View previous topic :: View next topic |
Author |
Message |
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Thu Nov 07, 2024 1:27 am Post subject: Invalid Login to Gentoo Samba from Windows 11 [SOLVED] |
|
|
So my goal is to setup a file server that is accessible from other computers on my home LAN. I already have a Gentoo server up and running, have installed Samba per the wiki and reviewed the guide. It starts up without any errors in the logs or dmesg. In File Explorer in windows the server even shows up, but when I try to open it, and it asks for my credentials, I get "Access is denied." errors. I've tried the username as both [username] and [domain]\[username] as well as both the samba password for that user and the server login for that user. The guides seem to work great, until they don't, and I'm honestly not even sure what I'm looking for online, as everything is a little off of my problem. Here's my setup:
emerge samba -pv: | [ebuild R ] net-fs/samba-4.19.7::gentoo USE="acl ads client cups ldap pam python regedit system-mitkrb5 winbind zeroconf -addc -ceph -cluster -debug (-fam) -glusterfs -gpg -iprint -json -llvm-libunwind -profiling-data -quota (-selinux) -snapper -spotlight -syslog (-system-heimdal) -systemd (-test) -unwind" ABI_X86="(64) -32 (-x32)" PYTHON_SINGLE_TARGET="python3_12 -python3_10 -python3_11" 0 KiB |
This is when I put in my samba password - I get this error.
smbclient -L DEVOLVED: | Password for [WORKGROUP\{USERNAME}]:
tree connect failed: NT_STATUS_ACCESS_DENIED |
It works when I use my server password (ie: the actual password for the user on my machine)
smbclient -L DEVOLVED: | Password for [WORKGROUP\alienjon]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
RootStorage Disk Root storage for the main storage drive.
Movies1 Disk Share to the first movie storage.
Music Disk Share for music.
Movies2 Disk Share to the second movie storage.
JonShare Disk Jon's Share
LauraShare Disk Laura's Share
IPC$ IPC IPC Service (Rosen Home Server)
SMB1 disabled -- no workgroup available |
testparm: | Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = Yes
dns proxy = No
interfaces = lo 192.168.1.0/24 enp6s0
log file = /var/log/samba/log.%m
max disk size = 102400
max log size = 50
security = USER
server role = standalone server
server signing = if_required
server string = {server string}
wins support = Yes
idmap config * : backend = tdb
hosts allow = 192.168.1. 127.
invalid users = root @wheel
[RootStorage]
comment = {comment}
path = /mnt/Storage1
read only = No
valid users = {user1} {user2}
[Movies1]
comment = {comment}
path = /mnt/Storage2
read only = No
valid users = {user1} {user2}
[Music]
comment = {comment}
path = /mnt/Storage1/Music
read only = No
valid users = {user1} {user2}
[Movies2]
comment = {comment}
path = /mnt/Storage3
read only = No
valid users = {user1} {user2}
[JonShare]
comment = {comment}
path = /mnt/Storage1/Users/{user1}
read only = No
valid users = {user1}
[LauraShare]
comment = {comment}
path = /mnt/Storage1/Users/{user2}
read only = No
valid users = {user2} |
If it's not obvious I'm replacing the private stuff in {brackets}.
Last edited by alienjon on Tue Nov 12, 2024 2:39 am; edited 1 time in total |
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 423
|
Posted: Thu Nov 07, 2024 4:47 am Post subject: |
|
|
I am just speculating here. I had a similar problem at some point in the past. It may be that the smb protocols are different between the two machines. You may need to do a little research to find out what versions of the smb protocol your version of samba and Windows both support. Without looking into it further, I cannot say definitively.
I currently have this in my smb.conf:
Code: | client max protocol = SMB2_02
server max protocol = SMB2_02
client min protocol = NT1
server min protocol = NT1
|
You can use a combination of these client/server min/max protocol entries to restrict the subset of smb protocols which are valid for both machines. In my case, they were not negotiating a common supported smb protocol correctly due to a known bug. |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Thu Nov 07, 2024 5:28 am Post subject: |
|
|
@rab0171610
No change. Lots of ideas like that floating around and hard to really know the problem. "Access denied" really isn't all that helpful on the Windows end.
