Bug 14080 - Windows fails to connect to guest share (SPNEGO) if host is known in AD
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2019-08-09 09:31 UTC by Andreas Schneider
Modified: 2020-12-23 19:09 UTC
Attachments
Network trace (11.01 KB, application/x-xz)
2019-08-09 09:31 UTC, Andreas Schneider

Description Andreas Schneider 2019-08-09 09:31:56 UTC
Created attachment 15387
Network trace

Suppose you have an AD server, a Windows client and a Linux client. Both clients have been joined to the domain, but the Linux client configures smbd as a standalone client with a guest share. A user from the Windows client is then not able to connect to the guest share if he uses the FQDN of the Linux client running smbd. The Windows client tries to auth with SPNEGO/NTLMSSP and smbd fails to authenticate the user.
Comment 1 Stefan Metzmacher 2019-08-13 09:41:34 UTC
The problem seems to be the client, which doesn't accept the authentication to be downgraded to guest.
Comment 2 Andreas Schneider 2019-08-13 12:53:37 UTC
I've seen that there are Windows 10 clients which have RequireSecuritySignature set to 1, so they don't allow guest connections at all. However, my Windows 10 client has it set to 0.

https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/


Hmm.
Comment 3 Rowland Penny 2020-12-23 19:09:35 UTC
(In reply to Andreas Schneider from comment #0)
How can a Linux Samba client be joined to a domain and also be configured as a standalone server?

A Linux domain member will have (amongst other lines) 'security = ADS';
a standalone server will have 'security = user' or 'server role = standalone server'.
You cannot use both. It might also help if you posted the smb.conf.