Windows 7 and Samba 3.5.2

The network is the forum.

Moderators: Steel, notfred

Windows 7 and Samba 3.5.2

Postposted on Mon Apr 18, 2011 3:10 pm

I just posted a topic on ServerFault on an issue I'm having getting a Windows 7 PC that's attached to a domain to connect to any Samba share.

It's quite ridiculous too and infuriating because it can connect to shares that it owns under Active Directory just fine. Anybody have any bright ideas? Additional info and stuff is available in the SF link (like the smb.conf file).

Thanks.
Image
Nitrodist
Grand Gerbil Poohbah
 
Posts: 3280
Joined: Wed Jul 19, 2006 1:51 am
Location: Minnesota

Re: Windows 7 and Samba 3.5.2

Postposted on Mon Apr 18, 2011 6:13 pm

Try adding
client ntlmv2 auth = yes
to your SMB.conf and that might resolve it. Window 7 does have much tighter default security.
ekul
Gerbil
 
Posts: 81
Joined: Thu Jan 17, 2008 1:25 pm

Re: Windows 7 and Samba 3.5.2

Postposted on Mon Apr 18, 2011 7:35 pm

Will do tomorrow, thanks.
Image
Nitrodist
Grand Gerbil Poohbah
 
Posts: 3280
Joined: Wed Jul 19, 2006 1:51 am
Location: Minnesota

Re: Windows 7 and Samba 3.5.2

Postposted on Mon Apr 18, 2011 7:39 pm

Couple of notes and basic questions.

First, set "log level=4" and try the connection again. It will likely tell you exactly why the connection isn't proceeding. You just have to interpret the log entries.

Now, for the basic stuff. You aren't specifying a security mode so it is going to default to "security = user". This means that the user must have and account defined in the smbpasswd file, and that account must match exactly the Unix account for the user. Assuming all these are verified, the next step would be the log files from a connection attempt with the log level raised. I'm certainly not a Samba expert, but I oversee about 100 or so Samba servers in my day job, so I might be able to give you some hints.

--SS
SecretSquirrel
Gerbil Jedi
Gold subscriber
 
 
Posts: 1717
Joined: Tue Jan 01, 2002 7:00 pm
Location: The Colony, TX (Dallas suburb)

Re: Windows 7 and Samba 3.5.2

Postposted on Thu May 19, 2011 9:22 am

Found out the problem thanks to a co-worker looking into it.

The problem is that within our environment, by default, Windows 7 required all SMB packets to be signed. Samba servers, however, do not. So there are two ways to fix this: turn off client signing in Win7 or add a flag to the smb.conf file in the global section as this: 'server signing = auto'. (we were using Samba 3.5.2).

For Windows 7, you can 'fix' this policy by making it more lenient -- going from requiring digital signatures to optionally using it if the server agrees.

Here's how you can use it:

The local windows security policy changes are as follows:
Start menu
type GPEdit.msc
Browse to Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options
Look for "Microsoft network client: Digitally sign communications (always)" and change it to Disabled

You may also need to do the same for "Microsoft network client: Digitally sign communications (if server agrees)". In theory this should be negotiated during the negotiate/challenge phase of NTLM but it may fail; NTLM doesn't explicitly demand any real negotiation.
Image
Nitrodist
Grand Gerbil Poohbah
 
Posts: 3280
Joined: Wed Jul 19, 2006 1:51 am
Location: Minnesota

Re: Windows 7 and Samba 3.5.2

Postposted on Thu May 19, 2011 9:59 am

Your option to have Samba do the signing would be a more perferable outcome. An extra defense against man in the middle attacks would be worth it. Even if it is internal only traffic, let us not forget our own employees are our greatest security threat.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3549
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Windows 7 and Samba 3.5.2

Postposted on Thu May 19, 2011 11:05 am

Absolutely. That's what we're doing.
Image
Nitrodist
Grand Gerbil Poohbah
 
Posts: 3280
Joined: Wed Jul 19, 2006 1:51 am
Location: Minnesota


Return to Networking

Who is online

Users browsing this forum: No registered users and 1 guest