Samba update now requires authentication for Windows 10 machine access

crmrhm · April 18, 2016, 6:28am

System is openSUSE 13.2 64-bit, KDE, legacy BIOS

Running samba 4.1.23-31.1, in Dolphin I could click Network->Samba Shares->(workgroup name)->(name of Windows 10 machine) and got a list of six folders, one of which is shared. Clicking the shared folder, I’m in with read and write access.

With update to samba 4.2.4-34.1, when I do Network->Samba Shares->(workgroup name)->(name of Windows 10 machine), an authentication window appears wanting user name and password. The Windows 10 machine does have a user name, but no password. No matter what I put in the authentication fields, access is denied.

I rolled back to samba 4.1.23-31.1 and again have access.

the global stanza of smb.conf is

[global]
    workgroup = CANDH
    passdb backend = tdbsam
    name resolve order = bcast host lmhosts wins
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = No
    domain master = No
    ldap admin dn = 
    security = user
    wins server = 
    wins support = No

What do I do to connect with samba 4.2.4-34.1?

Thanks,
Howard

swerdna · April 18, 2016, 2:12pm

Me also, just discovered it after reading your post. I’ll try to revert as you did and get back to you. Could be a bug.

swerdna · April 18, 2016, 2:31pm

Come to think of it: My Linux boxes haven’t lost the plot when talking to each other. But last couple of days there was a spontaneous upgrade of the windows 10 computers in my house. I wonder if that’s why win 10 shares are blocked (to openSUSE).

tsu2 · April 18, 2016, 4:33pm

crmrhm:

With update to samba 4.2.4-34.1, when I do Network->Samba Shares->(workgroup name)->(name of Windows 10 machine), an authentication window appears wanting user name and password. The Windows 10 machine does have a user name, but no password. No matter what I put in the authentication fields, access is denied.

I rolled back to samba 4.1.23-31.1 and again have access.

the global stanza of smb.conf is
[global]
    workgroup = CANDH
    passdb backend = tdbsam
    name resolve order = bcast host lmhosts wins
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = No
    domain master = No
    ldap admin dn = 
    security = user
    wins server = 
    wins support = No

Is it really true that the Win10 User account you’re using to authenticate really does not have a password?
And if this is so, what kind of account is this, a local account (stored in the Win10 SAM) or an Internet-authenticated account using some Internet email address like outlook.com, hotmail.com or live.com?

And, if this is some kind of account with such minimal security, maybe you should activate the Guest account and use it instead of an ordinary User account of any type?

TSU

crmrhm · April 18, 2016, 5:20pm

Our Windows 10 machines have the recent April monthly update, and it caused no change for samba 4.1.23-31.1, so I think that is not the issue. The denied access comes with an update to samba 4.2.4-34.1.

