Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] cannot connect without user/pass on Windows 10
150 views
Skip to first unread message
Bram Matthys via samba
Jan 26, 2017, 6:40:03 AM1/26/17
to
Hi,
A number of students are unable to connect to our print server from
their Windows 10 client laptop without entering a user/pass. More
precisely: If you try to connect manually to \\IP it says "Username or
password incorrect" and prompts to enter a username/password. Despite
the server setting to map all users to guest (see further down). I did a
packet dump and the client pc asks NTLMSSP_NEGOTIATE, server replies
with an NTLMSSP_CHALLENGE and then the client pc simply hangs up (TCP RST).
Now the (more) interesting bit: all this only happens when you use a
"microsoft account", not if you use a local account. With a local
account on the laptop start -> run -> \\IP will get you connected
without asking for a user / password and show the shared printers and
shares, as expected.
Any ideas? Is this fixable on the server-side? Otherwise if that is not
possible, fixable on the client-side while still permitting microsoft
accounts?
Packet dump (raw): https://www.vulnscan.org/tmp/cannotconnectsmb.pcap
Packet dump (text) below:
1 0.000000 10.0.6.178 -> 10.0.0.7 TCP 66 49939→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.000049 10.0.0.7 -> 10.0.6.178 TCP 66 445→49939 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 0.002343 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
4 0.002514 10.0.6.178 -> 10.0.0.7 SMB 213 Negotiate Protocol Request
5 0.002528 10.0.0.7 -> 10.0.6.178 TCP 54 445→49939 [ACK] Seq=1 Ack=160
Win=30336 Len=0
6 0.009462 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
7 0.011702 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
8 0.011936 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
9 0.016597 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
10 0.017098 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
11 0.020411 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [RST, ACK] Seq=504
Ack=710 Win=0 Len=0
12 0.023889 10.0.6.178 -> 10.0.0.7 TCP 66 49940→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
13 0.023932 10.0.0.7 -> 10.0.6.178 TCP 66 445→49940 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
14 0.026880 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
15 0.026922 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
16 0.026941 10.0.0.7 -> 10.0.6.178 TCP 54 445→49940 [ACK] Seq=1 Ack=179
Win=30336 Len=0
17 0.032177 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
18 0.034870 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
19 0.035490 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
20 0.038742 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [RST, ACK] Seq=345
Ack=504 Win=0 Len=0
21 0.202080 10.0.6.178 -> 10.0.0.7 TCP 66 49941→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
22 0.202145 10.0.0.7 -> 10.0.6.178 TCP 66 445→49941 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
23 0.204434 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
24 0.204484 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
25 0.204503 10.0.0.7 -> 10.0.6.178 TCP 54 445→49941 [ACK] Seq=1 Ack=179
Win=30336 Len=0
26 0.212382 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
27 0.214883 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
28 0.215544 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
29 0.218612 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [RST, ACK] Seq=345
Ack=504 Win=0 Len=0
30 0.222053 10.0.6.178 -> 10.0.0.7 TCP 66 49942→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
31 0.222120 10.0.0.7 -> 10.0.6.178 TCP 66 445→49942 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
32 0.224036 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
33 0.224074 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
34 0.224086 10.0.0.7 -> 10.0.6.178 TCP 54 445→49942 [ACK] Seq=1 Ack=179
Win=30336 Len=0
35 0.230810 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
36 0.233314 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
37 0.234009 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
38 0.237069 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [RST, ACK] Seq=345
Ack=504 Win=0 Len=0
Server config:
[global]
workgroup = MLHJ
interfaces = anet jnet print wifi lo
bind interfaces only = Yes
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
syslog = 0
log file = /var/log/samba/smb.log
printcap name = /etc/printcap
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
printing = bsd
print command = /usr/local/scripts/print "%p" "%s" "%I" "%m" "%U" "%J"
2>&1|logger -p lpr.debug -t samba-print
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
guest ok = Yes
# smbd -V
Version 4.2.14-Debian
Regards,
Bram
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
A number of students are unable to connect to our print server from
their Windows 10 client laptop without entering a user/pass. More
precisely: If you try to connect manually to \\IP it says "Username or
password incorrect" and prompts to enter a username/password. Despite
the server setting to map all users to guest (see further down). I did a
packet dump and the client pc asks NTLMSSP_NEGOTIATE, server replies
with an NTLMSSP_CHALLENGE and then the client pc simply hangs up (TCP RST).
