Marcel Ebbrecht
2015-Jul-09 08:42 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
Hi, I got the same problem with Build 10162. I dont think it's an Samba issue. It seems that Windows 10 dont like "\\....\netlogon". Our Samba 3.5.6 PDC works like a charm for win 7. From my Win10 PC i can access everything except \\dc1\netlogon Symptoms: Accessing \\dc1\netlogon -> Auth fail Accessing \\dc1\netlogon2 -> Works (same config!!!) Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon) Everything works except accessing \\dc1\netlogon directly and joining domain (no AD DC found) ... must be something special with windows 10 and I bet its: - a reg key - not solvable, because MS dont want us to access netlogon shares ... Config: [netlogon2] comment = Network Logon Service # browseable = no path = /opt/netlogon guest ok = yes read only = no force group = "Domain Admins" create mode = 0665 directory mask = 0775 write list = @"Domain Admins" # valid users = @"Domain Users" @"Domain Admins" force user = nobody veto files = /.DS_Store*/Thumbs.db*/~\$*/ delete veto files = no [netlogon] comment = Network Logon Service # browseable = no path = /opt/netlogon guest ok = yes read only = no force group = "Domain Admins" create mode = 0665 directory mask = 0775 write list = @"Domain Admins" # valid users = @"Domain Users" @"Domain Admins" force user = nobody veto files = /.DS_Store*/Thumbs.db*/~\$*/ delete veto files = no ### DFS Config ### [s1] comment = DFS Share s1 path = /opt/s1 msdfs root = yes browseable = yes read only = yes force group = "Domain Admins" create mode = 0660 directory mask = 0770 valid users = @"Domain Users" @"Domain Admins" veto files = /.DS_Store*/Thumbs.db*/~\$*/ delete veto files = no ### Link in DFS path ### lrwxrwxrwx 1 root root 18 1. Okt 2013 Netlogon -> msdfs:dc1\netlogon Greetings -- Marcel Ebbrecht <m.ebbrecht at dortmundit.de> e2 consulting UG (haftungsbeschraenkt) Geschaeftssitz: Rheinlanddamm 201 D-44139 Dortmund Telefon: +49 231 / 39982051 Telefax: +49 231 / 44677897 Mobil: +49 160 / 90345852 Jabber: m.ebbrecht at dortmundit.de Internet: https://www.dortmundit.de Handelsregister Dortmund HRB 24666 Geschaeftsfuehrer: Marcel Ebbrecht Steuernummer: 314/5723/1889 USTID: DE283203942 PKI: https://ssl.dortmundit.de:18016 AGB: http://agb.dortmundit.de Diese E-Mail und moegliche Anhaenge enthalten vertrauliche Informationen, die rechtlich besonders geschuetzt sein koennen. Wenn Sie nicht der beabsichtigte Empfaenger bzw. Adressat dieser E-mail sind und diese E-Mail etwa aufgrund eines technischen Fehlers oder eines Versehens erhalten haben, informieren Sie uns bitte sofort und loeschen Sie anschliessend die E-Mail. Das unbefugte Kopieren dieser E-Mail, etwaiger Anhaenge sowie die unbefugte Weitergabe der enthaltenen Informationen an Dritte ist nicht gestattet. This e-mail message together with its attachments, if any, is confidential and may contain information subject to legal privilege (e.g. attorney-client-privilege). If you are not the intended recipient or have received this e-mail in error, please inform us immediately and delete this message. Any unauthorised copying of this message (and attachments) or unauthorised distribution of the information contained herein is prohibited. Go Green! Print this email only when necessary.
