Windows 10 cannot connect to Linux Samba shares, except from SMB1/CIFS

0

I have an issue under Windows 10 to access some Linux Samba shares with following error:

Check the spelling of the name. Otherwise, there might be a problem with your network. To try to identify and resolve network problems click Diagnose.
Error code: 0x80070035
The network path was not found

I can successfully browse from an old openSUSE 12.1 that uses only SMB1/CIFS but not from a more recent openSUSE Leap 15, except if I force NT1 protocol (that is for SMB1/CIFS) on its side, in /etc/samba/smb.conf global section:

[global]
...
min protocol = NT1
max protocol = NT1

For information, by default min protocol is LANMAN1 and max protocol is SMB3, that range then includes NT1 protocol (see SMB protocol min max values available?):

$ testparm --parameter-name="min protocol"
[...]
LANMAN1
$ testparm --parameter-name="max protocol"
[...]
SMB3

And I can access these shared folders from another Linux computer without forcing protocol with following command for example I can list folders:

smbclient -L MyLeap15Computer -N

Or connect to tmp shared folder with:

smbclient //MyLeap15Computer /tmp -N

I also confirmed that SMB2 and 3 are actually active with How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows, and also been able to access them from another Windows 10. And from the computer on which I cannot access them I successfully ping MyLeap15Computer.

Anyway, technically I can access my shared folders by forcing NT1 protocol, but since it should be possible I want to be able to access them from SMB2 or SMB3 since there are security issues in SMB1/CIFS (and then deactivate it in Windows 10 too), also, since I can access them from another Windows 10 without forcing this protocol it then should be something in Windows configuration but I cannot manage to see which since everything appears active on both.

And finally, even if issue seems to be more on client side, here is the server condifuration, /etc/samba/smb.conf without forcing to NT1 protocol (this configuration accepts guest users, then no credentials have to be given for connection):

[global]
workgroup = WORKGROUP
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = bad user
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = yes
usershare max shares = 100
winbind offline logon = yes
winbind refresh tickets = yes
create mask = 777
directory mask = 777
delete readonly = yes

[tmp]
comment = Temp folder
path = /tmp
browseable = yes
writable = yes
read only = no
guest ok = yes
mangled names = no

Edit: here are more information after what suggested @JW0914, what was suggested did not work but I found something interesting in server logs (added log level = 3 to /etc/samba/smb.conf global section then looked on /var/log/samba/log.smbd after having tried connection):

  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[USER]@[Windows10Computer] with the new password interface
[2020/02/05 14:21:23.845849,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[USER]@[Windows10Computer]
[2020/02/05 14:21:23.845879,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'USER' in passdb.
[2020/02/05 14:21:23.845890,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2020/02/05 14:21:23.845910,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [DOMAIN]\[USER] at [Wed, 05 Feb 2020 14:21:23.845900 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [Windows10Computer] remote host [ipv4:172.168.0.69:56937] mapped to [DOMAIN]\[USER]. local host [ipv4:172.168.0.99:445]
[...]
  No such user USER [DOMAIN] - using guest account
[2020/02/05 14:21:23.847182,  3] ../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

I see server is trying to authenticate with user logged in Windows 10, but since not existing it falls back to guest user but connection is reset just after. In the other side, with a computer for which it is working, when logged with same domain/user and accessing successfully I have quite the same logs (different computer name and IP) but at the end:

  No such user USER [DOMAIN] - using guest account
[2020/02/05 14:43:21.147396,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.0.77 (192.168.0.77)

I'm looking into it but I would be glad if anybody has a clue on what is happening.

Edit2: after a quick look I found a workaround on Windows 10 fall update and samba guest account but when trying net use command I have following issue, then this is my company that may have change security on newer computer (both used are on the same domain but the one not working comes from a newer installation):

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Thanks

linux
windows-10
network-shares
samba
file-sharing
asked on Super User Feb 5, 2020 by gluttony • edited Feb 5, 2020 by gluttony

3 Answers

0

Finally, thanks to Can't access shared folder because of organization's security policies, I found a way to override this:

  • From regedit go to HKLM\SOFTWARE\Policies\Microsoft\Windows
  • Create a new Key LanmanWorkstation and within it a new DWORD named AllowInsecureGuestAuth with value 1
  • Reboot

Of course not to do without your company approval, I just did it to test but I'm working with our IT to see how we can manage this.

answered on Super User Feb 5, 2020 by gluttony • edited Feb 5, 2020 by JW0914
0

In my case (Windows 10, ancient Samba 4.2.10 on CentOS 6) what helped was setting the min protocol to SMB2, max protocol to SMB3:

[global]

min protocol = SMB2
max protocol = SMB3

client min protocol = SMB2
client max protocol = SMB3

client ipc min protocol = SMB2
client ipc max protocol = SMB3

server min protocol = SMB2
server max protocol = SMB3

And then connecting the share as a network drive (Explorer -> Home -> Easy access -> Map as drive), putting in the share name (\\1.2.3.4\ShareName), ticking "Connect using different credentials", then Other, and put in username in the format DOMAIN\username.

When trying to get to the share in Explorer, it would never ask for credentials, nor was I able to specify the username with net use \\shareserver\data /user:testuser (got System Error 58).

answered on Super User Mar 10, 2020 by hydrandt
0

In my case, disabling connections on port 139/TCP helped a lot for error 0x80070035 at first connection of Windows 10 client to samba Ubuntu 20.04

[global]
...
smb ports = 445
...

Now connections to the samba server from my home Windows 10 PCs are quicker than ever.

But I really don't know which side effects this will introduce.

answered on Super User Dec 31, 2020 by giox069

User contributions licensed under CC BY-SA 3.0