Now the (more) interesting bit: all this only happens when you use a
"microsoft account", not if you use a local account. With a local
account on the laptop start -> run -> \\IP will get you connected
without asking for a user / password and show the shared printers and
shares, as expected.
Any ideas? Is this fixable on the server-side? Otherwise if that is not
possible, fixable on the client-side while still permitting microsoft
accounts?
Packet dump (raw): https://www.vulnscan.org/tmp/cannotconnectsmb.pcap
Packet dump (text) below:
1 0.000000 10.0.6.178 -> 10.0.0.7 TCP 66 49939→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.000049 10.0.0.7 -> 10.0.6.178 TCP 66 445→49939 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 0.002343 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
4 0.002514 10.0.6.178 -> 10.0.0.7 SMB 213 Negotiate Protocol Request
5 0.002528 10.0.0.7 -> 10.0.6.178 TCP 54 445→49939 [ACK] Seq=1 Ack=160
Win=30336 Len=0
6 0.009462 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
7 0.011702 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
8 0.011936 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
9 0.016597 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
10 0.017098 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
11 0.020411 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [RST, ACK] Seq=504
Ack=710 Win=0 Len=0
12 0.023889 10.0.6.178 -> 10.0.0.7 TCP 66 49940→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
13 0.023932 10.0.0.7 -> 10.0.6.178 TCP 66 445→49940 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
14 0.026880 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
15 0.026922 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
16 0.026941 10.0.0.7 -> 10.0.6.178 TCP 54 445→49940 [ACK] Seq=1 Ack=179
Win=30336 Len=0
17 0.032177 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
18 0.034870 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
19 0.035490 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
20 0.038742 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [RST, ACK] Seq=345
Ack=504 Win=0 Len=0
21 0.202080 10.0.6.178 -> 10.0.0.7 TCP 66 49941→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
22 0.202145 10.0.0.7 -> 10.0.6.178 TCP 66 445→49941 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
23 0.204434 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
24 0.204484 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
25 0.204503 10.0.0.7 -> 10.0.6.178 TCP 54 445→49941 [ACK] Seq=1 Ack=179
Win=30336 Len=0
26 0.212382 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
27 0.214883 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
28 0.215544 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
29 0.218612 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [RST, ACK] Seq=345
Ack=504 Win=0 Len=0
30 0.222053 10.0.6.178 -> 10.0.0.7 TCP 66 49942→445 [SYN] Seq=0 Win=8192
Len=0 MSS=1460 WS=256 SACK_PERM=1
31 0.222120 10.0.0.7 -> 10.0.6.178 TCP 66 445→49942 [SYN, ACK] Seq=0
Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
32 0.224036 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [ACK] Seq=1 Ack=1
Win=65536 Len=0
33 0.224074 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
34 0.224086 10.0.0.7 -> 10.0.6.178 TCP 54 445→49942 [ACK] Seq=1 Ack=179
Win=30336 Len=0
35 0.230810 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
36 0.233314 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
NTLMSSP_NEGOTIATE
37 0.234009 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
38 0.237069 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [RST, ACK] Seq=345
Ack=504 Win=0 Len=0
Server config:
[global]
workgroup = MLHJ
interfaces = anet jnet print wifi lo
bind interfaces only = Yes
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
syslog = 0
log file = /var/log/samba/smb.log
printcap name = /etc/printcap
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
printing = bsd
print command = /usr/local/scripts/print "%p" "%s" "%I" "%m" "%U" "%J"
2>&1|logger -p lpr.debug -t samba-print
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
guest ok = Yes
# smbd -V
Version 4.2.14-Debian
Regards,
Bram
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny via samba
Jan 26, 2017, 9:10:04 AM1/26/17
to
If you look in 'man smb.conf' under 'map to guest (G)' you will find
this:
Bad User - Means user logins with an invalid password are
rejected, unless the username does not exist, in which case it
is treated as a guest login and mapped into the guest
account.
So, if the user does exist and uses an incorrect password it will be
rejected, but if the user doesn't exist, it will be SILENTLY mapped to
guest.
Rowland
Bram Matthys via samba
Jan 26, 2017, 10:40:05 AM1/26/17
to
Op 26-1-2017 om 15:01 schreef Rowland Penny via samba:
Right, I understand what you are after, but no: the user does not exist
on the server.
Also, looking at the packet dump, the username isn't even sent (yet).
Best regards,
Bram
on the server.
Also, looking at the packet dump, the username isn't even sent (yet).
Best regards,
Bram
0 new messages