It could be that your Windows 10 client is now trying to implicitly authenticate using DOMAIN\username when you try to access the share.
Does the Raspberry Pi3 have a hostname/NETBIOS name in the samba configuration (under the global config section)? If so, you could try specifying SAMBA_NETBIOSNAME\username when you try to authenticate to access the share.
UPDATE:
Based on the config you provided I would suggest adding netbios name = pi3 or something to that effect and then trying to sign in with pi3\username.
You might also try playing with some of the other authentication settings found in the documentation for SAMBA. Note that you'll probably have to restart the samba daemon after making changes to the config.
For example, you might try adding auth methods = guest sam winbind, noting that guest allows anonymous access. That way you could isolate the problem between a configuration problem and an authentication problem (assuming anonymous access would be used when you can't authenticate - I'm rusty on my SAMBA skills).
In other words, as long as you can get in with guest enabled then we know at least the v1,2,3 piece is working and you can focus on the authentication settings. Once you've finally got the settings working for non-guest access you should remove the guest access to prevent unauthorized access to your share(s).
I'd also consider adding settings to force the ntlm auth, lanman auth, server schannel, and server signing settings to mirror the settings in your Windows client.
To check the equivalent Windows settings, run "secpol.msc" and check the settings under:
Security Settings
  Local Policies
    Security Options
      - Microsoft network client: *
      - Network security: *
Microsoft network client: Digitally encrypt or sign secure channel data (always)
Microsoft network client: Digitally encrypt secure channel data (when possible)
Microsoft network client: Digitally sign secure channel data (when possible)
These settings dictate what the server schannel and server signing settings should be in your samba config.
Network security: LAN Manager authentication level
This setting dictates what the ntlm auth and lanman auth settings should be in your samba config.
For example, "Send NTLMv2 response only. Refuse LM & NTLM" in your Windows settings is equivalent to ntlm auth = no and lanman auth = no in your samba config.
NOTE: I don't recommend changing your Windows settings unless you're comfortable troubleshooting authentication issues with the domain afterwards.
In my case (Windows 10, ancient Samba 4.2.10 on CentOS 6) what helped was setting the min protocol to SMB2, max protocol to SMB3:
[global]
min protocol = SMB2
max protocol = SMB3
client min protocol = SMB2
client max protocol = SMB3
client ipc min protocol = SMB2
client ipc max protocol = SMB3
server min protocol = SMB2
server max protocol = SMB3
And then connecting the share as a network drive (Explorer -> Home -> Easy access -> Map as drive), putting in the share name (\\1.2.3.4\ShareName), ticking "Connect using different credentials", then Other, and putting in the username in the format DOMAIN\username.
When trying to get to the share in Explorer, it would never ask for credentials, nor was I able to specify the username with net use \\shareserver\data /user:testuser (got System Error 58).
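A small check for the clean-up the two answers above describe, as an added example that is not part of either answer: it reads the [global] section of an smb.conf and flags guest left in auth methods, lanman auth or ntlm auth still enabled when the Windows client refuses LM & NTLM, and a minimum protocol below SMB2. The sample config, function names and finding texts are constructed for illustration.

```python
# Added example, not from the answers. SAMPLE_CONF is a constructed config.
SAMPLE_CONF = """\
[global]
   netbios name = pi3
# left in after troubleshooting
   auth methods = guest sam winbind
   Lanman Auth = yes
   ntlm auth = no
   server min protocol = NT1

[data]
   path = /srv/data
"""

TRUE_VALUES = {"yes", "true", "on", "1"}
PRE_SMB2 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def parse_global(text):
    """Collect [global] parameters; names are lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def audit(params):
    """Flag only explicitly set values; unset parameters are not judged."""
    findings = []
    if "guest" in params.get("auth methods", "").lower().split():
        findings.append("auth methods: guest still enabled")
    for key in ("lanman auth", "ntlm auth"):
        # Only yes/no style values are interpreted in this sketch.
        if params.get(key, "").lower() in TRUE_VALUES:
            findings.append(f"{key}: enabled, but a client refusing LM & NTLM expects no")
    for key in ("min protocol", "server min protocol"):
        if params.get(key, "").upper() in PRE_SMB2:
            findings.append(f"{key}: {params[key]} is below SMB2")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_global(SAMPLE_CONF)):
        print("FINDING", finding)
```
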
Best Answer
After 8 months, I finally solved the problem!
Samba share with freeipa auth
The complete set of information is at https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/.
On the freeipa controller:
After running the --add-sids, users need to reset their passwords, in order for freeipa to generate the ipaNTHash value of their passwords.
On the samba server:
Open the firewall ports it asks for (TCP 135,138,139,445,1024-1300; UDP 138,139,389,445)
Allow samba to read passwords
Prepare samba conf and restart samba.