Problem accessing samba share

Hi all,

I have samba 4.6.2 on RHEL 7.

We have a production server still on Windows 2003 R2.

I need the Windows server to access one of the Samba shares, but I'm having problems. It was previously connected to a Samba share on a RHEL6 platform with older Samba.

I have tried the share credentials from a Windows 10 box with success, so I suspect I either need to increase Samba 4's compatibility level (if possible via the config) or change something in the Windows server's registry/policy.

Does anyone have any experience with this, and/or any advice?

My smb.conf:

"
[global]
security = user
passdb backend = tdbsam

case sensitive      = yes
dns proxy           = No
domain master       = No
#encrypt passwords  = yes
map to guest        = Bad User
load printers       = no
local master        = No
log file            = /var/log/samba/%m.log
log level           = 1
max log size        = 50
preferred master    = No
server string       = DB3 Samba Server
smb ports           = 139 445
unix extensions     = no
workgroup           = xxxxx

[edi]
browseable = no
create mode = 0700
directory mask = 0700
follow symlinks = yes
path = /sambashares/edi
read only = No
guest ok = No
valid users = jbloggs, ediuser
wide links = yes
"

Thank you

Elliot

Responses

This is what's logged by samba when the attempt to mount the share fails:

" [2017/11/04 17:44:26.486273, 1] ../source3/smbd/service.c:502(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED "

I think Windows 2003 is the last SMBv1-only version of server-oriented Windows, and since the WannaCry ransomware attacks, most modern SMB clients and servers by now should have SMBv1 disabled by default.

To enable server-side SMBv1 in Samba, the parameter you might need is

server min protocol = NT1

Update: also, Windows 2003 does not use NTLMv2 by default, and the default settings of modern Samba versions disable NTLMv1 as it is no longer secure. So, you'll need to either enable NTLMv2 on Windows 2003 by doing something similar to this or allow the use of NTLMv1 in Samba 4.5 or above by smb.conf setting:

ntlm auth = yes

If your set-up involves Kerberos (e.g. the Samba server is joined to a Windows Active Directory domain), then you'll also need to check that the Kerberos on the RHEL 7 host is configured to allow the legacy Kerberos encryption types: DES-CBC-CRC, DES-CBC-MD5 and/or RC4-HMAC. Windows 2003 won't support Kerberos enctypes newer than that, and these types are considered as no longer secure by modern Kerberos implementations.

To view the current state of all Samba options, including those that are not specified in the configuration file and thus are using built-in defaults, use testparm -sv | less.
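
Added example (not part of the original thread and not Samba's own code): a Python check that reads testparm -sv style output and reports whether the two legacy settings discussed above, SMB1 via "server min protocol" and NTLMv1 via "ntlm auth", are in effect. The sample text is constructed, and the finding labels are hypothetical names chosen for this example.

```python
import re

# Dialects at or below NT1 mean the server still accepts SMB1 clients.
SMB1_OR_OLDER = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "yes" is the boolean form; "ntlmv1-permitted" is the keyword form in later Samba.
NTLMV1_ALLOWED = {"yes", "true", "1", "ntlmv1-permitted"}

def parse_global(text):
    """Return {parameter name without spaces, lower-cased: value} for [global]."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Return finding labels (hypothetical names) for legacy protocol settings."""
    p = parse_global(text)
    findings = []
    # "min protocol" is a synonym for "server min protocol".
    proto = p.get("serverminprotocol", p.get("minprotocol"))
    if proto is None:
        findings.append("server-min-protocol-not-shown")  # built-in default applies
    elif proto.upper() in SMB1_OR_OLDER:
        findings.append("smb1-accepted")
    ntlm = p.get("ntlmauth")
    if ntlm is None:
        findings.append("ntlm-auth-not-shown")  # built-in default applies
    elif ntlm.lower() in NTLMV1_ALLOWED:
        findings.append("ntlmv1-accepted")
    return findings

# Constructed sample in the style of `testparm -sv` output, not real output.
SAMPLE = """[global]
\tserver min protocol = NT1
\tntlm auth = Yes
[edi]
\tpath = /sambashares/edi
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it text captured from testparm -sv rather than the raw smb.conf, so that parameters left at their built-in defaults are included in the check.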

Hi Matti,

Thanks for your helpful reply.

I fixed it by enabling NTLMv2 via the local security policy, as per your link.

Oddly, had to do the same thing on a Windows 2012 server too.

Cheers.

Perhaps someone had downgraded the setting on the Windows 2012 server earlier, for example to allow it to communicate with the 2003 R2 server without making any modifications to the old server.
