Unable to access samba shared folder on Windows 7

The solution for the poster was to change the LAN Manager authentication level from "Send LM & NTLM - use NTLMv2 session security if negotiated" to "Send NTLMv2 response only".

Apparently Samba mismanaged the session security negotiations with Windows, so they couldn't agree on the algorithm for passwords. Once the poster dictated the security method, things worked.

As to why this happened - the best answer I can come up with is that it was caused by some unknown incompatibility between the Linux and Windows implementations of the SMB protocol.


[Old answer]

Try this on the W7 client:

In the Local Group Policy Editor, go to:

Local Computer Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options

Find the policy named Microsoft network client: Digitally sign communications (always).

If this is Enabled, change it to Disabled. Be sure and restart your computer for the change to take effect, as pressing Apply in the Policy Editor is not sufficient.

As a side-note, I used the following settings the last time I externalized a Samba share. Try them, and if they solve the problem then modify them one-by-one to yours until you encounter the problem:

    path = /my/share/path
    available = yes
    browsable = yes
    public = yes
    read only = no
    writable = yes
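
The policy change described at the top of this answer can be checked and applied from an elevated PowerShell prompt, because the "LAN Manager authentication level" policy is stored in the `LmCompatibilityLevel` registry value. This is an added example, not part of the original answer; the function names are illustrative, and the client signing policy from the old answer is only read, never changed.

```powershell
# Added example (not from the original answer). Run elevated on the Windows 7 client.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Policy text for LmCompatibilityLevel 0..5, as listed under Security Options.
$LevelNames = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

function Get-RegistryDword($Path, $Name) {
    # Returns $null when the value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SmbClientAuthState {
    $level   = Get-RegistryDword $LsaKey 'LmCompatibilityLevel'
    $signing = Get-RegistryDword $ClientKey 'RequireSecuritySignature'

    $levelText = 'not set (OS default applies)'
    $v2Only    = $null
    if ($null -ne $level) {
        $levelText = 'unrecognised value'
        if ($level -ge 0 -and $level -lt $LevelNames.Count) {
            $levelText = $LevelNames[$level]
        }
        # Levels 3-5 send NTLMv2 responses only; 0-2 still offer LM and/or NTLM.
        $v2Only = ($level -ge 3)
    }

    New-Object PSObject -Property @{
        LmCompatibilityLevel = $level
        LanManagerAuthPolicy = $levelText
        SendsNtlmV2Only      = $v2Only
        # "Microsoft network client: Digitally sign communications (always)"
        ClientSigningAlways  = ($signing -eq 1)
    }
}

function Set-LmCompatibilityLevel {
    param(
        # Only the NTLMv2-only levels are accepted; 3 is the one used in the answer.
        [ValidateRange(3, 5)][int]$Level = 3
    )
    $before = Get-RegistryDword $LsaKey 'LmCompatibilityLevel'
    if ($null -eq $before) { $before = 'unset' }
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level `
        -PropertyType DWord -Force | Out-Null
    Write-Output ("LmCompatibilityLevel: {0} -> {1}" -f $before, $Level)
}

Get-SmbClientAuthState | Format-List
# Set-LmCompatibilityLevel -Level 3   # uncomment to apply the setting from the answer
```

A domain GPO that defines this policy overwrites the registry value at the next policy refresh. On the Samba server, `testparm -sv` prints the effective values, defaults included, of the `lanman auth`, `client lanman auth` and `client NTLMv2 auth` parameters mentioned in the comments.
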

Pravesh Parekh
Author by

Updated on September 18, 2022

Comments

  • Pravesh Parekh
    Pravesh Parekh over 1 year

    I have a server running RHEL. In the network are three workstations: two linux (RHEL) and one Windows 7. I am using samba to share a storage device (connected to the server) with the workstations. For more than a year this has worked out fine. However, after updating the server yesterday, I am unable to access the shared folder on the Windows workstation.

    Specifically, Windows does not recognize the password anymore. When I click on "Map network drive", enter path to the shared folder, and enter my credentials, Windows tells me "The specified network password is not correct". I can access the shared folders on both the Linux workstations though.

    Here is what I have checked and confirmed:

    • Ensured that LAN Manager authentication level is set to "Send LM & NTLM - use NTLMv2 session security if negotiated" [from here]
    • Ensured that I can access the shared folder on both the Linux workstations
    • Created a new shared folder and can access that too on both the Linux workstations
    • Ensured that I can ping the server from my Windows workstation
    • Ensured that date and time are correct on all machines
    • Tried rebooting everything (and hoping that the problem goes away)

    Expected behaviour: I would like Windows to access the shared folder

    What is not happening: Windows is unable to access the shared folder

    I would like to re-iterate that the folder was accessible before the update (two days back). My current version of samba is 4.6.2 and RHEL is 7.4.

    Here are bits and pieces from the smb.conf file (complete file below):

    #======================= Global Settings =====================================
    
    [global]
    
    # ----------------------- Network-Related Options -------------------------
        workgroup = MSHOME
        server string = Samba Server Version %v
    
    # ----------------------- Standalone Server Options ------------------------
        security = user
        passdb backend = tdbsam
    
        [MBIAL_STORAGE]
        path = /run/media/MBIAL/MBIAL_STORAGE
        guest ok = yes
        browseable = yes
        writable = yes
        valid_users = MBIAL
        # write list = test
        # valid users = test
    

    where MBIAL_STORAGE is the name of the shared folder. The Linux workstations are accessing this using smb://IP_ADDRESS/mbial_storage with MBIAL as the username and MSHOME as the workgroup. I have tried giving Windows MSHOME\MBIAL as the username but that did not work as well.

    Here is the complete smb.conf file:

    # This is the main Samba configuration file. For detailed information about the
    # options listed here, refer to the smb.conf(5) manual page. Samba has a huge
    # number of configurable options, most of which are not shown in this example.
    #
    # The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
    # guides for installing, configuring, and using Samba:
    # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
    #
    # The Samba-3 by Example guide has working examples for smb.conf. This guide is
    # generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
    #
    # In this file, lines starting with a semicolon (;) or a hash (#) are
    # comments and are ignored. This file uses hashes to denote commentary and
    # semicolons for parts of the file you may wish to configure.
    #
    # Note: Run the "testparm" command after modifying this file to check for basic
    # syntax errors.
    #
    #---------------
    # Security-Enhanced Linux (SELinux) Notes:
    #
    # Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
    # and groupadd family of binaries. Run the following command as the root user to
    # turn this Boolean on:
    # setsebool -P samba_domain_controller on
    #
    # Turn the samba_enable_home_dirs Boolean on if you want to share home
    # directories via Samba. Run the following command as the root user to turn this
    # Boolean on:
    # setsebool -P samba_enable_home_dirs on
    #
    # If you create a new directory, such as a new top-level directory, label it
    # with samba_share_t so that SELinux allows Samba to read and write to it. Do
    # not label system directories, such as /etc/ and /home/, with samba_share_t, as
    # such directories should already have an SELinux label.
    #
    # Run the "ls -ldZ /path/to/directory" command to view the current SELinux
    # label for a given directory.
    #
    # Set SELinux labels only on files and directories you have created. Use the
    # chcon command to temporarily change a label:
    # chcon -t samba_share_t /path/to/directory
    #
    # Changes made via chcon are lost when the file system is relabeled or commands
    # such as restorecon are run.
    #
    # Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
    # directories. To share such directories and only allow read-only permissions:
    # setsebool -P samba_export_all_ro on
    # To share such directories and allow read and write permissions:
    # setsebool -P samba_export_all_rw on
    #
    # To run scripts (preexec/root prexec/print command/...), copy them to the
    # /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
    # Note that if you move the scripts to /var/lib/samba/scripts/, they retain
    # their existing SELinux labels, which may be labels that SELinux does not allow
    # smbd to run. Copying the scripts will result in the correct SELinux labels.
    # Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
    # apply the correct SELinux labels to these files.
    #
    #--------------
    #
    #======================= Global Settings =====================================
    
    [global]
    
    # ----------------------- Network-Related Options -------------------------
    #
    # workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
    #
    # server string = the equivalent of the Windows NT Description field.
    #
    # netbios name = used to specify a server name that is not tied to the hostname.
    #
    # interfaces = used to configure Samba to listen on multiple network interfaces.
    # If you have multiple interfaces, you can use the "interfaces =" option to
    # configure which of those interfaces Samba listens on. Never omit the localhost
    # interface (lo).
    #
    # hosts allow = the hosts allowed to connect. This option can also be used on a
    # per-share basis.
    #
    # hosts deny = the hosts not allowed to connect. This option can also be used on
    # a per-share basis.
    #
    # max protocol = used to define the supported protocol. The default is NT1. You
    # can set it to SMB2 if you want experimental SMB2 support.
    #
        workgroup = MSHOME
        server string = Samba Server Version %v
    
    ;   netbios name = MYSERVER
    
    ;   interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 10.11.1.152 10.11.1.151 127.0.0.1
    ;   hosts allow = 127. 192.168.12. 192.168.13. 10.11.1.152 10.11.1.151
    
    ;   max protocol = SMB2
    
    # --------------------------- Logging Options -----------------------------
    #
    # log file = specify where log files are written to and how they are split.
    #
    # max log size = specify the maximum size log files are allowed to reach. Log
    # files are rotated when they reach the size specified with "max log size".
    #
    
        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50
        debuglevel = 7
    # ----------------------- Standalone Server Options ------------------------
    #
    # security = the mode Samba runs in. This can be set to user, share
    # (deprecated), or server (deprecated).
    #
    # passdb backend = the backend used to store user information in. New
    # installations should use either tdbsam or ldapsam. No additional configuration
    # is required for tdbsam. The "smbpasswd" utility is available for backwards
    # compatibility.
    #
    
        security = user
        passdb backend = tdbsam
    
    
    # ----------------------- Domain Members Options ------------------------
    #
    # security = must be set to domain or ads.
    #
    # passdb backend = the backend used to store user information in. New
    # installations should use either tdbsam or ldapsam. No additional configuration
    # is required for tdbsam. The "smbpasswd" utility is available for backwards
    # compatibility.
    #
    # realm = only use the realm option when the "security = ads" option is set.
    # The realm option specifies the Active Directory realm the host is a part of.
    #
    # password server = only use this option when the "security = server"
    # option is set, or if you cannot use DNS to locate a Domain Controller. The
    # argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
    #
    # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
    #
    # Use "password server = *" to automatically locate Domain Controllers.
    
    ;   security = domain
    ;   passdb backend = tdbsam
    ;   realm = MY_REALM
    
    ;   password server = <NT-Server-Name>
    
    # ----------------------- Domain Controller Options ------------------------
    #
    # security = must be set to user for domain controllers.
    #
    # passdb backend = the backend used to store user information in. New
    # installations should use either tdbsam or ldapsam. No additional configuration
    # is required for tdbsam. The "smbpasswd" utility is available for backwards
    # compatibility.
    #
    # domain master = specifies Samba to be the Domain Master Browser, allowing
    # Samba to collate browse lists between subnets. Do not use the "domain master"
    # option if you already have a Windows NT domain controller performing this task.
    #
    # domain logons = allows Samba to provide a network logon service for Windows
    # workstations.
    #
    # logon script = specifies a script to run at login time on the client. These
    # scripts must be provided in a share named NETLOGON.
    #
    # logon path = specifies (with a UNC path) where user profiles are stored.
    #
    #
    ;   security = user
    ;   passdb backend = tdbsam
    
    ;   domain master = yes
    ;   domain logons = yes
    
        # the following login script name is determined by the machine name
        # (%m):
    ;   logon script = %m.bat
        # the following login script name is determined by the UNIX user used:
    ;   logon script = %u.bat
    ;   logon path = \\%L\Profiles\%u
        # use an empty path to disable profile support:
    ;   logon path =
    
        # various scripts can be used on a domain controller or a stand-alone
        # machine to add or delete corresponding UNIX accounts:
    
    ;   add user script = /usr/sbin/useradd "%u" -n -g users
    ;   add group script = /usr/sbin/groupadd "%g"
    ;   add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    ;   delete user script = /usr/sbin/userdel "%u"
    ;   delete user from group script = /usr/sbin/userdel "%u" "%g"
    ;   delete group script = /usr/sbin/groupdel "%g"
    
    
    # ----------------------- Browser Control Options ----------------------------
    #
    # local master = when set to no, Samba does not become the master browser on
    # your network. When set to yes, normal election rules apply.
    #
    # os level = determines the precedence the server has in master browser
    # elections. The default value should be reasonable.
    #
    # preferred master = when set to yes, Samba forces a local browser election at
    # start up (and gives itself a slightly higher chance of winning the election).
    #
    ;   local master = no
    ;   os level = 33
    ;   preferred master = yes
    
    #----------------------------- Name Resolution -------------------------------
    #
    # This section details the support for the Windows Internet Name Service (WINS).
    #
    # Note: Samba can be either a WINS server or a WINS client, but not both.
    #
    # wins support = when set to yes, the NMBD component of Samba enables its WINS
    # server.
    #
    # wins server = tells the NMBD component of Samba to be a WINS client.
    #
    # wins proxy = when set to yes, Samba answers name resolution queries on behalf
    # of a non WINS capable client. For this to work, there must be at least one
    # WINS server on the network. The default is no.
    #
    # dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
    # nslookups.
    
    ;   wins support = yes
    ;   wins server = w.x.y.z
    ;   wins proxy = yes
    
    ;   dns proxy = yes
    
    # --------------------------- Printing Options -----------------------------
    #
    # The options in this section allow you to configure a non-default printing
    # system.
    #
    # load printers = when set you yes, the list of printers is automatically
    # loaded, rather than setting them up individually.
    #
    # cups options = allows you to pass options to the CUPS library. Setting this
    # option to raw, for example, allows you to use drivers on your Windows clients.
    #
    # printcap name = used to specify an alternative printcap file.
    #
    
        load printers = no
        cups options = raw
    
    ;   printcap name = /etc/printcap
        # obtain a list of printers automatically on UNIX System V systems:
    ;   printcap name = lpstat
    ;   printing = cups
    
    # --------------------------- File System Options ---------------------------
    #
    # The options in this section can be un-commented if the file system supports
    # extended attributes, and those attributes are enabled (usually via the
    # "user_xattr" mount option). These options allow the administrator to specify
    # that DOS attributes are stored in extended attributes and also make sure that
    # Samba does not change the permission bits.
    #
    # Note: These options can be used on a per-share basis. Setting them globally
    # (in the [global] section) makes them the default for all shares.
    
    ;   map archive = no
    ;   map hidden = no
    ;   map read only = no
    ;   map system = no
    ;   store dos attributes = yes
    
    
    #============================ Share Definitions ==============================
    
    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
    ;   valid users = %S
    ;   valid users = MYDOMAIN\%S
    
    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = yes
        guest ok = no
        writable = yes
        printable = yes
    
    # Un-comment the following and create the netlogon directory for Domain Logons:
    ;   [netlogon]
    ;   comment = Network Logon Service
    ;   path = /var/lib/samba/netlogon
    ;   guest ok = yes
    ;   writable = yes
    ;   share modes = yes
    
    
    # Un-comment the following to provide a specific roving profile share.
    # The default is to use the user's home directory:
    ;   [Profiles]
    ;   path = /var/lib/samba/profiles
    ;   browseable = yes
    ;   guest ok = yes
    
        [MBIAL_STORAGE]
        path = /run/media/MBIAL/MBIAL_STORAGE
        guest ok = yes
        browseable = yes
        writable = yes
        valid_users = MBIAL
        # write list = test
        # valid users = test
    

    Would really appreciate any insight into the matter. I am hoping that this is something really trivial and stupid which I am overlooking!

    • Astara
      Astara over 6 years
      I don't suppose you've tried a restore point, or trying to uninstall recent updates in the past week, or restoring a system image? Those would be first things to try. I assume your samba hasn't changed in the past few months (or since you last rebooted Windows?)... Also, is your samba share on a public or home net with Win7? Or is Win7 accessing the share over an internal net or over the internet? Oh...you are also running selinux? Ug... that can complicate matters I'd expect...
    • Pravesh Parekh
      Pravesh Parekh over 6 years
      @Astara Hello, actually I never updated my Windows workstation. Only the server was updated. So no updates to uninstall. Indeed, samba config has not changed since the past year and the Windows WS was rebooted only after the problem started. The samba share network is set as home on the Windows workstation.
    • Pravesh Parekh
      Pravesh Parekh over 6 years
      Hello again, this is absolutely bonkers but I edited the LAN Manager authentication level to "Send NTLMv2 response only" and I am able to access the folder now. Setting it back to "Send LM & NTLM - use NTLMv2 session security if negotiated" makes the folder inaccessible. Is this reflective of some change in the way samba works now? Or does it mean that there is something wrong with my samba configuration?
    • Pravesh Parekh
      Pravesh Parekh over 6 years
      I see a similar answer here now: superuser.com/a/1129426 (missed it before).
  • Pravesh Parekh
    Pravesh Parekh over 6 years
    Hi, thanks for the reply. I checked the policy but it is already disabled. Changing the LAN Manager authentication level to "Send NTLMv2 response only" from "Send LM & NTLM - use NTLMv2 session security if negotiated." seems to solve the problem. Do you have any suggestions why?
  • harrymc
    harrymc over 6 years
    See this link. Apparently your Samba uses the outdated LAN Manager method with the weak LM hash algorithm for passwords. The reason might be poor defaults in smb.conf.
  • Pravesh Parekh
    Pravesh Parekh over 6 years
    Pardon my naivety but what I understood is that only using NTLMv2 is better and the recommended option. So that means that once my samba got updated (along with RHEL), it has stopped using the older and weaker LM hash method for passwords? Would that be correct? Then I no longer need to do anything further, I guess? I am given to understand that client lanman auth and lanman auth are set to no by default and client NTLMv2 auth is set to yes by default. I do not see these entries in my conf file so I guess that the defaults are being applied?
  • harrymc
    harrymc over 6 years
    My previous comment was too hastily written. NTLMv2 is better, but apparently your Samba mismanaged the session security negotiations with Windows, so couldn't agree on the algorithm for passwords. Once you dictated the security method things worked. Why? The best answer is some unknown incompatibility between the Linux/Windows implementations of the protocol.
  • Pravesh Parekh
    Pravesh Parekh over 6 years
    Ah well! Thank you very much for helping me out though. Could you please incorporate this into your answer so that I can go ahead and accept it? Thanks again
  • harrymc
    harrymc over 6 years
    Done as requested.