The samba update wants to do

# Status             Package                        | Summary                                  | Installed (Available)     |       Size
[Autodelete]         libpdb0                        | Samba3 password database library         | 4.1.23-31.1               |  213.4 KiB
[Autodelete]         libpdb0-32bit                  | Samba3 password database library         | 4.1.23-31.1               |  207.0 KiB
[Autoupdate]         libdcerpc-binding0             | Some samba library                       | 4.1.23-31.1 (4.2.4-34.1)  |  126.0 KiB
[Autoupdate]         libdcerpc-binding0-32bit       | Some samba library                       | 4.1.23-31.1 (4.2.4-34.1)  |  125.4 KiB
[Autoupdate]         libdcerpc0                     | Distributed Computing Environment Rem... | 4.1.23-31.1 (4.2.4-34.1)  |  202.0 KiB
[Autoupdate]         libdcerpc0-32bit               | Distributed Computing Environment Rem... | 4.1.23-31.1 (4.2.4-34.1)  |  205.4 KiB
[Autoupdate]         libgensec0                     | Samba generic security library           | 4.1.23-31.1 (4.2.4-34.1)  |  162.1 KiB
[Autoupdate]         libgensec0-32bit               | Samba generic security library           | 4.1.23-31.1 (4.2.4-34.1)  |  165.4 KiB
[Autoupdate]         libndr-krb5pac0                | NDR marshallers for the KRB5 PAC formats | 4.1.23-31.1 (4.2.4-34.1)  |   42.0 KiB
[Autoupdate]         libndr-krb5pac0-32bit          | NDR marshallers for the KRB5 PAC formats | 4.1.23-31.1 (4.2.4-34.1)  |   37.4 KiB
[Autoupdate]         libndr-nbt0                    | NDR marshallers for NBT formats          | 4.1.23-31.1 (4.2.4-34.1)  |   86.0 KiB
[Autoupdate]         libndr-nbt0-32bit              | NDR marshallers for NBT formats          | 4.1.23-31.1 (4.2.4-34.1)  |   89.4 KiB
[Autoupdate]         libndr-standard0               | NDR marshallers for the standard set ... | 4.1.23-31.1 (4.2.4-34.1)  |    3.1 MiB
[Autoupdate]         libndr-standard0-32bit         | NDR marshallers for the standard set ... | 4.1.23-31.1 (4.2.4-34.1)  |    3.2 MiB
[Autoupdate]         libndr0                        | Network Data Representation library      | 4.1.23-31.1 (4.2.4-34.1)  |   86.0 KiB
[Autoupdate]         libndr0-32bit                  | Network Data Representation library      | 4.1.23-31.1 (4.2.4-34.1)  |   89.4 KiB
[Autoupdate]         libnetapi0                     | Samba netapi Library                     | 4.1.23-31.1 (4.2.4-34.1)  |  402.0 KiB
[Autoupdate]         libnetapi0-32bit               | Samba netapi Library                     | 4.1.23-31.1 (4.2.4-34.1)  |  441.3 KiB
[Autoupdate]         libregistry0                   | Windows-style registry library           | 4.1.23-31.1 (4.2.4-34.1)  |  138.4 KiB
[Autoupdate]         libsamba-credentials0          | Samba credential management library      | 4.1.23-31.1 (4.2.4-34.1)  |   70.0 KiB
[Autoupdate]         libsamba-credentials0-32bit    | Samba credential management library      | 4.1.23-31.1 (4.2.4-34.1)  |   69.3 KiB
[Autoupdate]         libsamba-hostconfig0           | Host-wide Samba configuration library    | 4.1.23-31.1 (4.2.4-34.1)  |  176.5 KiB
[Autoupdate]         libsamba-hostconfig0-32bit     | Host-wide Samba configuration library    | 4.1.23-31.1 (4.2.4-34.1)  |  154.4 KiB