L.P.H. van Belle
2015-Jul-09 09:14 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
what if you try to change . msdfs:dc1\netlogon to msdfs:dc1.your.domain.tld\netlogon or use Accessing \\dc1.your.domain.tld\netlogon greetz, Louis>-----Oorspronkelijk bericht----- >Van: samba [mailto:samba-bounces at lists.samba.org] Namens >Marcel Ebbrecht >Verzonden: donderdag 9 juli 2015 10:42 >Aan: samba at lists.samba.org >Onderwerp: [Samba] Windows 10 in Samba 3 domain: netlogon >share access denied > >Hi, > >I got the same problem with Build 10162. I dont think it's an Samba >issue. It seems that Windows 10 dont like "\\....\netlogon". Our Samba >3.5.6 PDC works like a charm for win 7. From my Win10 PC i can access >everything except \\dc1\netlogon > >Symptoms: >Accessing \\dc1\netlogon -> Auth fail >Accessing \\dc1\netlogon2 -> Works (same config!!!) >Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon) > >Everything works except accessing \\dc1\netlogon directly and joining >domain (no AD DC found) ... must be something special with windows 10 >and I bet its: > - a reg key > - not solvable, because MS dont want us to access netlogon shares ... > >Config: > >[netlogon2] > comment = Network Logon Service ># browseable = no > path = /opt/netlogon > guest ok = yes > read only = no > force group = "Domain Admins" > create mode = 0665 > directory mask = 0775 > write list = @"Domain Admins" ># valid users = @"Domain Users" @"Domain Admins" > force user = nobody > veto files = /.DS_Store*/Thumbs.db*/~\$*/ > delete veto files = no > >[netlogon] > comment = Network Logon Service ># browseable = no > path = /opt/netlogon > guest ok = yes > read only = no > force group = "Domain Admins" > create mode = 0665 > directory mask = 0775 > write list = @"Domain Admins" ># valid users = @"Domain Users" @"Domain Admins" > force user = nobody > veto files = /.DS_Store*/Thumbs.db*/~\$*/ > delete veto files = no > >### DFS Config ### > >[s1] > comment = DFS Share s1 > path = /opt/s1 > msdfs root = yes > browseable = yes > read only = yes > force group = "Domain Admins" > create mode = 0660 > directory mask = 0770 > valid users = @"Domain Users" @"Domain Admins" > veto files = /.DS_Store*/Thumbs.db*/~\$*/ > delete veto files = no > >### Link in DFS path ### >lrwxrwxrwx 1 root root 18 1. Okt 2013 Netlogon -> >msdfs:dc1\netlogon > >Greetings > >-- >Marcel Ebbrecht <m.ebbrecht at dortmundit.de> >e2 consulting UG (haftungsbeschraenkt) > >Geschaeftssitz: >Rheinlanddamm 201 >D-44139 Dortmund > >Telefon: +49 231 / 39982051 >Telefax: +49 231 / 44677897 >Mobil: +49 160 / 90345852 >Jabber: m.ebbrecht at dortmundit.de >Internet: https://www.dortmundit.de > >Handelsregister Dortmund HRB 24666 >Geschaeftsfuehrer: Marcel Ebbrecht >Steuernummer: 314/5723/1889 >USTID: DE283203942 > >PKI: https://ssl.dortmundit.de:18016 > >AGB: http://agb.dortmundit.de > >Diese E-Mail und moegliche Anhaenge enthalten vertrauliche >Informationen, die rechtlich besonders geschuetzt sein >koennen. Wenn Sie nicht der beabsichtigte Empfaenger bzw. >Adressat dieser E-mail sind und diese E-Mail etwa aufgrund >eines technischen Fehlers oder eines Versehens erhalten haben, >informieren Sie uns bitte sofort und loeschen Sie >anschliessend die E-Mail. Das unbefugte Kopieren dieser >E-Mail, etwaiger Anhaenge sowie die unbefugte Weitergabe der >enthaltenen Informationen an Dritte ist nicht gestattet. > >This e-mail message together with its attachments, if any, is >confidential and may contain information subject to legal >privilege (e.g. attorney-client-privilege). If you are not the >intended recipient or have received this e-mail in error, >please inform us immediately and delete this message. Any >unauthorised copying of this message (and attachments) or >unauthorised distribution of the information contained herein >is prohibited. > >Go Green! Print this email only when necessary. > > > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba >
Marcel Ebbrecht
2015-Jul-09 11:02 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
lets ignore the dfs and concentrate on the the direct access: domain is foo.lan tried: \\dc1\netlogon \\ip\netlogon \\dc1.foo.lan\netlogon \\foo.lan\netlogon doesnt work with foo.lan\username and just username \\dc1\netlogon2 \\ip\netlogon2 \\dc1.foo.lan\netlogon2 \\foo.lan\netlogon2 works with foo.lan\username and just username - same directory, same config, just another sharename (see config). Tried also with guest ok ... netlogon2 works, netlogon not. Everything works except the netlogon share and joining domain :( Can someone confirm, that Build 10162 doesnt want to connect to netlogon shares ? I also created a netlogon share on one of our windows servers (old 2003 testing machine) ... doesnt work, so this is obviously no samba problem :( BUT: Samba people are often more competent than microsoft people on Windows ;) So is anyone here who can confirm this problem and, perhaps, submit a solution ? ty Am 09.07.2015 um 11:14 schrieb L.P.H. van Belle:> what if you try to change . > > msdfs:dc1\netlogon > to > msdfs:dc1.your.domain.tld\netlogon > > or use > Accessing \\dc1.your.domain.tld\netlogon > > > greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Marcel Ebbrecht >> Verzonden: donderdag 9 juli 2015 10:42 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] Windows 10 in Samba 3 domain: netlogon >> share access denied >> >> Hi, >> >> I got the same problem with Build 10162. I dont think it's an Samba >> issue. It seems that Windows 10 dont like "\\....\netlogon". Our Samba >> 3.5.6 PDC works like a charm for win 7. From my Win10 PC i can access >> everything except \\dc1\netlogon >> >> Symptoms: >> Accessing \\dc1\netlogon -> Auth fail >> Accessing \\dc1\netlogon2 -> Works (same config!!!) >> Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon) >> >> Everything works except accessing \\dc1\netlogon directly and joining >> domain (no AD DC found) ... must be something special with windows 10 >> and I bet its: >> - a reg key >> - not solvable, because MS dont want us to access netlogon shares ... >> >> Config: >> >> [netlogon2] >> comment = Network Logon Service >> # browseable = no >> path = /opt/netlogon >> guest ok = yes >> read only = no >> force group = "Domain Admins" >> create mode = 0665 >> directory mask = 0775 >> write list = @"Domain Admins" >> # valid users = @"Domain Users" @"Domain Admins" >> force user = nobody >> veto files = /.DS_Store*/Thumbs.db*/~\$*/ >> delete veto files = no >> >> [netlogon] >> comment = Network Logon Service >> # browseable = no >> path = /opt/netlogon >> guest ok = yes >> read only = no >> force group = "Domain Admins" >> create mode = 0665 >> directory mask = 0775 >> write list = @"Domain Admins" >> # valid users = @"Domain Users" @"Domain Admins" >> force user = nobody >> veto files = /.DS_Store*/Thumbs.db*/~\$*/ >> delete veto files = no >> >> ### DFS Config ### >> >> [s1] >> comment = DFS Share s1 >> path = /opt/s1 >> msdfs root = yes >> browseable = yes >> read only = yes >> force group = "Domain Admins" >> create mode = 0660 >> directory mask = 0770 >> valid users = @"Domain Users" @"Domain Admins" >> veto files = /.DS_Store*/Thumbs.db*/~\$*/ >> delete veto files = no >> >> ### Link in DFS path ### >> lrwxrwxrwx 1 root root 18 1. Okt 2013 Netlogon -> >> msdfs:dc1\netlogon >> >> Greetings >> >> -- >> Marcel Ebbrecht <m.ebbrecht at dortmundit.de> >> e2 consulting UG (haftungsbeschraenkt) >> >> Geschaeftssitz: >> Rheinlanddamm 201 >> D-44139 Dortmund >> >> Telefon: +49 231 / 39982051 >> Telefax: +49 231 / 44677897 >> Mobil: +49 160 / 90345852 >> Jabber: m.ebbrecht at dortmundit.de >> Internet: https://www.dortmundit.de >> >> Handelsregister Dortmund HRB 24666 >> Geschaeftsfuehrer: Marcel Ebbrecht >> Steuernummer: 314/5723/1889 >> USTID: DE283203942 >> >> PKI: https://ssl.dortmundit.de:18016 >> >> AGB: http://agb.dortmundit.de >> >> Diese E-Mail und moegliche Anhaenge enthalten vertrauliche >> Informationen, die rechtlich besonders geschuetzt sein >> koennen. Wenn Sie nicht der beabsichtigte Empfaenger bzw. >> Adressat dieser E-mail sind und diese E-Mail etwa aufgrund >> eines technischen Fehlers oder eines Versehens erhalten haben, >> informieren Sie uns bitte sofort und loeschen Sie >> anschliessend die E-Mail. Das unbefugte Kopieren dieser >> E-Mail, etwaiger Anhaenge sowie die unbefugte Weitergabe der >> enthaltenen Informationen an Dritte ist nicht gestattet. >> >> This e-mail message together with its attachments, if any, is >> confidential and may contain information subject to legal >> privilege (e.g. attorney-client-privilege). If you are not the >> intended recipient or have received this e-mail in error, >> please inform us immediately and delete this message. Any >> unauthorised copying of this message (and attachments) or >> unauthorised distribution of the information contained herein >> is prohibited. >> >> Go Green! Print this email only when necessary. >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >
L.P.H. van Belle
2015-Jul-09 11:26 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
any messages in the windows 10 event logs, that could give some extra insight. according to https://social.technet.microsoft.com/Forums/en-US/7f5207cc-b202-47fc-bbb8-9ebe46a31961/network-logon-script-failure?forum=WinPreview2014General>\\foo.lan\netlogonshould work. but, https://adsecurity.org/?p=1405 has some good info about the latest patch about hardening GPO. (which imo wil be also in windows 10 ) im thinking it has to do also with this and since win10 is not RTM yet, that can be changed. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: samba [mailto:samba-bounces at lists.samba.org] Namens >Marcel Ebbrecht >Verzonden: donderdag 9 juli 2015 13:02 >Aan: samba at lists.samba.org >Onderwerp: Re: [Samba] Windows 10 in Samba 3 domain: netlogon >share access denied > >lets ignore the dfs and concentrate on the the direct access: > >domain is foo.lan > >tried: > > >\\dc1\netlogon >\\ip\netlogon >\\dc1.foo.lan\netlogon >\\foo.lan\netlogon > >doesnt work with foo.lan\username and just username > >\\dc1\netlogon2 >\\ip\netlogon2 >\\dc1.foo.lan\netlogon2 >\\foo.lan\netlogon2 > >works with foo.lan\username and just username - same >directory, same config, just another sharename (see config). > >Tried also with guest ok ... netlogon2 works, netlogon not. >Everything works except the netlogon share and joining domain :( > >Can someone confirm, that Build 10162 doesnt want to connect >to netlogon shares ? > >I also created a netlogon share on one of our windows servers >(old 2003 testing machine) ... doesnt work, so this is >obviously no samba problem :( > >BUT: Samba people are often more competent than microsoft >people on Windows ;) So is anyone here who can confirm this >problem and, perhaps, submit a solution ? > >ty > > >Am 09.07.2015 um 11:14 schrieb L.P.H. van Belle: >> what if you try to change . >> >> msdfs:dc1\netlogon >> to >> msdfs:dc1.your.domain.tld\netlogon >> >> or use >> Accessing \\dc1.your.domain.tld\netlogon >> >> >> greetz, >> >> Louis >> >> >>> -----Oorspronkelijk bericht----- >>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >>> Marcel Ebbrecht >>> Verzonden: donderdag 9 juli 2015 10:42 >>> Aan: samba at lists.samba.org >>> Onderwerp: [Samba] Windows 10 in Samba 3 domain: netlogon >>> share access denied >>> >>> Hi, >>> >>> I got the same problem with Build 10162. I dont think it's an Samba >>> issue. It seems that Windows 10 dont like >"\\....\netlogon". Our Samba >>> 3.5.6 PDC works like a charm for win 7. From my Win10 PC i >can access >>> everything except \\dc1\netlogon >>> >>> Symptoms: >>> Accessing \\dc1\netlogon -> Auth fail >>> Accessing \\dc1\netlogon2 -> Works (same config!!!) >>> Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon) >>> >>> Everything works except accessing \\dc1\netlogon directly >and joining >>> domain (no AD DC found) ... must be something special with >windows 10 >>> and I bet its: >>> - a reg key >>> - not solvable, because MS dont want us to access netlogon >shares ... >>> >>> Config: >>> >>> [netlogon2] >>> comment = Network Logon Service >>> # browseable = no >>> path = /opt/netlogon >>> guest ok = yes >>> read only = no >>> force group = "Domain Admins" >>> create mode = 0665 >>> directory mask = 0775 >>> write list = @"Domain Admins" >>> # valid users = @"Domain Users" @"Domain Admins" >>> force user = nobody >>> veto files = /.DS_Store*/Thumbs.db*/~\$*/ >>> delete veto files = no >>> >>> [netlogon] >>> comment = Network Logon Service >>> # browseable = no >>> path = /opt/netlogon >>> guest ok = yes >>> read only = no >>> force group = "Domain Admins" >>> create mode = 0665 >>> directory mask = 0775 >>> write