SAMBA Client - domain authentication

Can you print out your current smb.conf?

I have seen problems with Windows 2000 machines not allowing plain text password from linux machines.  By default NT allowed plain text password and 2000 doesn't.  I think you need a registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"EnablePlainTextPassword"=dword:00000001

To allow a linux box into a 2000 SMB server

/etc/samba/smb.conf

# Samba config file created using SWAT
# from localhost (127.0.0.1)
# Date: 2003/12/03 12:41:41

# Global parameters
[global]
      workgroup = LINUX
      netbios name = VIPER
      server string = %h server (Samba %v)
      security = SERVER
      encrypt passwords = Yes
      update encrypted = Yes
      obey pam restrictions = Yes
      passwd program = /usr/bin/passwd %u
      passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
      syslog = 0
      log file = /var/log/samba/log.%m
      max log size = 1000
      dns proxy = No

[homes]
      comment = Home Directories
      create mask = 0700
      directory mask = 0700
      browseable = No

[printers]
      comment = All Printers
      path = /tmp
      create mask = 0700
      printable = Yes
      browseable = No

-------------------------------------------------------------------------------------

Should have mentioned also that I do not have admin access to the WIntel and therefore cannot make any registry mods etc.

Do the maintainers of this site realise that it looks crap in galeon?

frames don't work properly

Incidentally, a collegue connected successfully with a RH8 box to the same share. Unfortunately he blasted his HDD so I can't compare smb.conf files.

smbclient doesn't use the smb.conf file.

Do
smbclient -L server1 -U myusername -W DOMAIN
where DOMAIN is your AD domain and myusername is a valid user within that domain.
The corresponding smbmount options are "username=...,password=....,workgroup=....", giving the following /etc/fstab entry template:

//server1/share /mnt/server1share smbfs noauto,username=...,password=....,workgroup=.... 0 0

Be sure that the mountpoint directory exist first.
If you have reservations about having plaintext passwords in /etc/fstab you can instead use the credentials=<filename> stratagem (the file contains the username=... and password=... entries on separate lines... only root need be able to read this file) or the environment variable thing mentioned in the smbmount man-page.

-- Glenn

Glenn - how you doing?

$ smbclient -L server2 -U user.name -W DOMAIN
added interface ip=10.160.21.3 bcast=10.160.23.255 nmask=255.255.252.0
Password:  <password>
Domain=[BC] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_ACCESS_DENIED

same error as before. My account is definately valid on the domain as I can see the fileserver from my WIntel box.


cheers,

Erik

did u turn on the guest account on windows system.
try to create a guest account on windows and then try to connect with the guest account.

also coult u try to mount the smb share.
smbmount or simple
mount -t smbfs -o <options>  -username=xxx,password=xxx //computer/share /mount/point

Also check this post. may be related to your problem.
https://www.experts-exchange.com/questions/20605057/Problems-connecting-SMB-Client-to-2K3-Server.html

shivsa - read the thread - I do not have admin access to the WIntel file server.

Guest accounts are disabled on the estate for security.

The mount -t smbfs command doesn't work for this server either.

>  smbclient doesn't use the smb.conf file.
... slight amendment: it uses the file, yes, but everything important can be overridden (and probably should be:-). Since you specify the domain/workgroup, the setting "security = SERVER" shouldn't have any effect (for the client. This is the only real diff I can see )... You could try commenting it though.

At the root of your trouble seems to lie the guest (non-)access restriction.
We have this working, since we allow anonymous guest, but have (reportedly... according to our AD guru:) taken steps to minimize the security ramifications it'll have. I can perhaps massage his ego so that he'll share (:-) some info.
Is the server exposed, or do you run a high security shop?

Anyway, regardless of the "browseability", you should still be able to access the shares directly with something like
mount -t smbfs -o username=user.name,password=thepassword,workgroup=BC //server2/name_of_share /mountpoint
(mkdir /mountpoint first etc etc) This will be transformed by the mount.smbfs script to a smbmount command, or /sbin/mount.smbfs might be a symbolic link to smbmount ... anyway, smbmount gets called like
smbmount //server2/name_of_share /mountpoint -o username=user.name,password=thepassword,workgroup=BC
As said, this should work...:)

Have you thought of upgrading samba? 2.2.3a isn't smoking exactly:-)... And I'm a bit ... stumped (unable to reproduce your exact situation).

-- Glenn

It's relatatively high security here I'm afraid - I'm on a massive enterprise implementation at a client site so no access to production AD configuration for anyone except the outsourced support organisation (it's a production file share).

