Hi When running 4.3.8, I cant connect to my windows 10 share (which has no access permissions). I get NT_STATUS_ACCESS_DENIED - have tried adding allow dcerpc auth level connect = yes to the smb.conf but this does not change anything. full output of smbclient -kd3 //desktop-5blpm4c/Video - the same thing on 4.3.6 gives me access: lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" added interface wlan0 ip=192.168.0.10 bcast=192.168.0.255 netmask=255.255.255.0 added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0 Client started (version 4.3.8). Connecting to 192.168.0.6 at port 445 Doing spnego session setup (blob length=320) got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.3.6.1.4.1.311.2.2.10 got principal=<null> GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Got challenge flags: Got NTLMSSP neg_flags=0x628a8215 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP packet check failed due to short signature (0 bytes)! NTLMSSP NTLM2 packet check failed due to invalid signature! GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_ACCESS_DENIED SPNEGO login failed: Access denied session setup failed: NT_STATUS_ACCESS_DENIED
tried adding various options to smb.conf without success: allow dcerpc auth level connect = yes client ipc signing = no winbind sealed pipes = false require strong key = false raw NTLMv2 auth = yes i should mention this is just a simple workgroup setup. also 4.3.8 completely breaks browsing with smb4k (may or may not be the same thing).
(In reply to crisb from comment #0) I need more information. For me this gives LOGON_FAILURE with 4.3.6 and 4.3.8. Can you please upload captures with both versions together with the output if you use -d 100 instead of -d3? I also need more details in the way you configured the windows 10 share and what users is used? Did you enabled the guest account or something like this?
I'll get the trace asap. The windows 10 box was configured with 'Turn off password protected sharing' in 'Manage advanced sharing settings'.
(In reply to crisb from comment #3) Ok, got it reproduced. This things is your are trying to authenticate as guest without making it explicit. smbclient -U% //desktop-5blpm4c/Video should do what you want.
(In reply to Stefan Metzmacher from comment #4) Sorry I tested with smbclient -U% //desktop-5blpm4c/Video -mSMB3
ok will try that when i can. for smb4k the issue seems to be it is issuing: net rap server domain -p 139 -I <ip addr redacted> -w MYGROUP -S LOCALHOST -U % and this is returning no members on 4.3.8, whereas on 4.3.6 there is one. similar for other workgroups found. is this related?
ok, smbclient -U% //desktop-5blpm4c/Video -mSMB3 works but: smbclient -U% //desktop-5blpm4c/Video fails still.
client ipc max protocol = NT1 makes net rap server domain -p 139 -I <ip addr redacted> -w MYGROUP -S TEST01 -U % work again correctly and return the machines present. note that none of the machines in the workgroup are running samba 4.3.8 (so I presume querying them shouldnt change in 4.3.8)
interestingly doing the command on localhost, which is of course running 4.3.8 (so 4.3.8 client and 4.3.8 server): net rap server domain -p 139 -I 172.29.0.187 -w MYGROUP -S LOCALHOST -U % without min client rpc setting: Enumerating servers in this domain or workgroup: Server name Server description ------------- ---------------------------- with min client rpc version NT1: Enumerating servers in this domain or workgroup: Server name Server description ------------- ---------------------------- LOCALHOST Samba Server
previous comment s/min/max
so, setting: client max protocol = SMB3 client ipc max protocol = NT1 fixes browsing on smb4k and logging on to passwordless windows shares. however "client max protocol = SMB3" breaks browsing with dolphin (no machines appear). mounting with dolphin and smb4k is still broken because they use smbmount/mount.cfs which dont pick up these values from the smb.conf.
*** Bug 11859 has been marked as a duplicate of this bug. ***
I don't believe this , you prefer some stupid security , than let things works, today I couldn't print because security is more important , specially when I'm under an intra network .
Please test the patches from bug #11849, thanks!
(In reply to Stefan Metzmacher from comment #14) I rebuilt the CentOS 7.2 samba-4.2.10-6.el7_2 rpm with the patch. Now smbclient works fine, as before the april-12 update. No more NTLMSSP packet check failed due to short signature (0 bytes)! NTLMSSP NTLM2 packet check failed due to invalid signature! errors. Note that w/o the patch, in my case "-mSMB3" was not enough, it would allow you to browse the Win7 machine, but when printing you get: NT_STATUS_ACCESS_DENIED opening remote file \filename This error persists even with the patch (that is, if I still use "-mSMB3"); but this is not an issue anymore since with the patch I can use smbclient w/o any option and it works as expected.
smbclient with no user works fine now, but: net rap server domain -p 139 -I <ip addr redacted> -w MYGROUP -S TEST01 -U % still returns nothing, and dolphin still asks for password.
*** Bug 11885 has been marked as a duplicate of this bug. ***
I just tried Samba version 4.4.4-3.1-x86_64 from http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_13.1/ on an openSUSE 13.1 64-bit KDE system. Dolphin again requires a username and password when trying to access a Windows 10 machine which has no password set. Went back to 4.1.22-3.51.1 and access works.
There is an odd but effective work-around described at https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572876/comments/27 namely, when the authentication window pops up: "for UNprotected share just use your local ubuntu account credentials (login and password) for protected share use credentials that was set on share-host machine" This works with Samba 4.3.9 and Nemo on Mint 18 Cinnamon 32-bit, and 4.4.4 and Dolphin on openSUSE 13.1 KDE 32-bit. It does NOT work with 4.2.4 32-bit on openSUSE 13.1 KDE. Regards, Howard
With samba 4.4.4 on Fedora 23, NT_STATUS is not ACCESS_DENIED and I have new messages like : Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) NetBIOS over TCP disabled -- no workgroup available I'm building samba 4.4.5 ATM , I google a little : https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3a909c8-04e8-485d-894c-3f92683c0fd7/can-not-enable-netbios-over-tcpip-on-shared-network-interface?forum=winserverhyperv https://support.microsoft.com/en-us/kb/204279 Yet, I haven't tried enable "NetBIOS over TCP" on Windows 7 home machine . but I test with firewall disabled on my Linux .
(In reply to Stefan Metzmacher from comment #14) This is fixed since the patches from bug #11849 were released August 2016.