[Autoupdate]         libsamba-util0                 | Samba utility function library           | 4.1.23-31.1 (4.2.4-34.1)  |  210.5 KiB
[Autoupdate]         libsamba-util0-32bit           | Samba utility function library           | 4.1.23-31.1 (4.2.4-34.1)  |  209.6 KiB
[Autoupdate]         libsamdb0                      | Samba's SAM database library             | 4.1.23-31.1 (4.2.4-34.1)  |   90.6 KiB
[Autoupdate]         libsamdb0-32bit                | Samba's SAM database library             | 4.1.23-31.1 (4.2.4-34.1)  |   85.7 KiB
[Autoupdate]         libsmbclient-raw0              | Samba4's raw SMB client library          | 4.1.23-31.1 (4.2.4-34.1)  |  222.0 KiB
[Autoupdate]         libsmbclient-raw0-32bit        | Samba4's raw SMB client library          | 4.1.23-31.1 (4.2.4-34.1)  |  225.3 KiB
[Autoupdate]         libsmbclient0                  | Samba Client Library                     | 4.1.23-31.1 (4.2.4-34.1)  |  146.0 KiB
[Autoupdate]         libsmbconf0                    | Samba3 configuration library             | 4.1.23-31.1 (4.2.4-34.1)  |  463.6 KiB
[Autoupdate]         libsmbconf0-32bit              | Samba3 configuration library             | 4.1.23-31.1 (4.2.4-34.1)  |  462.4 KiB
[Autoupdate]         libsmbldap0                    | Samba LDAP protocol helper function l... | 4.1.23-31.1 (4.2.4-34.1)  |   42.0 KiB
[Autoupdate]         libsmbldap0-32bit              | Samba LDAP protocol helper function l... | 4.1.23-31.1 (4.2.4-34.1)  |   41.3 KiB
[Autoupdate]         libtevent-util0                | Samba tevent <-> system status code c... | 4.1.23-31.1 (4.2.4-34.1)  |   10.0 KiB
[Autoupdate]         libtevent-util0-32bit          | Samba tevent <-> system status code c... | 4.1.23-31.1 (4.2.4-34.1)  |    9.3 KiB
[Autoupdate]         libwbclient0                   | Samba libwbclient Library                | 4.1.23-31.1 (4.2.4-34.1)  |   54.0 KiB
[Autoupdate]         libwbclient0-32bit             | Samba libwbclient Library                | 4.1.23-31.1 (4.2.4-34.1)  |   53.3 KiB
[Autoupdate]         samba                          | A SMB/CIFS File, Print, and Authentic... | 4.1.23-31.1 (4.2.4-34.1)  |    1.4 MiB
[Autoupdate]         samba-32bit                    | A SMB/CIFS File, Print, and Authentic... | 4.1.23-31.1 (4.2.4-34.1)  |   25.3 KiB
[Autoupdate]         samba-client                   | Samba Client Utilities                   | 4.1.23-31.1 (4.2.4-34.1)  |    2.9 MiB
[Autoupdate]         samba-client-32bit             | Samba Client Utilities                   | 4.1.23-31.1 (4.2.4-34.1)  |    9.3 KiB
[Autoupdate]         samba-libs                     | Samba libraries                          | 4.1.23-31.1 (4.2.4-34.1)  |   12.0 MiB
[Autoupdate]         samba-libs-32bit               | Samba libraries                          | 4.1.23-31.1 (4.2.4-34.1)  |   11.7 MiB
[Autoupdate]         samba-winbind                  | Winbind Daemon and Tool                  | 4.1.23-31.1 (4.2.4-34.1)  |    1.5 MiB
[Autoupdate]         samba-winbind-32bit            | Winbind Daemon and Tool                  | 4.1.23-31.1 (4.2.4-34.1)  |   68.0 KiB
[Autoinstall]        libsamba-passdb0               | Samba3 password database library         | (4.2.4-34.1)              |  218.0 KiB
[Autoinstall]        libsamba-passdb0-32bit         | Samba3 password database library         | (4.2.4-34.1)              |  213.4 KiB

