Samba server:
Raspberry Pi3, running osmc media server (I believe this is a down-scaled Raspbian version).
Samba version: 4.2.10
Domain controller:
Windows 2012
Windows client:
Windows 10 Evt. 64-bit
Before I set up the domain controller and connected the Win10 client to it, I was able to access the smb shares on the smb server without problems.
After connecting the Win10 client to the AD, I can see the smb server, but I'm not able to log in ("Access denied").
EDIT: Naturally, I've tried logging in to the samba share with WORKGROUP\username, which according to some should work. It doesn't.
From what I'm reading, this is because of the smb server not supporting the smb client version (3?) used by Windows 10. So, since there is no Windows 10 help to be found, I tried this MS article for Windows 7:
https://support.microsoft.com/en-us/kb/2696547
I disabled smb version 2 and 3, and enabled version 1, as suggested in another forum. When I rebooted the machine, the Win10 client wasn't even able to SEE the smb shares. When I disabled version 1, and enabledf version 2 and 3 again, I was back to the client seeing the share but not being able to log in.
Anyone know how to fix this? It was also suggested to join the smb/linux server to the Windows domain, but since the easy solution for that doesn't work on the Pi3 architecture, I'm reluctant to try installing Kerberos and all that stuff manually, since I really don't know much about it. Also, I excpect that some essential package doesn't exist for the Pi3, and I'll be stuck halfway through with a more or less broken system.
It seems that several people claim that disabling samba 2/3 works for them. Strange that this doesn't work for me, on either the Win 10 client og the Win 2008 server. And MS seems to be more or less unwilling to help with this too – which is not uncommon, in my experience.
The smb.conf file (unchanged after the installation):
[global]
config file = /etc/samba/smb-local.conf
workgroup = WORKGROUP
security=user
follow symlinks = yes
wide links = no
unix extensions = no
lock directory = /var/cache/samba
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1
map to guest = bad user
usershare template share = automount template
read raw = Yes
write raw = Yes
strict locking = no
min receivefile size = 16384
use sendfile = true
aio read size = 2048
aio write size = 2048
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
[osmc]
browsable = yes
read only = no
valid users = osmc
path = /home/osmc
comment = OSMC Home Directory
[automount template]
browseable = yes
-valid = no
valid users = osmc
path = %P
hide files = /$RECYCLE.BIN/System Volume Information/desktop.ini/thumbs.db/
UPDATE
I gave up on the Windows AD server, and set up a Samba DC instead. Incredibly, the EXACT same problem is present when the Windows 10 computer is logged on to the Samba domain. And the Samba DC is also unable to access the same samba share(s), getting "Access denied".
It seems that Samba is the real source of pain and suffering here, and there doesn't seem to be any way to fix it either. The solution must be to use only Windows as file servers.
Best Answer
It could be that your Windows 10 client is now trying to implicitly authenticate using
DOMAIN\username
when you try to access the share.Does the Raspberry Pi3 have a hostname/NETBIOS name in the samba configuration (under the global config section)? If so, you could try specifying
SAMBA_NETBIOSNAME\username
when you try to authenticate to access the share.UPDATE:
Based on the config you provided I would suggest adding
netbios name = pi3
or something to that effect and then trying to sign in withpi3\username
.You might also try playing with some of the other authentication settings found in the documentation for SAMBA. Note that you'll probably have to restart the samba daemon after making changes to the config.
For example, you might try adding
auth methods = guest sam winbind
noting thatguest
allows anonymous access. That way you could isolate the problem between a configuration problem and an authentication problem (assuming anonymous access would be used when you can't authenticate - I'm rusty on my SAMBA skills).In other words, as long as you can get in with guest enabled then we know at least the v1,2,3 piece is working and you can focus on the authentication settings. Once you've finally got the settings working for non-guest access you should remove the guest access to prevent unauthorized access to your share(s).
I'd also consider adding settings to force the
ntlm auth
,lanman auth
,server schannel
, andserver signing
settings to mirror the settings in your Windows client.To check the equivalent Windows settings, run "secpol.msc" and check the settings under:
These settings dictate what the
server schannel
andserver signing
settings should be in your samba config.This setting dictates what the
ntlm auth
andlanman auth
settings should be in your samba config.For example,
Send NTLMv2 response only. Refuse LM & NTLM
in your Windows settings is equivalent tontlm auth = no
andlanman auth = no
in your samba config.NOTE: I don't recommend changing your Windows settings unless you're comfortable troubleshooting authentication issues with the domain afterwards.