[Samba] Error: Access to the resource \\netbiosname has been disallowed?

Aaron Rosenblum arosenbl at mac.com
Fri Apr 15 17:57:52 GMT 2005 

Hey all,

I have a samba server running 3.0.10 and I am getting a weird response 
from PC (XP and 2K) clients.  The PCs are joined to the domain as is 
the samba server.  When any PCs try to connect using the netbios name 
or IP I get the error:

Access to the resource \\netbiosname has been disallowed.

If I unjoin the PCs from the ADS domain, they can connect fine.  I see 
no kerberos errors and smb.conf is not set up to use it so its passing 
through non kerberos auth.  The weird thing is, if I go into a user 
account in AD, click the profile tab and then add a path to a share on 
my samba box (using \\IPaddress\Sharename) it maps the drive for the 
PCs when they log in, but subsequent attempts to connect to the same 
samba server (even by IP) after login fail with the above message.

This leads me to think that there is some policy being applied to the 
PCs that is preventing them from connecting.  I looked on the domain 
controller (win2k3) and see that:

Start -> All Programs -> Administrative Tools -> Domain Controller 
Security Policy.  in Local Policies: Security Options, and set the 
following:

     * Microsoft Network Server: Digitally sign communications (always): 
DISABLED
     * Microsoft Network Server: Digitally sign communications (if 
client agrees): ENABLED

     * Microsoft Network Client: Digitally sign communications (always): 
DISABLED
     * Microsoft Network Client: Digitally sign communications (if 
server agrees): ENABLED

     * Domain Member: Digitally encrypt or sign secure data channel 
(always): DISABLED
     * Domain Member: Digitally encrypt secure data channel (when 
possible): ENABLED
     * Domain Member: Digitally sign secure data channel (when 
possible): ENABLED

And then I also checked that:

Network Security: LAN Manager authentication level: Sent NTLM response 
only

After changing these settings I did a:

gpuupdate /Force /Wait:0 to apply the settings on the domain controller.

However, my PC clients still can't connect.  Has anyone run into this 
before?  Any more policies to look for?  Is this a known issue with 
this combination?

thanks

Aaron

More information about the samba mailing list