[SOLVED] [samba] tree connect failed: NT_STATUS_WRONG_PASSWORD

littlebigman · 10-07-2013, 08:24 AM

Hello

I need to share files from a Linux host that I booted up with a live distro off a USB keydrive.

Since I could get neither Lighttpd nor Apache to run, I tried Samba.

After creating this simple /tmp/smb.conf (in /tmp because the Samba directory is read-only)...

Code:

[global]
workgroup = WORKGROUP
;commented by me to investigate
;encrypt passwords = yes
wins support = yes
log level = 1
max log size = 1000
read only = no

[homes]
browsable = no
map archive = yes

[test]
browsable = yes
read only = yes
path = /tmp

... netstat shows that smbd and nmbd are running, but for some reason, I cannot access the share from XP:

Quote:

My Network Places/Workgroup is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The network name cannot be found.

What could it be? Is there a way to check if a firewall could be running and prevent users from accessing the share?

Thank you.

mostlyharmless · 10-07-2013, 12:11 PM

It might help if you either add the windows user as a user on the Linux system, with the same password, and/or try guest ok to your smb.conf. I also added the smbuser to the smb passwords. There's also a Windows specific option depending on your samba version... I'll see if I can post my smb.conf. Not to turf you to google, but did you look at the simple samba setup on the samba homepage?
Here's my smb.conf, works for Win XP, and 7; change the workgroup name and shares as needed; and you probably don't need the cups printer stuff

Code:

[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = SambaServer

# Security mode. Defines in which mode Samba will operate. Possible 
# values are share, user, server, domain and ads. Most people will want 
# user level security. See the Samba-HOWTO-Collection for details.
   security = share
   client lanman auth = yes

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 192.168.1. 192.168.2. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
   printcap name = cups

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

   print command = lpr -oraw -r -P'%p' %s
   lpq command = /usr/bin/lpq -P%p

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
   printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
   passdb backend = tdbsam 

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no 


#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# NOTE: If you have a BSD-style print system there is no need to 
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
# Set public = yes to allow user 'guest account' to print
   public = yes
   guest ok = yes
   writable = no
   printable = yes
   create mode=0700
   write list=@adm root <username>
   use client driver = yes

# This one is useful for people to share files
[data]
   comment = Temporary file space
   path = /data
   read only = no
   public = yes

lleb · 10-07-2013, 01:06 PM

you can also use FileZilla to scp files between winXP and your Live Linux system. this requires only enabling ssh and disabling the firewall on the Live Linux system.

littlebigman · 10-08-2013, 06:43 AM

Thanks for the help.

I'm now in my second day, and still no go. The Net is full of outdated or mega-complicated smb.conf while I'm simply looking for a super-easy file that simply lets any Windows user read files from a Linux host. I simply want to configure Samba to run like an anonymous FTP server so I can share files in read-only with any user on the LAN.

First thing, though: Can Samba share a directory with just "nobody" in /etc/passwd and not in its own database? I don't want to have to add all Windows users to Samba if a single users is OK.

At this point, here's my smb.conf:

Code:

[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
log level = 2 
;max log size = 1000
;read only = no
guest account = nobody

security = user
;makes no difference, and option deprecated anyway
;security = share

;DEPRECATED
;null passwords = yes

map to guest = Bad User

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
only guest = yes

;Still get ERR 5
public = yes

;Err 6118: List of servers for workgroup not currently available
force user = nobody

pan64 · 10-08-2013, 07:48 AM

your settings look a bit strange for me, but probably I missed something:
security = user
means all the users will be autenticated
guest account = nobody
means unknown users will be mapped to nobody
map to guest = Bad User
user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
....
I do not know if nobody has right (in your case) to read the data on your disk, but usually nobody has no any useful rights.
I would rather map all the users to another account (which has read access to that share)

littlebigman · 10-08-2013, 08:19 AM

Thanks. I don't know what I'm doing and just copy/pasted from pages found on the Net. There's a lot of wrong/outdated/complicated stuff out there, even on the official Samba site.

I found no recent, working example on how to set up a read-only Samba server to share files to Windows users like an anonymous FTP server.

It was not mentionned in the articles I read, but I tried running "smbpasswd -a nobody" and just hitting ENTER for a password, and it seems to got a bit beyond, but still no share is displayed in Windows "net view".

User "nobody" should be able to access /tmp, right? Also, it shouldn't need a Samba password, or does it?

pan64 · 10-08-2013, 12:05 PM

no, you must not use nobody, that is reserved. try to find another username (lke ftpuser), create it and modify config file to use that instead of nobody

littlebigman · 10-09-2013, 09:25 AM

Thanks. Several documents I read used the Unix "nobody" username, which is why I used it as well.

Also, the docs aren't clear whether it's required to add users to Samba, or if Unix users are enough. I suspect the former, so added a "samba" user both to Unix and Samba (adduser samba ; smbpasswd -a samba).

However, I'm still getting error 5 "Access denied" because Samba doesn't force user names to "samba".

