Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Invalid Login to Gentoo Samba from Windows 11 [SOLVED]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
alienjon
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Thu Nov 07, 2024 1:27 am    Post subject: Invalid Login to Gentoo Samba from Windows 11 [SOLVED] Reply with quote

So my goal is to setup a file server that is accessible from other computers on my home LAN. I already have a Gentoo server up and running, have installed Samba per the wiki and reviewed the guide. It starts up without any errors in the logs or dmesg. In File Explorer in windows the server even shows up, but when I try to open it, and it asks for my credentials, I get "Access is denied." errors. I've tried the username as both [username] and [domain]\[username] as well as both the samba password for that user and the server login for that user. The guides seem to work great, until they don't, and I'm honestly not even sure what I'm looking for online, as everything is a little off of my problem. Here's my setup:

emerge samba -pv:
[ebuild   R    ] net-fs/samba-4.19.7::gentoo  USE="acl ads client cups ldap pam python regedit system-mitkrb5 winbind zeroconf -addc -ceph -cluster -debug (-fam) -glusterfs -gpg -iprint -json -llvm-libunwind -profiling-data -quota (-selinux) -snapper -spotlight -syslog (-system-heimdal) -systemd (-test) -unwind" ABI_X86="(64) -32 (-x32)" PYTHON_SINGLE_TARGET="python3_12 -python3_10 -python3_11" 0 KiB


This is when I put in my samba password - I get this error.
smbclient -L DEVOLVED:
Password for [WORKGROUP\{USERNAME}]:
tree connect failed: NT_STATUS_ACCESS_DENIED



It works when I use my server password (ie: the actual password for the user on my machine)
smbclient -L DEVOLVED:
Password for [WORKGROUP\alienjon]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        RootStorage     Disk      Root storage for the main storage drive.
        Movies1         Disk      Share to the first movie storage.
        Music           Disk      Share for music.
        Movies2         Disk      Share to the second movie storage.
        JonShare        Disk      Jon's Share
        LauraShare      Disk      Laura's Share
        IPC$            IPC       IPC Service (Rosen Home Server)
SMB1 disabled -- no workgroup available



testparm:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        bind interfaces only = Yes
        dns proxy = No
        interfaces = lo 192.168.1.0/24 enp6s0
        log file = /var/log/samba/log.%m
        max disk size = 102400
        max log size = 50
        security = USER
        server role = standalone server
        server signing = if_required
        server string = {server string}
        wins support = Yes
        idmap config * : backend = tdb
        hosts allow = 192.168.1. 127.
        invalid users = root @wheel


[RootStorage]
        comment = {comment}
        path = /mnt/Storage1
        read only = No
        valid users = {user1} {user2}


[Movies1]
        comment = {comment}
        path = /mnt/Storage2
        read only = No
        valid users = {user1} {user2}


[Music]
        comment = {comment}
        path = /mnt/Storage1/Music
        read only = No
        valid users = {user1} {user2}


[Movies2]
        comment = {comment}
        path = /mnt/Storage3
        read only = No
        valid users = {user1} {user2}


[JonShare]
        comment = {comment}
        path = /mnt/Storage1/Users/{user1}
        read only = No
        valid users = {user1}


[LauraShare]
        comment = {comment}
        path = /mnt/Storage1/Users/{user2}
        read only = No
        valid users = {user2}



If it's not obvious I'm replacing the private stuff in {brackets}.


Last edited by alienjon on Tue Nov 12, 2024 2:39 am; edited 1 time in total
Back to top
View user's profile Send private message
rab0171610
Guru
Guru


Joined: 24 Dec 2022
Posts: 423

PostPosted: Thu Nov 07, 2024 4:47 am    Post subject: Reply with quote

I am just speculating here. I had a similar problem at some point in the past. It may be that the smb protocols are different between the two machines. You may need to do a little research to find out what versions of the smb protocol your version of samba and Windows both support. Without looking into it further, I cannot say definitively.
I currently have this in my smb.conf:
Code:
client max protocol = SMB2_02
server max protocol = SMB2_02
client min protocol = NT1
server min protocol = NT1

You can use a combination of these client/server min/max protocol entries to restrict the subset of smb protocols which are valid for both machines. In my case, they were not negotiating a common supported smb protocol correctly due to a known bug.
Back to top
View user's profile Send private message
alienjon
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Thu Nov 07, 2024 5:28 am    Post subject: Reply with quote

@rab0171610
No change. Lots of ideas like that floating around and hard to really know the problem. "Access denied" really isn't all that helpful on the Windows end.

