[Samba] Windows 10 in Samba 3 domain: netlogon share access denied
MI
10 years ago
I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems to work. I
can login, a home directory is created on the server, and I can access shares.

All shares are OK, except "netlogon". Logon scripts don't run, and I cannot open the
netlogon share. I get "Access denied" and a prompt to enter my username and password,
which keeps coming back.

At the command prompt, if I do "dir \\server\netlogon", I just get "Network access is
denied." but listing other shares is fine.

Any ideas?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
John Drescher
10 years ago
Post by MI
> All shares are OK, except "netlogon". Logon scripts don't run, and I cannot
> open the netlogon share. I get "Access denied" and a prompt to enter my
> username and password, which keeps coming back.
> At the command prompt, if I do "dir \\server\netlogon", I just get "Network
> access is denied." but listing other shares is fine.
> Any ideas?

I had the same behavior when I tested this.

John
Daniel Carrasco Marín
10 years ago
...
Hi,

Please, post your smb.cfg and the output of the command "getfacl
NetLogonFolder".

Greetings!!
MI
10 years ago
> Please, post your smb.cfg and the output of the command "getfacl NetLogonFolder".

Here is the samba config.

$ testparm -s
...
Server role: ROLE_DOMAIN_PDC
[global]
workgroup = FRENETIC
netbios name = JANUS
server string = %h server
interfaces = 127.0.0.0/8, 192.168.44.0/24, 10.44.0.0/24
bind interfaces only = Yes
map to guest = Bad User
passdb backend = ldapsam
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 2000
time server = Yes
unix extensions = No
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon-%a.bat
logon path = \\%N\%U\profile-%a
logon drive = H:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = "cn=admin,dc=frenetic,dc=lan"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=frenetic,dc=lan
ldap ssl = no
ldap user suffix = ou=People
panic action = /usr/share/samba/panic-action %d
create mask = 0775
directory mask = 02775
hide files = /Maildir/desktop.ini/RECYCLER/PUTTY.RND/lost+found/
veto oplock files = /*.doc/*.xls/*.mdb/*.MDB/*.pst/*.PST/
csc policy = disable
wide links = Yes

[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
write list = @admins
read only = No
guest ok = Yes

[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
profile acls = Yes
browseable = No

etc. (other shares work OK)


$ /usr/sbin/smbd --version
Version 3.5.6

$ getfacl /etc/samba/netlogon/
-bash: getfacl: command not found

We don't use ACLs on the server. The Unix permissions on the directory are

$ stat /etc/samba/netlogon/
...
Access: (0775/drwxrwxr-x) Uid: ( 0/ root) Gid: ( 1001/ admins)


Everything is fine with Win7 clients. On Win10, all I did before joining the domain
was set the 2 registry keys under ...\LanmanWorkstation\Parameters :
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

And in ...\LanmanWorkstation, "DependOnService" replace "RMRxSmb20" with "RMRxSmb10"
in the list.
IanLewis
10 years ago
KPK: This sounds exactly like the problem we saw with our domain. The issue
was that the services LanmanServer and LanmanWorkstation had the Parameter
EnableSecuritySignature disabled on our domain controllers.

If you have the same issue, set EnableSecuritySignature to 1 and
RequireSecuritySignature to 0 (unless you want to require security
signature) for both LanmanServer and LanmanWorkstation under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Reboot your servers and you will have access to NETLOGON and SYSVOL and your
domain logon will work as expected.

IL: www.mstarlabs.com



--
View this message in context: http://samba.2283325.n4.nabble.com/Windows-10-in-Samba-3-domain-netlogon-share-access-denied-tp4687451p4690104.html
Sent from the Samba - General mailing list archive at Nabble.com.
MI
10 years ago
Still had the same problem with the release build of Win10. The solution posted by
Solution: GPEDIT.MSC -> Computer -> Administrative templates -> Network ->
Network Provider -> Hardened UNC Paths
- Set on "Enabled".
- Under options, click on the "Show..." button
- Under "Value name", enter: \\servername\netlogon ( or \\*\netlogon )
- Under "Value" enter: RequireMutualAuthentication=0, RequireIntegrity=0



-------- Original Message --------
I just joined a Windows 10 (build 10130) to our Samba 3 domain. It seems to work. I
can login, a home directory is created on the server, and I can access shares.
All shares are OK, except "netlogon". Logon scripts don't run, and I cannot open
the netlogon share. I get "Access denied" and a prompt to enter my username and
password, which keeps coming back.
At the command prompt, if I do "dir \\server\netlogon", I just get "Network access
is denied." but listing other shares is fine.
Any ideas?
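
An added example, not part of the original thread: the Hardened UNC Paths setting above turns off mutual authentication and integrity checking for the matching paths, so this PowerShell audit lists which entries on a client carry that exception and whether they use the `\\*\` wildcard. It assumes the policy is stored as string values under the standard NetworkProvider policy key; the sample entries are constructed and are only used when that key is absent.

```powershell
# Added example (not from the thread): list Hardened UNC Paths entries that relax protections.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Test-HardenedPathValue {
    param([string]$UncPath, [string]$Value)
    # Parse "Name=Value, Name=Value" into a hashtable (keys are case-insensitive).
    $opts = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $opts[$name.Trim()] = "$setting".Trim() }
    }
    # Only an explicit "=0" counts as relaxed; a missing option is not judged here.
    $relaxed = foreach ($flag in 'RequireMutualAuthentication', 'RequireIntegrity') {
        if ($opts[$flag] -eq '0') { $flag }
    }
    [pscustomobject]@{
        UncPath  = $UncPath
        Relaxed  = @($relaxed) -join ', '
        Wildcard = $UncPath.StartsWith('\\*\')   # exception applies to every server name
    }
}

function Get-HardenedPathEntry {
    # Each registry value name is a UNC path; its data is the option string.
    if (Test-Path $PolicyKey) {
        $key = Get-Item $PolicyKey
        foreach ($n in $key.GetValueNames()) {
            Test-HardenedPathValue $n ([string]$key.GetValue($n))
        }
    }
}

# Constructed sample: first entry mirrors the values given in the post above.
$sample = [ordered]@{
    '\\*\netlogon' = 'RequireMutualAuthentication=0, RequireIntegrity=0'
    '\\*\sysvol'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

$entries = @(Get-HardenedPathEntry)
if (-not $entries) {
    $entries = $sample.GetEnumerator() |
        ForEach-Object { Test-HardenedPathValue $_.Key $_.Value }
}

# Show only the entries where a protection has been switched off.
$entries | Where-Object Relaxed | Format-Table -AutoSize
```

Naming the server (`\\servername\netlogon`) instead of `\\*\netlogon` keeps the exception limited to the one Samba host; the `Wildcard` column makes the broader form easy to spot across machines.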