OracleLinux 7.3 - Samba 4.6.2 - NT_STATUS_ACCESS_DENIEDWindows PCs being asked for password after CentOS 7.4/Samba 4.6.2 upgrade?Samba configuration for public sharesSAMBA 4.1.6 create public shareSamba 4.1.17-Debian Access denied to fileshareSamba DC - NT_STATUS_OBJECT_NAME_NOT_FOUNDCannot Connect to AD Joined Samba Share on RHEL 7.3 from WindowsWindows PCs being asked for password after CentOS 7.4/Samba 4.6.2 upgrade?Trust between NT4 samba domain and AD samba domain: which direction?Centos7 Samba can't write subdirectories via GVFSSamba permission confusionSamba & AutoFS Hide shares
How can I get a job without pushing my family's income into a higher tax bracket?
Answer "Justification for travel support" in conference registration form
Is this homebrew life-stealing melee cantrip unbalanced?
How to give very negative feedback gracefully?
For a benzene shown in a skeletal structure, what does a substituent to the center of the ring mean?
Is Cola "probably the best-known" Latin word in the world? If not, which might it be?
What happens if I start too many background jobs?
Pressure inside an infinite ocean?
A non-technological, repeating, phenomenon in the sky, holding its position in the sky for hours
How can I close a gap between my fence and my neighbor's that's on his side of the property line?
What happens to the Time Stone
If Earth is tilted, why is Polaris always above the same spot?
What are the spoon bit of a spoon and fork bit of a fork called?
Does this article imply that Turing-Computability is not the same as "effectively computable"?
Should I replace my bicycle tires if they have not been inflated in multiple years
Moving the subject of the sentence into a dangling participle
Is there a legal ground for stripping the UK of its UN Veto if Scotland and/or N.Ireland split from the UK?
Is induction neccessary for proving that every injective mapping of a finite set into itself is a mapping onto itself?
Upside-Down Pyramid Addition...REVERSED!
Point of the the Dothraki's attack in GoT S8E3?
Short story with physics professor who "brings back the dead" (Asimov or Bradbury?)
If 1. e4 c6 is considered as a sound defense for black, why is 1. c3 so rare?
SQL Server Management Studio SSMS 18.0 General Availability release (GA) install fails
Am I getting DDOS from crawlers?
OracleLinux 7.3 - Samba 4.6.2 - NT_STATUS_ACCESS_DENIED
Windows PCs being asked for password after CentOS 7.4/Samba 4.6.2 upgrade?Samba configuration for public sharesSAMBA 4.1.6 create public shareSamba 4.1.17-Debian Access denied to fileshareSamba DC - NT_STATUS_OBJECT_NAME_NOT_FOUNDCannot Connect to AD Joined Samba Share on RHEL 7.3 from WindowsWindows PCs being asked for password after CentOS 7.4/Samba 4.6.2 upgrade?Trust between NT4 samba domain and AD samba domain: which direction?Centos7 Samba can't write subdirectories via GVFSSamba permission confusionSamba & AutoFS Hide shares
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have ran into an issue with SAMBA during a recent server build. Below is a configuration I have used many times without issues.
Samba Configuration - (Anonymous is commented out but works fine when enabled)
[global]
workgroup = SAMBA
security = user
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/%m
log level = 1
#[Anonymous]
#comment = Anonymous File Server Share
#path = /tmp
#browsable =yes
#writable = yes
#guest ok = yes
#read only = no
[hes]
comment = stuff
path = /u01/app2
valid users = hesowner, oracle
writable = yes
browsable = yes
printable = no
invalid users = None
Testing shares local with smbclient works just fine.
[root@test1 ~]# smbclient -U hesowner //test1/hes
Enter SAMBAhesowner's password:
Domain=[TEST1] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: > ls
. D 0 Tue Aug 29 14:39:32 2017
.. D 0 Tue Aug 29 14:33:15 2017
reports D 0 Tue Aug 29 14:33:15 2017
forms D 0 Tue Aug 29 14:33:53 2017
eis_ws_approvals D 0 Tue Aug 29 14:45:20 2017
52403200 blocks of size 1024. 36431144 blocks available
smb: >
So the problem is in Windows10 Pro when trying to access the share via \test1hes I just get a prompt for user/pass repeatedly and cannot access the share.
Here is the logs...
[2017/09/07 11:54:20.051608, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.125265, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.161800, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.161824, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.237828, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.237851, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
I see it is mentioning "guest user" which is odd. Nothing works when removing "map to guest = Bad User"
I'm at a complete loss...
Thanks for the help.
samba4
asked Sep 7 '17 at 16:21
xguruxguru
13316
add a comment |
I have ran into an issue with SAMBA during a recent server build. Below is a configuration I have used many times without issues.
Samba Configuration - (Anonymous is commented out but works fine when enabled)
[global]
workgroup = SAMBA
security = user
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/%m
log level = 1
#[Anonymous]
#comment = Anonymous File Server Share
#path = /tmp
#browsable =yes
#writable = yes
#guest ok = yes
#read only = no
[hes]
comment = stuff
path = /u01/app2
valid users = hesowner, oracle
writable = yes
browsable = yes
printable = no
invalid users = None
Testing shares local with smbclient works just fine.
[root@test1 ~]# smbclient -U hesowner //test1/hes
Enter SAMBAhesowner's password:
Domain=[TEST1] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: > ls
. D 0 Tue Aug 29 14:39:32 2017
.. D 0 Tue Aug 29 14:33:15 2017
reports D 0 Tue Aug 29 14:33:15 2017
forms D 0 Tue Aug 29 14:33:53 2017
eis_ws_approvals D 0 Tue Aug 29 14:45:20 2017
52403200 blocks of size 1024. 36431144 blocks available
smb: >
So the problem is in Windows10 Pro when trying to access the share via \test1hes I just get a prompt for user/pass repeatedly and cannot access the share.
Here is the logs...
[2017/09/07 11:54:20.051608, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.125265, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.161800, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.161824, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.237828, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.237851, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
I see it is mentioning "guest user" which is odd. Nothing works when removing "map to guest = Bad User"
I'm at a complete loss...
Thanks for the help.
samba4
asked Sep 7 '17 at 16:21
xguruxguru
13316
With the upgrade of Samba 4.6.2 I had the same problem. I fixed it doing this: https://serverfault.com/questions/875250/windows-pcs-being-asked-for-password-after-centos-7-4-samba-4-6-2-upgrade
– Edward_178118
Sep 25 '17 at 17:51
add a comment |
I have ran into an issue with SAMBA during a recent server build. Below is a configuration I have used many times without issues.
Samba Configuration - (Anonymous is commented out but works fine when enabled)
[global]
workgroup = SAMBA
security = user
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/%m
log level = 1
#[Anonymous]
#comment = Anonymous File Server Share
#path = /tmp
#browsable =yes
#writable = yes
#guest ok = yes
#read only = no
[hes]
comment = stuff
path = /u01/app2
valid users = hesowner, oracle
writable = yes
browsable = yes
printable = no
invalid users = None
Testing shares local with smbclient works just fine.
[root@test1 ~]# smbclient -U hesowner //test1/hes
Enter SAMBAhesowner's password:
Domain=[TEST1] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: > ls
. D 0 Tue Aug 29 14:39:32 2017
.. D 0 Tue Aug 29 14:33:15 2017
reports D 0 Tue Aug 29 14:33:15 2017
forms D 0 Tue Aug 29 14:33:53 2017
eis_ws_approvals D 0 Tue Aug 29 14:45:20 2017
52403200 blocks of size 1024. 36431144 blocks available
smb: >
So the problem is in Windows10 Pro when trying to access the share via \test1hes I just get a prompt for user/pass repeatedly and cannot access the share.
Here is the logs...
[2017/09/07 11:54:20.051608, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.125265, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.161800, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.161824, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.237828, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.237851, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
I see it is mentioning "guest user" which is odd. Nothing works when removing "map to guest = Bad User"
I'm at a complete loss...
Thanks for the help.
samba4
asked Sep 7 '17 at 16:21
xguruxguru
13316
I have ran into an issue with SAMBA during a recent server build. Below is a configuration I have used many times without issues.
Samba Configuration - (Anonymous is commented out but works fine when enabled)
[global]
workgroup = SAMBA
security = user
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/%m
log level = 1
#[Anonymous]
#comment = Anonymous File Server Share
#path = /tmp
#browsable =yes
#writable = yes
#guest ok = yes
#read only = no
[hes]
comment = stuff
path = /u01/app2
valid users = hesowner, oracle
writable = yes
browsable = yes
printable = no
invalid users = None
Testing shares local with smbclient works just fine.
[root@test1 ~]# smbclient -U hesowner //test1/hes
Enter SAMBAhesowner's password:
Domain=[TEST1] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: > ls
. D 0 Tue Aug 29 14:39:32 2017
.. D 0 Tue Aug 29 14:33:15 2017
reports D 0 Tue Aug 29 14:33:15 2017
forms D 0 Tue Aug 29 14:33:53 2017
eis_ws_approvals D 0 Tue Aug 29 14:45:20 2017
52403200 blocks of size 1024. 36431144 blocks available
smb: >
So the problem is in Windows10 Pro when trying to access the share via \test1hes I just get a prompt for user/pass repeatedly and cannot access the share.
