Samba share with Windows issues
I keep having repeating issues with a RHEL 8.7 server and Windows clients that are trying to access the RHEL samba server file system shares. This is working on other servers with RHEL 7.2 but on a new 8.7 server this was working but has now stopped working again with new errors I am struggling to interpret and diagnose the root cause.
Most of the directory shares are configured for guest access so there should be no need to login with any credentials to view most of the folders. It acts like it allows the connection and then try's to authenticate the user and fails to authenticate the user but there should be no need for this as it should be publicly accessible with guest access allowing unknown users to read the files. In this case it seems to be some type of authentication issue with the Windows clients and RHEL 8.7 samba file system shares involving NTLMv2? Any help would be appreciated. ################################################################################## Auth: [SMB2,(null)] user [domain]\[user] at [Wed, 28 Feb 2024 09:39:03.212857 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [DSK00000] remote host [ipv4:111.11.111.112:51596] mapped to [domain]\[user]. local host [ipv4:111.11.111.38:445] {"timestamp": "2024-02-28T09:39:03.212903-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "ipv4:111.11.111.38:445", "remoteAddress": "ipv4:111.11.111.112:51596", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "domain", "clientAccount": "user", "workstation": "DSK00000", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "user", "mappedDomain": "domain", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 196975}} [2024/02/28 09:39:03.212940, 3] ../../auth/gensec/spnego.c:1445(gensec_spnego_server_negTokenTarg_step) gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE [2024/02/28 09:39:03.212961, 3] ../../source3/smbd/smb2_server.c:3956(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:147 Auth: [SMB2,(null)] user [domain]\[user] at [Wed, 28 Feb 2024 09:39:03.212857 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [DSK00000] remote host [ipv4:111.11.111.112:51596] mapped to [domain]\[user]. local host [ipv4:111.11.111.38:445] {"timestamp": "2024-02-28T09:39:03.212903-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "ipv4:111.11.111.38:445", "remoteAddress": "ipv4:111.11.111.112:51596", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "domain", "clientAccount": "user", "workstation": "DSK00000", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "user", "mappedDomain": "domain", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 196975}} [2024/02/28 09:39:03.212940, 3] ../../auth/gensec/spnego.c:1445(gensec_spnego_server_negTokenTarg_step) gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE [2024/02/28 09:39:03.212961, 3] ../../source3/smbd/smb2_server.c:3956(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:147 |
Guest access is inhibited by default with recent Windows versions. There are ways to enable that if required, but it's not considered good security practice these days.
|
^ Yeah, what he said.
To fix it, you need to edit the Windows registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters And change the value in "AllowInsecureGuestAuth" from 0 to 1. If "AllowInsecureGuestAuth" doesn't exist, then you have to create it and set the data type to DWORD, then set it to 1 But, as mentioned above, this is not considered to be good practice. |
I appreciate the replies, the issue ended up being that the Linux server somehow got unjoined from the domain.
Once I rejoined the domain it is now properly authenticating users. |
Thanks for the update. Always good to tell explicitly when a domain is in use. Now I find such a hint buried in the output you shared:
Code:
"Auth: [SMB2,(null)] user [domain]\[user] |
All times are GMT -5. The time now is 11:30 AM. |