samba - Jan 2018 - Access to Windows 2016 server works with IP but not with netbios name

The client is a Windows 2008 R2 server. I don't know what you mean by
classic vs. AD. I assume it's AD, but how would I check?

I see the same problem, i.e. "Access is denied" and a window to enter
the
username/password, if I use the fully qualified name.

Thanks,

Rob

On Fri, Jan 12, 2018 at 10:58 AM, Gaiseric Vandal via samba <
samba at lists.samba.org> wrote:
> Can you clarify -  are they trying to access the samba server from a Win
> 2016 machine?     Is this a classic domain or AD domain?
>
> Do you have a WINS server defined?      Can you access via a fully
> qualified domain name (e.g. myserver.mydomain.com.)     I had an issue
> several years back where users connecting over VPN could access by IP but
> not my short name.       The problem was that the VPN was blocking at least
> some netbios traffic (137-139) which meant that anything relying on netbios
> names failed.    If you could connect via IP address of fully qualified
> domain  name then you were by passing netbios name resolution issues and
> connecting directly to port 445.
>
>
>
> I have run into several issues with classic domains with SMB3 and Windows
> 10 (which presumably would apply to Win 2016 as well.) Windows 10 would try
> to negotiate SMBv3 with some servers and would fail.  (This may have been
> samba 4 servers so I don't think this applies to you.)     I also had
> problems with Win 7 and Windows 2008 and SMB v2, especially with multiple
> users connecting via remote desktop to Windows 2008.      The first use
> could map a drive but not successive users.        You may want to
> explicitly set your samba servers to use SMB v2 as the max protocol or even
> Samba 1.x.
>
>
>
> I also run into an issue with drive mapping using short name vs long name
> in a classic domain.   If my DNS domain is mycompany.com, and my samba
> domain is  TECH, then if I may a drive to myserver.mydomain.com there is
> a discrepancy between the Samba domain name and the DNS domain name.
> This didn't cause problems with Windows itself but it did with Office
2013
> after some updates.   Office would not open files determined to be from an
> untrusted source.
>
>
> I migrated away from a classic domain to a true AD domain so a lot of my
> netbios and name resolution issues went away.
>
>
>
> On 01/12/2018 10:19 AM, Rob Marshall via samba wrote:
>
>> Hi,
>>
>> I have a customer who is able to access shares using the IP address of
the
>> Samba server (running 3.6.x - sorry, can't upgrade) but when they
try to
>> access the share using the short (netbios) name, they get "access
denied"
>> and are prompted for a username/password.
>>
>> Where would I look to figure out what's going wrong?
>>
>> Thanks,
>>
>> Rob
>>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi,

I just tried again and there's a window that says something about
"looking
for credentials file..." that pops up before I get the "Access is
denied"
and the login window. I don't know what that means, but since the window is
only there very briefly I probably missed it on my earlier attempts.

Thanks,

Rob

On Fri, Jan 12, 2018 at 11:16 AM, Rob Marshall <rob.marshall17 at
gmail.com>
wrote:
> The client is a Windows 2008 R2 server. I don't know what you mean by
> classic vs. AD. I assume it's AD, but how would I check?
>
> I see the same problem, i.e. "Access is denied" and a window to
enter the
> username/password, if I use the fully qualified name.
>
> Thanks,
>
> Rob
>
> On Fri, Jan 12, 2018 at 10:58 AM, Gaiseric Vandal via samba <
> samba at lists.samba.org> wrote:
>
>> Can you clarify -  are they trying to access the samba server from a
Win
>> 2016 machine?     Is this a classic domain or AD domain?
>>
>> Do you have a WINS server defined?      Can you access via a fully
>> qualified domain name (e.g. myserver.mydomain.com.)     I had an issue
>> several years back where users connecting over VPN could access by IP
but
>> not my short name.       The problem was that the VPN was blocking at
least
>> some netbios traffic (137-139) which meant that anything relying on
netbios
>> names failed.    If you could connect via IP address of fully qualified
>> domain  name then you were by passing netbios name resolution issues
and
>> connecting directly to port 445.
>>
>>
>>
>> I have run into several issues with classic domains with SMB3 and
Windows
>> 10 (which presumably would apply to Win 2016 as well.) Windows 10 would
try
>> to negotiate SMBv3 with some servers and would fail.  (This may have
been
>> samba 4 servers so I don't think this applies to you.)     I also
had
>> problems with Win 7 and Windows 2008 and SMB v2, especially with
multiple
>> users connecting via remote desktop to Windows 2008.      The first use
>> could map a drive but not successive users.        You may want to
>> explicitly set your samba servers to use SMB v2 as the max protocol or
even
>> Samba 1.x.
>>
>>
>>
>> I also run into an issue with drive mapping using short name vs long
name
>> in a classic domain.   If my DNS domain is mycompany.com, and my samba
>> domain is  TECH, then if I may a drive to myserver.mydomain.com there
is
>> a discrepancy between the Samba domain name and the DNS domain name.
>> This didn't cause problems with Windows itself but it did with
Office 2013
>> after some updates.   Office would not open files determined to be from
an
>> untrusted source.
>>
>>
>> I migrated away from a classic domain to a true AD domain so a lot of
my
>> netbios and name resolution issues went away.
>>
>>
>>
>> On 01/12/2018 10:19 AM, Rob Marshall via samba wrote:
>>
>>> Hi,
>>>
>>> I have a customer who is able to access shares using the IP address
of
>>> the
>>> Samba server (running 3.6.x - sorry, can't upgrade) but when
they try to
>>> access the share using the short (netbios) name, they get
"access denied"
>>> and are prompted for a username/password.
>>>
>>> Where would I look to figure out what's going wrong?
>>>
>>> Thanks,
>>>
>>> Rob
>>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

