WinXP cannot access samba shares from RH9

kc8tbe · 04-20-2003, 11:29 AM

I have two machines, a RH9 and WinXP, connected wirelessly through a netgear router.

Under RedHat 8.0, RH could access samba shares on my WinXP and WinXP could access shares configured with swat from RH8.
I then updated to RH8.0.94. Subsequently, RH8 could still access WinXP but WinXP could not access RH8. I figured it was a beta thing.

I wiped the hd on my RH8 and installed RH9. Used swat. Internet connection works fine (via DHCP). Computers can ping each other. WinXP sees the hostname and description of my RH9 box. But while RH9 can access WinXP, WinXP says this about RH9:

Code:

\\Jack is not accessible. You might not have permission to access this network resource. Contact the administrator of this server to find out if you have access permissions.

The network path was not found.

(Jack is the name of my RH9 box).

I have set up Jack with share-access security. I veryfied that the domain of my WinXP is not blocked in smb.conf. I tried turning Jack's winns server on and off. No success.

Help?

david_ross · 04-20-2003, 01:57 PM

Try accessing
\\jacks.ip.addr.ess\

It may be a name resolution problem.

Could also be a firewall config problem.

Did you just copy the old smb.conf file or did you make a new one?

kc8tbe · 04-20-2003, 04:17 PM

Already tried accessing Jack by his IP. No such luck. And I had swat generate a new smb.conf file.

And yes, all my shares have the line "browseable=yes", so that isn't the problem either.

bax · 04-20-2003, 09:10 PM

The FIRST thing you should ever do when checking Samba errors is check /var/log/samba/

kc8tbe · 04-21-2003, 08:03 PM

OK. Here are some recent log entries taken while WinXP was trying to connect to RH9:

log.nmbd:

Code:

[2003/04/21 20:59:29, 0] nmbd/nmbd.c:main(794)
  Netbios nameserver version 2.2.7a-security-rollup-fix started.
  Copyright Andrew Tridgell and the Samba Team 1994-2002
[2003/04/21 20:59:29, 0] nmbd/asyncdns.c:start_async_dns(148)
  started asyncdns process 4656

log.smbd

Code:

[2003/04/21 20:59:29, 0] smbd/server.c:main(707)
  smbd version 2.2.7a-security-rollup-fix started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002

smbd.log: empty
smbmount.log: empty

Doesn't look suspicious to me.

bax · 04-21-2003, 09:32 PM

Looks suspicious to me but my Samba box is working perfectly

. Have you added your machine/user accounts via smbpasswd?

kc8tbe · 04-22-2003, 05:42 AM

A username on my Linux box is "bkay". My WinXP is always logged on as "Bonnie". So I've tried "bkay = bkay" and "bkay = Bonnie", but neither works. And suppose smbpasswd isn't set correctly - shouldn't I at least get prompted for a password when trying to connect from WinXP?

And yes, my list of allowed domains in smb.conf includes my WinXP IP. I even tried turning the feature off. No effect.

bax · 04-22-2003, 07:56 AM

Can the boxes ping each other? What happns when you run net view from command line?

kc8tbe · 04-22-2003, 05:07 PM

The computers can ping each other and the RH9 machine appears from WinXP net view command.

When the RH9 machine is Win98SE (it is a dual boot), WinXP can access shares on it just fine. It is only when the RH9 is in Linux that there is a problem.

zollodav · 04-22-2003, 05:09 PM

In the SWAT utility do you have Lanman Enabled? If so the default WinXP Network Provider Order uses something else as the primary. You can go into regedit on the XP machine and the key is
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Control
NetworkProvider
HwOrder Modify ProviderOrder
and Order Modify ProviderOrder

Both should have LanmanWorkstation as the first in the list
If that still doesn't work, do you have encryption enabled on the Samba box? And have you enabled NetLogon? If so, there are several things that could fail authentication.

1. System times must be within 30 minutes of each other or else Samba will think that the user's authentication has expired.

2. The lmcompatibilitylevel - might cause some issues with the introducation of the new CHAP(Challenge Protocol) Ntlmv2 128bit encryption - I haven't yet tested this as to whether it fails authentication or is not compatible with RH9, but I believe the default setting in windowsXP is 0, which never uses this.

3. Hopefully in the smb.conf these settings are not set:
server schannel = yes
client schannel =yes
If so, there are settings that need to be made in XP.

All in all, if you do have netlogon enabled in Samba, you can just go ahead and disable it unless you want to set up secure channels. If so, I can explain what needs to be done. If you have lanman enabled that's fine it's not that big of a headache, just follow the steps above for that one. Actually I would suggest you do it this, otherwise there might be a confilict.