list = @"Domain Admins" >>> # valid users = @"Domain Users" @"Domain Admins" >>> force user = nobody >>> veto files = /.DS_Store*/Thumbs.db*/~\$*/ >>> delete veto files = no >>> >>> ### DFS Config ### >>> >>> [s1] >>> comment = DFS Share s1 >>> path = /opt/s1 >>> msdfs root = yes >>> browseable = yes >>> read only = yes >>> force group = "Domain Admins" >>> create mode = 0660 >>> directory mask = 0770 >>> valid users = @"Domain Users" @"Domain Admins" >>> veto files = /.DS_Store*/Thumbs.db*/~\$*/ >>> delete veto files = no >>> >>> ### Link in DFS path ### >>> lrwxrwxrwx 1 root root 18 1. Okt 2013 Netlogon -> >>> msdfs:dc1\netlogon >>> >>> Greetings >>> >>> -- >>> Marcel Ebbrecht <m.ebbrecht at dortmundit.de> >>> e2 consulting UG (haftungsbeschraenkt) >>> >>> Geschaeftssitz: >>> Rheinlanddamm 201 >>> D-44139 Dortmund >>> >>> Telefon: +49 231 / 39982051 >>> Telefax: +49 231 / 44677897 >>> Mobil: +49 160 / 90345852 >>> Jabber: m.ebbrecht at dortmundit.de >>> Internet: https://www.dortmundit.de >>> >>> Handelsregister Dortmund HRB 24666 >>> Geschaeftsfuehrer: Marcel Ebbrecht >>> Steuernummer: 314/5723/1889 >>> USTID: DE283203942 >>> >>> PKI: https://ssl.dortmundit.de:18016 >>> >>> AGB: http://agb.dortmundit.de >>> >>> Diese E-Mail und moegliche Anhaenge enthalten vertrauliche >>> Informationen, die rechtlich besonders geschuetzt sein >>> koennen. Wenn Sie nicht der beabsichtigte Empfaenger bzw. >>> Adressat dieser E-mail sind und diese E-Mail etwa aufgrund >>> eines technischen Fehlers oder eines Versehens erhalten haben, >>> informieren Sie uns bitte sofort und loeschen Sie >>> anschliessend die E-Mail. Das unbefugte Kopieren dieser >>> E-Mail, etwaiger Anhaenge sowie die unbefugte Weitergabe der >>> enthaltenen Informationen an Dritte ist nicht gestattet. >>> >>> This e-mail message together with its attachments, if any, is >>> confidential and may contain information subject to legal >>> privilege (e.g. attorney-client-privilege). If you are not the >>> intended recipient or have received this e-mail in error, >>> please inform us immediately and delete this message. Any >>> unauthorised copying of this message (and attachments) or >>> unauthorised distribution of the information contained herein >>> is prohibited. >>> >>> Go Green! Print this email only when necessary. >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >> > > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba >
John Drescher
2015-Jul-09 15:08 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
> I got the same problem with Build 10162. I dont think it's an Samba > issue. It seems that Windows 10 dont like "\\....\netlogon". Our Samba > 3.5.6 PDC works like a charm for win 7. From my Win10 PC i can access > everything except \\dc1\netlogonHmm. On 2 test boxes I am now getting no login servers available on 10162 (while it worked for previous builds and I do not experience that on my windows 7 or 8.x machines). 10130 crashed just after the login was accepted if the network cables were connected ( I have 2 networks at work gigabit private to samba doman only + internet corporate network ). After I pulled the network cables to let 10130 in I experienced the same netlogin problem. My PDC and BDCs are samba 4.2.2. John
Marc Muehlfeld
2015-Jul-09 15:48 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
Hello John, Am 09.07.2015 um 17:08 schrieb John Drescher:> Hmm. On 2 test boxes I am now getting no login servers available on > 10162 (while it worked for previous builds and I do not experience > that on my windows 7 or 8.x machines). 10130 crashed just after the > login was accepted if the network cables were connected ( I have 2 > networks at work gigabit private to samba doman only + internet > corporate network ). After I pulled the network cables to let 10130 in > I experienced the same netlogin problem. My PDC and BDCs are samba > 4.2.2.I've renamed the old "Registry changes for NT4-style domains" page in the wiki, because Win10 in an Samba NT4 domain requires also an smb.conf setting. Otherwise you will stop at the "No logon servers available" problem. To cover everything on one page, a page rename was required. https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains Regards, Marc