I have been toying around on the Samba server configuration on my Gentoo box, though, and am focusing on this error:

smbclient -L DEVOLVED:
Password for [WORKGROUP\{USERNAME}]:
tree connect failed: NT_STATUS_ACCESS_DENIED


This at least seems to match (somewhat) the issue in Windows. I have debugging on and am trying to see what pops up (log level of 2 in smb.conf). I did find some interesting details in the logs:


/var/log/samba/log.{IP}:
[2024/11/07 00:24:21.056830,  2] ../../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [{USERNAME}] -> [{USERNAME}] -> [{USERNAME}] succeeded
[2024/11/07 00:24:21.057024,  2] ../../source3/param/loadparm.c:2916(lp_do_section)
  Processing section "[RootStorage]"
[2024/11/07 00:24:21.057061,  2] ../../source3/param/loadparm.c:2916(lp_do_section)
  Processing section "[Movies1]"
[2024/11/07 00:24:21.057093,  2] ../../source3/param/loadparm.c:2916(lp_do_section)
  Processing section "[Music]"
[2024/11/07 00:24:21.057126,  2] ../../source3/param/loadparm.c:2916(lp_do_section)
  Processing section "[Movies2]"



/var/log/samba/log.devolved:
[2024/11/07 00:24:21.058787,  1] ../../source3/smbd/smb2_service.c:337(create_connection_session_info)
  create_connection_session_info: user '{USERNAME}' (from session setup) not permitted to access this share (IPC$)
[2024/11/07 00:24:21.058802,  1] ../../source3/smbd/smb2_service.c:519(make_connection_snum)
  make_connection_snum: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED



It looks like the authentication does work (so my password is being read correctly) but it's access to the IPC$ share. I'm not sure what that is, but it's late and that research may have to wait until tomorrow at this point.
Back to top
View user's profile Send private message
alienjon
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Fri Nov 08, 2024 2:08 am    Post subject: Reply with quote

So after additional testing, searching online, and testing varying log levels I tried clearing the smb.conf to the default one I had. I'm suspecting the problem is something about the global settings. The following seems to work in that I can login with WORKGROUP\{username} and password:

testparm:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dns proxy = No
        log file = /var/log/samba/log.%m
        max log size = 50
        server role = standalone server
        server string = {this almost likely doesn't need to be scrubbed, but kudos on you for reading it anyway!}
        idmap config * : backend = tdb


[homes]
        browseable = No
        comment = Home Directories
        read only = No


[RootStorage]
        comment = Root of the main storage drive
        create mask = 0765
        path = /mnt/Storage1
        read only = No
        valid users = @users


I'm going to keep toying with this and see when it breaks. In the meantime, anything obviously wrong with this info?
Back to top
View user's profile Send private message
rab0171610
Guru
Guru


Joined: 24 Dec 2022
Posts: 423

PostPosted: Fri Nov 08, 2024 4:20 am    Post subject: Reply with quote

I have been using samba for years in various capacities. We set it up frequently when using Windows, Linux and Novell Servers, Linux and Windows workstations in college. I have used it in my personal networks as well through all of the Windows iterations. I have found that Samba documentation is increasingly lacking and vague. I find the configuration has become overly complex and tedious, especially with regards to security and users/login options. In other words, it used to be a lot more intuitive and easy. It was relatively easy to setup and troubleshoot. In my personal opinion, it has become overly complicated due to increased minimum security requirements.

That being said, I have a very open, private home network with very little samba security. While many prefer NFS due to the fact that it is a native protocol, I prefer to use samba for simple file sharing and access between file browsers from one Linux computer to the other (KDE). I am afraid that the last time I tried to set it up, I found it more difficult than ever. I basically left it open Windows XP style with open access. Both computers on my private home network can access the others home directories, with no password or login required. The only limits are restrictions on allowed IP addresses. The router has dedicated IP by Mac address filtering. That is what works for me. I understand that others in more complex and shared networks may need better security or user restrictions, with password and username based access. I am afraid that I went with the minimal security, easier access route and am no longer as fluent in the current configuration or security options of smb.conf. Hopefully someone with more current working knowledge can help you at some point. If you do figure out what the issue is I am curious to know the solution for future reference. Please keep us updated.
Back to top
View user's profile Send private message
alienjon
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Tue Nov 12, 2024 2:39 am    Post subject: Reply with quote

rab0171610 wrote:
have found that Samba documentation is increasingly lacking and vague.
Understatement of the year. Seems that a lot of the options and details in the Gentoo docs are antiquated, but takes additional testing to figure that out.

Scrubbing my conf to the default one and building off from there seems to have worked. I also reset the user passwords in both smbpasswd and passwd. I think it was some options in the [global] section that messed with things, but it's not clear how or what, really. I'll mark as solved but not really sure how to advise for anyone reading this other than "start from scratch".
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum