[Samba] Windows XP & greyed-out Guest user password prompt

Wed Mar 30 01:23:39 GMT 2005

(replying to self again)
Update:
The Windows XP (SP2, BTW) client tries three times to log in to the 
Samba server with the Windows username, which is different from the 
Samba username. As one would expect, Samba replies to each of the three 
requests with a "STATUS_WRONG_PASSWORD" message, and in the same packets 
the Action segment reads 0x0001 "Guest: Logged in as GUEST". If a new XP 
user is created with the same username and password as the Samba 
account, the problem goes away. But if either the XP username or the XP 
password differs from Samba's info, the user is never prompted for the 
real username or password.

Unfortunately, we have situations where the desired behavior is for 
Windows to allow the Samba username to be different from the Windows XP 
client username, and prompt for a different username if the 
currently-logged-in username/pw fails. Instead, XP forces a guest login.

I'd think that this is purely a client issue, except that when I try 
this with a Windows 2000 server or a 2003 server, I'm prompted for a 
username AND password if the Windows XP uid/pw fails.

For what it's worth, Samba returns "STATUS_WRONG_PASSWORD" errors (even 
if the Samba user doesn't exist), while the Windows 2000 server returns 
"STATUS_LOGON_FAILURE" errors.

-Jules

Jules Agee wrote:
> (replying to self)
> I'd appreciate any response at all (including RTFM, but a pointer to 
> which FM I should R again would be very appreciated).
> 
> Again, we're running Samba 3.0.7 on Debian Sarge, and this problem 
> doesn't appear when we connect to Windows file servers, so I thought 
> someone here might have some information that might help me track down 
> the solution. Thanks for your time!
> 
> Jules Agee wrote:
> 
>> Hi, we've been using Samba for a while, and are just now starting to 
>> switch our desktop computers to Windows XP. We are having a problem 
>> where connections to our Samba server fail, and the user is presented 
>> with a password prompt asking for a password for user Guest. They 
>> can't select a different user.
>>
>> I've searched the Microsoft knowledgebase, and the Samba list 
>> archives, and there are others who have seen this problem, but none of 
>> the suggestions presented seem to help. We are currently using 
>> "security = share" because there are some legacy scripts that depend 
>> on not getting prompted for a username to access some read-only shares 
>> we have set up. But just for troubleshooting, I have tried setting 
>> "security = user" and "map to guest = Bad User" but XP still presents 
>> the guest password prompt and the user still isn't allowed to specify 
>> their username. We are not using a domain controller.
>>
>> Everything works great when using a Windows 2000 client. In XP, 
>> mapping a drive to the Samba share works fine. From XP's command 
>> prompt, if the user's Windows login and password match what's in our 
>> LDAP directory (and they usually do), it lets them right in -- the 
>> user doesn't even get a password dialog when they do this:
>> "net use \\fileserver.example.com\share /user:joebob" But if you just 
>> set up a shortcut to \\fileserver.example.com\share or if you try to 
>> connect from the "run" line, it fails & tries to force them to login 
>> with the guest account.
>>
>> If anyone has any suggestions, or can even make a guess at an 
>> explanation for this behavior, I'd really appreciate it.
>>
>> Thanks!
>>
>> -Jules
>> julesa at pcf.com
>>
>> smb.conf, slightly sanitized:
>> [global]
>>         admin users = jane,joe,bob
>>     security = share
>>     encrypt passwords = true
>>         ldap suffix = "o=internet"
>>         ldap admin dn="cn=Administrator,o=internet"
>>     passdb backend = ldapsam:"ldaps://ldap1.example.com 
>> ldaps://ldap2.example.com"
>>     guest account = nobody
>>     invalid users = root
>>         workgroup = IS
>>         netbios name = fileserver.example.com
>>         server string = File Server
>>         name resolve order = host bcast
>>         socket options = SO_KEEPALIVE,TCP_NODELAY
>>         oplocks = yes
>>         kernel oplocks = yes
>>         level2 oplocks = no
>>         encrypt passwords = yes
>>         create mask = 770
>>         directory mask = 0770
>>         log level = 2
>>         log file = /var/log/samba/%m.log
>>         max log size = 10000
>>         map to guest = Bad Password
>>         load printers = no
>>         delete veto files = yes
>>         hide files = /Icon?/
>>         veto files = /.AppleDouble/.AppleDesktop/Network Trash 
>> Folder/TheVolumeSettingsFolder/TheFindByContentFolder/
>>     dns proxy = no
>>     log file = /var/log/samba/log.%m.
>>     max log size = 1000
>>     syslog = 0
>>     panic action = /usr/share/samba/panic-action %d
>>     preserve case = yes
>>
>> [private]
>>     comment = Your Private Home Directory
>>     path = /home/%u
>>     group = default
>>     writable = yes
>>     create mask = 0700
>>     directory mask = 0700
>>
>> [IS]
>>         comment = Information Systems
>>         path = /var/local/fileshare/IS
>>         nt acl support = no
>>         create mask = 777
>>         directory mask = 0777
>>         read only = No
>>         group = IS
>>         valid users = @IS, at ISAnalyst, at SupportAnalyst, at SystemAdmin
>>
>> [updates]
>>         comment = Software Updates
>>         path = /var/local/fileshare/admin/updates
>>         browsable = no
>>         create mask = 774
>>         group = SystemAdmin
>>         directory mask = 0775
>>         nt acl support = no
>>         read only = yes
>>         guest ok = yes
>>
>>
>>
> 