MI
2015-Jun-17 19:13 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems to work. I can login, a home directory is created on the server, and I can access shares. All shares are OK, except "netlogon". Logon scripts don't run, and I cannot open the netlogon share. I get "Access denied" and a prompt to enter my username and password, which keeps coming back. At the command prompt, if I do "dir \\server\netlogon", I just get "Network access is denied." but listing other shares is fine. Any ideas?
John Drescher
2015-Jun-17 19:33 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
> All shares are OK, except "netlogon". Logon scripts don't run, and I cannot > open the netlogon share. I get "Access denied" and a prompt to enter my > username and password, which keeps coming back. > > At the command prompt, if I do "dir \\server\netlogon", I just get "Network > access is denied." but listing other shares is fine. > > Any ideas?I had the same behavior when I tested this. John
Daniel Carrasco MarĂn
2015-Jun-17 19:35 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
2015-06-17 21:13 GMT+02:00 MI <mi.lists at alma.ch>:> I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems > to work. I can login, a home directory is created on the server, and I can > access shares. > > All shares are OK, except "netlogon". Logon scripts don't run, and I > cannot open the netlogon share. I get "Access denied" and a prompt to enter > my username and password, which keeps coming back. > > At the command prompt, if I do "dir \\server\netlogon", I just get > "Network access is denied." but listing other shares is fine. > > Any ideas? > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >Hi, Please, post your smb.cfg and the output of the command "getfacl NetLogonFolder". Greetings!!
MI
2015-Jun-18 07:33 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
> > Please, post your smb.cfg and the output of the command "getfacl NetLogonFolder".Here is the samba config. $ testparm -s ... Server role: ROLE_DOMAIN_PDC [global] workgroup = FRENETIC netbios name = JANUS server string = %h server interfaces = 127.0.0.0/8, 192.168.44.0/24, 10.44.0.0/24 bind interfaces only = Yes map to guest = Bad User passdb backend = ldapsam log level = 2 syslog = 0 log file = /var/log/samba/log.%m max log size = 2000 time server = Yes unix extensions = No socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192 load printers = No add machine script = /usr/sbin/smbldap-useradd -w "%u" logon script = logon-%a.bat logon path = \\%N\%U\profile-%a logon drive = H: domain logons = Yes os level = 64 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap admin dn = "cn=admin,dc=frenetic,dc=lan" ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap passwd sync = yes ldap suffix = dc=frenetic,dc=lan ldap ssl = no ldap user suffix = ou=People panic action = /usr/share/samba/panic-action %d create mask = 0775 directory mask = 02775 hide files = /Maildir/desktop.ini/RECYCLER/PUTTY.RND/lost+found/ veto oplock files = /*.doc/*.xls/*.mdb/*.MDB/*.pst/*.PST/ csc policy = disable wide links = Yes [netlogon] comment = Network Logon Service path = /etc/samba/netlogon write list = @admins read only = No guest ok = Yes [homes] comment = Home Directories read only = No create mask = 0700 directory mask = 0700 profile acls = Yes browseable = No etc. (other shares work OK) $ /usr/sbin/smbd --version Version 3.5.6 $ getfacl /etc/samba/netlogon/ -bash: getfacl: command not found We don't use ACLs on the server. The Unix permissions on the directory are $ stat /etc/samba/netlogon/ ... Access: (0775/drwxrwxr-x) Uid: ( 0/ root) Gid: ( 1001/ admins) Everything is fine with Win7 clients. On Win10, all I did before joining the domain was set the 2 registry keys under ...\LanmanWorkstation\Parameters : "DNSNameResolutionRequired"=dword:00000000 "DomainCompatibilityMode"=dword:00000001 And in ...\LanmanWorkstation, "DependOnService" replace "RMRxSmb20" with "RMRxSmb10" in the list.
IanLewis
2015-Aug-22 03:27 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
KPK: This sounds exactly like the problem we saw with our domain. The issue was that the services LanmanServer and LanmanWorkstation had the Parameter EnableSecuritySignature disabled on our domain controllers. If you have the same issue, set EnableSecuritySignature to 1 and RequireSecuritySignature to 0 (unless you want to require security signature) for both LanmanServer and LanmanWorkstation under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Reboot your servers and you will have access to NETLOGON and SYSVOL and your domain logon will work as expected. IL: www.mstarlabs.com -- View this message in context: http://samba.2283325.n4.nabble.com/Windows-10-in-Samba-3-domain-netlogon-share-access-denied-tp4687451p4690104.html Sent from the Samba - General mailing list archive at Nabble.com.
MI
2015-Oct-06 12:26 UTC
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
Still had the same problem with the release build of Win10. The solution posted by Marcel on July 9 worked:> Solution: GPEDIT.MSC -> Computer -> Administrative templates -> Network -> > Networkprovider -> Hardened UNC Paths- Set on "Enabled". - Under options, click on the "Show..." button - Under "Value name", enter: \\servername\netlogon ( or \\*\netlogon ) - Under "Value" enter: RequireMutualAuthentication=0, RequireIntegrity=0 -------- Original Message --------> I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems to work. I > can login, a home directory is created on the server, and I can access shares. > > All shares are OK, except "netlogon". Logon scripts don't run, and I cannot open > the netlogon share. I get "Access denied" and a prompt to enter my username and > password, which keeps coming back. > > At the command prompt, if I do "dir \\server\netlogon", I just get "Network access > is denied." but listing other shares is fine. > > Any ideas? >