Access denied to Samba share from Windows 10
Solution 1
To access the samba share, please pay attention to:
- You had to create a system user with the same username. In this case, please issue the following command:
useradd -s /sbin/nologin benjamin
- If you are using a SELINUX-enabled system (eg: CentOS), try to temporarily disable it issuing
setenforce 0
EDIT: as the problem persists, try the following:
- maybe your Windows host is prepending your username with the wrong domain name. From the Windows machine, try to login using
localhost\benjamin
as the username - issue
pdbedit -L
and check if userbenjamin
is listed. If so, set a trivial password (you can change it later) usingsmbpasswd benjamin
- if user
benjamin
is not listed, try to recreate it issuingsmbpasswd -a benjamin
- if it does not work, delete the passwd file (it is named
passwd.tdb
; for reference, in a CentOS 6.x system it is found under/var/lib/samba/private/
). Then, recreate your user issuingsmbpasswd -a benjamin
- if it still not working, try to use the root account issuing
smbpasswd -a root
and check if you can login using the root user. Note: this is only a try. After having done with it, you must delete root's entry issuingsmbpasswd -x root
- Your last resort is to increase the verbosity of logging and see if you can find clues there. For authentication attempts, edit or add the following line on your smb.conf
log level = 2 winbind:5
, check the logs with something liketail -f /var/log/samba/log*
and try to login.
Solution 2
It is possible you need to add the user in question to your smb service in linux
sudo smbpasswd -a myuser
Solution 3
On the Windows PC, Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
to 4
Network security: LAN Manager authentication level is usually set to Send LM & NTLM - use NTLMv2 session security if negotiated
by Group policies for backup compatability with older clients.
Changing LmCompatibilityLevel
to 4 sets it to Send NTLMv2 response only
Solution 4
I was having the same problem. Eventually solved it by erasing the partition on my external HDD and remaking the filesystem. With this config I can copy&paste onto the drive without logging in from windows:
[global]
server string = Media Server
workgroup = HOME
security = user
map to guest = Bad User
name resolve order = bcast host
[Film]
path = /mnt/sda/sda1/Film
force user = smbuser
force group = smbgroup
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
public = yes
writable = yes
write list = smbuser
I set up the group and user with the following commands:
sudo groupadd --system smbgroup
sudo useradd --system --no-create-home --group smbgroup -s /bin/false smbuser
My drive had been used in a different system (I re-did the same server a couple of times) so I think there were still traces of ownership that was overriding my new persmissions so therefore, only after re-partition and re-making the filesystem the new permissions worked.
Related videos on Youtube
bak202
Updated on September 18, 2022Comments
-
bak202 over 1 year
Samba version: Version 4.1.17-Ubuntu
Ubuntu 15.10
When accessing a Samba share in windows, I can see the share but whenever I try and access it - entering the same username and password as the Samba user created with
sudo smbpasswd -a benjamin
(same as system user), I only get "Access is Denied". Here are my smb settings[global] server string = %h server (Samba, Ubuntu) #encrypt passwords = No map to guest = Bad User obey pam restrictions = Yes passdb backend = tdbsam pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . unix password sync = Yes syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 dns proxy = No usershare allow guests = Yes panic action = /usr/share/samba/panic-action %d wins support = yes name resolve order = wins lmhosts host bcast [TVShare] path = /media/MEDIA2/TV available = yes valid users = benjamin read only = no browsable = yes public = yes writable = no
Where
ls -dl /media/MEDIA2/TV/
readsdrwxrwxr-x 40 benjamin benjamin 4096 Sep 5 16:18 /media/MEDIA2/TV/
Sample log:
[2015/12/20 12:52:02, 2] ../source3/lib/tallocmsg.c:124(register_msg_pool_usage) Registered MSG_REQ_POOL_USAGE [2015/12/20 12:52:02, 2] ../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED [2015/12/20 12:52:02.517860, 2] ../source3/param/loadparm.c:543(max_open_files) rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) [2015/12/20 12:52:02.517954, 2] ../source3/param/loadparm.c:3582(do_section) Processing section "[TVShare]" [2015/12/20 12:52:02.518169, 2] ../source3/lib/interface.c:341(add_interface) added interface eth0 ip=192.168.0.5 bcast=192.168.0.255 netmask=255.255.255.0 [2015/12/20 12:52:02.522658, 0] ../lib/util/become_daemon.c:136(daemon_ready) STATUS=daemon 'smbd' finished starting up and ready to serve connectionsFailed to fetch record!
-
sam_pan_mariusz over 8 yearsNo Samba version, no logs, nothing about other versions of Windows... And have you tried to mount the share from the server machine itself?
-
bak202 over 8 yearsAdded. Unable to try on other versions of windows - but thought the version may be of help
-
-
bak202 over 8 yearsThank you, the user I created is the same name/pass as an existing system user. I'll edit the question with more information
-
shodanshok over 8 yearsI've edited my answer. Give it a try.
-
bak202 over 8 yearsTried 2-5 (it did exist in pdbedit) but had the same issue. After trying one, I get a new error in Windows: "...\TVShows is not accessible. You might not have permission to use this network resource..."
-
shodanshok over 8 yearsHave you disabled SELINUX?
-
user643011 almost 6 yearsDoes this require a reboot on the client?
-
Soren about 5 yearsThank you :) creating new user with password solved my problem :)
-
Dave Burton about 4 yearsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel does not exist on my Windows 10 Home machine. What type should it be?
-
jftuga almost 4 years@DaveBurton:
REG_DWORD
-
Oliver Gaida almost 4 yearsthank you Dave, this worked for me
-
FrankyHollywood over 3 yearstried all kinds of configurations, but this was the answer I needed :)
-
endolith about 3 yearsThis doesn't do anything for me. Just says "access denied" even after a reboot
-
endolith about 3 yearsI would give this a bounty if I had any to give
-
ndemou over 2 years@shodanshok do you mind if I add to your answer, one last step regarding enabling verbose logging from serverfault.com/a/1070611/67528 ?
-
shodanshok over 2 years@ndemou sure, feel free to propose an edit to my answer.