Here is a good small tutorial on how to set up the Samba side of Lanman and how the enryption works and all.

http://de.samba.org/samba/ftp/docs/h...NCRYPTION.html

especially the part about the Smbpasswd File

I'll check back

kc8tbe · 04-22-2003, 08:12 PM

The phrases "lanman" and "schannel" don't appear in my smb.conf file, so I assume I don't those features enabled.
Netlogons are not enabled.
The following lines from my smb.conf file pertain to encryption (at least I think they do):

Code:

# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = SHARE

# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# You can use PAM's password change control flag for Samba. If
# enabled, then PAM will be used for password changes when requested
# by an SMB client instead of the program listed in passwd program.
# It should be possible to enable this without changing your passwd
# chat parameter for most setups.

pam password change = yes

# Unix users can map to different SMB User names
username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes

obey pam restrictions = yes

Please tell me if these settings need to be changed.
And let me know if editing the WinXP registry as you described could make things worse. If not, I can try it for poops and giggles.

By the way,
I also tried commenting out this line in smb.conf. No effect:

Code:

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

zollodav · 04-22-2003, 11:32 PM

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Control
NetworkProvider
HwOrder
Order

Go here in your XP registry to the HwOrder and the Order keys and let me know what the entry "ProviderOrder" says for both.

you should see something like
ProviderOrder NTSPD, LanmanWorkstation

it's something like ntspd, can't remember the exact letters but anyhow let me know what it says. In the mean time, cat your smbpasswd file and see if any of your user names from your /etc/passwd file are in there, if not follow this:

This is all in one line:
$ cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd
End of Line and hit enter

If your command can't find the mksmbpasswd.sh do a:

$ find / -name mksmbpasswd.sh

and instead of the "| mksmbpasswd.sh"
enter "| /{directory from find wihtout the brackets}/mksmbpasswd.sh"

The directory should be /usr/local/samba/source or src or bin/mksmbpasswd.sh

if that still doesn't work for some messed up reason, cd into the mksmbpasswd.sh directory and type this

$ cat /etc/passwd | ./mksmbpasswd.sh > /usr/local/samba/private/smbpasswd

if all else fails verify your root and try again

Also, go into the SWAT utility http://localhost:901 and hit Globals and then hit Advanced, and scroll down untill you see something that says Lanman Enabled. Let me know if it's yes or no.

If you share is not appearing in your network neighborhood or when you type in "net view" in the command prompt, samba says to wait 48 minutes or add to your smb.conf file this command:

Depends on what Class your IP address is:

Class C:

remote announce X.X.X.255

meaning the first number in your ip address is in the range of 192 - 223 example 192.168.1.255

Class B:

remote announce X.X.255.255

meaning the first number in your ip address is in the range of 128 -191 example 128.12.255.255

Class A:

remote announce X.255.255.255

meaning the first number in your ip address is in the range of 0 -127 example 60.255.255.255

Leave the X's, this is considered your netmask which determines the addresses to the hosts on the network.

You can also verify that your linux box is the Domain Master by typing in

$ nmblookup -MT your_domain

This will verify the linux box is the domain master.

Let me know what all of these say and do the mksmbpasswd.sh and hopefully I can provide an answer to the issue.

kc8tbe · 04-23-2003, 04:52 PM

In case I forgot to mention it before, "Jack" does appear from WinXP "net view" as "Jack".

My smbpasswd file is located in /etc/samba, not /usr/local/samba/private/. Should I still modify it as you described?

Also, http://localhost:901/ doesn't exist on my machine. I access SWAT through a GUI Redhat has put together (a rather nice utility that leaves comments in smb.conf). Redhat's SWAT doesn't say anything about "lanman" and the word doesn't appear in smb.conf, so you'll have to tell me another way to find it.

In the WinXP registry, both ORDER and HWORDER have the same value set for "ProviderOrder":
RDPNP,LanmanWorkstation,Webclient
Don't forget that WinXP accesses the internet through a Netgear router. Wouldn't want it to stop doing that!

Incidentally, WinXP also cannot access webpages hosted on Jack's Apache/Tux server. Although this is another problem for another thread, it may share a cause with the present problem.

david_ross · 04-24-2003, 12:51 PM

Actually it could be related - It could be a firewall problem like I said in post 2. Try running this as root:
iptables -F

This should remove all firewall rules. If this works you can then decide what rules to put in and save them with:
service iptables save

zollodav · 04-24-2003, 01:00 PM

OK, sorry for taking so long to reply, hectic work, now, go ahead and modify the registry settings and make it say

LanmanWorkstation,Webclient

for both of the keys

and then execute this command on the linux box(make sure your root first)

$ cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

for mksmbpasswd.sh if it doesn't recognize it, ofcourse point it to the directory for example...

/usr/local/samba/bin/mksmbpasswd.sh

don't modify the directory that would cause problems, well give that a shot and then let me know what happens.

By the way how is your network setup, how many machines? and what are their os?