samba - Jul 2008 - The specified network name is no longer available

Hello Samba people,

 

I have been successfully using Samba for several years, across many
minor versions of Samba across many minor versions of Linux kernel 2.4.x
and 2.6.x, against a Windows 2000 and then in the past couple of years
2003 AD Domain. This morning, something broke...

 

Setting the stage:

 

RedHat Fedora based Linux box, FC8, updated over time using 'yum
update'..., current kernel is 2.6.25.10-47.fc8 (released just a few days
ago).

 

Samba packages:

samba-common-3.0.30-0.fc8

samba-client-3.0.30-0.fc8

samba-3.0.30-0.fc8

 

/etc/samba/smb.conf key configuration lines: (just ask if I've left out
any important ones, please)

workgroup = FELINESAD2

netbios name = PANTHER8

realm = ad2.felines.org

password server = reset6.ad2.felines.org

client use spnego = yes

all trusted domains = yes

security = ADS

encrypt passwords = yes

local master = no

domain master = no

preferred master = no

domain logons = no

wins support = no

wins proxy = no

dns proxy = no

map to guest = never

null passwords = no

idmap uid = 16777216-33554431

idmap gid = 16777216-33554431

template shell = /bin/false

winbind use default domain = no

 

[homes]

 browseable = no

 writable = yes

 public = no

 valid users = libove, libove@ad2.felines.org

 available = yes

 

In short, it should talk only secure Kerberos protocols and rely on my
Domain Controller reset6.ad2.felines.org (the DC for my FELINESAD2 /
ad2.felines.org Win2K3 Domain) for authentication.

The one actual home share is "libove", which lives on the Linux box at
/home/libove

 

This all used to work just fine. Today, it doesn't anymore. Example:

 

C:\>net use h: \\panther8.ad2.felines.org\libove

System error 64 has occurred.

 

The specified network name is no longer available.

 

Note that this is different from the common case I found in searching
the net for the "... no longer available" error message. That common
case was where connecting to the network share worked fine, but large
transfers broke in the middle. My case is that I can no longer connect
to the network shares on the Samba server at all.

 

 

What has changed recently?

The aforementioned kernel upgrade, care of "yum update" a couple of
days
ago.

And Domain default Policy updates I also made a few days ago, to turn on
stronger security of Windows SMB / CIFS requests such as always signing
and encrypting:

 

Domain Member: Digitally encrypt of sign secure channel data (always) -
Enabled

Domain Member: Require strong (Windows 2000 or later) session key -
Enabled

Microsoft network client: Digitally sign communications (always) -
Enabled

Microsoft network client: Send unencrypted password to third-party SMB
servers - Disabled

Microsoft network client: Digitally sign communications (always) -
Enabled

Network access: Allow anonymous SID/Name translation - Disabled

Network access: Do not allow anonymous enumeration of SAM accounts -
Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and
shares - Enabled

Network access: Let Everyone permissions apply to anonymous users -
Disabled

Network security: Do not store LAN Manager hash value on next password
change - Enabled

Network security: LAN Manager authentication level - Send NTLMv2
response only, and refuse LM & NTLM

Network security: Minimum session security for NTLM SSP based (including
secure RPC) clients - 

 Require message integrity

 Require message confidentiality

 Require NTLMv2 session security

 Require 128-bit encryption

Network security: Minimum session security for NTLM SSP based (including
secure RPC) servers -

 Require message integrity

 Require message confidentiality

 Require NTLMv2 session security

 Require 128-bit encryption

 

The /var/log/samba/log.smb, log.<clientname>, and
log.<clientIPaddress>
subsets [ at debug level 3 ] from a session demonstrating the error
message above are posted at my web site at
http://www.felines.org/Samba_logs.txt because they are too large to
include in an email to the Samba mailing list.

 

With apologies for asking for your help before I change back these
things, reboot everything, and see if the problem goes away... does any
of this ring any bells, has anyone experienced this before and just
right away knows the answer?

 

Thanks for your help,

Jay Libove, CISSP, CIPP

Atlanta, GA, US and Barcelona, Spain

Thanks for the suggestion Andrew. I gave it a try - no difference in my
case, unfortunately.
(My client is Windows XP SP3, by the way).

Anyone, any other ideas?

Thanks!
Jay

-----Original Message-----
From: Colb, Andrew [mailto:andy@ici.org] 
Sent: Thursday, July 24, 2008 4:32 PM
To: Jay Libove; samba@lists.samba.org
Subject: RE: [Samba] The specified network name is no longer available

Jay,
We had to remove our "valid users" stanza for our windows 2000
desktops
to authenticate correctly with Samba 3. (Samba 3.0.28 on Solaris 10/64;
Win2k3/64 DCs; Winbind; Kerberos)

The "valid users" stanza apparently works fine for us on Samba 3.0.28
with Vista but not with Win2000 desktop

Conversely, the "valid users" stanza works fine for us on Samba 2.x
with
Win2000 desktop

We're in the midst of sorting out the whys and wherefores now that users
have their files back.

Andy

-----Original Message-----
From: samba-bounces+acolb=ici.org@lists.samba.org
[mailto:samba-bounces+acolb=ici.org@lists.samba.org] On Behalf Of Jay
Libove
Sent: Thursday, July 24, 2008 3:26 PM
To: samba@lists.samba.org
Subject: [Samba] The specified network name is no longer available

Hello Samba people,

 

I have been successfully using Samba for several years, across many
minor versions of Samba across many minor versions of Linux kernel 2.4.x
and 2.6.x, against a Windows 2000 and then in the past couple of years
2003 AD Domain. This morning, something broke...

 

Setting the stage:

 

RedHat Fedora based Linux box, FC8, updated over time using 'yum
update'..., current kernel is 2.6.25.10-47.fc8 (released just a few days
ago).

 

Samba packages:

samba-common-3.0.30-0.fc8

samba-client-3.0.30-0.fc8

samba-3.0.30-0.fc8

 

/etc/samba/smb.conf key configuration lines: (just ask if I've left out
any important ones, please)

workgroup = FELINESAD2

netbios name = PANTHER8

realm = ad2.felines.org

password server = reset6.ad2.felines.org

client use spnego = yes

all trusted domains = yes

security = ADS

encrypt passwords = yes

local master = no

domain master = no

preferred master = no

domain logons = no

wins support = no

wins proxy = no

dns proxy = no

map to guest = never

null passwords = no

idmap uid = 16777216-33554431

idmap gid = 16777216-33554431

template shell = /bin/false

winbind use default domain = no

 

[homes]

 browseable = no

 writable = yes

 public = no

 valid users = libove, libove@ad2.felines.org

 available = yes

 

In short, it should talk only secure Kerberos protocols and rely on my
Domain Controller reset6.ad2.felines.org (the DC for my FELINESAD2 /
ad2.felines.org Win2K3 Domain) for authentication.

The one actual home share is "libove", which lives on the Linux box at
/home/libove

 

This all used to work just fine. Today, it doesn't anymore. Example:

 

C:\>net use h: \\panther8.ad2.felines.org\libove

System error 64 has occurred.

 

The specified network name is no longer available.

 

Note that this is different from the common case I found in searching
the net for the "... no longer available" error message. That common
case was where connecting to the network share worked fine, but large
transfers broke in the middle. My case is that I can no longer connect
to the network shares on the Samba server at all.

 

 

What has changed recently?

The aforementioned kernel upgrade, care of "yum update" a couple of
days
ago.

And Domain default Policy updates I also made a few days ago, to turn on
stronger security of Windows SMB / CIFS requests such as always signing
and encrypting:

 

Domain Member: Digitally encrypt of sign secure channel data (always) -
Enabled

Domain Member: Require strong (Windows 2000 or later) session key -
Enabled

Microsoft network client: Digitally sign communications (always) -
Enabled

Microsoft network client: Send unencrypted password to third-party SMB
servers - Disabled

Microsoft network client: Digitally sign communications (always) -
Enabled

Network access: Allow anonymous SID/Name translation - Disabled

Network access: Do not allow anonymous enumeration of SAM accounts -
Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and
shares - Enabled

Network access: Let Everyone permissions apply to anonymous users -
Disabled

Network security: Do not store LAN Manager hash value on next password
change - Enabled

Network security: LAN Manager authentication level - Send NTLMv2
response only, and refuse LM & NTLM

Network security: Minimum session security for NTLM SSP based (including
secure RPC) clients - 

 Require message integrity

 Require message confidentiality

 Require NTLMv2 session security

 Require 128-bit encryption

Network security: Minimum session security for NTLM SSP based (including
secure RPC) servers -

 Require message integrity

 Require message confidentiality

 Require NTLMv2 session security

 Require 128-bit encryption

 

The /var/log/samba/log.smb, log.<clientname>, and
log.<clientIPaddress>
subsets [ at debug level 3 ] from a session demonstrating the error
message above are posted at my web site at
http://www.felines.org/Samba_logs.txt because they are too large to
include in an email to the Samba mailing list.

 

With apologies for asking for your help before I change back these
things, reboot everything, and see if the problem goes away... does any
of this ring any bells, has anyone experienced this before and just
right away knows the answer?

 

Thanks for your help,

Jay Libove, CISSP, CIPP

Atlanta, GA, US and Barcelona, Spain

 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba