Windows 10 64 domain computer cannot access Linux (Raspberry Pi3) samba share

5

Samba server: Raspberry Pi3, running osmc media server (I believe this is a down-scaled Raspbian version). Samba version: 4.2.10

Domain controller: Windows 2012

Windows client: Windows 10 Evt. 64-bit

Before I set up the domain controller and connected the Win10 client to it, I was able to access the smb shares on the smb server without problems.

After connecting the Win10 client to the AD, I can see the smb server, but I'm not able to log in ("Access denied").

EDIT: Naturally, I've tried logging in to the samba share with WORKGROUP\username, which according to some should work. It doesn't.

From what I'm reading, this is because of the smb server not supporting the smb client version (3?) used by Windows 10. So, since there is no Windows 10 help to be found, I tried this MS article for Windows 7:

https://support.microsoft.com/en-us/kb/2696547

I disabled smb version 2 and 3, and enabled version 1, as suggested in another forum. When I rebooted the machine, the Win10 client wasn't even able to SEE the smb shares. When I disabled version 1, and enabled version 2 and 3 again, I was back to the client seeing the share but not being able to log in.

Anyone know how to fix this? It was also suggested to join the smb/linux server to the Windows domain, but since the easy solution for that doesn't work on the Pi3 architecture, I'm reluctant to try installing Kerberos and all that stuff manually, since I really don't know much about it. Also, I expect that some essential package doesn't exist for the Pi3, and I'll be stuck halfway through with a more or less broken system.

It seems that several people claim that disabling samba 2/3 works for them. Strange that this doesn't work for me, on either the Win 10 client or the Win 2008 server. And MS seems to be more or less unwilling to help with this too - which is not uncommon, in my experience.

The smb.conf file (unchanged after the installation):

[global]
config file = /etc/samba/smb-local.conf

workgroup = WORKGROUP
security=user
follow symlinks = yes
wide links = no
unix extensions = no
lock directory = /var/cache/samba
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1
map to guest = bad user
usershare template share = automount template

read raw = Yes
write raw = Yes
strict locking = no
min receivefile size = 16384
use sendfile = true
aio read size = 2048
aio write size = 2048
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

[osmc]
browsable = yes
read only = no
valid users = osmc
path = /home/osmc
comment = OSMC Home Directory

[automount template]
browseable = yes
-valid = no
valid users = osmc
path = %P
hide files = /$RECYCLE.BIN/System Volume Information/desktop.ini/thumbs.db/

UPDATE

I gave up on the Windows AD server, and set up a Samba DC instead. Incredibly, the EXACT same problem is present when the Windows 10 computer is logged on to the Samba domain. And the Samba DC is also unable to access the same samba share(s), getting "Access denied".

It seems that Samba is the real source of pain and suffering here, and there doesn't seem to be any way to fix it either. The solution must be to use only Windows as file servers.

Frank H.

Posted 2016-09-29T09:13:29.960

Reputation: 189

So you run a business with an RPi server? – None – 2016-09-29T11:43:10.510

Nah, it's just a home project with a server borrowed from work. Why? – Frank H. – 2016-09-29T11:46:08.153

Does it yield a better error message than just Access denied anywhere? Anything in the event viewer? Did you check that you are still using the same account? (E.g. not previously working with a computer local account and now switched to a domain account which has insufficient credentials on the Pi?) – Hennes – 2016-09-29T13:04:24.303

Not sure where in the event viewer I'd expect to find any more details? The security log reports an "audit success" for the event, specifying the account and credentials used. As for the account used, it's a samba share with only one valid user (on the samba server), and this is the user I'm trying to use. The same user that I'm able to log in with when the Win10 machine is not logged on to the 2008 AD. – Frank H. – 2016-09-29T13:11:12.243

Samba has supported SMB3 for quite some time now. Also, Windows 10 can of course connect to older versions no problem. Do you have any group policies defined that might interfere with SMB connectivity? Like requiring Kerberos or whatever? – Daniel B – 2016-10-01T16:14:54.977

Not that I know of, but I'm no AD expert, so I'm not sure where to look for it? The AD is "vanilla", with no custom configuration other than the domain name. – Frank H. – 2016-10-04T12:43:09.160

Answers

0

It could be that your Windows 10 client is now trying to implicitly authenticate using DOMAIN\username when you try to access the share.

Does the Raspberry Pi3 have a hostname/NETBIOS name in the samba configuration (under the global config section)? If so, you could try specifying SAMBA_NETBIOSNAME\username when you try to authenticate to access the share.

UPDATE:
Based on the config you provided I would suggest adding netbios name = pi3 or something to that effect and then trying to sign in with pi3\username.

You might also try playing with some of the other authentication settings found in the documentation for SAMBA. Note that you'll probably have to restart the samba daemon after making changes to the config.


For example, you might try adding auth methods = guest sam winbind noting that guest allows anonymous access. That way you could isolate the problem between a configuration problem and an authentication problem (assuming anonymous access would be used when you can't authenticate - I'm rusty on my SAMBA skills).

In other words, as long as you can get in with guest enabled then we know at least the v1,2,3 piece is working and you can focus on the authentication settings. Once you've finally got the settings working for non-guest access you should remove the guest access to prevent unauthorized access to your share(s).

I'd also consider adding settings to force the ntlm auth, lanman auth, server schannel, and server signing settings to mirror the settings in your Windows client.

To check the equivalent Windows settings, run "secpol.msc" and check the settings under:

Security Settings
  Local Policies
    Security Options
      - Microsoft network client: *
      - Network security: *

Microsoft network client: Digitally encrypt or sign secure channel data (always)
Microsoft network client: Digitally encrypt secure channel data (when possible)
Microsoft network client: Digitally sign secure channel data (when possible)

These settings dictate what the server schannel and server signing settings should be in your samba config.

Network security: LAN Manager authentication level

This setting dictates what the ntlm auth and lanman auth settings should be in your samba config.

For example, Send NTLMv2 response only. Refuse LM & NTLM in your Windows settings is equivalent to ntlm auth = no and lanman auth = no in your samba config.

NOTE: I don't recommend changing your Windows settings unless you're comfortable troubleshooting authentication issues with the domain afterwards.

David Woodward

Posted 2016-09-29T09:13:29.960

Reputation: 1 094
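An added example (not code from the question, the answer, or the Samba project) that parses an smb.conf like the one posted and reports the [global] options the answer discusses (netbios name, lanman auth, ntlm auth, server signing), plus the samba pair that mirrors each Windows "LAN Manager authentication level". The Samba 4.2 defaults and the rows for levels other than 5 are this example's assumptions.

```python
# Constructed, abridged copy of the smb.conf posted in the question.
SMB_CONF = """
[global]
workgroup = WORKGROUP
security=user
[osmc]
valid users = osmc
path = /home/osmc
"""

# Assumed Samba 4.2 defaults (the question's version); confirm with `testparm -v`.
DEFAULTS = {"lanman auth": "no", "ntlm auth": "yes", "server signing": "default"}

def parse_smb_conf(text):
    """Return {section: {option: value}}; option names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:   # 'security=user' and 'a = b' both parse
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_global(conf):
    """Return (effective auth settings, findings) for the [global] section."""
    g, findings = conf.get("global", {}), []
    effective = {opt: g.get(opt, dflt) for opt, dflt in DEFAULTS.items()}
    if "netbios name" not in g:
        findings.append("netbios name unset: no stable SERVER\\user logon name")
    if effective["lanman auth"] != "no":
        findings.append("lanman auth = yes: weak LM responses accepted")
    if effective["ntlm auth"] != "no":
        findings.append("ntlm auth = yes: NTLMv1 accepted (level 5 mirror is 'no')")
    if effective["server signing"] not in ("mandatory", "required"):
        findings.append("server signing not mandatory: unsigned sessions allowed")
    return effective, findings

def samba_values_for_lm_level(level):
    """Samba values mirroring Windows LM auth level 0-5 (only level 5 is from the answer)."""
    if not 0 <= level <= 5:
        raise ValueError("level must be 0..5")
    return {"lanman auth": "yes" if level <= 1 else "no",
            "ntlm auth": "no" if level == 5 else "yes"}
```

Run it against the real file by replacing SMB_CONF with the contents of /etc/samba/smb.conf; an empty findings list means the [global] section already mirrors the "Refuse LM & NTLM" client posture with signing enforced.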

Sorry, I forgot to mention that. I've updated the question now. The samba server is configured with the workgroup "WORKGROUP", However, WORKGROUP\username from the Windows 10 computer doesn't work. – Frank H. – 2016-09-30T06:17:42.350

I wasn't referring to the domain\workgroup name configured for samba, but the hostname or the name of the pi itself. For example if I have a Windows system that is not a member of a domain named "DavesPC" and it's configured with the default "WORKGROUP" then I might authenticate to that PC using DavesPC\adminacct. Are you able to post your samba config in your question? Maybe that would shed some light on things. – David Woodward – 2016-10-01T05:37:21.480

Ah, ok. Neither the smb server's hostname nor its IP (hostname\user or 10.0.0.110\user) works. I've posted the smb.conf in the question. – Frank H. – 2016-10-01T15:58:01.133

I don't see the [global] config header. Is this a partial copy? Can you also include the /etc/samba/smb-local.conf file linked to in the config you posted? I was hoping to see some other config options like netbios name = hostname or lanman auth = no in the [global] section that might help troubleshoot this. – David Woodward – 2016-10-01T16:10:11.243

Sorry - I forgot to include the [global] header. Fixed it now. The smb-local.conf file doesn't exist, so I'm not sure why it's linked. – Frank H. – 2016-10-04T12:42:12.417

I've updated my answer with a couple of ideas. – David Woodward – 2016-10-04T13:24:59.627

Thanks. I tried all the normal solutions for allowing anonymous access, and it still doesn't work. Since the server SHOULD allow anonymous access, and windows still pops up with a login screen, then I guess the problem isn't on the Samba/Linux side? – Frank H. – 2016-10-04T14:44:10.763

I would still try the rest of the suggestions regarding signed communications, NTLM, and the netbios name setting. – David Woodward – 2016-10-04T14:54:17.827

I will. It just takes a while :-) – Frank H. – 2016-10-04T16:41:00.007

I'm particularly hopeful for the NTLM/signing settings because that's among the things that would potentially change when joining a domain. As a matter of fact, they're almost the only things I can think of other than the requirement of passing "othersystem\username" as your credentials when you map to remote shares that are not on the domain (which is what I was hoping the netbios name setting would help you test). – David Woodward – 2016-10-04T17:55:30.097

I just realized I'd forgotten to include the server schannel setting in my answer. It's updated now. If you're unable to get things to work after trying that out, it would be helpful if you could update your question with the samba config you tried and the current values of the Microsoft network client: * and LAN Manager authentication level settings from secpol.msc in your Windows 10 system. – David Woodward – 2016-10-04T18:03:49.590

Microsoft network client: Digitally encrypt or sign secure channel data (always), Microsoft network client: Digitally encrypt secure channel data (when possible) Microsoft network client: Digitally sign secure channel data (when possible) - none of these are found under the Microsoft network client entry. The only one of those you mention that I can find is "LAN Manager authentication level", which has the value "Not defined". – Frank H. – 2016-10-10T18:22:25.633

Hmm... Not sure what would cause that. It's supposed to still be there in Windows 10 according to this Microsoft documentation. Looks like they may have renamed it slightly. I'll have to check out one of my PC's when I get home and see if they renamed/reorganized/relocated it to somewhere that's not obvious. – David Woodward – 2016-10-10T20:03:48.510

But should I change the "Not defined" value to the one you suggested, and use the corresponding values in smb.conf? – Frank H. – 2016-10-11T05:22:28.753

Worth a try. I'd start with NTLMv2 only and work your way back from there since it's the most secure setting. And, remember you'll likely have to reboot the Windows machine after changing the setting. And, I looked on my own Windows 10 system and found two of the "digitally sign ... (always/if server agrees)" settings there. The "encrypt secure channel" (without anything with "sign" in it) is apparently only under "Domain member". I'm not sure if you need to mess with the "Domain member" settings or not since the Pi3 is not on the domain. I doubt it. – David Woodward – 2016-10-11T07:35:21.493

What I'm afraid of is messing up the Windows 10 machine so that I cannot access the share even when I'm not logged into the domain... – Frank H. – 2016-10-11T09:58:57.433

I think I'll have to give this up. Firstly, it takes ridiculously much time troubleshooting something that never should've been a problem in the first place, taking into account the position of both AD and Samba. Second, I ran into another idiotic problem: For a completely unrelated reason, I changed the IP address of the Samba server. What happened? Then I was unable to log in to it from the Windows 10 machine WITHOUT being logged into the AD. So, changing the IP of the Samba server made it impossible to log in with the exact same credentials as before. When I changed the IP back, it worked. – Frank H. – 2016-10-11T19:02:29.743

I gave up on this, thinking that the problem was with Windows/AD. However, I just installed a Samba DC instead of the Windows server, and guess what? The EXACT problem occurs when logging the Windows 10 machine on to the Samba domain. So this is apparently a Samba problem, and one which doesn't seem to happen to anyone else but me, since there is not a single good solution to be found anywhere. – Frank H. – 2016-10-14T12:39:48.053

Also, accessing the share from the Samba DC with "sudo mount -t cifs //10.0.0.3/MEDIASERVER /mnt/mediadisken -o username=user" ALSO results in "Permission denied". – Frank H. – 2016-10-14T12:55:55.100