[Samba] cannot connect without user/pass on Windows 10

Rowland Penny rpenny at samba.org
Thu Jan 26 14:01:23 UTC 2017


On Thu, 26 Jan 2017 12:12:41 +0100
Bram Matthys via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> A number of students are unable to connect to our print server from 
> their Windows 10 client laptop without entering a user/pass. More 
> precisely: If you try to connect manually to \\IP it says "Username
> or password incorrect" and prompts to enter a username/password.
> Despite the server setting to map all users to guest (see further
> down). I did a packet dump and the client pc asks NTLMSSP_NEGOTIATE,
> server replies with an NTLMSSP_CHALLENGE and then the client pc
> simply hangs up (TCP RST).
> 
> Now the (more) interesting bit: all this only happens when you use a 
> "microsoft account", not if you use a local account. With a local 
> account on the laptop start -> run -> \\IP will get you connected 
> without asking for a user / password and show the shared printers and 
> shares, as expected.
> 
> Any ideas? Is this fixable on the server-side? Otherwise if that is
> not possible, fixable on the client-side while still permitting
> microsoft accounts?
> 
> Packet dump (raw): https://www.vulnscan.org/tmp/cannotconnectsmb.pcap
> 
> Packet dump (text) below:
> 1 0.000000 10.0.6.178 -> 10.0.0.7 TCP 66 49939→445 [SYN] Seq=0
> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
> 2 0.000049 10.0.0.7 -> 10.0.6.178 TCP 66 445→49939 [SYN, ACK] Seq=0 
> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
> 3 0.002343 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [ACK] Seq=1 Ack=1 
> Win=65536 Len=0
> 4 0.002514 10.0.6.178 -> 10.0.0.7 SMB 213 Negotiate Protocol Request
> 5 0.002528 10.0.0.7 -> 10.0.6.178 TCP 54 445→49939 [ACK] Seq=1
> Ack=160 Win=30336 Len=0
> 6 0.009462 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
> 7 0.011702 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
> 8 0.011936 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
> 9 0.016597 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request, 
> NTLMSSP_NEGOTIATE
> 10 0.017098 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response, 
> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
> 11 0.020411 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [RST, ACK]
> Seq=504 Ack=710 Win=0 Len=0
> 12 0.023889 10.0.6.178 -> 10.0.0.7 TCP 66 49940→445 [SYN] Seq=0
> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
> 13 0.023932 10.0.0.7 -> 10.0.6.178 TCP 66 445→49940 [SYN, ACK] Seq=0 
> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
> 14 0.026880 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [ACK] Seq=1 Ack=1 
> Win=65536 Len=0
> 15 0.026922 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
> 16 0.026941 10.0.0.7 -> 10.0.6.178 TCP 54 445→49940 [ACK] Seq=1
> Ack=179 Win=30336 Len=0
> 17 0.032177 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
> 18 0.034870 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
> NTLMSSP_NEGOTIATE
> 19 0.035490 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response, 
> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
> 20 0.038742 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [RST, ACK]
> Seq=345 Ack=504 Win=0 Len=0
> 21 0.202080 10.0.6.178 -> 10.0.0.7 TCP 66 49941→445 [SYN] Seq=0
> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
> 22 0.202145 10.0.0.7 -> 10.0.6.178 TCP 66 445→49941 [SYN, ACK] Seq=0 
> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
> 23 0.204434 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [ACK] Seq=1 Ack=1 
> Win=65536 Len=0
> 24 0.204484 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
> 25 0.204503 10.0.0.7 -> 10.0.6.178 TCP 54 445→49941 [ACK] Seq=1
> Ack=179 Win=30336 Len=0
> 26 0.212382 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
> 27 0.214883 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
> NTLMSSP_NEGOTIATE
> 28 0.215544 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response, 
> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
> 29 0.218612 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [RST, ACK]
> Seq=345 Ack=504 Win=0 Len=0
> 30 0.222053 10.0.6.178 -> 10.0.0.7 TCP 66 49942→445 [SYN] Seq=0
> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
> 31 0.222120 10.0.0.7 -> 10.0.6.178 TCP 66 445→49942 [SYN, ACK] Seq=0 
> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
> 32 0.224036 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [ACK] Seq=1 Ack=1 
> Win=65536 Len=0
> 33 0.224074 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
> 34 0.224086 10.0.0.7 -> 10.0.6.178 TCP 54 445→49942 [ACK] Seq=1
> Ack=179 Win=30336 Len=0
> 35 0.230810 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
> 36 0.233314 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
> NTLMSSP_NEGOTIATE
> 37 0.234009 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response, 
> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
> 38 0.237069 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [RST, ACK]
> Seq=345 Ack=504 Win=0 Len=0
> 
> Server config:
> [global]
> workgroup = MLHJ
> interfaces = anet jnet print wifi lo
> bind interfaces only = Yes
> server role = standalone server
> map to guest = Bad User
> obey pam restrictions = Yes
> syslog = 0
> log file = /var/log/samba/smb.log
> printcap name = /etc/printcap
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> idmap config * : backend = tdb
> printing = bsd
> print command = /usr/local/scripts/print "%p" "%s" "%I" "%m" "%U" "%J" 2>&1|logger -p lpr.debug -t samba-print
> 
> 
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> guest ok = Yes
> printable = Yes
> print ok = Yes
> browseable = No
> 
> 
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> guest ok = Yes
> 
> # smbd -V
> Version 4.2.14-Debian
> 
> Regards,
> 
> Bram
> 

Do your users exist on the print server?

If you look in 'man smb.conf' under 'map to guest (G)' you will find
this:

Bad User - Means user logins with an invalid password are
rejected, unless the username does not exist, in which case it
is treated as a guest login and mapped into the guest
account.

So, if the user does exist and uses an incorrect password it will be
rejected, but if the user doesn't exist, it will be SILENTLY mapped to
guest.

Rowland 
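
An added example, not part of either message: a small parser for the tshark summary lines quoted above that reports, per client connection, how far the NTLMSSP exchange got and whether the client reset it. The NTLMSSP user name is carried in the third message (NTLMSSP_AUTH), so a connection reset right after NTLMSSP_CHALLENGE ended before the server was given a user name to match against its accounts. The function names, the constructed frames 101-104 and the rule that SMB lines belong to the client's most recent SYN are assumptions of this example.

```python
import re

# Frames 1-20 are taken from the quoted dump (wrapped lines rejoined, SYN lines
# shortened); frames 101-104 are constructed for contrast, not from the capture.
SAMPLE = """
1 0.000000 10.0.6.178 -> 10.0.0.7 TCP 66 49939→445 [SYN] Seq=0
9 0.016597 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request, NTLMSSP_NEGOTIATE
10 0.017098 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
11 0.020411 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [RST, ACK] Seq=504 Ack=710 Win=0 Len=0
12 0.023889 10.0.6.178 -> 10.0.0.7 TCP 66 49940→445 [SYN] Seq=0
18 0.034870 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request, NTLMSSP_NEGOTIATE
19 0.035490 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
20 0.038742 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [RST, ACK] Seq=345 Ack=504 Win=0 Len=0
101 9.000000 10.0.6.50 -> 10.0.0.7 TCP 66 50001→445 [SYN] Seq=0
102 9.010000 10.0.6.50 -> 10.0.0.7 SMB2 220 Session Setup Request, NTLMSSP_NEGOTIATE
103 9.011000 10.0.0.7 -> 10.0.6.50 SMB2 351 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
104 9.015000 10.0.6.50 -> 10.0.0.7 SMB2 600 Session Setup Request, NTLMSSP_AUTH, User: LAPTOP\\student
"""

LINE = re.compile(r"^\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
SYN = re.compile(r"^(\d+)→445 \[SYN\]")  # client SYN only; "[SYN, ACK]" does not match
STAGES = ("NTLMSSP_NEGOTIATE", "NTLMSSP_CHALLENGE", "NTLMSSP_AUTH")

def ntlmssp_progress(dump, server="10.0.0.7"):
    """Return one dict per client connection: last NTLMSSP stage seen, client reset."""
    conns, current = [], {}  # current maps client IP -> its most recent connection
    for raw in dump.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, dst, proto, info = m.groups()
        client = dst if src == server else src
        syn = SYN.match(info) if proto == "TCP" and src == client else None
        if syn:  # SMB summary lines carry no port, so attach them to the latest SYN
            current[client] = {"port": int(syn.group(1)), "stage": None, "client_reset": False}
            conns.append(current[client])
        conn = current.get(client)
        if conn is None:
            continue
        conn["stage"] = next((s for s in STAGES if s in info), conn["stage"])
        if proto == "TCP" and "[RST" in info and src == client:
            conn["client_reset"] = True
    return conns

def aborted_before_auth(dump):
    """Client ports of connections reset by the client right after the challenge."""
    return [c["port"] for c in ntlmssp_progress(dump)
            if c["stage"] == "NTLMSSP_CHALLENGE" and c["client_reset"]]
```
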