I might take your advice with the upgrade, but it's not samba I really need to upgrade, is it? I don't really care about hosting shares on Linux box (ftpd works, right?) so it must be smbclient that the problem is with, or maybe some kernel config options? I don't think there is a dependency for smbclient / smbmount for the samba package if you only want to mount shares.

I have read about the anonymous guest access issue (bug?) but don't really understand it - is the problem resolved in later versions of smbclient / smbmount?

i have also tried the mount -t smbfs command in various permutations but no dice with this either.

I'm looking at bugzilla.... Nothing conclusive as of yet:).

I tend to keep samba and smbclient in "lockstep". It's (of course) the latter that needs upgrading:-).
There are binaries for debian at http://www.samba.org for more recent offerings.

-- Glenn

glenn

I upgraded to Samba 3 (all components) and smbclient now works - I can list the shares available.

This is great, but... when trying to mount:

# mount -t smbfs -o username-user.name,password=password,rw //server/share /mnt/

cli_negprot: SMB signing is mandatory and we have disabled it.
1743: protocol negotiation failed
SMB connection failed

i've seen this in some other forums and tried adding client signing = yes (as suggested) to my smb.conf but this doesn't seem to work.

looks like the earlier version of samba can handle authentication to a local host domain, but not to that host's domain controller.

is no-one prepared to give more help with this one?

otherwise I have to close, sorry.

Sorry Erik, I'm (unfortunately) very busy ATM with Real (paying) Work...
I did a quick search, and turned up a lot of errors of this kind, some more or less fitting your description...
Seems to me like the 3.0 client succeeds authentication, but the subsequent SMB protocol negotiating borks out on the default behaviour for client signing... Do you have
client signing = yes
("client use spnego = yes" should be the default already)
in your smb.conf?

If that didn't work, this post http://www.spinics.net/lists/samba/msg09710.html hints that http://www.samba.org/samba/Linux_CIFS_client.html might be your solution.

-- Glenn

thanks - i'll try it

do you have the right to join domain?

[global]
     workgroup =YOUR DOMAIN NAME
     netbios name = VIPER
     security = domain
    password server=*


then join domain, type: smbpasswd -j YOUR DOMAIN NAME -r DOMAIN DC -U ADMINISTRATOR'S NAME

after you join the domain, you shouldn't have any problem to mount the file server share

mount -t smbfs //file server name/share /mount point

remember to ask your admin to add root in the win2k domain as a user.
use file server's name then ip.

I cannot join the domain - only authenticate to shares on it to which I have been granted access.

>> remember to ask your admin to add root in the win2k domain as a user.
err... why? I already have an account on the domain controller.

looks like CIFS is the best option but I haven't had time to set it up yet.

Well, since 2.6.0 (which include CIFS vfs) is released you could combine the fun of testing out the new kernel and fixing this problem;-). As usual get it from http://www.kernel.org (... or is there already an unstable package for Debian to just apt-get?-).

-- Glenn

wow! i've been out of action for too long! never realised 2.6 was out of beta yet!

that settles it - eat my dust 2.4.23, it was good while it lasted (but here comes the daddy).

sorry for returning to this after so long

I know this is not a 2.6.1 issues thread - but I reckon you could tell me where I can find a list of required QT packages to install in order get the kernel configuration GUI to work.

the 2.4.x GUIs were fine ...

i'm on Debian 3.0 r2

Nope, sorry.... I've not used GUI method in years... (wasn't xconfig tcl/tk back then:-). menuconfig usually suit my mood:-)
Documentation/Changes should mention it, but doesn't... bummer. Don't really have time to dig today... Sorry.
It doesn't fly with what you've got then? Neither gtkconfig nor xconfig?

-- Glenn

yeah - sorry - i'm used to the GUI. i didn't know there was an option for GTK though

i will try that

thanks

Ooops... gtkconfig should be gconfig (for gtk)...

-- Glenn (a.k.a. Le Grand Typo)

tak

Right

Back to Samba - sorry again this has been such a massive thread.

I'm nw running 2.6.4 (yay!)

but smbclient still isn't working. New error message though:

  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

Ring any bells? Let me know if you need more info

Um, shouldn't you be using mount.cifs mount helper program (part of samba 3)... Look at the use instructions etc at http://cvs.samba.org/cgi-bin/cvsweb/cifsvfs/fs/cifs/README?rev=1.20&content-type=text/x-cvsweb-markup
mount -t cifs .....

