Hi all, I'm running a small Samba based AD, consisting of one Samba DC and one Samba Fileserver (AD member). I use rfc2307 and manually give the users their UID (there aren't many). This setup used to work well at the beginning but with every Samba update (I run a rolling release), I seem to stumble upon new issues. I hope someone can help me with the latest one. I have a folder on the fileserver, let's call it \\FILESERVER\SHARE, that I wish to use for scanner output. I checked and checked again, both share permissions (everyone=full control) as well as NTFS permissions seem correct, and yet I can't get my network scanner to connect to it. It keeps complaining about unsuccessful authentication. I checked user access with smbclient, it works. If I hook up another laptop to the network and just browse the network and open the folder, the credentials work too. However, I can do the same type of browsing with the scanner but the exact same credentials don't work. Just as one more test, I used VLC on my Android phone to browse the network and I also cannot get into the folders although I'm using the correct credentials. Does anyone know what my problem could be? I don't think it will help but just in case attaching my smb.conf (from the member). [global] netbios name = FILESERVER workgroup = WORKGROUP security = ADS realm = WORKGROUP.EXAMPLE.COM dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab username map = /etc/samba/samba_usermap idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config WORKGROUP:backend = ad idmap config WORKGROUP:schema_mode = rfc2307 idmap config WORKGROUP:range = 10000-99999 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind refresh tickets = Yes vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes [share] path = /srv/samba/share comment = "Common Files" guest ok = no writeable = yes acl_xattr:ignore system acls = yes
On 11/21/2016 8:21 AM, Viktor Trojanovic via samba wrote:> Hi all, > > I'm running a small Samba based AD, consisting of one Samba DC and one > Samba Fileserver (AD member). > > I use rfc2307 and manually give the users their UID (there aren't many). > > This setup used to work well at the beginning but with every Samba update > (I run a rolling release), I seem to stumble upon new issues. I hope > someone can help me with the latest one. > > I have a folder on the fileserver, let's call it \\FILESERVER\SHARE, that I > wish to use for scanner output. I checked and checked again, both share > permissions (everyone=full control) as well as NTFS permissions seem > correct, and yet I can't get my network scanner to connect to it. It keeps > complaining about unsuccessful authentication. > > I checked user access with smbclient, it works. If I hook up another laptop > to the network and just browse the network and open the folder, the > credentials work too. However, I can do the same type of browsing with the > scanner but the exact same credentials don't work. Just as one more test, I > used VLC on my Android phone to browse the network and I also cannot get > into the folders although I'm using the correct credentials. > > Does anyone know what my problem could be? I don't think it will help but > just in case attaching my smb.conf (from the member). > > [global] > > netbios name = FILESERVER > workgroup = WORKGROUP > security = ADS > realm = WORKGROUP.EXAMPLE.COM > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > username map = /etc/samba/samba_usermap > > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > idmap config WORKGROUP:backend = ad > idmap config WORKGROUP:schema_mode = rfc2307 > idmap config WORKGROUP:range = 10000-99999 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = Yes > > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > > [share] > path = /srv/samba/share > comment = "Common Files" > guest ok = no > writeable = yes > acl_xattr:ignore system acls = yesYou most likely need to add 'ntlm auth = yes' in your global config section of smb.conf. -- - James
Thanks for the hint, James.
In that case, I assume the man page for smb.conf is outdated. According to
the manual, "ntlm auth = yes" is the default. Running testparm -sv
reveals,
however, that it is set to "no" by default.
Having said that, changing it to yes didn't bring me further, yet, the
scanner still can't connect.
This is now the output of testparm -sv | grep auth
Server role: ROLE_DOMAIN_MEMBER
ldap server require strong auth = Yes
allow dcerpc auth level connect = No
auth methods client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
lanman auth = No
ntlm auth = Yes
raw NTLMv2 auth = No
Any other ideas?
On Mon, Nov 21, 2016 at 2:29 PM, lingpanda101 <lingpanda101 at gmail.com>
wrote:
> On 11/21/2016 8:21 AM, Viktor Trojanovic via samba wrote:
>
>> Hi all,
>>
>> I'm running a small Samba based AD, consisting of one Samba DC and
one
>> Samba Fileserver (AD member).
>>
>> I use rfc2307 and manually give the users their UID (there aren't
many).
>>
>> This setup used to work well at the beginning but with every Samba
update
>> (I run a rolling release), I seem to stumble upon new issues. I hope
>> someone can help me with the latest one.
>>
>> I have a folder on the fileserver, let's call it
\\FILESERVER\SHARE, that
>> I
>> wish to use for scanner output. I checked and checked again, both share
>> permissions (everyone=full control) as well as NTFS permissions seem
>> correct, and yet I can't get my network scanner to connect to it.
It keeps
>> complaining about unsuccessful authentication.
>>
>> I checked user access with smbclient, it works. If I hook up another
>> laptop
>> to the network and just browse the network and open the folder, the
>> credentials work too. However, I can do the same type of browsing with
the
>> scanner but the exact same credentials don't work. Just as one more
test,
>> I
>> used VLC on my Android phone to browse the network and I also cannot
get
>> into the folders although I'm using the correct credentials.
>>
>> Does anyone know what my problem could be? I don't think it will
help but
>> just in case attaching my smb.conf (from the member).
>>
>> [global]
>>
>> netbios name = FILESERVER
>> workgroup = WORKGROUP
>> security = ADS
>> realm = WORKGROUP.EXAMPLE.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> username map = /etc/samba/samba_usermap
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config WORKGROUP:backend = ad
>> idmap config WORKGROUP:schema_mode = rfc2307
>> idmap config WORKGROUP:range = 10000-99999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>>
>> [share]
>> path = /srv/samba/share
>> comment = "Common Files"
>> guest ok = no
>> writeable = yes
>> acl_xattr:ignore system acls = yes
>>
>
>
> You most likely need to add 'ntlm auth = yes' in your global config
> section of smb.conf.
>
> --
> - James
>
>