[Samba] Windows 10 clients slow remapping drives and somewhat inconsistent in reconnecting to the saved map drives

Thu Jun 7 14:25:30 UTC 2018

On Thu, 7 Jun 2018 14:14:50 +0000
"Werthmuller, Derek via samba" <samba at lists.samba.org> wrote:

> Hello,
> I'm a long term samba user through many different flavors from
> FreeBSD to Linux.  My latest is using Ubuntu 16.04 with its older
> version of the 4.2 series of samba as an AD DC and separate 4.2
> series file server.  In my small test environment the Samba 4.2 AD DC
> and the Samba 4.2 file server are different LXC containers on the
> same host.

I have to ask, why 4.2 ?? you would be better off using Ubuntu 18.04
which would get you 4.7.6. 4.2 is EOL as far as Samba is concerned.

> 
> I've worked through many of the configuration guides to get the POSIX
> attributes in the samba AD directory by provisioning with
> -use-rfc2307.  And creating new accounts with appropriate samba-tool
> add user commands; sudo samba-tool user add <username>
> --uid-number=<userUID> gid-number=<userGID>
> home-directory=/homes/<username> login-shell=/bin/bash (So we can
> migrate the contents of older linux file servers and not have to
> change the uid/gid for files, and a few of the systems are
> interactive linux systems)
> 
> SSSD OR winbind based Linux authentication with AD backend works out
> fine for those Ubuntu systems that are not file servers.
> 
> The challenge I am facing is with Windows 10 clients mapping drives
> are somewhat inconsistent in either their ability to reconnect or how
> quickly they remap the drives.  Windows 10 in this case is 1607
> LTSB.  The Windows 10 and 7 are mobile and not domain members, so
> they remember connections to quickly reconnect drives.  Fileserver is
> configured to support both win7 and win10 clients.  Windows 7 clients
> don't seem to exhibit any of these issues.  The slow connection takes
> about 5-8 seconds to open the drive in file explorer after logging
> into desktop and selecting the drive from the remembered
> connections.  When this fails I get one of the two errors below.
> 
> The two primary errors that the windows 10 client receives are:
> 1)  "The account is not authorized to log in from this station"  -
> not true I see this issue mostly after the windows 10 system comes
> out of sleep mode.  And the only way to get the connection to succeed
> is reboot the windows 10 client.
> 
> 2)  "there is a time and/or date difference between the client and
> server"  - yes by like 3 seconds I see this issue mostly after the
> windows 10 system has been powered off.  If I check the time between
> the fileserver and the windows 10 client I see up to 3 second time
> difference.  IF I get the windows 10 client to update its time from
> the network time server the connection reconnects fine then. The
> windows clients are not dual boot systems, they use just the single
> OS. # I thought that the time difference could be up to 5 minutes #
> TimeZones seem to be set properly on the Servers and client Windows
> systeminfo reports: Time Zone:                 (UTC-05:00) Eastern
> Time (US & Canada) Adjust for Daylight savings
> 
> 
> Here is the relevant portions of the samba file server config:
> My ideal config makes use of the highest level of security features
> available while maintaining compatibility between the two different
> client versions of windows and the samba server.
> 
> ntlm auth = no
> lanman auth = no
> raw NTLMv2 auth = no
> # Ref:  https://www.samba.org/samba/security/CVE-2016-2111.html
> #client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> realm = dom.example.com
> security = ADS
> encrypt passwords = yes
> # min signaling
> server signaling = mandatory
> min protocol = SMB2_10
> #client min protocol = SMB2
> max protocol = SMB3
> dedicated keytab file = /etc/krb5.keytab
> 
> Diagnostic suggestions?  Recommended configuration changes?

Yes, upgrade ;-)

Rowland