Here's the smb.conf:

Code:

[global]
workgroup = WORKGROUP
netbios name = LINUX

encrypt passwords = yes

;guest account = nobody
guest account = samba
map to guest = Bad User

security = user

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
only guest = yes
public = yes
available = yes

;force user = nobody
force user = samba

Here's what Samba says:

Code:

[2013/10/09 16:13:41.458888,  2] smbd/reply.c:553(reply_special)
  netbios connect: name1=LINUX          0x20 name2=FRED-PC        0x0
[2013/10/09 16:13:41.460377,  2] smbd/reply.c:573(reply_special)
  netbios connect: local=linux remote=fred-pc, name type = 0
[2013/10/09 16:13:41.465734,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/10/09 16:13:41.468900,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/10/09 16:13:41.818774,  2] smbd/reply.c:553(reply_special)
  netbios connect: name1=LINUX          0x20 name2=FRED-PC        0x0
[2013/10/09 16:13:41.820275,  2] smbd/reply.c:573(reply_special)
  netbios connect: local=linux remote=fred-pc, name type = 0
[2013/10/09 16:13:41.832520,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [fred] -> [fred] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/10/09 16:13:41.837126,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [fred] -> [fred] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/10/09 16:14:33.272162,  0] printing/print_cups.c:151(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2013/10/09 16:14:33.275586,  0] printing/print_cups.c:528(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

Mmm...

pan64 · 10-09-2013, 09:34 AM

you tried to access as fred, try to create that unix user and samba account. It will only be used for authentication, but not for accessing that share.

littlebigman · 10-10-2013, 08:44 AM

Thanks for the tip, but I want to create a read-only share that anyone can access without having to create users.

Through the "guest" account, I thought it was possible to tell Samba to just ignore the Windows user/password, and use the same Unix user; That way, I can use a single Unix account for use by everyone, and not even create a symetric user in Samba.

Is this not possible?

littlebigman · 10-10-2013, 07:17 PM

A bit of progress:

1. security = user : doesn't switch from "fred" to "nobody", so it can't work since the user isn't mapped to "nobody".

2. security = share : switches from "fred" to "nobody", but Access Denied:

Code:

check_ntlm_password:  Authentication for user [nobody] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE

3. If I add "invalid users = nobody":

Code:

authorise_login: rejected invalid user nobody 
[2013/10/11 02:01:49.538091,  2] smbd/service.c:655(create_connection_session_info) 
Invalid username/password for [IPC$] 
[2013/10/11 02:01:49.540197,  1] smbd/service.c:805(make_connection_snum) 
create_connection_session_info failed: NT_STATUS_WRONG_PASSWORD

4. If I add "null passwords = yes" to the mix:

Code:

authorise_login: rejected invalid user nobody 
[2013/10/11 02:10:27.700093,  2] smbd/service.c:655(create_connection_session_info) 
Invalid username/password for [IPC$] 
[2013/10/11 02:10:27.702215,  1] smbd/service.c:805(make_connection_snum) 
create_connection_session_info failed: NT_STATUS_WRONG_PASSWORD

frankbell · 10-10-2013, 07:53 PM

See this on how to configure an "anonymous read-only server" from Samba-by-Example.

http://www.samba.org/samba/docs/man/...html#id2550946

littlebigman · 10-11-2013, 05:16 AM

Thanks for the tip. To investigate, I should have thought about testing from within the Linux host before trying from a Windows host.

However, still no go :-/

Code:

# cat smb.conf
[global]
workgroup = WORKGROUP
security = SHARE

[Plans]
path = /plans
read only = Yes
guest ok = Yes

# smbclient -L localhost -U%
WARNING: The security=share option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.8]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.8]

Next, I tried adding the following items to smb.conf one at a time, but get the same error:

Code:

[Plans]
browsable = yes

[global]
guest account = nobody
map to guest = Bad User

However, when adding

Code:

invalid users = nobody

to [global], I get the following error message:

Quote:

nobody "tree connect failed: NT_STATUS_WRONG_PASSWORD"

[2013/10/11 12:13:40.210674, 0] smbd/password.c:731(authorise_login)
authorise_login: rejected invalid user nobody

So I figured maybe Samba requires adding the "nobody" user to its user database instead of just relying on the entry in /etc/passwd:

Code:

# smbpasswd -an nobody
User nobody password set to none.

... but no go:

Code:

# smbclient -L localhost -U%
tree connect failed: NT_STATUS_WRONG_PASSWORD

littlebigman · 10-11-2013, 08:32 AM

Moving to "log level = 3", I notice this error in log.smbd:

Code:

...
Transaction 3 of length 132 (0 toread)
[2013/10/11 14:35:26.670629, 3] smbd/process.c:1467(switch_message)
switch message SMBtrans (pid 3767) conn 0xb7c0cf78
[2013/10/11 14:35:26.672412, 3] smbd/service.c:190(set_current_service)
chdir (/tmp) failed, reason: Permission denied
[2013/10/11 14:35:26.674207, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/process.c(1558) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
...

Why does Samba chdir to /tmp even though no share is mapped to it, and why is it denied access?

Just to check, I ran "chown -R nobody.nobody" on the shared directory, to no avail.

littlebigman · 10-14-2013, 07:46 AM

Finally found the issue: I was using an older version of the OS instead of checking if a new version was available :-/ The latest worked right away after downloading and activating the Samba module. I should have checked that, first thing.

Then, all I needed to share files with any user without adding any user account to Slax (either Unix or Samba) is this smb.conf:

Code:

[global]
workgroup = WORKGROUP
;Not neeeded, but in case you don't like the hostname
netbios name = LINUX

;Important: Otherwise, doesn't switch to Unix "nobody" -> Err 5 Access denied
security = share

;if you need to investigate : 2 or 3
;log level = 2

[test]
path=/tmp
read only = yes
guest ok = yes

What I've learned:
1. Use the latest OS
2. In case Samba isn't working as exepcted, use "log level =2" or even "= 3" to investigate, as it provides more information than what Windows says.

Thanks a lot for your help.