On Fri, 12 Jan 2018 11:20:37 -0500
Rob Marshall via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I just tried again and there's a window that says something about
> "looking for credentials file..." that pops up before I get the
> "Access is denied" and the login window. I don't know what
that
> means, but since the window is only there very briefly I probably
> missed it on my earlier attempts.
> 
> Thanks,
> 
> Rob
> 
> On Fri, Jan 12, 2018 at 11:16 AM, Rob Marshall
> <rob.marshall17 at gmail.com> wrote:
> 
> > The client is a Windows 2008 R2 server. I don't know what you mean
> > by classic vs. AD. I assume it's AD, but how would I check?
> >
> > I see the same problem, i.e. "Access is denied" and a window
to
> > enter the username/password, if I use the fully qualified name.
> >
It might help if you posted the smb.conf from the Samba machine.

Rowland

If Windows is the domain controller, then it is an AD domain.       If 
you are running Samba 3 domain controller then it would be emulating an 
NT4-type domain controller. I am presuming samba 3.x machine is 
configured as a domain member?

Last year when the BADLOCK vulnerability came out, Microsoft issued 
various patches that were likely to break compatibility with Samba 
3.x.      Samba did not release a minor version upgrade for Samba 3.x to 
include this patch.      So you would have to compile the patch your self.


You can run a WINS server on Windows or Samba.      WINS is the 
equivalent of a DNS server for Netbios names in a TCP/IP environment.



Can you run "testparm -v" on your samba system?  You may  see

             smb ports = 445 139
             disable netbios = No
             wins server = (the ip address of your wins server, if you 
have one)



I found in a classic samba domain, that explicitly setting the smb ports 
value to 139 only created problems.    I don't know what would happen if 
you set to 445 only.   I don't know if the "disable netbios"
option is
available with samba 3.x.        I had a classic domain that I migrated 
to an AD domain, but I haven't tried disabling all the netbios stuff 
yet.     I would think if you could then this might get simpler.

You may also want to do some packet captures on the samba server to 
compare compare connection attempts.


Assuming the client DNS is setup that both "ping shortname" and 
"nslookup shortname" work?

What version OS is the samba system running on?





On 01/12/2018 11:16 AM, Rob Marshall wrote:
> The client is a Windows 2008 R2 server. I don't know what you mean by 
> classic vs. AD. I assume it's AD, but how would I check?
>
> I see the same problem, i.e. "Access is denied" and a window to
enter
> the username/password, if I use the fully qualified name.
>
> Thanks,
>
> Rob
>
> On Fri, Jan 12, 2018 at 10:58 AM, Gaiseric Vandal via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
wrote:
>
>     Can you clarify -  are they trying to access the samba server from
>     a Win 2016 machine?     Is this a classic domain or AD domain?
>
>     Do you have a WINS server defined?      Can you access via a fully
>     qualified domain name (e.g. myserver.mydomain.com
>     <http://myserver.mydomain.com>.) I had an issue several years
back
>     where users connecting over VPN could access by IP but not my
>     short name.       The problem was that the VPN was blocking at
>     least some netbios traffic (137-139) which meant that anything
>     relying on netbios names failed.    If you could connect via IP
>     address of fully qualified domain  name then you were by passing
>     netbios name resolution issues and connecting directly to port 445.
>
>
>
>     I have run into several issues with classic domains with SMB3 and
>     Windows 10 (which presumably would apply to Win 2016 as well.)
>     Windows 10 would try to negotiate SMBv3 with some servers and
>     would fail.  (This may have been samba 4 servers so I don't think
>     this applies to you.)     I also had problems with Win 7 and
>     Windows 2008 and SMB v2, especially with multiple users connecting
>     via remote desktop to Windows 2008.      The first use could map a
>     drive but not successive users.        You may want to explicitly
>     set your samba servers to use SMB v2 as the max protocol or even
>     Samba 1.x.
>
>
>
>     I also run into an issue with drive mapping using short name vs
>     long name in a classic domain.   If my DNS domain is mycompany.com
>     <http://mycompany.com>, and my samba domain is  TECH, then if I
>     may a drive to myserver.mydomain.com
>     <http://myserver.mydomain.com> there is a discrepancy between the
>     Samba domain name and the DNS domain name.     This didn't cause
>     problems with Windows itself but it did with Office 2013 after
>     some updates. Office would not open files determined to be from an
>     untrusted source.
>
>
>     I migrated away from a classic domain to a true AD domain so a lot
>     of my netbios and name resolution issues went away.
>
>
>
>     On 01/12/2018 10:19 AM, Rob Marshall via samba wrote:
>
>         Hi,
>
>         I have a customer who is able to access shares using the IP
>         address of the
>         Samba server (running 3.6.x - sorry, can't upgrade) but when
>         they try to
>         access the share using the short (netbios) name, they get
>         "access denied"
>         and are prompted for a username/password.
>
>         Where would I look to figure out what's going wrong?
>
>         Thanks,
>
>         Rob
>
>
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>     <https://lists.samba.org/mailman/options/samba>
>
>

