[Samba] Incompatibility Windows 7
Dale Schroeder
dale at BriannasSaladDressing.com
Tue Aug 1 18:15:14 UTC 2017
As Gaiseric requested, here is the testparm -v diff of a working and
nonworking member server in the NT4 domain. I've tried to align the
columns, but it's possible your mail client may mangle them.
The only parameter change I have tried is changing 'ntlm auth' to Yes on
the nonworking system. It did not fix anything.
Thanks for looking.
Dale
# Samba 4.2.14 (working)          | # Samba 4.6.5 (not working)
                                  > aio max threads = 100
                                  > auto services =
client ipc signing = default      | client ipc signing = if_required
client signing = default          | client signing = if_required
debug timestamp = Yes             <
disable spoolss = Yes             | disable spoolss = No
ldap page size = 1024             | ldap page size = 1000
load printers = No                | load printers = Yes
                                  > logging =
lpq command = lpq -P'%p'          | lpq command = %p
lprm command = lprm -P'%p' %j     | lprm command =
                                  > lsa over netlogon = No
                                  > msdfs shuffle referrals = No
ntlm auth = Yes                   | ntlm auth = No
only user = No                    <
                                  > password hash gpg key ids =
preload =                         <
print command = lpr -r -P'%p' %s  | print command =
print ok = No                     <
printcap name = /dev/null         | printcap name = cups
printing = bsd                    | printing = cups
                                  > rpc server port = 0
                                  > server multi channel support = No
server signing = default          | server signing = if_required
smb2 leases = No                  | smb2 leases = Yes
                                  > smbd profiling level = off
                                  > spotlight = No
syslog = 0                        | syslog = 1
                                  > timestamp logs = Yes
use ntdb = No                     <
username =                        <
On 07/28/2017 3:43 PM, Dale Schroeder via samba wrote:
> Thank you, Gaiseric, for this invaluable input.
>
> Preliminary results: (1) smbclient to any nonworking system gives the
> same 'no logon server' error as before, while using it against a working
> member or the PDC gives the expected output. (2) net rpc testjoin from
> a working member returns an OK, while from a nonworking member returns
> nothing.
>
> When I get in front of the domain, I will run diffs on the output of
> testparm from working and nonworking systems, then report the results.
>
> Thanks again.
>
> Dale
>
>
> On 07/28/2017 2:38 PM, Gaiseric Vandal via samba wrote:
>>
>> My member file server sanitized samba config (samba 4.4.14). I
>> have the idmapping entries to force consistency between machines.
>>
>>
>> Can you try "smbclient -L \\someserver" from various samba machines?
>> That may shake out if there is some version incompatibility.
>>
>> Can you try "net rpc testjoin" on a member server?
>>
>> Can you run "testparm -v" on a problem server and compare to a good
>> server? Defaults may have changed.
>>
>> ----------------------------------------------------------
>>
>>
>> #======================= Global Settings =====================================
>> [global]
>>
>> # 5/28/17 - disable nt pipe support
>> nt pipe support = no
>>
>> syslog = 3
>>
>> # 10/8/16 for badlock idr
>> client signing = auto
>> client ipc signing = auto
>> #
>>
>> workgroup = MYDOMAIN
>>
>> # server string is the equivalent of the NT Description field
>>
>> server string = FileServer1
>>
>> # set the netbios name in case change unix host name
>> netbios name = FILESERVER1
>>
>> # Security mode. Defines in which mode Samba will operate. Possible
>> # values are share, user, server, domain and ads. Most people will want
>> # user level security. See the Samba-HOWTO-Collection for details.
>> security = domain
>>
>> #IDMAPPING
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 5000-6000
>>
>>
>> idmap config MYDOMAIN : backend = nss
>> idmap config MYDOMAIN : range = 100-2000
>>
>>
>> # winbind use default domain = yes
>> # winbind trusted domains only = yes
>> log level = 5
>>
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> #winbind rpc only = yes
>>
>>
>> # This option is important for security. It allows you to restrict
>> # connections to machines which are on your local network. The
>> # following example restricts access to two C class networks and
>> # the "loopback" interface. For more examples of the syntax see
>> # the smb.conf man page
>> ; hosts allow = 192.168.1. 192.168.2. 127.
>>
>> # If you want to automatically load your printer list rather
>> # than setting them up individually then you'll need this
>> load printers = yes
>>
>> # you may wish to override the location of the printcap file
>> ; printcap name = /etc/printcap
>>
>> # on SystemV system setting printcap name to lpstat should allow
>> # you to automatically obtain a printer list from the SystemV spool
>> # system
>> ; printcap name = lpstat
>>
>> # It should not be necessary to specify the print system type unless
>> # it is non-standard. Currently supported print systems include:
>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
>> ; printing = cups
>>
>> # Uncomment this if you want a guest account, you must add this to
>> # /etc/passwd
>> # otherwise the user "nobody" is used
>> ; guest account = pcguest
>>
>> # this tells Samba to use a separate log file for each machine
>> # that connects
>> log file = /var/samba/log/log.%m
>>
>> # Put a capping on the size of the log files (in Kb).
>> max log size = 50
>>
>> # Use password server option only with security = server
>> # The argument list may include:
>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
>> # or to auto-locate the domain controller/s
>> # password server = *
>> ; password server = <NT-Server-Name>
>>
>> # Use the realm option only with security = ads
>> # Specifies the Active Directory realm the host is part of
>> ; realm = MY_REALM
>>
>> # Backend to store user information in. New installations should
>> # use either tdbsam or ldapsam. smbpasswd is available for backwards
>> # compatibility. tdbsam requires no further configuration.
>> #passdb backend = smbpasswd
>> passdb backend = tdbsam
>>
>> # Using the following line enables you to customise your configuration
>> # on a per machine basis. The %m gets replaced with the netbios name
>> # of the machine that is connecting.
>> # Note: Consider carefully the location in the configuration file of
>> # this line. The included file is read at that point.
>> ; include = /usr/sfw/lib/smb.conf.%m
>>
>> # Configure Samba to use multiple interfaces
>> # If you have multiple network interfaces then you must list them
>> # here. See the man page for details.
>> ; interfaces = 192.168.12.2/24 192.168.13.2/24
>>
>> # Browser Control Options:
>> # set local master to no if you don't want Samba to become a master
>> # browser on your network. Otherwise the normal election rules apply
>> ; local master = no
>>
>> # OS Level determines the precedence of this server in master browser
>> # elections. The default value should be reasonable
>> ; os level = 33
>>
>> # Domain Master specifies Samba to be the Domain Master Browser. This
>> # allows Samba to collate browse lists between subnets. Don't use this
>> # if you already have a Windows NT domain controller doing this job
>> ; domain master = yes
>>
>> # Preferred Master causes Samba to force a local browser election on
>> # startup
>> # and gives it a slightly higher chance of winning the election
>> ; preferred master = yes
>>
>> # Enable this if you want Samba to be a domain logon server for
>> # Windows95 workstations.
>> ; domain logons = yes
>>
>> # if you enable domain logons then you may want a per-machine or
>> # per user logon script
>> # run a specific logon batch file per workstation (machine)
>> ; logon script = %m.bat
>> # run a specific logon batch file per username
>> ; logon script = %U.bat
>>
>> # Where to store roving profiles (only for Win95 and WinNT)
>> # %L substitutes for this servers netbios name, %U is username
>> # You must uncomment the [Profiles] share below
>> ; logon path = \\%L\Profiles\%U
>>
>> # Windows Internet Name Serving Support Section:
>> # WINS Support - Tells the NMBD component of Samba to enable its
>> # WINS Server
>> ; wins support = yes
>>
>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
>> # Note: Samba can be either a WINS Server, or a WINS Client, but
>> # NOT both
>> ; wins server = w.x.y.z
>> wins server = 192.168.x.x
>>
>> # WINS Proxy - Tells Samba to answer name resolution queries on
>> # behalf of a non WINS capable client, for this to work there must be
>> # at least one WINS Server on the network. The default is NO.
>> ; wins proxy = yes
>>
>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
>> # via DNS nslookups. The default is NO.
>> dns proxy = no
>>
>>
>> #============================ Share Definitions ==============================
>>
>> ...
>>
>> [archived_projects]
>> path = /ArchiveProjectsPool1
>> #valid users = @engr, ssc
>> read only = No
>> hide special files = Yes
>> map archive = No
>> guest ok = yes
>>
>>
>>
>> [dept]
>> msdfs root = yes
>> path = /DataPool1/Dept
>> # valid users = @group1,someuser
>> read only = No
>> hide special files = Yes
>> map archive = No
>> inherit permissions = Yes
>> inherit acls = Yes
>> vfs objects = zfsacl
>> nfs4:acedup = merge
>> nfs4:chown = yes
>> nfs4: mode = special
>> mapread only = no
>> ea support = yes
>> store dos attributes = yes
>> create mask = 0770
>> force create mode = 0600
>> directory mask = 0775
>> force directory mode = 0600
>> zfsacl: acesort = dontcare
>> ,...
>> # Un-comment the following and create the netlogon directory for
>> # Domain Logons
>> ; [netlogon]
>> ; comment = Network Logon Service
>> ; path = /usr/local/sambanetlogon
>> ; guest ok = yes
>> ; writable = no
>> ; share modes = no
>>
>>
>> # Un-comment the following to provide a specific roving profile share
>> # the default is to use the user's home directory
>> ;[Profiles]
>> ; path = /usr/local/samba/profiles
>> ; browseable = no
>> ; guest ok = yes
>>
>>
>> # NOTE: If you have a BSD-style print system there is no need to
>> # specifically define each individual printer
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> browseable = no
>> # Set public = yes to allow user 'guest account' to print
>> guest ok = no
>> writable = no
>> printable = yes
>>
>> # This one is useful for people to share files
>> ;[tmp]
>> ; comment = Temporary file space
>> ; path = /tmp
>> ; read only = no
>> ; public = yes
>>
>> # A publicly accessible directory, but read only, except for people in
>> # the "staff" group
>> ;[public]
>> ; comment = Public Stuff
>> ; path = /home/samba
>> ; public = yes
>> ; writable = no
>> ; printable = no
>> ; write list = @staff
>>
>> # Other examples.
>> #
>> # A private printer, usable only by fred. Spool data will be placed
>> # in fred's home directory. Note that fred must have write access to
>> # the spool directory, wherever it is.
>> ;[fredsprn]
>> ; comment = Fred's Printer
>> ; valid users = fred
>> ; path = /homes/fred
>> ; printer = freds_printer
>> ; public = no
>> ; writable = no
>> ; printable = yes
>>
>> # A private directory, usable only by fred. Note that fred requires
>> # write access to the directory.
>> ;[fredsdir]
>> ; comment = Fred's Service
>> ; path = /usr/somewhere/private
>> ; valid users = fred
>> ; public = no
>> ; writable = yes
>> ; printable = no
>>
>> # a service which has a different directory for each machine that
>> # connects
>> # this allows you to tailor configurations to incoming machines. You
>> # could also use the %U option to tailor it by user name.
>> # The %m gets replaced with the machine name that is connecting.
>> ;[pchome]
>> ; comment = PC Directories
>> ; path = /usr/pc/%m
>> ; public = no
>> ; writable = yes
>>
>> # A publicly accessible directory, read/write to all users. Note that
>> # all files created in the directory by users will be owned by the
>> # default user, so any user with access can delete any other user's
>> # files. Obviously this directory must be writable by the default user.
>> # Another user could of course be specified, in which case all files
>> # would be owned by that user instead.
>> ;[public]
>> ; path = /usr/somewhere/else/public
>> ; public = yes
>> ; only guest = yes
>> ; writable = yes
>> ; printable = no
>>
>> # The following two entries demonstrate how to share a directory so
>> # that two users can place files there that will be owned by the
>> # specific users. In this setup, the directory should be writable by
>> # both users and should have the sticky bit set on it to prevent abuse.
>> # Obviously this could be extended to as many users as required.
>> ;[myshare]
>> ; comment = Mary's and Fred's stuff
>> ; path = /usr/somewhere/shared
>> ; valid users = mary fred
>> ; public = no
>> ; writable = yes
>> ; printable = no
>> ; create mask = 0765
>> -------------------------------------------------------
>>
>>
>> On 07/28/17 14:57, Dale Schroeder via samba wrote:
>>> There have been a rash of NT4 threads lately on this list, so I will
>>> try to resurrect my problem once more and hope that someone is looking.
>>>
>>> I believe that there has to be more to it than the parameters listed
>>> below, because I've tried those parameters, the max/min protocol
>>> parameter options, and every other incantation postulated on this
>>> list. Regardless of what I've tried, member servers above 4.2.x
>>> absolutely will not allow access to shares with the stated fixes.
>>> [Please note that this problem started pre-badlock patches,
>>> immediately after upgrading to 4.3.x.]
>>>
>>> For me, (1) an NT4 PDC (ver. 4.6.5) with a share, allows access from
>>> linux and Windows 7 clients; however, (2) shares on 4.6.5 member
>>> servers are inaccessible (NT_STATUS_NO_LOGON_SERVERS error). (3)
>>> Shares on member servers running 4.2.x are accessible from linux and
>>> Win7.
>>>
>>> Is there anyone at all who is willing to share their 'working' NT4
>>> global config? I would appreciate it very much.
>>>
>>> Thanks,
>>> Dale
>>>
>>>
>>> On 07/21/2017 8:15 AM, Gaiseric Vandal via samba wrote:
>>>> In October, when samba was patched for "badlock" I had to set the
>>>> following
>>>>
>>>>
>>>> client signing = auto
>>>> client ipc signing = auto
>>>> server signing = auto
>>>>
>>>>
>>>> otherwise some of the signing behavior was defaulting to on. You
>>>> may want to try turning some of the signing options to auto or off.
>>>>
>>>> I am also using NT1 as the min and max server and client
>>>> protocol. SMB 2.x causes problems.
>>>>
>>>> I am running Samba 4.4.14 on my domain controllers and key file
>>>> servers. I think Samba 4.2.x is end-of-life so at some point there
>>>> will be some windows update that will break compatibility. I had
>>>> Samba 3.6.x running last year and I couldn't keep it working anymore.
>>>>
>>>>
>>>>
>>>>
>>>> On 07/21/17 08:32, Manon JEANJEAN via samba wrote:
>>>>> Hello again,
>>>>>
>>>>> False. Server max protocol = NT1 doesn't work, because all my servers
>>>>> fell 20 minutes ago.
>>>>> So it's necessary to find a new idea.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Manon JEANJEAN via samba [mailto:samba at lists.samba.org]
>>>>> Sent: Friday, 21 July 2017 11:47
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Incompatibility Windows 7
>>>>>
>>>>> Hello everybody
>>>>>
>>>>> Ok Marco, I'm reassured to see you have the same problem.
>>>>> My friend speaks of NTML for my problem; can it help me?
>>>>> What is NTML?
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Marco Gaiarin via samba [mailto:samba at lists.samba.org]
>>>>>> Sent: Friday, 21 July 2017 11:27
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Incompatibility Windows 7
>>>>>> Hello! Manon JEANJEAN via samba
>>>>> > On that day it was said...
>>>>>
>>>>>> I'm still in these situation, a samba4 NT-like domains with
>>>>>> windows 7 pro clients.
>>>>>> The error reads : There are currently no log on servers available to
>>>>>> service the log on request
>>>>>> I'm hitting this also i, recurring but ''random''; apart
>>>>>> effectively troubled box (eg, a box that boot bad, do an
>>>>>> automatic rollback from a restore point and so lost the machine
>>>>>> account) i hit errors like these, normally in twin with user
>>>>>> password change troubles.
>>>>>> Typically it suffices to look at windows updates, most of the
>>>>>> time the box have some update stuck or half-installed, and so a
>>>>>> windows update running and a reboot fix the trouble.
>>>>>> All these sort of troubles start last autumn by the infamous
>>>>>> KB3167679 update, that broke for a month or so NT domains.
>>>>>
>>>>>> Rowland, i've not set:
>>>>> Server max protocol = NT1
>>>>>
>>>>> >but, as stated, these trouble are spot and random...
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
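
The testparm -v comparison requested in this thread can be done per parameter rather than with a column diff that mail clients re-wrap. The following is an added example, not code from any poster or from the Samba project; the two sample dumps are constructed from values in the diff above, and the AUTH_RELEVANT list is an assumption of this example.

```python
import re
# Substrings marking parameters that affect authentication (assumed list).
AUTH_RELEVANT = ("signing", "ntlm auth", "protocol", "netlogon")

def parse_global(dump):
    """Return {param: value} for the [global] section of `testparm -v` output."""
    params, section = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            # Names are case-insensitive; collapse runs of whitespace.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def diff_defaults(old, new):
    """Return (changed, only_old, only_new, auth) for two dumps."""
    a, b = parse_global(old), parse_global(new)
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    only_old, only_new = sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
    differing = (a.keys() ^ b.keys()) | changed.keys()
    auth = sorted(k for k in differing if any(t in k for t in AUTH_RELEVANT))
    return changed, only_old, only_new, auth

# Constructed sample dumps; the values are taken from the diff in this message.
WORKING_4_2 = """[global]
    client signing = default
    ntlm auth = Yes
    server signing = default
    smb2 leases = No
    use ntdb = No
"""
NOT_WORKING_4_6 = """[global]
    client signing = if_required
    lsa over netlogon = No
    ntlm auth = No
    server signing = if_required
    smb2 leases = Yes
"""

if __name__ == "__main__":
    changed, only_old, only_new, auth = diff_defaults(WORKING_4_2, NOT_WORKING_4_6)
    for k, (old, new) in sorted(changed.items()):
        print(("AUTH " if k in auth else "     ") + f"{k}: {old} -> {new}")
    print("only in old:", only_old, "| only in new:", only_new)
```

On real hosts, save the output of `testparm -s -v` from each server and pass the two texts to `diff_defaults`.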