LinuxQuestions.org
02-18-2015, 10:33 AM   #1
OklahomaDave
SAMBA 4.1 share enumeration fails


Hi, all.

I have a SAMBA 3.6 PDC in my home network, and it has multiple Win7 Pro/64 clients all running happily. I've introduced a SAMBA 4.1 box as a BDC, joined the domain, copied the relevant user files (smbpasswd, /etc/passwd, /etc/group), and can verify that domain users authenticate to the BDC via wbinfo -a.

Users can browse and use shares on the PDC with no issue. The new BDC, however, cannot be browsed by either the existing PDC or my Win7 boxes. SMBCLIENT can *connect* to the share, but ls always returns NT_STATUS_ACCESS_DENIED. When browsing the server, I get "Error returning browse list: NT_STATUS_ACCESS_DENIED."

When browsing the machine-specific logs on the BDC, following the browse attempt, I see the following:

"service[$IPC]: requires encryptionSMBtrans ACCESS_DENIED"

So that tells me that the new SAMBA 4.1 server is employing a security model/protocol requiring encrypted access to the IPC share before returning a browse list, one higher up the food chain than that presently being used by the 3.6 box. Question is, which one? Again, all existing clients can browse all shares on the 3.6 box.

Anything that could point me in the right direction would be most appreciated!
 
02-23-2015, 07:31 PM   #2
OklahomaDave
Solved!

The resolution to this issue, which I post here for posterity's sake, actually came in two parts.

The first part, indirectly, was to solve a machine authentication issue to my PDC. The solution to that was to set the RequireStrongKey value to 1 in the HKLM/CCS/Services/NETLOGON registry key on each of my Win7/Pro boxes.

This value was 0 for all my Win7/Pro clients against my DC, which was Samba 3.3.4 at the time. Then, for apparently only a brief time, RequireStrongKey=0 was thought to be a correct setting for Win7 boxes to join a Samba domain. Apparently, some later discussions between Samba devs and Microsoft about protocol negotiation for Samba and Windows boxes led to a change that, ultimately, forced RequireStrongKey=1.

During my research on this issue, I noticed that the machine authentication failures occurred *after* I updated the server from 3.3.4 to 3.6.24. Doing so actually made the RequireStrongKey=0 value wrong. Changing that, and then restarting the NETLOGON service, fixed the problem, which was verified by the NLTEST tool resyncing to the DC. Doing that forces the machine to re-authenticate to the domain, proving the trust relationship was fixed.

The second part of my problem was in realizing I had disabled NTLMv2 authentication on the Samba 4.1 server, forcing it to a default of SMB3, which obviously Windows 7 doesn't do.

Both problems solved.

Last edited by OklahomaDave; 02-23-2015 at 07:38 PM.
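
The client-side steps described in post #2 (check RequireStrongKey, set it to 1, restart NETLOGON, verify the trust with NLTEST), written out as an added example that is not part of the original posts. It assumes the post's abbreviated key refers to the standard Netlogon parameters location `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`, and `EXAMPLEDOM` is a placeholder for the domain name.

```powershell
# Added example, not from the original thread.
# Run from an elevated PowerShell prompt on each Windows 7 domain member.

# Assumption: the post's "HKLM/CCS/Services/NETLOGON" is this standard location.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name   = 'RequireStrongKey'
$domain = 'EXAMPLEDOM'   # placeholder: replace with your domain's name

# Read the current value; $null means the value is not set explicitly.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set explicitly"
} else {
    Write-Host "$name is currently $current"
}

if ($current -ne 1) {
    # -Force overwrites an existing value; works on the PowerShell 2.0 shipped with Windows 7.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$name set to 1, restarting Netlogon"

    # Netlogon reads its parameters at service start.
    Restart-Service -Name Netlogon -Force
}

# Check the machine's secure channel to the domain controller.
& nltest.exe "/sc_verify:$domain"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Secure channel verification failed (nltest exit code $LASTEXITCODE)"
    # Ask Netlogon to re-establish the secure channel, then check again.
    & nltest.exe "/sc_reset:$domain"
    & nltest.exe "/sc_verify:$domain"
}
```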
 
  