-- Glenn

CONFIG_CIFS=y


When I use mount (rather than smbclient) tried both cifs and smbfs for this

mount -t cifs -o username="DOMAIN\user.name",password="password",uid=user,gid=group,rw //server/share /mnt
mount: Connection refused

and

mount -t smbfs -o username="DOMAIN\user.name",password="password",uid=user,gid=group,rw //server/share /mnt
cli_negprot: SMB signing is mandatory and we have disabled it.
1089: protocol negotiation failed
SMB connection failed

mount -t cifs -o username="user.name",password="password",domain="DOMAIN",uid=user,gid=group,rw //server/share /mnt
... perhaps would work better? The readme lists some more tips and tricks.

-- Glenn

OK - thanks but I just upgraded to an even newer version of Samba and now it appears I can connect with CIFS to the server.

Running this command (as you suggested)

mount -t cifs -o username="user.name",password="password",domain="DOMAIN",uid=user,gid=group,rw //server/share /mnt

Now gives me this mount error:
mount: cannot mount block device //feltfps0005/gengrpshare0020/ read-only

I have also tried to mount rw - same problem
mount: block device //feltfps0005/gengrpshare0020/ is write-protected, mounting read-only
mount: cannot mount block device //feltfps0005/gengrpshare0020/ read-only

My mount directory has nothing else in it, is not listed in /etc/fstab and has permissions set to 777

am I missing a block device kernel driver?

CONFIG_BLK_DEV_NBD is not set

this could be the problem.

Let me quickly reconfigure and recompile and I'll come back

(Just to make sure... You have the mount.cifs "helper executable" in /sbin?).
You're probably on to it... When you've got cifs in the kernel you should be able to increase verbosity by
echo 1 > /proc/fs/cifs/cifsFYI
... or even
echo 1 > /proc/fs/cifs/traceSMB
... But you knew this from the README;).

-- Glenn

OK I can now browse with smbclient (yay!) but still get the same

mount: cannot mount block device //feltfps0005/gengrpshare0020/ read-only

error with mount -t cifs

thoughts on this?

I don't have a helper executable

Bummer (at least a reaction, if not a true "thought":-).
Do you get this with any share? ... Probably, since I think this is a problem with mount rather than anything else... Perhaps failing to use the mount.cifs helper.

-- Glenn

Kernel log output with verbose CIFS debugging

Mar 17 11:50:07 viper kernel:  fs/cifs/cifsfs.c: Devname: //<server>/<share>/ flags: 1
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 4 with uid: 0
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Entering cifs_mount. Xid: 4 with: username=<user.name>,password=<password>,domain=<domain>,uid=0,gid=0
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Domain name set
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Username: <user.name>
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: UNC: \\<server>/<share>/  
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Socket created
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Existing smb sess not found
Mar 17 11:50:07 viper kernel:  fs/cifs/transport.c: For smb_command 114
Mar 17 11:50:07 viper kernel:  fs/cifs/transport.c: Sending smb of length 47
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Demultiplex PID: 579
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Peek length rcvd: 36 with smb length: 97
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c:  Mid 0x9 matched - waking up
Mar 17 11:50:07 viper kernel:  fs/cifs/asn1.c: cls = 1 con = 0 tag = 1
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x80e3fd Time Zone: 0
Mar 17 11:50:07 viper kernel:  fs/cifs/connect.c: In sesssetup
Mar 17 11:50:07 viper kernel:  fs/cifs/transport.c: For smb_command 115
Mar 17 11:50:07 viper kernel:  fs/cifs/transport.c: Sending smb of length 228
Mar 17 11:50:08 viper kernel:  fs/cifs/connect.c: Peek length rcvd: 36 with smb length: 39
Mar 17 11:50:08 viper kernel:  fs/cifs/connect.c:  Mid 0xa matched - waking up
Mar 17 11:50:08 viper kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Mar 17 11:50:08 viper kernel:  fs/cifs/netmisc.c:  !!Mapping smb error code 5 to POSIX err -13 !!
Mar 17 11:50:08 viper kernel:  CIFS VFS: Send error in SessSetup = -13
Mar 17 11:50:08 viper kernel:  fs/cifs/connect.c: About to exit from demultiplex thread
mount: cannot mount block device  //<server>/<share>/ read-only
viper:/var/log# Mar 17 11:50:09 viper kernel:  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 4) rc = -13
Mar 17 11:50:09 viper kernel:  CIFS VFS: cifs_mount failed w/return code = -13

(note the "colliding comment effect" here:-) You can either get ity from the cifs page, or from the samba 3.0 sourcetree... Let's see if I can find a link ....
Here's a prebuilt one http://www.samba.org/samba/ftp/cifs-cvs/mount.cifs
and here's source http://cvs.samba.org/cgi-bin/cvsweb/samba/source/client/mount.cifs.c
and finally a manpage for mount.cifs (unformatted, need be placed in a man directory....:-) http://www.samba.org/samba/ftp/cifs-cvs/mount.cifs.8

-- Glenn

> Mar 17 11:50:08 viper kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
> Mar 17 11:50:08 viper kernel:  fs/cifs/netmisc.c:  !!Mapping smb error code 5 to POSIX err -13 !!
...
> mount: cannot mount block device  //<server>/<share>/ read-only
How very dissapointing!

