Windows 10 64 domain computer cannot access Linux (Raspberry Pi3) samba share

active-directory, raspbian, samba, windows 10

Samba server:
Raspberry Pi3, running osmc media server (I believe this is a down-scaled Raspbian version).
Samba version: 4.2.10

Domain controller:
Windows 2012

Windows client:
Windows 10 Evt. 64-bit

Before I set up the domain controller and connected the Win10 client to it, I was able to access the smb shares on the smb server without problems.

After connecting the Win10 client to the AD, I can see the smb server, but I'm not able to log in ("Access denied").

EDIT: Naturally, I've tried logging in to the samba share with WORKGROUP\username, which according to some should work. It doesn't.

From what I'm reading, this is because of the smb server not supporting the smb client version (3?) used by Windows 10. So, since there is no Windows 10 help to be found, I tried this MS article for Windows 7:

https://support.microsoft.com/en-us/kb/2696547

I disabled smb version 2 and 3, and enabled version 1, as suggested in another forum. When I rebooted the machine, the Win10 client wasn't even able to SEE the smb shares. When I disabled version 1, and enabled version 2 and 3 again, I was back to the client seeing the share but not being able to log in.

Anyone know how to fix this? It was also suggested to join the smb/linux server to the Windows domain, but since the easy solution for that doesn't work on the Pi3 architecture, I'm reluctant to try installing Kerberos and all that stuff manually, since I really don't know much about it. Also, I expect that some essential package doesn't exist for the Pi3, and I'll be stuck halfway through with a more or less broken system.

It seems that several people claim that disabling samba 2/3 works for them. Strange that this doesn't work for me, on either the Win 10 client or the Win 2008 server. And MS seems to be more or less unwilling to help with this too – which is not uncommon, in my experience.

The smb.conf file (unchanged after the installation):

[global]

config file = /etc/samba/smb-local.conf

workgroup = WORKGROUP
security=user
follow symlinks = yes
wide links = no
unix extensions = no
lock directory = /var/cache/samba
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1
map to guest = bad user
usershare template share = automount template

read raw = Yes
write raw = Yes
strict locking = no
min receivefile size = 16384
use sendfile = true
aio read size = 2048
aio write size = 2048
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

[osmc]
browsable = yes
read only = no
valid users = osmc
path = /home/osmc
comment = OSMC Home Directory

[automount template]
browseable = yes
-valid = no
valid users = osmc
path = %P
hide files = /$RECYCLE.BIN/System Volume Information/desktop.ini/thumbs.db/

UPDATE

I gave up on the Windows AD server, and set up a Samba DC instead. Incredibly, the EXACT same problem is present when the Windows 10 computer is logged on to the Samba domain. And the Samba DC is also unable to access the same samba share(s), getting "Access denied".

It seems that Samba is the real source of pain and suffering here, and there doesn't seem to be any way to fix it either. The solution must be to use only Windows as file servers.

Best Answer

It could be that your Windows 10 client is now trying to implicitly authenticate using DOMAIN\username when you try to access the share.

Does the Raspberry Pi3 have a hostname/NETBIOS name in the samba configuration (under the global config section)? If so, you could try specifying SAMBA_NETBIOSNAME\username when you try to authenticate to access the share.

UPDATE:
Based on the config you provided I would suggest adding netbios name = pi3 or something to that effect and then trying to sign in with pi3\username.

You might also try playing with some of the other authentication settings found in the documentation for SAMBA. Note that you'll probably have to restart the samba daemon after making changes to the config.


For example, you might try adding auth methods = guest sam winbind, noting that guest allows anonymous access. That way you could isolate the problem between a configuration problem and an authentication problem (assuming anonymous access would be used when you can't authenticate - I'm rusty on my SAMBA skills).

In other words, as long as you can get in with guest enabled then we know at least the v1,2,3 piece is working and you can focus on the authentication settings. Once you've finally got the settings working for non-guest access you should remove the guest access to prevent unauthorized access to your share(s).

I'd also consider adding settings to force the ntlm auth, lanman auth, server schannel, and server signing settings to mirror the settings in your Windows client.

To check the equivalent Windows settings, run "secpol.msc" and check the settings under:

Security Settings
  Local Policies
    Security Options
      - Microsoft network client: *
      - Network security: *

Microsoft network client: Digitally encrypt or sign secure channel data (always)
Microsoft network client: Digitally encrypt secure channel data (when possible)
Microsoft network client: Digitally sign secure channel data (when possible)

These settings dictate what the server schannel and server signing settings should be in your samba config.

Network security: LAN Manager authentication level

This setting dictates what the ntlm auth and lanman auth settings should be in your samba config.

For example, "Send NTLMv2 response only. Refuse LM & NTLM" in your Windows settings is equivalent to ntlm auth = no and lanman auth = no in your samba config.

NOTE: I don't recommend changing your Windows settings unless you're comfortable troubleshooting authentication issues with the domain afterwards.
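
Added example, not part of the original answer: a Python check of the mapping described above, comparing the response types a Windows client sends at each LAN Manager authentication level with what smbd accepts under its ntlm auth and lanman auth settings. The Samba 4.2 defaults (ntlm auth = yes, lanman auth = no), the function names and the level numbering 0 to 5 are assumptions; the sample config is a constructed excerpt of the question's smb.conf.

```python
import re

# Constructed excerpt of the question's smb.conf (auth-relevant lines only).
PAGE_CONF = """
[global]
workgroup = WORKGROUP
security=user
map to guest = bad user

[osmc]
valid users = osmc
"""

# Assumption: Samba 4.2 defaults as documented in its smb.conf man page.
DEFAULTS = {"ntlmauth": "yes", "lanmanauth": "no"}

# Responses sent per LAN Manager level (5 = "Send NTLMv2 response only. Refuse LM & NTLM").
CLIENT_SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}

def parse_global(text):
    """Return [global] parameters; smb.conf names ignore case and spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def server_accepts(params):
    """Response types smbd validates under these ntlm/lanman settings."""
    def on(key):
        return params.get(key, DEFAULTS[key]).lower() in ("yes", "true", "on", "1")
    accepted = {"NTLMv2"}
    if on("ntlmauth"):
        accepted.add("NTLM")
    if on("lanmanauth"):
        accepted.add("LM")
    return accepted

def protocol_mismatch(conf_text, windows_level):
    """True when the server accepts none of what the client sends."""
    return not (CLIENT_SENDS[windows_level] & server_accepts(parse_global(conf_text)))
```

With the posted config (no ntlm auth line) every Windows level overlaps under the assumed defaults; a mismatch appears only when ntlm auth = no is set on the server and the client is at level 2 or lower.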
