Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
Hello,

I've a computer that has XP for compatibility purposes and is outside the
domain.
I'm trying to mount some shares that are on a Member Server with Samba 4.5
but I always get an error saying that the password is wrong. All other
computers can enter the shares without problem and I'm sure that the
password is OK because I can log in on a Windows 7 computer and I've even
mounted a share from another Windows 7 computer that is also outside the
domain, so it looks like it is a problem with that XP computer.

Is there any way to allow an XP user to log in to a Samba 4.5 share?

I've already tried these three options:
ntlm auth = yes
raw NTLMv2 auth = yes
lanman auth = yes

And using IP limitation instead of user login works fine.

Thanks!!

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
Try this:

Go to the policy editor.

The computer settings.
Security Settings\Local Policies\Security Options
Change: "Network security: LAN Manager authentication level"
And set: only use NTLMv2 authentication

Reboot the computer 2 times.
And test again.



Greetz,

Louis




Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
On Mon, 30 Oct 2017 11:05:52 +0100
Daniel Carrasco via samba <[hidden email]> wrote:

> Hello,
>
> I've a computer that has XP for compatibility purposes and is outside
> the domain.
> I'm trying to mount some shares that are on a Member Server with
> Samba 4.5 but I always get an error saying that the password is wrong.
> All other computers can enter the shares without problem and I'm sure
> that the password is OK because I can log in on a Windows 7 computer and
> I've even mounted a share from another Windows 7 computer that is also
> outside the domain, so it looks like it is a problem with that XP
> computer.
>
> Is there any way to allow an XP user to log in to a Samba 4.5 share?
>
> I've already tried these three options:
> ntlm auth = yes
> raw NTLMv2 auth = yes
> lanman auth = yes
>
> And using IP limitation instead of user login works fine.
>
> Thanks!!
>

It should be able to connect from the XP machine, but it depends on
both being setup correctly, so can you post the smb.conf from the 4.5
computer.

Rowland


Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
Thanks L.P.H and Rowland,

I've just tested the L.P.H solution and after a reboot I'm able to
authenticate with the member server without problem. It is slow listing
folders with many objects but it works (maybe it always happened).

Here's my smb.conf:

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
server role = member server
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config ACONFI:backend = rid
idmap config ACONFI:schema_mode = rfc2307
idmap config ACONFI:range = 10000-999999

winbind nss info = rfc2307
# winbind trusted domains only = no
winbind use default domain = yes
# winbind enum users  = yes
# winbind enum groups = yes
winbind offline logon = yes
# winbind refresh tickets = Yes
# winbind expand groups = 4
winbind normalize names = Yes
# domain master = no
# local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 3

# Configure the recycle bin and the audit
vfs objects = recycle full_audit

# Recycle bin
recycle:repository = /server/share/Papelera/
recycle:keeptree = yes
recycle:versions = yes
# Do not recycle empty files
recycle:minsize = 1
# Exclude temporary files
recycle:exclude = *.tmp, *.TMP, *.temp, *.TEMP, *.o, *.obj, ~$*, *.lock, *.lck, *.sqlite-wal, *.bak, thumb.db
# Do not recycle scanner files
#recycle:exclude_dir = /server/share/Escaner/

# Audit
full_audit:prefix = %u|%I|%m|%R|%S
full_audit:success = chmod chmod_acl chown connect disconnect link mkdir pread pwrite read removexattr rename rmdir setxattr unlink write
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE

[Folder]
path = /server_ssd/share/folder
read only = no
browsable = yes
valid users = @allowed_group

.... And more shares with similar configuration (only changes valid users).

Greetings!!




--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
On Mon, 30 Oct 2017 12:19:06 +0100
Daniel Carrasco via samba <[hidden email]> wrote:

> Thanks L.P.H and Rowland,
>
> I've just tested the L.P.H solution and after a reboot I'm able to
> authenticate with the member server without problem. It is slow listing
> folders with many objects but it works (maybe it always happened).
>
> Here's my smb.conf:
>
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 3000-7999
> idmap config ACONFI:backend = rid
> idmap config ACONFI:schema_mode = rfc2307
> idmap config ACONFI:range = 10000-999999

I hope that 'workgroup = DOMAIN' is really 'workgroup = ACONFI'

As you are using 'rid', you do not need the 'schema_mode' line.

>
> winbind nss info = rfc2307

You also do not need the line above.

> # winbind trusted domains only = no
> winbind use default domain = yes
> # winbind enum users  = yes
> # winbind enum groups = yes
> winbind offline logon = yes
> # winbind refresh tickets = Yes

You really should uncomment the line above.

> # winbind expand groups = 4
> winbind normalize names = Yes
> # domain master = no
> # local master = no
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> log level = 3
>
> # Configure the recycle bin and the audit
> vfs objects = recycle full_audit

I would combine the two 'vfs objects' lines, the second one turns off
the first one.

>

> [Folder]
> path = /server_ssd/share/folder
> read only = no
> browsable = yes
> valid users = @allowed_group

As you seem to want to use 'acl_xattr' you should set the valid users
from windows and remove the 'valid users' line.

Rowland
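
A check for two things this thread turns on, as an added example that is not part of any post and not Samba's own tooling: it flags a parameter set twice in one section (the later line wins, as with the two 'vfs objects' lines) and the three legacy authentication options still set to yes on the server. The function names and the sample config are constructed for illustration; boolean yes/no values as in Samba 4.5 are assumed.

```python
import re

# The three server-side options the original poster tried; set to yes, each
# one re-enables a legacy authentication method.
LEGACY_AUTH = {"ntlmauth", "lanmanauth", "rawntlmv2auth"}
# Constructed sample, reduced from the smb.conf posted in the thread.
SAMPLE = """\
[global]
ntlm auth = yes
raw NTLMv2 auth = yes
lanman auth = yes
vfs objects = acl_xattr
vfs objects = recycle full_audit
"""

def norm(name):  # Samba ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    # Yield (section, name, value, line_no); a trailing backslash continues a line.
    section, pending, start = "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue
            start = no
        pending = line[:-1] if line.endswith("\\") else ""
        if pending:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            yield section, name.strip(), value.strip(), start

def audit(text):
    # Report parameters overridden later in the same section, and legacy auth left on.
    findings, seen = [], {}
    for section, name, value, no in parse(text):
        key = (section, norm(name))
        if key in seen:
            findings.append(("override", key[1], seen[key], no))
        seen[key] = no
        if key[1] in LEGACY_AUTH and value.lower() in ("yes", "true", "1"):
            findings.append(("legacy-auth", key[1], no, no))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each finding is a tuple of kind, normalized parameter name, and the line numbers involved; for an override these are the earlier and the later line.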


Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
Thanks Rowland.

Yes, I use ACONFI as Workgroup but I always try to hide my domain name on
lists (today I've failed :P)

Thanks for your recommendations. I'll change it, and I'll disable
the acl_xattr because I use the Linux tools to manage the permissions
(setfacl).

Greetings!!




--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
On Mon, 30 Oct 2017 13:07:17 +0100
Daniel Carrasco <[hidden email]> wrote:

> Thanks for your recommendations. I'll change it, and I'll disable
> the acl_xattr because I use the Linux tools to manage the permissions
> (setfacl).
>

You will still need 'acl_xattr' for setfacl. Either just use Unix
permissions and 'valid users', or use 'acl_xattr' and don't use 'valid
users'.

Rowland


Re: Unable to authenticate with Samba 4.5 from XP box

Samba - General mailing list
Thanks,

I'll change it later, because for now I'm configuring the permissions.

Greetings!!




--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________