samba - Jun 2015 - Windows 10 in Samba 3 domain: netlogon share access denied

I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems to
work. I
can login, a home directory is created on the server, and I can access shares.

All shares are OK, except "netlogon". Logon scripts don't run, and
I cannot open the
netlogon share. I get "Access denied" and a prompt to enter my
username and password,
which keeps coming back.

At the command prompt, if I do "dir \\server\netlogon", I just get
"Network access is
denied." but listing other shares is fine.

Any ideas?

> All shares are OK, except "netlogon". Logon scripts don't
run, and I cannot
> open the netlogon share. I get "Access denied" and a prompt to
enter my
> username and password, which keeps coming back.
>
> At the command prompt, if I do "dir \\server\netlogon", I just
get "Network
> access is denied." but listing other shares is fine.
>
> Any ideas?
I had the same behavior when I tested this.

John

2015-06-17 21:13 GMT+02:00 MI <mi.lists at alma.ch>:
> I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems
> to work. I can login, a home directory is created on the server, and I can
> access shares.
>
> All shares are OK, except "netlogon". Logon scripts don't
run, and I
> cannot open the netlogon share. I get "Access denied" and a
prompt to enter
> my username and password, which keeps coming back.
>
> At the command prompt, if I do "dir \\server\netlogon", I just
get
> "Network access is denied." but listing other shares is fine.
>
> Any ideas?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
Hi,

Please, post your smb.cfg and the output of the command "getfacl
NetLogonFolder".

Greetings!!

>
> Please, post your smb.cfg and the output of the command "getfacl
NetLogonFolder".
Here is the samba config.

$ testparm -s
...
Server role: ROLE_DOMAIN_PDC
[global]
     workgroup = FRENETIC
     netbios name = JANUS
     server string = %h server
     interfaces = 127.0.0.0/8, 192.168.44.0/24, 10.44.0.0/24
     bind interfaces only = Yes
     map to guest = Bad User
     passdb backend = ldapsam
     log level = 2
     syslog = 0
     log file = /var/log/samba/log.%m
     max log size = 2000
     time server = Yes
     unix extensions = No
     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
     load printers = No
     add machine script = /usr/sbin/smbldap-useradd -w "%u"
     logon script = logon-%a.bat
     logon path = \\%N\%U\profile-%a
     logon drive = H:
     domain logons = Yes
     os level = 64
     preferred master = Yes
     domain master = Yes
     dns proxy = No
     wins support = Yes
     ldap admin dn = "cn=admin,dc=frenetic,dc=lan"
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers
     ldap passwd sync = yes
     ldap suffix = dc=frenetic,dc=lan
     ldap ssl = no
     ldap user suffix = ou=People
     panic action = /usr/share/samba/panic-action %d
     create mask = 0775
     directory mask = 02775
     hide files = /Maildir/desktop.ini/RECYCLER/PUTTY.RND/lost+found/
     veto oplock files = /*.doc/*.xls/*.mdb/*.MDB/*.pst/*.PST/
     csc policy = disable
     wide links = Yes

[netlogon]
     comment = Network Logon Service
     path = /etc/samba/netlogon
     write list = @admins
     read only = No
     guest ok = Yes

[homes]
     comment = Home Directories
     read only = No
     create mask = 0700
     directory mask = 0700
     profile acls = Yes
     browseable = No

etc. (other shares work OK)


$ /usr/sbin/smbd --version
Version 3.5.6

$ getfacl /etc/samba/netlogon/
-bash: getfacl: command not found

We don't use ACLs on the server. The Unix permissions on the directory are

$ stat /etc/samba/netlogon/
...
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: ( 1001/ admins)


Everything is fine with Win7 clients. On Win10, all I did before joining the
domain
was set the 2 registry keys under ...\LanmanWorkstation\Parameters :
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

And in ...\LanmanWorkstation, "DependOnService" replace
"RMRxSmb20" with "RMRxSmb10"
in the list.

KPK: This sounds exactly like the problem we saw with our domain. The issue
was that the services LanmanServer and LanmanWorkstation had the Parameter
EnableSecuritySignature disabled on our domain controllers. 

If you have the same issue, set EnableSecuritySignature to 1 and
RequireSecuritySignature to 0 (unless you want to require security
signature) for both LanmanServer and LanmanWorkstation under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. 

Reboot your servers and you will have access to NETLOGON and SYSVOL and your
domain logon will work as expected.

IL: www.mstarlabs.com



--
View this message in context:
http://samba.2283325.n4.nabble.com/Windows-10-in-Samba-3-domain-netlogon-share-access-denied-tp4687451p4690104.html
Sent from the Samba - General mailing list archive at Nabble.com.

Still had the same problem with the release build of Win10. The solution posted
by
Marcel on July 9 worked:
> Solution: GPEDIT.MSC -> Computer -> Administrative templates ->
Network ->
> Networkprovider -> Hardened UNC Paths
- Set on "Enabled".
- Under options, click on the "Show..." button
- Under "Value name", enter: \\servername\netlogon ( or \\*\netlogon )
- Under "Value" enter: RequireMutualAuthentication=0,
RequireIntegrity=0



-------- Original Message --------
> I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems to
work. I
> can login, a home directory is created on the server, and I can access
shares.
>
> All shares are OK, except "netlogon". Logon scripts don't
run, and I cannot open
> the netlogon share. I get "Access denied" and a prompt to enter
my username and
> password, which keeps coming back.
>
> At the command prompt, if I do "dir \\server\netlogon", I just
get "Network access
> is denied." but listing other shares is fine.
>
> Any ideas?
>