Here is the logs...
[2017/09/07 11:54:20.051608, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.125265, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.161800, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.161824, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.237828, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.237851, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
I see it is mentioning "guest user" which is odd. Nothing works when removing "map to guest = Bad User"
I'm at a complete loss...
Thanks for the help.
samba4
samba4
asked Sep 7 '17 at 16:21
xguruxguru
13316
asked Sep 7 '17 at 16:21
xguruxguru
13316
asked Sep 7 '17 at 16:21
xguruxguru
13316
asked Sep 7 '17 at 16:21
xguruxguru
13316
asked Sep 7 '17 at 16:21
xguruxguru
13316
13316
With the upgrade of Samba 4.6.2 I had the same problem. I fixed it doing this: https://serverfault.com/questions/875250/windows-pcs-being-asked-for-password-after-centos-7-4-samba-4-6-2-upgrade
– Edward_178118
Sep 25 '17 at 17:51
add a comment |
With the upgrade of Samba 4.6.2 I had the same problem. I fixed it doing this: https://serverfault.com/questions/875250/windows-pcs-being-asked-for-password-after-centos-7-4-samba-4-6-2-upgrade
– Edward_178118
Sep 25 '17 at 17:51
With the upgrade of Samba 4.6.2 I had the same problem. I fixed it doing this: https://serverfault.com/questions/875250/windows-pcs-being-asked-for-password-after-centos-7-4-samba-4-6-2-upgrade
– Edward_178118
Sep 25 '17 at 17:51
With the upgrade of Samba 4.6.2 I had the same problem. I fixed it doing this: https://serverfault.com/questions/875250/windows-pcs-being-asked-for-password-after-centos-7-4-samba-4-6-2-upgrade
– Edward_178118
Sep 25 '17 at 17:51
add a comment |
2 Answers
2
active
oldest
votes
if anyone else runs into this problem, my solution was to adjust the security policies on the Windows client.
Run > Secpol.msc
then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Otherwise you can edit SAMABA instead.
Add the below line to the global section of the smb.conf file.
ntlm auth = yes
Did not resolve myself. Found the solution here.
answered Sep 7 '17 at 19:35
xguruxguru
13316
add a comment |
I wouldn't recommend enabling legacy protocols, like NTLM. This works in a Win7 environment (which supports SMB2.10 only) on Ubuntu 14/samba-4.3.11 Active Directory. It also sets a "natural" barrier to the lower Windows versions being able to connect to any share.
$ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
A configuration optimization and consolidation could be make, for sure - ensure you've enabled the highest possible SMB version support:
$ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
Some related output from the production environment:
$smbstatus | grep -E "SMB|NTLM|^PID|--1,"
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
11724 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
4834 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
1512 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
21140 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
26057 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
1513 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
11351 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
11464 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
5056 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
1511 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10
...and the lab one Centos7/samba-4.4.4 Active Directlry. You should be able to use encryption with your version of SAMBA and Win10, make sure the parameter smb encrypt is configured appropriately for mixed SMB2/3 environment.
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
10884 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:4867) SMB2_10 - HMAC-SHA256
answered Sep 8 '17 at 2:41
bofhbofh
212
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f872538%2foraclelinux-7-3-samba-4-6-2-nt-status-access-denied%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
if anyone else runs into this problem, my solution was to adjust the security policies on the Windows client.
Run > Secpol.msc
then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Otherwise you can edit SAMABA instead.
Add the below line to the global section of the smb.conf file.
ntlm auth = yes
Did not resolve myself. Found the solution here.
answered Sep 7 '17 at 19:35
xguruxguru
13316
add a comment |
if anyone else runs into this problem, my solution was to adjust the security policies on the Windows client.
Run > Secpol.msc
then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Otherwise you can edit SAMABA instead.
Add the below line to the global section of the smb.conf file.
ntlm auth = yes
Did not resolve myself. Found the solution here.
answered Sep 7 '17 at 19:35
xguruxguru
13316
add a comment |
if anyone else runs into this problem, my solution was to adjust the security policies on the Windows client.
Run > Secpol.msc
then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Otherwise you can edit SAMABA instead.
Add the below line to the global section of the smb.conf file.
ntlm auth = yes
Did not resolve myself. Found the solution here.
answered Sep 7 '17 at 19:35
xguruxguru
13316
if anyone else runs into this problem, my solution was to adjust the security policies on the Windows client.
Run > Secpol.msc
then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Otherwise you can edit SAMABA instead.
