[Samba] Windows 10 in Samba 3 domain: netlogon share access denied

Marcel Ebbrecht m.ebbrecht at dortmundit.de
Thu Jul 9 14:04:39 UTC 2015


Louis was right :)

Solution: GPEDIT.MSC -> Computer -> Administrative Templates -> Network
-> Network Provider -> Hardened UNC Paths

Added

\\foo.lan\netlogon and Value:  
RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0

also added this for \\dc1\... and \\dc1.e2c.lan\... works :)

Better call samba people when having problems with windows ;)

On 09.07.2015 at 13:26, L.P.H. van Belle wrote:
> any messages in the windows 10 event logs, that could give some extra insight.
>
> according to
> https://social.technet.microsoft.com/Forums/en-US/7f5207cc-b202-47fc-bbb8-9ebe46a31961/network-logon-script-failure?forum=WinPreview2014General
>
>> \\foo.lan\netlogon
> should work.
>
> but,  https://adsecurity.org/?p=1405
> has some good info about the latest patch about hardening GPO. (which imo will also be in Windows 10)
> I'm thinking it also has to do with this
> and since win10 is not RTM yet, that can be changed.
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Marcel Ebbrecht
>> Sent: Thursday 9 July 2015 13:02
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Windows 10 in Samba 3 domain: netlogon
>> share access denied
>>
>> let's ignore the dfs and concentrate on the direct access:
>>
>> domain is foo.lan
>>
>> tried:
>>
>>
>> \\dc1\netlogon
>> \\ip\netlogon
>> \\dc1.foo.lan\netlogon
>> \\foo.lan\netlogon
>>
>> doesn't work with foo.lan\username and just username
>>
>> \\dc1\netlogon2
>> \\ip\netlogon2
>> \\dc1.foo.lan\netlogon2
>> \\foo.lan\netlogon2
>>
>> works with foo.lan\username and just username - same
>> directory, same config, just another sharename (see config).
>>
>> Tried also with guest ok ... netlogon2 works, netlogon not.
>> Everything works except the netlogon share and joining domain :(
>>
>> Can someone confirm that Build 10162 doesn't want to connect
>> to netlogon shares?
>>
>> I also created a netlogon share on one of our Windows servers
>> (old 2003 testing machine) ... doesn't work, so this is
>> obviously no Samba problem :(
>>
>> BUT: Samba people are often more competent than microsoft
>> people on Windows ;) So is anyone here who can confirm this
>> problem and, perhaps, submit a solution ?
>>
>> ty
>>
>>
>> On 09.07.2015 at 11:14, L.P.H. van Belle wrote:
>>> what if you try to change .
>>>
>>> msdfs:dc1\netlogon
>>> to
>>> msdfs:dc1.your.domain.tld\netlogon
>>>
>>> or use
>>> Accessing \\dc1.your.domain.tld\netlogon
>>>
>>>
>>> greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Marcel Ebbrecht
>>>> Sent: Thursday 9 July 2015 10:42
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Windows 10 in Samba 3 domain: netlogon
>>>> share access denied
>>>>
>>>> Hi,
>>>>
>>>> I got the same problem with Build 10162. I don't think it's a Samba
>>>> issue. It seems that Windows 10 doesn't like "\\....\netlogon". Our Samba
>>>> 3.5.6 PDC works like a charm for win 7. From my Win10 PC I can access
>>>> everything except \\dc1\netlogon
>>>>
>>>> Symptoms:
>>>> Accessing \\dc1\netlogon -> Auth fail
>>>> Accessing \\dc1\netlogon2 -> Works (same config!!!)
>>>> Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon)
>>>>
>>>> Everything works except accessing \\dc1\netlogon directly and joining
>>>> domain (no AD DC found) ... must be something special with Windows 10
>>>> and I bet it's:
>>>> - a reg key
>>>> - not solvable, because MS doesn't want us to access netlogon shares ...
>>>>
>>>> Config:
>>>>
>>>> [netlogon2]
>>>>    comment = Network Logon Service
>>>> #   browseable = no
>>>>    path = /opt/netlogon
>>>>    guest ok = yes
>>>>    read only = no
>>>>    force group = "Domain Admins"
>>>>    create mode = 0665
>>>>    directory mask = 0775
>>>>    write list = @"Domain Admins"
>>>> #   valid users = @"Domain Users" @"Domain Admins"
>>>>    force user = nobody
>>>>    veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>>    delete veto files = no
>>>>
>>>> [netlogon]
>>>>    comment = Network Logon Service
>>>> #   browseable = no
>>>>    path = /opt/netlogon
>>>>    guest ok = yes
>>>>    read only = no
>>>>    force group = "Domain Admins"
>>>>    create mode = 0665
>>>>    directory mask = 0775
>>>>    write list = @"Domain Admins"
>>>> #   valid users = @"Domain Users" @"Domain Admins"
>>>>    force user = nobody
>>>>    veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>>    delete veto files = no
>>>>
>>>> ### DFS Config ###
>>>>
>>>> [s1]
>>>>    comment = DFS Share s1
>>>>    path = /opt/s1
>>>>    msdfs root = yes
>>>>    browseable = yes
>>>>    read only = yes
>>>>    force group = "Domain Admins"
>>>>    create mode = 0660
>>>>    directory mask = 0770
>>>>    valid users = @"Domain Users" @"Domain Admins"
>>>>    veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>>    delete veto files = no
>>>>
>>>> ### Link in DFS path ###
>>>> lrwxrwxrwx 1 root   root          18  1. Okt 2013  Netlogon -> msdfs:dc1\netlogon
>>>>
>>>> Greetings
>>>>
>>>> -- 
>>>> Marcel Ebbrecht <m.ebbrecht at dortmundit.de>
>>>> e2 consulting UG (haftungsbeschraenkt)
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>
>>
>
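
The Hardened UNC Paths entries from the solution at the top of this message are stored as string values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths`, one value per UNC path. The following PowerShell is an added example (not part of the original thread) that lists every path on which a protection has been switched off, so that such exceptions can be tracked and kept as narrow as possible; the function names and the sample entries are constructed for illustration.

```powershell
# Added example: audit Hardened UNC Paths entries for disabled protections.
# Registry location written by the "Hardened UNC Paths" policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Flags     = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'

# Hypothetical helper: takes @{ '<UNC path>' = '<flag list>' } and returns
# one object per path that has at least one flag explicitly set to 0.
function Get-WeakenedUncPath {
    param([hashtable]$Entries)
    foreach ($path in ($Entries.Keys | Sort-Object)) {
        # Parse "Name=Value,Name=Value" into a case-insensitive lookup table.
        $set = @{}
        foreach ($pair in ($Entries[$path] -split ',')) {
            $name, $value = $pair.Trim() -split '=', 2
            if ($name) { $set[$name] = $value }
        }
        $off = @($Flags | Where-Object { $set[$_] -eq '0' })
        if ($off.Count -gt 0) {
            [pscustomobject]@{ Path = $path; Disabled = $off -join ', ' }
        }
    }
}

# Hypothetical helper: reads the live policy into the same hashtable shape.
function Read-HardenedPathsPolicy {
    $entries = @{}
    if (Test-Path $PolicyKey) {
        $key = Get-Item $PolicyKey
        foreach ($name in $key.GetValueNames()) {
            $entries[$name] = [string]$key.GetValue($name)
        }
    }
    $entries
}

# Constructed sample: the first entry is the value given in the post,
# the second is a constructed contrast case with protections left on.
$sample = @{
    '\\foo.lan\netlogon' = 'RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0'
    '\\*\SYSVOL'         = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}
Get-WeakenedUncPath -Entries $sample | Format-Table -AutoSize

# On a Windows client, audit the real policy instead of the sample:
# Get-WeakenedUncPath -Entries (Read-HardenedPathsPolicy)
```

With the sample, only `\\foo.lan\netlogon` is reported, with all three flags listed as disabled.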



