I have a Samba share on a LAN with 2008 PDC/DNS. Smb authenticates with AD and I have several Win7 Machines that can connect fine.
I recently added a couple of new computers to the LAN which were imaged the same way (same software, etc.; different hardware so different drivers) as the other machines and they have the same policies set.
I can not get the new machines to connect to the samba share no matter what. I am always met with either Unspecified Error 0x80004005
or Network Path not found
.
I've turned off the firewall; set LANMAN auth to respond to NTLM only/send LM & NTLM responses/use NTLM session security if negotiated in Local Sec Policy > SEcurity Options; tried both ip and hostname to connect.
SMB log shows that authentication succeeds; but then connection is immediately killed by the client.
tcpdump shows nothing remarkable except that when trying to connect from the client via hostname there is an unknown packet type error:
ack 201 win 255 NBT Session Packet: Unknown packet type 0xABData: (41 bytes)
Here's a couple of lines from that error:
11:18:37.964991 IP 001-client.domain.local.49372 > smb.domain.local.netbios-ssn: P 1670:2146(476) ack 201 win 255 NBT Session Packet: Unknown packet type 0xABData: (41 bytes)
[000] AA 46 96 FA D5 99 33 75 0C C4 20 CE 26 42 F3 61 \252F\226\372\325\2313u \014\304 \316&B\363a
[010] F0 8C FB 65 18 17 40 A5 DB 42 BB 94 37 53 92 EC \360\214\373e\030\027@\245 \333B\273\2247S\222\354
[020] 55 98 7F C4 AE 3D 6B 10 C4 U\230\177\304\256=k\020 \304
11:18:37.964998 IP smb.domain.local.netbios-ssn > 001-client.domain.local.49372: . ack 2146 win 100
[edit for strike: this turned out to be an issue with arp cache and the client being issued an old ip from dhcp that previously belonged to another machine]
I'm also getting this error consistently:
[2012/09/10 11:50:00.529650, 2] smbd/sesssetup.c:1413(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Here's smb.conf just in case (though don't see how if other machines are working fine):
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = domain|smb share
interfaces = eth1
security = ADS
password server = 192.168.1.3
log level = 2
log file = /var/log/samba/%m.log
smb ports = 139
strict locking = no
load printers = No
local master = No
domain master = No
wins server = 192.168.1.3
wins support = Yes
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
[samba-share1]
comment = SMB Share
path = /home/share/smb/
valid users = @"MYDOMAIN+Domain Users"
admin users = @"MYDOMAIN+Domain Admins"
guest ok = no
read only = No
create mask = 0765
force directory mode = 0777
Any ideas what else I could try or look for? Or what might be the problem?
Thanks.
Noticed on the other machines that Local Security Policy > LAN Manager authentication level was Not Defined. There is no way to set it as such through the LSP editor, so had to go into regedit and delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
However, this didn't solve the issue. Am now met with Accessing the resource '\\smb\share' has been disallowed
. or Unspecified Error
depending on who I'm logged in as (regular user == former; admin == latter)
It's incredibly frustrating when you ask a question on SF and in the interim keep searching for answers only to find a couple of hours later your own question is repeatedly the first google result ;)
I ran Wireshark on the client, and so far as I can tell everything on the Samba end is working correctly. I see in a Negotiate Protocol Request an NT Status of STATUS_SUCCESS (which may very well be the authentication success, but don't know).
Everything is pointing to an issue on the Client itself. On other machines, everything works as expected. Including a VM running on my box. It works using both admin and regular user credentials.
NB the client I'm trying to get this working on has Firewall off and no a/v etc for the time being while trying to work this out.
I've updated the NIC driver and there is only 1 iface available. DNS is working and I've matched up all the settings I can find to the working VM and other working machines.
Getting desperate so any ideas would be awesome.
So the issue seems to have been that secpol was set to Digitally Sign Communications (Always).
To fix: Secpol.msc > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always) => Disable
Thanks.
edit:
as the-wabbit said, it is better to update samba to handle the requirement rather than disable it so as to maintain security.
Try to to enable only SMB 2 or 3 on server or just on windows client. In the registry set value on 1 for: AllowInsecureGuestAuth
in key:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
If the Samba server runs SMBv1, then new machines with Win10 have a problem, since they're missing the SMBv1 client function. To enable that function, follow this guide from windowscentral.com:
Set the following registry value to 1
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuth
If its not there create the value as a DWORD
I got 0x80004005
permission error:
for another reason I have no active Client for Microsoft Networks
in my WiFi dangle Network panel
and:
and possibly:
In my case this was caused by the server's firewall allowing TCP port 139, but blocking port 445. It seems that Windows 10 always uses port 445, not 139.
User contributions licensed under CC BY-SA 3.0