Add the below line to the global section of the smb.conf file.
ntlm auth = yes
Did not resolve myself. Found the solution here.
answered Sep 7 '17 at 19:35
xguruxguru
13316
answered Sep 7 '17 at 19:35
xguruxguru
13316
answered Sep 7 '17 at 19:35
xguruxguru
13316
answered Sep 7 '17 at 19:35
xguruxguru
13316
13316
add a comment |
add a comment |
I wouldn't recommend enabling legacy protocols, like NTLM. This works in a Win7 environment (which supports SMB2.10 only) on Ubuntu 14/samba-4.3.11 Active Directory. It also sets a "natural" barrier to the lower Windows versions being able to connect to any share.
$ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
A configuration optimization and consolidation could be make, for sure - ensure you've enabled the highest possible SMB version support:
$ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
Some related output from the production environment:
$smbstatus | grep -E "SMB|NTLM|^PID|--1,"
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
11724 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
4834 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
1512 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
21140 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
26057 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
1513 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
11351 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
11464 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
5056 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
1511 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10
...and the lab one Centos7/samba-4.4.4 Active Directlry. You should be able to use encryption with your version of SAMBA and Win10, make sure the parameter smb encrypt is configured appropriately for mixed SMB2/3 environment.
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
10884 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:4867) SMB2_10 - HMAC-SHA256
answered Sep 8 '17 at 2:41
bofhbofh
212
add a comment |
I wouldn't recommend enabling legacy protocols, like NTLM. This works in a Win7 environment (which supports SMB2.10 only) on Ubuntu 14/samba-4.3.11 Active Directory. It also sets a "natural" barrier to the lower Windows versions being able to connect to any share.
$ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
A configuration optimization and consolidation could be make, for sure - ensure you've enabled the highest possible SMB version support:
$ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
Some related output from the production environment:
$smbstatus | grep -E "SMB|NTLM|^PID|--1,"
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
11724 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
4834 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
1512 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
21140 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
26057 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
1513 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
11351 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
11464 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
5056 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
1511 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10
...and the lab one Centos7/samba-4.4.4 Active Directlry. You should be able to use encryption with your version of SAMBA and Win10, make sure the parameter smb encrypt is configured appropriately for mixed SMB2/3 environment.
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
10884 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:4867) SMB2_10 - HMAC-SHA256
answered Sep 8 '17 at 2:41
bofhbofh
212
add a comment |
I wouldn't recommend enabling legacy protocols, like NTLM. This works in a Win7 environment (which supports SMB2.10 only) on Ubuntu 14/samba-4.3.11 Active Directory. It also sets a "natural" barrier to the lower Windows versions being able to connect to any share.
$ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
A configuration optimization and consolidation could be make, for sure - ensure you've enabled the highest possible SMB version support:
$ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
Some related output from the production environment:
$smbstatus | grep -E "SMB|NTLM|^PID|--1,"
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
11724 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
4834 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
1512 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
21140 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
26057 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
1513 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
11351 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
11464 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
5056 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
1511 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10
...and the lab one Centos7/samba-4.4.4 Active Directlry. You should be able to use encryption with your version of SAMBA and Win10, make sure the parameter smb encrypt is configured appropriately for mixed SMB2/3 environment.
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
10884 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:4867) SMB2_10 - HMAC-SHA256
answered Sep 8 '17 at 2:41
bofhbofh
212
I wouldn't recommend enabling legacy protocols, like NTLM. This works in a Win7 environment (which supports SMB2.10 only) on Ubuntu 14/samba-4.3.11 Active Directory. It also sets a "natural" barrier to the lower Windows versions being able to connect to any share.
$ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
A configuration optimization and consolidation could be make, for sure - ensure you've enabled the highest possible SMB version support:
$ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
Some related output from the production environment:
$smbstatus | grep -E "SMB|NTLM|^PID|--1,"
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
11724 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
4834 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
1512 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
21140 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
26057 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
1513 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
11351 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
11464 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
5056 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
1511 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10
...and the lab one Centos7/samba-4.4.4 Active Directlry. You should be able to use encryption with your version of SAMBA and Win10, make sure the parameter smb encrypt is configured appropriately for mixed SMB2/3 environment.
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
10884 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:4867) SMB2_10 - HMAC-SHA256
answered Sep 8 '17 at 2:41
bofhbofh
212
answered Sep 8 '17 at 2:41
bofhbofh
212
answered Sep 8 '17 at 2:41
bofhbofh
212
answered Sep 8 '17 at 2:41
bofhbofh
212
212
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f872538%2foraclelinux-7-3-samba-4-6-2-nt-status-access-denied%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
With the upgrade of Samba 4.6.2 I had the same problem. I fixed it doing this: https://serverfault.com/questions/875250/windows-pcs-being-asked-for-password-after-centos-7-4-samba-4-6-2-upgrade
– Edward_178118
Sep 25 '17 at 17:51