[Samba] Windows 10 in Samba 3 domain: netlogon share access denied

L.P.H. van Belle belle at bazuin.nl
Thu Jul 9 11:26:18 UTC 2015 

any messages in the windows 10 event logs, that could give some extra insight. 

according to 
https://social.technet.microsoft.com/Forums/en-US/7f5207cc-b202-47fc-bbb8-9ebe46a31961/network-logon-script-failure?forum=WinPreview2014General 

>\\foo.lan\netlogon 
should work. 

but,  https://adsecurity.org/?p=1405 
has some good info about the latest patch about hardening GPO. (which imo wil be also in windows 10 ) 
im thinking it has to do also with this 
and since win10 is not RTM yet, that can be changed. 


Greetz, 

Louis


>-----Oorspronkelijk bericht-----
>Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
>Marcel Ebbrecht
>Verzonden: donderdag 9 juli 2015 13:02
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] Windows 10 in Samba 3 domain: netlogon 
>share access denied
>
>lets ignore the dfs and concentrate on the the direct access:
>
>domain is foo.lan
>
>tried:
>
>
>\\dc1\netlogon
>\\ip\netlogon
>\\dc1.foo.lan\netlogon
>\\foo.lan\netlogon 
>
>doesnt work with foo.lan\username and just username
>
>\\dc1\netlogon2
>\\ip\netlogon2
>\\dc1.foo.lan\netlogon2
>\\foo.lan\netlogon2
>
>works with foo.lan\username and just username - same 
>directory, same config, just another sharename (see config). 
>
>Tried also with guest ok ... netlogon2 works, netlogon not. 
>Everything works except the netlogon share and joining domain :(
>
>Can someone confirm, that Build 10162 doesnt want to connect 
>to netlogon shares ? 
>
>I also created a netlogon share on one of our windows servers 
>(old 2003 testing machine) ... doesnt work, so this is 
>obviously no samba problem :( 
>
>BUT: Samba people are often more competent than microsoft 
>people on Windows ;) So is anyone here who can confirm this 
>problem and, perhaps, submit a solution ? 
>
>ty
>
>
>Am 09.07.2015 um 11:14 schrieb L.P.H. van Belle:
>> what if you try to change .
>>
>> msdfs:dc1\netlogon  
>> to 
>> msdfs:dc1.your.domain.tld\netlogon 
>>
>> or use 
>> Accessing \\dc1.your.domain.tld\netlogon 
>>
>>
>> greetz, 
>>
>> Louis
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
>>> Marcel Ebbrecht
>>> Verzonden: donderdag 9 juli 2015 10:42
>>> Aan: samba at lists.samba.org
>>> Onderwerp: [Samba] Windows 10 in Samba 3 domain: netlogon 
>>> share access denied
>>>
>>> Hi,
>>>
>>> I got the same problem with Build 10162. I dont think it's an Samba
>>> issue. It seems that Windows 10 dont like 
>"\\....\netlogon". Our Samba
>>> 3.5.6 PDC works like a charm for win 7. From my Win10 PC i 
>can access
>>> everything except \\dc1\netlogon
>>>
>>> Symptoms:
>>> Accessing \\dc1\netlogon -> Auth fail
>>> Accessing \\dc1\netlogon2 -> Works (same config!!!)
>>> Accessing \\dc1\s1\netlogon -> Works (links to \\dc1\netlogon)
>>>
>>> Everything works except accessing \\dc1\netlogon directly 
>and joining
>>> domain (no AD DC found) ... must be something special with 
>windows 10
>>> and I bet its:
>>> - a reg key
>>> - not solvable, because MS dont want us to access netlogon 
>shares ...
>>>
>>> Config:
>>>
>>> [netlogon2]
>>>   comment = Network Logon Service
>>> #   browseable = no
>>>   path = /opt/netlogon
>>>   guest ok = yes
>>>   read only = no
>>>   force group = "Domain Admins"
>>>   create mode = 0665
>>>   directory mask = 0775
>>>   write list = @"Domain Admins"
>>> #   valid users = @"Domain Users" @"Domain Admins"
>>>   force user = nobody
>>>   veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>   delete veto files = no
>>>
>>> [netlogon]
>>>   comment = Network Logon Service
>>> #   browseable = no
>>>   path = /opt/netlogon
>>>   guest ok = yes
>>>   read only = no
>>>   force group = "Domain Admins"
>>>   create mode = 0665
>>>   directory mask = 0775
>>>   write list = @"Domain Admins"
>>> #   valid users = @"Domain Users" @"Domain Admins"
>>>   force user = nobody
>>>   veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>   delete veto files = no
>>>
>>> ### DFS Config ###
>>>
>>> [s1]
>>>   comment = DFS Share s1
>>>   path = /opt/s1
>>>   msdfs root = yes
>>>   browseable = yes
>>>   read only = yes
>>>   force group = "Domain Admins"
>>>   create mode = 0660
>>>   directory mask = 0770
>>>   valid users = @"Domain Users" @"Domain Admins"
>>>   veto files = /.DS_Store*/Thumbs.db*/~\$*/
>>>   delete veto files = no
>>>
>>> ### Link in DFS path ###
>>> lrwxrwxrwx 1 root   root          18  1. Okt 2013  Netlogon ->
>>> msdfs:dc1\netlogon
>>>
>>> Greetings
>>>
>>> -- 
>>> Marcel Ebbrecht <m.ebbrecht at dortmundit.de>
>>> e2 consulting UG (haftungsbeschraenkt)
>>>
>>> Geschaeftssitz:
>>> Rheinlanddamm 201
>>> D-44139 Dortmund
>>>
>>> Telefon: +49 231 / 39982051
>>> Telefax: +49 231 / 44677897
>>> Mobil: +49 160 / 90345852
>>> Jabber: m.ebbrecht at dortmundit.de
>>> Internet: https://www.dortmundit.de
>>>
>>> Handelsregister Dortmund HRB 24666
>>> Geschaeftsfuehrer: Marcel Ebbrecht
>>> Steuernummer: 314/5723/1889
>>> USTID: DE283203942
>>>
>>> PKI: https://ssl.dortmundit.de:18016
>>>
>>> AGB: http://agb.dortmundit.de
>>>
>>> Diese E-Mail und moegliche Anhaenge enthalten vertrauliche 
>>> Informationen, die rechtlich besonders geschuetzt sein 
>>> koennen. Wenn Sie nicht der beabsichtigte Empfaenger bzw. 
>>> Adressat dieser E-mail sind und diese E-Mail etwa aufgrund 
>>> eines technischen Fehlers oder eines Versehens erhalten haben, 
>>> informieren Sie uns bitte sofort und loeschen Sie 
>>> anschliessend die E-Mail. Das unbefugte Kopieren dieser 
>>> E-Mail, etwaiger Anhaenge sowie die unbefugte Weitergabe der 
>>> enthaltenen Informationen an Dritte ist nicht gestattet.
>>>
>>> This e-mail message together with its attachments, if any, is 
>>> confidential and may contain information subject to legal 
>>> privilege (e.g. attorney-client-privilege). If you are not the 
>>> intended recipient or have received this e-mail in error, 
>>> please inform us immediately and delete this message. Any 
>>> unauthorised copying of this message (and attachments) or 
>>> unauthorised distribution of the information contained herein 
>>> is prohibited.
>>>
>>> Go Green! Print this email only when necessary.
>>>
>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list