Jyunhao Shih
2018-Oct-29 10:42 UTC
[Samba] Not working with Windows clients where "Digitally sign communications (always)" is enabled
Samba version: 4.7.6
OS: Ubuntu 18.04.1 server
Client: Windows 7 SP1 (Traditional Chinese)

Problem:
Normally, a client can connect to [homes] share on server. (I type \\serverIP\my_user_name and press enter, the username/password dialog pops up, I input those of my Ubuntu user, and the contents of my home dir on the server reveal.)

But when Win7 is configured with this setting enabled,

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

(due to a recent change of security policies where I work), no dialog pops up, only an error message, whose English equivalent I believe is "The account is not authorized to log in from this station."

Successful log.clientIP: https://pastebin.com/HD6ZmscP
Successful log.smbd: https://pastebin.com/Xy9HHuwB
Failed log.clientIP: https://pastebin.com/D7gF7G2K
Failed log.smbd: https://pastebin.com/03nwg48t
smb.conf: https://pastebin.com/XE6FwDGi

I greatly appreciate any help.
Rowland Penny
2018-Oct-29 11:13 UTC
[Samba] Not working with Windows clients where "Digitally sign communications (always)" is enabled
On Mon, 29 Oct 2018 18:42:00 +0800 Jyunhao Shih via samba <samba at lists.samba.org> wrote:

> Samba version: 4.7.6
> OS: Ubuntu 18.04.1 server
> Client: Windows 7 SP1 (Traditional Chinese)
>
> Problem:
> Normally, a client can connect to [homes] share on server.
> (I type \\serverIP\my_user_name and press enter,
> the username/password dialog pops up,
> I input those of my Ubuntu user,
> and the contents of my home dir on the server reveal.)
> But when Win7 is configured with this setting enabled,
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Security Options\Microsoft network client: Digitally sign
> communications (always)
> (due to a recent change of security policies where I work),
> no dialog pops up, only an error message, whose English equivalent I
> believe is
> "The account is not authorized to log in from this station."
>
> Successful log.clientIP: https://pastebin.com/HD6ZmscP
> Successful log.smbd: https://pastebin.com/Xy9HHuwB
> Failed log.clientIP: https://pastebin.com/D7gF7G2K
> Failed log.smbd: https://pastebin.com/03nwg48t
> smb.conf: https://pastebin.com/XE6FwDGi
>
> I greatly appreciate any help.

It looks like the Samba 'standalone server' doesn't know who your user is. You have 'map to guest = bad user' in smb.conf, but have denied guest access to the shares, so you cannot connect as a guest user.

Are the Windows machines in a domain?
If they are, it would probably be a good idea to join the 'standalone server' to the domain.

Rowland
Jyunhao Shih
2018-Oct-29 14:43 UTC
[Samba] Not working with Windows clients where "Digitally sign communications (always)" is enabled
My Windows machine is not in any domain.

And the exact same configuration (map to guest = bad user, guest ok = no) works fine when the aforementioned Windows policy setting is not enabled. In that case Samba at first doesn't know who my user is, either. It lets Windows pop up a username/password dialog to ask me for another user credential. Only after I input the correct one does Windows successfully access the Samba share.

In contrast, with "Digitally sign communications (always)" enabled, I have no chance to provide another user credential. Windows just shows the error message.

Log files show that both cases first walked through the same process, getting user "user2" (that's the account name of my Windows user) and trying to use the guest account. They began to do different things starting from line 223. And in the successful case, at line 278, it got what I had input, my Ubuntu username "u634410".

If I haven't got it wrong, supposing the failure is caused by map to guest = bad user and guest ok = no, it would not have worked when the Windows policy setting is not enabled either, right?

Rowland Penny via samba <samba at lists.samba.org> wrote on Mon, 29 Oct 2018 at 7:13 PM:

> On Mon, 29 Oct 2018 18:42:00 +0800
> Jyunhao Shih via samba <samba at lists.samba.org> wrote:
>
> > Samba version: 4.7.6
> > OS: Ubuntu 18.04.1 server
> > Client: Windows 7 SP1 (Traditional Chinese)
> >
> > Problem:
> > Normally, a client can connect to [homes] share on server.
> > (I type \\serverIP\my_user_name and press enter,
> > the username/password dialog pops up,
> > I input those of my Ubuntu user,
> > and the contents of my home dir on the server reveal.)
> > But when Win7 is configured with this setting enabled,
> > Computer Configuration\Windows Settings\Security Settings\Local
> > Policies\Security Options\Microsoft network client: Digitally sign
> > communications (always)
> > (due to a recent change of security policies where I work),
> > no dialog pops up, only an error message, whose English equivalent I
> > believe is
> > "The account is not authorized to log in from this station."
> >
> > Successful log.clientIP: https://pastebin.com/HD6ZmscP
> > Successful log.smbd: https://pastebin.com/Xy9HHuwB
> > Failed log.clientIP: https://pastebin.com/D7gF7G2K
> > Failed log.smbd: https://pastebin.com/03nwg48t
> > smb.conf: https://pastebin.com/XE6FwDGi
> >
> > I greatly appreciate any help.
>
> It looks like the Samba 'standalone server' doesn't know who your user
> is. You have 'map to guest = bad user' in smb.conf, but have denied
> guest access to the shares, so you cannot connect as a guest user.
>
> Are the Windows machines in a domain ?
> If they are, it would probably be a good idea to join the 'standalone
> server' to the domain.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
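The combination discussed in this thread ('map to guest = bad user' with 'guest ok = no' on the shares) can be checked mechanically; the following is an added example, not code from the thread or from the Samba project. The smb.conf text is a constructed sample (the poster's file is only linked), and the function names are hypothetical; guest sessions have no session key to sign with, so this pairing is worth reviewing when clients require signing.

```python
import re

# Constructed sample smb.conf, NOT the poster's file (only linked on the page).
SAMPLE_SMB_CONF = """\
[global]
   security = user
   map to guest = bad user

[homes]
   browseable = no
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}
GUEST_KEYS = ("guest ok", "public")  # 'public' is a synonym for 'guest ok'


def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def guest_mapping_findings(text):
    """Flag guest mapping that no share can ever honour."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mapping = glob.get("map to guest", "never").lower()  # Samba default: Never
    guest_shares = sorted(
        name for name, params in conf.items()
        if name != "global" and any(
            (params.get(k) or glob.get(k) or "no").lower() in TRUE_VALUES
            for k in GUEST_KEYS)
    )
    findings = []
    if mapping != "never" and not guest_shares:
        findings.append(
            f"map to guest = {mapping}, but no share allows guest access")
    return {"map_to_guest": mapping, "guest_shares": guest_shares,
            "findings": findings}
```
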