On a slightly different tack, you say
>  OK I can now browse with smbclient (yay!) but still get the same
... So whatif you use smbclient in its "textmode ftp-looking" mode to actually access the share? Does that work too?
Would be a little fall in the right direction, since then you'd at least be able to up/download files....:-).

-- Glenn

Alright, let's re-synchronise here:

I had already downloaded and installed the mount helper, but this makes no difference - I get the same output from the kernel log except now there is a "permission denied" error from mount.cifs. There is some sort of logon problem here - keep seeing that NT_STATUS_LOGON failure message as if it's a wrong username/password (which it clearly is not)

Yes, smbclient does work and I can use those "FTP-like" commands but it's a bit rubbish - I'll settle for it if there's no way to get this working but I can't believe that to be the case. If it works on RH8 with an old kernel and Samba, it's damn well gonna work on Debian with the latest version of the kernel, Samba and CIFS. RH8, by the way, does not appear to use CIFS at all, yet can still connect to this server!

.... Ok, this is new, and potentially important, information... At least as far as I rememnber this thread (yeah, I'm lazy... didn't take the time to read through it again:-). Might be wrong though.

We made a great leap in versions here (from "mumified" to "bleeding edge":-) and probably jumped past the version RH8 uses (which BTW uses smbfs in the kernel).
This also tells us that we strictly speaking shouldn't need CIFS kernel support. Hohum, and now... with the smbclient working, if you use smbmount (which is what the mount.smbfs mount helper should do... on some distros it's even just a link to smbmount) or
mount -t smbfs username="user.name",password="password",workgroup="DOMAIN",uid=user,gid=group,rw //server/share /mnt
it comes back with pretty much the same error? (Sorry for the repetitions Erik... Things seem to have changed a lot, so we need cover some "old ground" again)

While you try this, I might have some moments to look through the thread again.

-- Glenn

Thanks Glenn - you're right - my mount.smbfs is a symlink to smbmount. I'm pretty sure smbclient wouldn't work here without CIFS in the kernel - this was the situation before and the main reason for me to upgrade.

And yes, pretty much I still get the original error if I try to use mount -t smbfs or smbmount
cli_negprot: SMB signing is mandatory and we have disabled it.
1095: protocol negotiation failed
SMB connection failed

My smb.conf file did get overwritten when i upgraded today but I added:
client signing = yes
client use spnego = yes
as you suggested some time ago.
I have also just now posted a question to the samba and cifs mailing lists with a link to this thread so hopefully those guys can give some helpful input.

Ok... Just one more "stupid thing"... The user.name isn't locked out or somesuch? Perhaps due to the ... test activity...:-)? The same user that works with smbclient?

Over to CIFS... You could try forcing PackeSigning (by setting it to 2)
echo 2 > /proc/fs/cifs/PacketSigningEnabled
and/or setting spnego with
echo 1 > /proc/fs/cifs/ExtendedSecurity
or even
echo 1 > /proc/fs/cifs/NTLMV2Enabled

cifs vfs really doesn't read the smb.conf for these things.

-- Glenn

Account is not locked, and unfortunately none of those options worked :(

Then I'm out of ideas... Sorry.

