[Samba] Access to Windows 2016 server works with IP but not with netbios name

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jan 12 23:32:08 UTC 2018

If Windows is the domain controller, then it is an AD domain.       If 
you are running Samba 3 domain controller then it would be emulating an 
NT4-type domain controller. I am presuming samba 3.x machine is 
configured as a domain member?

Last year when the BADLOCK vulnerability came out, Microsoft issued 
various patches that were likely to break compatibility with Samba 
3.x.      Samba did not release a minor version upgrade for Samba 3.x to 
include this patch.      So you would have to compile the patch your self.

You can run a WINS server on Windows or Samba.      WINS is the 
equivalent of a DNS server for Netbios names in a TCP/IP environment.

Can you run "testparm -v" on your samba system?  You may  see

             smb ports = 445 139
             disable netbios = No
             wins server = (the ip address of your wins server, if you 
have one)

I found in a classic samba domain, that explicitly setting the smb ports 
value to 139 only created problems.    I don't know what would happen if 
you set to 445 only.   I don't know if the "disable netbios" option is 
available with samba 3.x.        I had a classic domain that I migrated 
to an AD domain, but I haven't tried disabling all the netbios stuff 
yet.     I would think if you could then this might get simpler.

You may also want to do some packet captures on the samba server to 
compare compare connection attempts.

Assuming the client DNS is setup that both "ping shortname" and 
"nslookup shortname" work?

What version OS is the samba system running on?

On 01/12/2018 11:16 AM, Rob Marshall wrote:
> The client is a Windows 2008 R2 server. I don't know what you mean by 
> classic vs. AD. I assume it's AD, but how would I check?
> I see the same problem, i.e. "Access is denied" and a window to enter 
> the username/password, if I use the fully qualified name.
> Thanks,
> Rob
> On Fri, Jan 12, 2018 at 10:58 AM, Gaiseric Vandal via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>     Can you clarify -  are they trying to access the samba server from
>     a Win 2016 machine?     Is this a classic domain or AD domain?
>     Do you have a WINS server defined?      Can you access via a fully
>     qualified domain name (e.g. myserver.mydomain.com
>     <http://myserver.mydomain.com>.) I had an issue several years back
>     where users connecting over VPN could access by IP but not my
>     short name.       The problem was that the VPN was blocking at
>     least some netbios traffic (137-139) which meant that anything
>     relying on netbios names failed.    If you could connect via IP
>     address of fully qualified domain  name then you were by passing
>     netbios name resolution issues and connecting directly to port 445.
>     I have run into several issues with classic domains with SMB3 and
>     Windows 10 (which presumably would apply to Win 2016 as well.)
>     Windows 10 would try to negotiate SMBv3 with some servers and
>     would fail.  (This may have been samba 4 servers so I don't think
>     this applies to you.)     I also had problems with Win 7 and
>     Windows 2008 and SMB v2, especially with multiple users connecting
>     via remote desktop to Windows 2008.      The first use could map a
>     drive but not successive users.        You may want to explicitly
>     set your samba servers to use SMB v2 as the max protocol or even
>     Samba 1.x.
>     I also run into an issue with drive mapping using short name vs
>     long name in a classic domain.   If my DNS domain is mycompany.com
>     <http://mycompany.com>, and my samba domain is  TECH, then if I
>     may a drive to myserver.mydomain.com
>     <http://myserver.mydomain.com> there is a discrepancy between the
>     Samba domain name and the DNS domain name.     This didn't cause
>     problems with Windows itself but it did with Office 2013 after
>     some updates. Office would not open files determined to be from an
>     untrusted source.
>     I migrated away from a classic domain to a true AD domain so a lot
>     of my netbios and name resolution issues went away.
>     On 01/12/2018 10:19 AM, Rob Marshall via samba wrote:
>         Hi,
>         I have a customer who is able to access shares using the IP
>         address of the
>         Samba server (running 3.6.x - sorry, can't upgrade) but when
>         they try to
>         access the share using the short (netbios) name, they get
>         "access denied"
>         and are prompted for a username/password.
>         Where would I look to figure out what's going wrong?
>         Thanks,
>         Rob
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>     <https://lists.samba.org/mailman/options/samba>

More information about the samba mailing list