[Samba] Windows 10 in Samba 3 domain: netlogon share access denied

L.P.H. van Belle belle at bazuin.nl
Thu Jul 9 14:34:11 UTC 2015


I'm just smart with my external memory (Google).
Googled this within 3 minutes. ;-)
And you know, I never installed/used Windows 10 ;-) (yet).
Starting with that after my holiday... and when Samba 4.2.3 is in SerNet.

But you're welcome, and happy it works for you.
And I now have a new GPO setting tested by you... Thanks!
            _
           /(|
          (  :
         __\  \  _____
       (____)  `|
      (____)|   |
       (____).__|
        (___)__.|_____

;-) 

Greetz, 

Louis


>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcel Ebbrecht
>Sent: Thursday, 9 July 2015 16:05
>To: samba at lists.samba.org
>CC: m.endtricht at dortmundit.de
>Subject: Re: [Samba] Windows 10 in Samba 3 domain: netlogon share access denied
>
>Louis was right :)
>
>Solution: GPEDIT.MSC -> Computer -> Administrative templates -> Network -> Network Provider -> Hardened UNC Paths
>
>Added
>
>\\foo.lan\netlogon and Value:  
>RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
>
>also added this for \\dc1\... and \\dc1.e2c.lan\... works :)
>
>Better call samba people when having problems with windows ;)
>
>On 09.07.2015 at 13:26, L.P.H. van Belle wrote:
>> Any messages in the Windows 10 event logs that could give some extra insight?
>>
>> According to
>> https://social.technet.microsoft.com/Forums/en-US/7f5207cc-b202-47fc-bbb8-9ebe46a31961/network-logon-script-failure?forum=WinPreview2014General
>>
>>> \\foo.lan\netlogon
>> should work.
>>
>> But https://adsecurity.org/?p=1405
>> has some good info about the latest patch about hardening GPO (which IMO will also be in Windows 10).
>> I'm thinking it also has to do with this,
>> and since Win10 is not RTM yet, that can be changed.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcel Ebbrecht
>>> Sent: Thursday, 9 July 2015 13:02
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Windows 10 in Samba 3 domain: netlogon share access denied
>>>
>>> Let's ignore the DFS and concentrate on the direct access:
>>>
>>> domain is foo.lan
>>>
>>> tried:
>>>
>>>
>>> \\dc1\netlogon
>>> \\ip\netlogon
>>> \\dc1.foo.lan\netlogon
>>> \\foo.lan\netlogon
>>>
>>> Doesn't work with foo.lan\username and just username
>>>
>>> \\dc1\netlogon2
>>> \\ip\netlogon2
>>> \\dc1.foo.lan\netlogon2
>>> \\foo.lan\netlogon2
>>>
>>> Works with foo.lan\username and just username - same
>>> directory, same config, just another share name (see config).
>>>
>>> Tried also with guest ok ... netlogon2 works, netlogon not.
>>> Everything works except the netlogon share and joining the domain :(
>>>
>>> Can someone confirm that Build 10162 doesn't want to connect
>>> to netlogon shares?
>>>
>>> I also created a netlogon share on one of our Windows servers
>>> (old 2003 testing machine) ... doesn't work, so this is
>>> obviously no Samba problem :(
>>>
>>> BUT: Samba people are often more competent than Microsoft
>>> people on Windows ;) So is there anyone here who can confirm this
>>> problem and, perhaps, submit a solution?
>>>
>>> ty
>>>
>>>
>>> On 09.07.2015 at 11:14, L.P.H. van Belle wrote:
>>>> What if you try to change
>>>>
>>>> msdfs:dc1\netlogon
>>>> to
>>>> msdfs:dc1.your.domain.tld\netlogon
>>>>
>>>> or use
>>>> Accessing \\dc1.your.domain.tld\netlogon
>>>>
>>>>
>>>> greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcel Ebbrecht
>>>>> Sent: Thursday, 9 July 2015 10:42
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] Windows 10 in Samba 3 domain: netlogon share access denied
>>>>>
>>>>> Hi,
>>>>>
>>>>> I got the same problem with Build 10162. I don't think it's a Samba
>>>>> issue. It seems that Windows 10 doesn't like "\\....\netlogon". Our Samba
>>>>> 3.5.6 PDC works like a charm for Win 7. From my Win10 PC I can access
>>>>> everything except \\dc1\netlogon
>>>>>
>>>>> Symptoms:
>>>>> Accessing \\dc1\netlogon -> Auth fail
>>>>> Accessing \\dc1\netlogon2 -> Works (same config!!!)
>>>>> Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon)
>>>>>
>>>>> Everything works except accessing \\dc1\netlogon directly and joining
>>>>> the domain (no AD DC found) ... must be something special with Windows 10
>>>>> and I bet it's:
>>>>> - a reg key
>>>>> - not solvable, because MS doesn't want us to access netlogon shares ...
>>>>>
>>>>> Config:
>>>>>
>>>>> [netlogon2]
>>>>>    comment = Network Logon Service
>>>>> #   browseable = no
>>>>>    path = /opt/netlogon
>>>>>    guest ok = yes
>>>>>    read only = no
>>>>>    force group = "Domain Admins"
>>>>>    create mode = 0665
>>>>>    directory mask = 0775
>>>>>    write list = @"Domain Admins"
>>>>> #   valid users = @"Domain Users" @"Domain Admins"
>>>>>    force user = nobody
>>>>>    veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>>>    delete veto files = no
>>>>>
>>>>> [netlogon]
>>>>>    comment = Network Logon Service
>>>>> #   browseable = no
>>>>>    path = /opt/netlogon
>>>>>    guest ok = yes
>>>>>    read only = no
>>>>>    force group = "Domain Admins"
>>>>>    create mode = 0665
>>>>>    directory mask = 0775
>>>>>    write list = @"Domain Admins"
>>>>> #   valid users = @"Domain Users" @"Domain Admins"
>>>>>    force user = nobody
>>>>>    veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>>>    delete veto files = no
>>>>>
>>>>> ### DFS Config ###
>>>>>
>>>>> [s1]
>>>>>    comment = DFS Share s1
>>>>>    path = /opt/s1
>>>>>    msdfs root = yes
>>>>>    browseable = yes
>>>>>    read only = yes
>>>>>    force group = "Domain Admins"
>>>>>    create mode = 0660
>>>>>    directory mask = 0770
>>>>>    valid users = @"Domain Users" @"Domain Admins"
>>>>>    veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>>>    delete veto files = no
>>>>>
>>>>> ### Link in DFS path ###
>>>>> lrwxrwxrwx 1 root   root          18  1. Okt 2013  Netlogon ->
>>>>> msdfs:dc1\netlogon
>>>>>
>>>>> Greetings
>>>>>
>>>>> -- 
>>>>> Marcel Ebbrecht <m.ebbrecht at dortmundit.de>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>
>>>
>>
>
>
>
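
An added example (not part of the original thread and not Samba or Microsoft code): a PowerShell audit that lists the Hardened UNC Paths entries a client has received and flags any that switch a requirement off, such as the `RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0` value quoted above. It assumes the policy is stored under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths`; the function names are hypothetical, and the fallback entries are constructed sample data modelled on the thread.

```powershell
# Added example: audit Hardened UNC Paths entries (function names are hypothetical).
# Assumption: the GPO writes one string value per UNC path under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # Parse "Name=0|1,Name=0|1,..." into a hashtable; an absent name counts as not required.
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair -split '=', 2
        if ($name.Trim()) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

function Get-HardenedPathAudit {
    param([hashtable]$Entries)
    foreach ($path in ($Entries.Keys | Sort-Object)) {
        $flags     = ConvertFrom-HardenedPathValue $Entries[$path]
        $mutual    = $flags['RequireMutualAuthentication'] -eq '1'
        $integrity = $flags['RequireIntegrity'] -eq '1'
        [pscustomobject]@{
            UncPath    = $path
            MutualAuth = $mutual
            Integrity  = $integrity
            Privacy    = $flags['RequirePrivacy'] -eq '1'
            # Flag entries that leave the path without mutual auth or integrity.
            Relaxed    = -not ($mutual -and $integrity)
        }
    }
}

# Read the live policy if present; otherwise fall back to constructed sample
# data modelled on the values quoted in the thread.
$entries = @{}
if (Test-Path $PolicyKey) {
    $key = Get-Item $PolicyKey
    foreach ($n in $key.GetValueNames()) { $entries[$n] = [string]$key.GetValue($n) }
} else {
    $entries['\\foo.lan\netlogon'] = 'RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0'
    $entries['\\*\SYSVOL'] = 'RequireMutualAuthentication=1,RequireIntegrity=1'
}

Get-HardenedPathAudit -Entries $entries | Format-Table -AutoSize
```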