That implies that samba system is not properly joined to the domain anymore.

On 01/12/2018 11:20 AM, Rob Marshall wrote:
> Hi,
>
> I just tried again and there's a window that says something about 
> "looking for credentials file..." that pops up before I get the 
> "Access is denied" and the login window. I don't know what
that means,
> but since the window is only there very briefly I probably missed it 
> on my earlier attempts.
>
> Thanks,
>
> Rob
>
> On Fri, Jan 12, 2018 at 11:16 AM, Rob Marshall 
> <rob.marshall17 at gmail.com <mailto:rob.marshall17 at
gmail.com>> wrote:
>
>     The client is a Windows 2008 R2 server. I don't know what you mean
>     by classic vs. AD. I assume it's AD, but how would I check?
>
>     I see the same problem, i.e. "Access is denied" and a window
to
>     enter the username/password, if I use the fully qualified name.
>
>     Thanks,
>
>     Rob
>
>     On Fri, Jan 12, 2018 at 10:58 AM, Gaiseric Vandal via samba
>     <samba at lists.samba.org <mailto:samba at
lists.samba.org>> wrote:
>
>         Can you clarify -  are they trying to access the samba server
>         from a Win 2016 machine?     Is this a classic domain or AD
>         domain?
>
>         Do you have a WINS server defined?      Can you access via a
>         fully qualified domain name (e.g. myserver.mydomain.com
>         <http://myserver.mydomain.com>.) I had an issue several years
>         back where users connecting over VPN could access by IP but
>         not my short name.       The problem was that the VPN was
>         blocking at least some netbios traffic (137-139) which meant
>         that anything relying on netbios names failed.    If you could
>         connect via IP address of fully qualified domain  name then
>         you were by passing netbios name resolution issues and
>         connecting directly to port 445.
>
>
>
>         I have run into several issues with classic domains with SMB3
>         and Windows 10 (which presumably would apply to Win 2016 as
>         well.) Windows 10 would try to negotiate SMBv3 with some
>         servers and would fail.  (This may have been samba 4 servers
>         so I don't think this applies to you.)     I also had problems
>         with Win 7 and Windows 2008 and SMB v2, especially with
>         multiple users connecting via remote desktop to Windows 2008.
>              The first use could map a drive but not successive users.
>         You may want to explicitly set your samba servers to use SMB
>         v2 as the max protocol or even Samba 1.x.
>
>
>
>         I also run into an issue with drive mapping using short name
>         vs long name in a classic domain.   If my DNS domain is
>         mycompany.com <http://mycompany.com>, and my samba domain is 
>         TECH, then if I may a drive to myserver.mydomain.com
>         <http://myserver.mydomain.com> there is a discrepancy between
>         the Samba domain name and the DNS domain name.     This didn't
>         cause problems with Windows itself but it did with Office 2013
>         after some updates.   Office would not open files determined
>         to be from an untrusted source.
>
>
>         I migrated away from a classic domain to a true AD domain so a
>         lot of my netbios and name resolution issues went away.
>
>
>
>         On 01/12/2018 10:19 AM, Rob Marshall via samba wrote:
>
>             Hi,
>
>             I have a customer who is able to access shares using the
>             IP address of the
>             Samba server (running 3.6.x - sorry, can't upgrade) but
>             when they try to
>             access the share using the short (netbios) name, they get
>             "access denied"
>             and are prompted for a username/password.
>
>             Where would I look to figure out what's going wrong?
>
>             Thanks,
>
>             Rob
>
>
>
>
>         -- 
>         To unsubscribe from this list go to the following URL and read the
>         instructions: https://lists.samba.org/mailman/options/samba
>         <https://lists.samba.org/mailman/options/samba>
>
>
>