SAMBA shares suddenly not accessible from windows

zombieagain · 2017-10-03 20:05:47

Hi Guys,

I need some suggestions on this one. I had Samba working without issues for months, but a few days back, I noticed that my windows laptops cannot access the share anymore. If I try I receive the message ".... is not accessible. You might not have permission.... We can't sign you in with this credential..." I'm scratching my head a little but because I haven't changed anything in the server...
Shares are still perfectly accessible from my Arch laptop and from the Nvidia Shield TV.

This is the smb.conf:

[global]
        workgroup = WORKGROUP
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = domain
        wins support = No

[Storage_Pool]
        comment = mergerfs
        guest ok = Yes
        inherit acls = Yes
        path = /home/joy/shares/Storage_Pool
        read only = No
        vfs objects =

testparm output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/dhcp.conf
Processing section "[Storage_Pool]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        logon path = \\%L\profiles\.msprofile
        printcap name = cups
        map to guest = Bad User
        security = DOMAIN
        idmap config * : backend = tdb
        include = /etc/samba/dhcp.conf
        cups options = raw


[Storage_Pool]
        comment = mergerfs
        path = /home/joy/shares/Storage_Pool
        guest ok = Yes
        inherit acls = Yes
        read only = No

smbd service status from systemctl:

● smbd.service - Samba SMB/CIFS server
   Loaded: loaded (/usr/lib/systemd/system/smbd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-10-03 12:40:24 PDT; 22min ago
  Process: 908 ExecStart=/usr/bin/smbd -D (code=exited, status=0/SUCCESS)
 Main PID: 909 (smbd)
    Tasks: 4 (limit: 4915)
   Memory: 13.9M
   CGroup: /system.slice/smbd.service
           ├─909 /usr/bin/smbd -D
           ├─914 /usr/bin/smbd -D
           ├─917 /usr/bin/smbd -D
           └─925 /usr/bin/smbd -D

Oct 03 12:52:46 JOY-SERVER smbd[2356]: [2017/10/03 12:52:46.598228,  0] ../source3/smbd/trans2.c:3451(smbd_do_qfsinfo)
Oct 03 12:52:46 JOY-SERVER smbd[2356]:   smbd_do_qfsinfo: not an allowed info level (0x105) on IPC$.
Oct 03 12:52:48 JOY-SERVER smbd[2365]: [2017/10/03 12:52:48.414165,  0] ../source3/smbd/trans2.c:3451(smbd_do_qfsinfo)
Oct 03 12:52:48 JOY-SERVER smbd[2365]:   smbd_do_qfsinfo: not an allowed info level (0x201) on IPC$.
Oct 03 12:52:48 JOY-SERVER smbd[2365]: [2017/10/03 12:52:48.415811,  0] ../source3/smbd/trans2.c:3451(smbd_do_qfsinfo)
Oct 03 12:52:48 JOY-SERVER smbd[2365]:   smbd_do_qfsinfo: not an allowed info level (0x105) on IPC$.
Oct 03 12:52:52 JOY-SERVER smbd[2365]: [2017/10/03 12:52:52.332675,  0] ../source3/smbd/trans2.c:3451(smbd_do_qfsinfo)
Oct 03 12:52:52 JOY-SERVER smbd[2365]:   smbd_do_qfsinfo: not an allowed info level (0x201) on IPC$.
Oct 03 12:52:52 JOY-SERVER smbd[2365]: [2017/10/03 12:52:52.335438,  0] ../source3/smbd/trans2.c:3451(smbd_do_qfsinfo)
Oct 03 12:52:52 JOY-SERVER smbd[2365]:   smbd_do_qfsinfo: not an allowed info level (0x105) on IPC$.

any suggestions on what to check?
Thanks!

seth · 2017-10-03 20:34:42

Wild guess, try adding

min protocol = NT1

to the global section and restart the service.

If this "fixes" it, try to do some on the windows end (make it use SMBv2 or up)
The remove that key again.

zombieagain · 2017-10-04 07:01:27

Thanks! I tried this and didn't work, unfortunately...
I was able to fix the problem anyway by changing:

security = domain

to

security = user

I'm not sure what this all means, but it is working now... I truly have no idea why it worked for months with the old configuration and it stopped working a few days ago...

seth · 2017-10-04 07:23:36

From "man 5 smb.conf":

           SECURITY = USER

           If server role is not specified, this is the default security setting in Samba. With user-level security a client
           must first "log-on" with a valid username and password (which can be mapped using the username map parameter).
           Encrypted passwords (see the encrypted passwords parameter) can also be used in this security mode. Parameters
           such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but
           only after the user has been successfully authenticated.

           Note that the name of the resource being requested is not sent to the server until after the server has
           successfully authenticated the client. This is why guest shares don't work in user level security without
           allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for
           details on doing this.

           SECURITY = DOMAIN

           This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain. It
           expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the
           username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that
           a Windows NT Server would do.

           Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to
           have a valid UNIX account to map file access to.

           Note that from the client's point of view security = domain is the same as security = user. It only affects how
           the server deals with the authentication, it does not in any way affect what the client sees.

           Note that the name of the resource being requested is not sent to the server until after the server has
           successfully authenticated the client. This is why guest shares don't work in user level security without
           allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for
           details on doing this.

           See also the password server parameter and the encrypted passwords parameter.

I could imagine this happened with the same security measures or even indeed is related to the SMB protocol version in use (and the switch wasn't effective in the server or refused/cached in the client)
You could also try the mx protocol version to enforce the NT1 version, check the smb logs and reboot rather than reload the service (where I'm not sure why this should make a difference but another user said he had to do this do effectively switch the used cifs version on the client)

Arch Linux

#1 2017-10-03 20:05:47

SAMBA shares suddenly not accessible from windows

#2 2017-10-03 20:34:42

Re: SAMBA shares suddenly not accessible from windows

#3 2017-10-04 07:01:27

Re: SAMBA shares suddenly not accessible from windows

#4 2017-10-04 07:23:36

Re: SAMBA shares suddenly not accessible from windows

Board footer