-- Glenn

Note: You should install Active Directory on the server, run Windows Update to load the latest updates from Microsoft, and then reboot the server before disabling SMB signing as described below.
Preferred method to disable SMB signing
Microsoft has a help topic that describes how to disable SMB signing on domain controllers so that clients (such as PCs or RocketVault™) that do not have this capability can connect to the server. You can view this Microsoft help topic by starting Help and Support on the server console and searching for "smb signing". An excerpt from the Microsoft help topic is shown below:
1.      Open Active Directory Users and Computers.
2.      In the console tree, right-click Domain Controllers, click Properties, and then click the Group Policy tab.
3.      Click Default Domain Controllers Policy, and then click Edit.
4.      Under Security Options, right-click Microsoft network server: Digitally sign communications (always), click Properties, and then click Disabled.
Alternative method to disable SMB signing
If you do not want to use the preferred method described above, you can edit the Windows registry directly, as described below:
1.      Start Registry Editor (Regedt32.exe).
2.      Locate and select the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Service\lanmanserver\parameters
3.      Double-click the RequireSecuritySignature value, type 0 in the Value data box, and then click OK.
4.      Double-click the EnableSecuritySignature value, type 0 in the Value data box, and then click OK.
5.      Quit Registry Editor.
6.      Reboot the server for the Registry changes to take effect.
Note: You can edit the registry by using Registry Editor (Regedit.exe or Regedt32.exe). If you use Registry Editor incorrectly, you can cause serious problems that may require you to reinstall your operating system. Microsoft does not guarantee that problems that you cause by using Registry Editor incorrectly can be resolved. Use Registry Editor at your own risk. Before you modify the registry, make sure to back up the registry, and make sure that you understand how to restore the registry if a problem occurs. For additional information about backing up and restoring the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003.


If it works for you, please let me know and I have a question that you can help me answer too

adnano,

I'm sorry this is a really long thread and you may not have seen it near the top, but administrative access to this machine (well, all machines on this domain) is impossible. Thanks for your input though.

If you raise your issue in a new thread and post the link here I'll have a look and see if what i've learned from this can help you.

Oh...I have posted my question under LinuxNet as it was relating to mounting Windows 2003 or XP server using CIFS....

but here is the link.................

https://www.experts-exchange.com/questions/20925060/mounting-Windows-all-version-using-CIFS-on-kernel-2-4.html

I really need to get this working....................:=)

Thanks Glenn for all your time and help

i can cope with smbclient, it suits my needs for now. Mounting the share was more of a "nice to have".

I'll keep tweaking config files until it works - i think the only way forward here is "trial & error" fixing.

One more note about samba and digital signing.  Once you change the security options per adnano's post, you do not have to reboot.  Domain controller policies refresh automatically every 5 minutes by default. Or you can use the DOS command line and type in "gpupdate" and the policy change will refresh immediately.

I know this is "closed", but the answer is to use cifs as the mount type instead of smbfs.  Example: mount -t cifs -o username=<username>,password=<skeeter> //server/directory /mnt/mountpoint/

Sorry, one more thing I forgot to add to my comment above:  this is in the case one is trying to access a Windows 2003 Server directory.  SMB signing is turned on by "default" in Win 2003 server when a share is created, so making the above change to your mount will enable samba to talk to the Win 2003 share.

Hm, guys (or gals, what do I know:) .... You're commenting on an issue approximately one and a half year old.
What was the true state of things back then and what is now just don't match. Nice "addendum info" though, so thanks for that.

-- Glenn

Glenn,

It's an issue we are just running into.  Do you have any new info you would like to share?  We would love to hear it.

Are you saying you have no admin rights (on the DCs) and run into the problems described above? With cifs too? I'd have thought they'd solved that by now... Or perhaps that is exactly what you are saying(?).

-- Glenn

Hi Glenn,

We have admin rights to both machines.  I think I should put this in a new thread, but cifs seems to be unreliable (weird synching problems with the Win2003 Server).  We can "mount" if you will, but some times the refresh time on the directory list is very slow (ls -l can take up to 12 minutes), and it appears we can have only one cifs-type mount at a time.  Also, we don't want to mess with putting AD on the 2003 box because it's over-kill for what we need it for.  We've discussed running a cron-job that touches all the files in the share so that cifs (or Samba, I'm not sure which would be in charge of this portion) wakes up and says "oh yeah, I've got new files, I have changed files, or I have less files", as you will.  I've seen a thread on this in the aims group lists http://marc.theaimsgroup.com/?l=samba-technical&m=112471315417425&w=2 which describes similar anomalies we are seeing.  I think I will start a new thread/question on this.  If you could give any new help/insite, I'll definitely give you the points.  Also, any new news about whether or not smbfs will work with smb signing yet, or will it never work with smb signing?

Thanks Glenn!

Tami (girl)

Are you trying to do something similar to what Saman Benham is? If so, youd probably have the same oplocking woes:-(... Unless it's been fixed in a recent cifs version...
https://bugzilla.samba.org/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&product=CifsVFS&content= does give any immediate hint that it *isn't* fixed though:).
I wouldn't hold my breath regarding smbfs and "new features"... CIFS is more or less here to replace it.

-- Glenn (man)

this is an ancient question and should have been deleted a long time ago.

please do not post further comments here. i will move to close it down.