I have been toying around on the Samba server configuration on my Gentoo box, though, and am focusing on this error:
smbclient -L DEVOLVED: | Password for [WORKGROUP\{USERNAME}]:
tree connect failed: NT_STATUS_ACCESS_DENIED |
This at least seems to match (somewhat) the issue in Windows. I have debugging on and am trying to see what pops up (log level of 2 in smb.conf). I did find some interesting details in the logs:
/var/log/samba/log.{IP}: | [2024/11/07 00:24:21.056830, 2] ../../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: authentication for user [{USERNAME}] -> [{USERNAME}] -> [{USERNAME}] succeeded
[2024/11/07 00:24:21.057024, 2] ../../source3/param/loadparm.c:2916(lp_do_section)
Processing section "[RootStorage]"
[2024/11/07 00:24:21.057061, 2] ../../source3/param/loadparm.c:2916(lp_do_section)
Processing section "[Movies1]"
[2024/11/07 00:24:21.057093, 2] ../../source3/param/loadparm.c:2916(lp_do_section)
Processing section "[Music]"
[2024/11/07 00:24:21.057126, 2] ../../source3/param/loadparm.c:2916(lp_do_section)
Processing section "[Movies2]" |
/var/log/samba/log.devolved: | [2024/11/07 00:24:21.058787, 1] ../../source3/smbd/smb2_service.c:337(create_connection_session_info)
create_connection_session_info: user '{USERNAME}' (from session setup) not permitted to access this share (IPC$)
[2024/11/07 00:24:21.058802, 1] ../../source3/smbd/smb2_service.c:519(make_connection_snum)
make_connection_snum: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED |
It looks like the authentication does work (so my password is being read correctly) but it's access to the IPC$ share. I'm not sure what that is, but it's late and that research may have to wait until tomorrow at this point. |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Fri Nov 08, 2024 2:08 am Post subject: |
|
|
So after additional testing, searching online, and testing varying log levels I tried clearing the smb.conf to the default one I had. I'm suspecting the problem is something about the global settings. The following seems to work in that I can login with WORKGROUP\{username} and password:
testparm: | Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
dns proxy = No
log file = /var/log/samba/log.%m
max log size = 50
server role = standalone server
server string = {this almost likely doesn't need to be scrubbed, but kudos on you for reading it anyway!}
idmap config * : backend = tdb
[homes]
browseable = No
comment = Home Directories
read only = No
[RootStorage]
comment = Root of the main storage drive
create mask = 0765
path = /mnt/Storage1
read only = No
valid users = @users |
I'm going to keep toying with this and see when it breaks. In the meantime, anything obviously wrong with this info? |
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 423
|
Posted: Fri Nov 08, 2024 4:20 am Post subject: |
|
|
I have been using samba for years in various capacities. We set it up frequently when using Windows, Linux and Novell Servers, Linux and Windows workstations in college. I have used it in my personal networks as well through all of the Windows iterations. I have found that Samba documentation is increasingly lacking and vague. I find the configuration has become overly complex and tedious, especially with regards to security and users/login options. In other words, it used to be a lot more intuitive and easy. It was relatively easy to setup and troubleshoot. In my personal opinion, it has become overly complicated due to increased minimum security requirements.
That being said, I have a very open, private home network with very little samba security. While many prefer NFS due to the fact that it is a native protocol, I prefer to use samba for simple file sharing and access between file browsers from one Linux computer to the other (KDE). I am afraid that the last time I tried to set it up, I found it more difficult than ever. I basically left it open Windows XP style with open access. Both computers on my private home network can access the others home directories, with no password or login required. The only limits are restrictions on allowed IP addresses. The router has dedicated IP by Mac address filtering. That is what works for me. I understand that others in more complex and shared networks may need better security or user restrictions, with password and username based access. I am afraid that I went with the minimal security, easier access route and am no longer as fluent in the current configuration or security options of smb.conf. Hopefully someone with more current working knowledge can help you at some point. If you do figure out what the issue is I am curious to know the solution for future reference. Please keep us updated. |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Tue Nov 12, 2024 2:39 am Post subject: |
|
|
rab0171610 wrote: | have found that Samba documentation is increasingly lacking and vague. | Understatement of the year. Seems that a lot of the options and details in the Gentoo docs are antiquated, but takes additional testing to figure that out.
Scrubbing my conf to the default one and building off from there seems to have worked. I also reset the user passwords in both smbpasswd and passwd. I think it was some options in the [global] section that messed with things, but it's not clear how or what, really. I'll mark as solved but not really sure how to advise for anyone reading this other than "start from scratch". |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|