
Samba Configuration Problem


7 replies to this topic

#1 Billy O'Neal


Posted 24 June 2008 - 08:27 PM

Hello.

I am trying to get SAMBA set up on my file server, but no matter what I do, every single logon always returns "Access Denied." This is odd, because the connection is denied even before I have gotten a chance to enter a password. The SMB.CONF I'm using is here:

[global]
workgroup = WORKGROUP
guest ok = yes
hide dot files = no
admin users = billy
map to guest = Bad User
restrict anonymous = 0
unix password sync = yes
browseable = true
readonly = false
announce as = MUSICMAN File Server
auth methods = guest sam
client lanman auth = yes
client ntlmv2 auth = yes
csc policy = disabled

[homes]
valid users = billy, max, dad

[filesystemroot]
path = /

[music]
path = /music
valid users = billy, dad

Let me add that none of the popular GUI tools are an option here, as this machine has no X Server or Window Manager installed; I have SSH access to it only.

I can verify that each of these unix usernames exists.

My client machine is running Windows Vista Ultimate SP1. I have tried modification of the "Lan Manager Authentication Level" setting, which has no effect.
I don't want to modify this setting anyway, as I have personally cracked many LM and NTLM passwords, and trust neither protocol. Ideally, I would like to get smbd to play nice with Vista machines without reconfiguring the clients.

Any ideas?

Billy3

EDIT: I forgot to add that I have a Windows XP Professional SP3 machine, and it all works okay there.

EDIT2: Also, I am correctly restarting samba after configuration changes (sudo /etc/init.d/samba restart). The Vista machine connects to Windows XP servers without a problem.

Edited by Billy O'Neal, 24 June 2008 - 08:58 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)


#2 groovicus


Posted 25 June 2008 - 09:41 AM

The Windows XP machine connects to Samba without problems?

#3 Billy O'Neal


Posted 25 June 2008 - 10:01 AM

Hello, Groovicus.

Yes, it does :thumbsup:

I think that narrows it down to something with NTLM2 authentication (which Vista has on by default, while XP does not), but I think the line "client ntlmv2 auth = yes" should allow an NTLM2 session.

Billy3

#4 groovicus


Posted 25 June 2008 - 10:12 AM

What version of Samba are you using?

#5 Billy O'Neal


Posted 25 June 2008 - 10:47 AM

Hello, Groovicus.

This is the latest samba version I can get with Ubuntu 8.04 Server.

The smbstatus command prints:
Samba version 3.0.28a


Billy3

#6 groovicus


Posted 25 June 2008 - 11:02 AM

That version supports NTLM2. The only other thing I can think of is to force the Vista machine to use both NTLM and NTLM2. The setting is in...umm....... secpol.msc (I think). I can't remember which setting to change, but it should say something like "Use NTLM2 only"; change that to "use NTLM2 if accessible." Again, I can't remember right off the top of my head, and my notes are not accessible.

If that fails, then check your firewall settings and workgroup settings.

#7 Billy O'Neal


Posted 25 June 2008 - 11:36 AM

I have tried modification of the "Lan Manager Authentication Level" setting, which has no effect.

:thumbsup:

Alright, I guess it's something I did... I'll try turning off LANMAN authentication and see if that works :flowers:

Billy3

#8 Billy O'Neal


Posted 25 June 2008 - 11:59 AM

Well... I think I got it to work.

It turns out that the client kept trying to connect to this directory:
\\musicman\IPC$

When it did, it used the anonymous account to connect. So when I went to connect to anything else, Vista kept using the anonymous account without prompting. And the result is the Samba server understandably telling it "I don't think so".

It also turns out that "client ntlm2 auth" is the wrong setting. What I needed to set was "ntlmv2 auth". The client specifier refers to the smbclient program, while without client it refers to the server.

Thanks again,
Billy3
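Added example (not part of the original posts, and not Samba's own tooling): a small Python check over an smb.conf like the one in post #1. It lists `client`-prefixed parameters in [global], which as post #8 found configure the client tools rather than the server, and shares where the global `guest ok = yes` applies with no `valid users`. The function names and the abridged sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the configuration from post #1, abridged.
SAMPLE_CONF = """\
[global]
guest ok = yes
map to guest = Bad User
client lanman auth = yes
client ntlmv2 auth = yes
[homes]
valid users = billy, max, dad
[filesystemroot]
path = /
[music]
path = /music
valid users = billy, dad
"""

def parse(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse inner whitespace.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    conf = parse(text)
    glob = conf.get("global", {})
    findings = [f"[global] '{k}' configures Samba's client tools, not smbd"
                for k in glob if k.startswith("client ")]
    for name, share in conf.items():
        if name == "global":
            continue
        effective = {**glob, **share}    # [global] values act as share defaults
        guest = effective.get("guest ok", "no").lower() in ("yes", "true", "1")
        if guest and "valid users" not in effective:
            findings.append(f"[{name}] path={share.get('path', '?')} "
                            "accepts guest logons with no 'valid users'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Samba's own `testparm -s` remains the authoritative syntax check; this sketch does not handle parameter synonyms such as `public` for `guest ok`.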



