBSD 12.0 mount_smbfs(8) only supports SMBv1. Again, mount_smbfs(8) has NOTHING to do with Samba.

 

[ZioMario]

No sorry. I don't understand where is the broken part,if in samba and-or in freebsd 13. In any case,it seems to me that the two situations can be compared,according with the VladiBG statement :

This is the absolute minimum howto install samba 48 to work with Windows 10 SMBv3 and AES-128-CMAC on FreeBSD 12.0

this sound to me as : with freebsd 12 and samba 48 I can use SMBv3 and AES-128-CMAC. I assume that he assumed that he wanted to install the samba server on Windows and he wanted to use the executable mount_smbfs on FreeBSD. This is what I'm trying also to do,but with FreeBSD 13. But at this point Im not sure that we wanted to do the same as me.