
[Samba] Windows 10 in Samba 3 domain: netlogon share access denied


Marcel Ebbrecht

Jul 9, 2015, 5:10:04 AM
Hi,

I got the same problem with Build 10162. I don't think it's a Samba
issue. It seems that Windows 10 doesn't like "\\....\netlogon". Our Samba
3.5.6 PDC works like a charm for Win 7. From my Win10 PC I can access
everything except \\dc1\netlogon

Symptoms:
Accessing \\dc1\netlogon -> Auth fail
Accessing \\dc1\netlogon2 -> Works (same config!!!)
Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon)

Everything works except accessing \\dc1\netlogon directly and joining
domain (no AD DC found) ... must be something special with Windows 10
and I bet it's:
- a reg key
- not solvable, because MS doesn't want us to access netlogon shares ...

Config:

[netlogon2]
comment = Network Logon Service
# browseable = no
path = /opt/netlogon
guest ok = yes
read only = no
force group = "Domain Admins"
create mode = 0665
directory mask = 0775
write list = @"Domain Admins"
# valid users = @"Domain Users" @"Domain Admins"
force user = nobody
veto files = /.DS_Store*/Thumbs.db*/~\$*/
delete veto files = no

[netlogon]
comment = Network Logon Service
# browseable = no
path = /opt/netlogon
guest ok = yes
read only = no
force group = "Domain Admins"
create mode = 0665
directory mask = 0775
write list = @"Domain Admins"
# valid users = @"Domain Users" @"Domain Admins"
force user = nobody
veto files = /.DS_Store*/Thumbs.db*/~\$*/
delete veto files = no

### DFS Config ###

[s1]
comment = DFS Share s1
path = /opt/s1
msdfs root = yes
browseable = yes
read only = yes
force group = "Domain Admins"
create mode = 0660
directory mask = 0770
valid users = @"Domain Users" @"Domain Admins"
veto files = /.DS_Store*/Thumbs.db*/~\$*/
delete veto files = no

### Link in DFS path ###
lrwxrwxrwx 1 root root 18 1. Okt 2013 Netlogon -> msdfs:dc1\netlogon

Greetings

--
Marcel Ebbrecht <m.ebb...@dortmundit.de>

L.P.H. van Belle

Jul 9, 2015, 6:00:03 AM
What if you try to change

msdfs:dc1\netlogon
to
msdfs:dc1.your.domain.tld\netlogon

or use
Accessing \\dc1.your.domain.tld\netlogon


greetz,

Louis


>-----Original message-----
>From: samba [mailto:samba-...@lists.samba.org] On behalf of
>Marcel Ebbrecht
>Sent: Thursday, 9 July 2015 10:42
>To: sa...@lists.samba.org
>Subject: [Samba] Windows 10 in Samba 3 domain: netlogon
>share access denied

Marcel Ebbrecht

Jul 9, 2015, 7:10:02 AM
Let's ignore the DFS and concentrate on the direct access:

domain is foo.lan

tried:


\\dc1\netlogon
\\ip\netlogon
\\dc1.foo.lan\netlogon
\\foo.lan\netlogon

doesn't work with foo.lan\username and just username

\\dc1\netlogon2
\\ip\netlogon2
\\dc1.foo.lan\netlogon2
\\foo.lan\netlogon2

works with foo.lan\username and just username - same directory, same config, just another sharename (see config).

Tried also with guest ok ... netlogon2 works, netlogon not. Everything works except the netlogon share and joining domain :(

Can someone confirm that Build 10162 doesn't want to connect to netlogon shares?

I also created a netlogon share on one of our Windows servers (old 2003 testing machine) ... doesn't work, so this is obviously no Samba problem :(

BUT: Samba people are often more competent than Microsoft people on Windows ;) So is there anyone here who can confirm this problem and, perhaps, submit a solution?

ty

L.P.H. van Belle

Jul 9, 2015, 7:30:03 AM
Any messages in the Windows 10 event logs that could give some extra insight?

according to
https://social.technet.microsoft.com/Forums/en-US/7f5207cc-b202-47fc-bbb8-9ebe46a31961/network-logon-script-failure?forum=WinPreview2014General

>\\foo.lan\netlogon
should work.

But https://adsecurity.org/?p=1405
has some good info about the latest patch about hardening GPO (which IMO will also be in Windows 10).
I'm thinking it also has to do with this,
and since Win10 is not RTM yet, that can be changed.


Greetz,

Louis


>-----Original message-----
>From: samba [mailto:samba-...@lists.samba.org] On behalf of
>Marcel Ebbrecht
>Sent: Thursday, 9 July 2015 13:02
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Windows 10 in Samba 3 domain: netlogon

Marcel Ebbrecht

Jul 9, 2015, 10:10:03 AM
Louis was right :)

Solution: GPEDIT.MSC -> Computer -> Administrative templates -> Network -> Network Provider -> Hardened UNC Paths

Added

\\foo.lan\netlogon and Value:
RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0

also added this for \\dc1\... and \\dc1.e2c.lan\... works :)

Better call samba people when having problems with windows ;)
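
The value posted above sets all three Hardened UNC Path requirements to 0 for the listed paths, so it is useful to be able to find which machines carry such entries. The following is an added example, not part of the original post: it audits `reg query` style output of the policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths) and reports entries that disable a requirement or cannot be parsed. The sample entries are constructed, and the names `parse_value` and `audit` are hypothetical.

```python
import re

# The three requirements named in the post; 1 = required, 0 = not required.
FLAGS = ("RequireMutualAuthentication", "RequireIntegrity", "RequirePrivacy")

# Constructed sample in `reg query` output layout (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    \\*\SYSVOL    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=1
    \\foo.lan\netlogon    REG_SZ    RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
    \\dc1\netlogon    REG_SZ    RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
    \\fs1\tools    REG_SZ    RequireIntegrity=1,RequirePrivacy=yes
"""

# Indented value line: UNC path (no spaces assumed), REG_SZ, then the data.
ENTRY = re.compile(r"^\s+(\\\\\S+)\s+REG_SZ\s+(.*\S)\s*$")

def parse_value(data):
    """Split 'Flag=0,Flag=1' into {flag: bool}; bad items are returned as errors."""
    flags, errors = {}, []
    for item in filter(None, (p.strip() for p in data.split(","))):
        name, sep, val = item.partition("=")
        name, val = name.strip(), val.strip()
        canon = next((f for f in FLAGS if f.lower() == name.lower()), None)
        if not sep or canon is None or val not in ("0", "1"):
            errors.append(item)
        else:
            flags[canon] = val == "1"
    return flags, errors

def audit(text):
    """Return {unc_path: [findings]} for entries that weaken or break hardening."""
    report = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        path, data = m.groups()
        flags, errors = parse_value(data)
        findings = [f"{f} explicitly disabled" for f in FLAGS if flags.get(f) is False]
        findings += [f"unparsable item {e!r}" for e in errors]
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```

Entries that only set requirements to 1 produce no finding, so the report lists just the paths that need review.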

L.P.H. van Belle

Jul 9, 2015, 10:40:03 AM
I'm just smart with my external memory (Google).
Googled this within 3 minutes. ;-)
And you know, I never installed/used Windows 10 ;-) (yet).
Starting with that after my holiday.. and when Samba 4.2.3 is in SerNet.

But you're welcome, and happy it works for you.
And I now have a new GPO setting tested by you... Thanks!
_
/(|
( :
__\ \ _____
(____) `|
(____)| |
(____).__|
(___)__.|_____

;-)

Greetz,

Louis


>-----Original message-----
>From: samba [mailto:samba-...@lists.samba.org] On behalf of
>Marcel Ebbrecht
>Sent: Thursday, 9 July 2015 16:05
>To: sa...@lists.samba.org
>CC: m.end...@dortmundit.de
>Subject: Re: [Samba] Windows 10 in Samba 3 domain: netlogon
>share access denied
>

John Drescher

Jul 9, 2015, 11:20:02 AM
> I got the same problem with Build 10162. I don't think it's a Samba
> issue. It seems that Windows 10 doesn't like "\\....\netlogon". Our Samba
> 3.5.6 PDC works like a charm for Win 7. From my Win10 PC I can access
> everything except \\dc1\netlogon

Hmm. On 2 test boxes I am now getting no login servers available on
10162 (while it worked for previous builds and I do not experience
that on my Windows 7 or 8.x machines). 10130 crashed just after the
login was accepted if the network cables were connected (I have 2
networks at work: gigabit private to Samba domain only + internet
corporate network). After I pulled the network cables to let 10130 in
I experienced the same netlogin problem. My PDC and BDCs are Samba
4.2.2.

John

Marc Muehlfeld

Jul 9, 2015, 12:00:03 PM
Hello John,

On 09.07.2015 at 17:08, John Drescher wrote:
> Hmm. On 2 test boxes I am now getting no login servers available on
> 10162 (while it worked for previous builds and I do not experience
> that on my Windows 7 or 8.x machines). 10130 crashed just after the
> login was accepted if the network cables were connected (I have 2
> networks at work: gigabit private to Samba domain only + internet
> corporate network). After I pulled the network cables to let 10130 in
> I experienced the same netlogin problem. My PDC and BDCs are Samba
> 4.2.2.


I've renamed the old "Registry changes for NT4-style domains" page in
the wiki, because Win10 in a Samba NT4 domain also requires an smb.conf
setting. Otherwise you will stop at the "No logon servers available"
problem. To cover everything on one page, a page rename was required.

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

Regards,
Marc

John Drescher

Jul 9, 2015, 12:10:03 PM
> I've renamed the old "Registry changes for NT4-style domains" page in
> the wiki, because Win10 in a Samba NT4 domain also requires an smb.conf
> setting. Otherwise you will stop at the "No logon servers available"
> problem. To cover everything on one page, a page rename was required.
>
> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

Thanks a lot. I have server max protocol = SMB3 on all 3 DCs. I will
adjust and try later.

John

John Drescher

Jul 9, 2015, 3:10:03 PM
I verified that "server max protocol = NT1" on Samba 4.2.2 fixed the
issue for me.

Thanks,
John

On Thu, Jul 9, 2015 at 11:59 AM, John Drescher <dresc...@gmail.com> wrote:
>> I've renamed the old "Registry changes for NT4-style domains" page in
>> the wiki, because Win10 in a Samba NT4 domain also requires an smb.conf
>> setting. Otherwise you will stop at the "No logon servers available"
>> problem. To cover everything on one page, a page rename was required.
>>
>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>
> Thanks a lot. I have server max protocol = SMB3 on all 3 DCs. I will
> adjust and try later.
>
> John

--
John M. Drescher