The first two files which are Autodeleted, and the last two which are Autoinstalled are password libraries, so I suspect those changes are the problem.

It’s really true - no password. It is a local account.

Thanks,
Howard

crmrhm · April 18, 2016, 7:58pm

After the samba update and revert, I had to do

sudo smbpasswd -a howard

to get myself back so I could reach this box from others.

Did you have to do anything after the update so the Linux boxes had samba users?

Regards,
Howard

swerdna · April 19, 2016, 3:49am

crmrhm:

After the samba update and revert, I had to do
sudo smbpasswd -a howard
to get myself back so I could reach this box from others.

Did you have to do anything after the update so the Linux boxes had samba users?

Regards,
Howard

No, nothing, because I have the win10 share set to

folder security ==> everyone ==> full control
folder share ==> everyone ==> full control

[yes I do know this is guest-access to-the-max]

swerdna · April 19, 2016, 4:51am

Well I’ve found my problem and it’s different from yours. My link to win10 from my Leap42 achieves access to win10 if I disable the SuSEfirewall2

I do have interfaces in external zone + allow netbios + samba client + samba server. So there’s a bug for me, different from yours.

And furthermore, if I leave the firewall on and use the IP address I get access, which implies my problem is in the naming (nmd/nmbd) software.

crmrhm · April 19, 2016, 5:46am

Can the Win10 machine access the Linux box running updated samba?

Howard

swerdna · April 19, 2016, 12:15pm

Yes… That direction has never failed

swerdna · April 19, 2016, 12:30pm

Something odd has occurred, a bug in the smb/nmb networking (of my Leap installation). I have fixed it like this:

Yast ==> Firewall ==> Interfaces ==> External Zone
and
Yast ==> Firewall ==> Interfaces ==> Allowed Services ==> Netbios Server + Samba Client + Samba Client

That’s the normal setup for Samba.

Since the upgrades in Samba RPMs I now need this additional configuration:

Yast ==> Firewall ==> Custom Rules ==> External Zone + Source Network = w.x.y.z/24 + Protocol = UDP

Which takes me back to the good old days of openSUSE 11 (when it was necessary)

FYI versions

john@leap421:~> rpm -qa | grep samba
samba-winbind-32bit-4.2.4-9.2.x86_64
yast2-samba-client-3.1.15-10.2.noarch
libsamba-hostconfig0-4.2.4-9.2.x86_64
samba-libs-32bit-4.2.4-9.2.x86_64
samba-client-4.2.4-9.2.x86_64
libsamba-credentials0-32bit-4.2.4-9.2.x86_64
samba-client-32bit-4.2.4-9.2.x86_64
libsamba-util0-32bit-4.2.4-9.2.x86_64
libsamba-credentials0-4.2.4-9.2.x86_64
samba-doc-4.2.4-15.1.noarch
libsamba-passdb0-32bit-4.2.4-9.2.x86_64
libsamba-hostconfig0-32bit-4.2.4-9.2.x86_64
libsamba-util0-4.2.4-9.2.x86_64
samba-winbind-4.2.4-9.2.x86_64
yast2-samba-server-3.1.14-16.1.noarch
samba-32bit-4.2.4-9.2.x86_64
libsamba-passdb0-4.2.4-9.2.x86_64
samba-libs-4.2.4-9.2.x86_64
samba-4.2.4-9.2.x86_64

This additional add on of the UDP implies a bug is operating.

BUT: I don’t know at all whether this relates to your issue. It simply seemed the same in the beginning of this thread but now seems somewhat divergent.

crmrhm · April 19, 2016, 6:21pm

I agree, there are different issues.

I did more testing, and find a Linux box with updated samba 4.2.4-34.1 can access other Linux machines (all which have passwords) and a Windows 10 machine which has a password. However, access is denied to the Windows 10 machine without a password. Access to the non-password Win10 box works with samba 4.1.23-31.1.

Your samba-4.2.4-9.2 and my 4.2.4-34.1 seem to be supplied with different bugs.

Regards,
Howard

crmrhm · April 19, 2016, 7:14pm

Bug report for samba 4.2.4-34.1 is at 11859 – Samba 4.2.4-34.1 cannot access Windows 10 machine with no password set
Regards,
Howard

crmrhm · April 20, 2016, 2:06am

I added the repository at http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_13.2/ and installed samba-4.4.2-4.1, but it had the same behavior as 4.2.4-34.1: access denied to the Windows 10 machine with no password.
Howard

swerdna · April 20, 2016, 5:16am

Have you set the win10 shared folder for guest access?

crmrhm · April 20, 2016, 7:27am

I tried that with 4.2.4-34.1 with no change in function. I’ll try soon with 4.4.2-4.1 and report.
Howard

swerdna · April 20, 2016, 11:35am

Don’t forget to edit both the “share” functionsad the “security” functions

swerdna · April 20, 2016, 2:12pm

Well this is interesting: I have a Tumbleweed installation that hasn’t been updated for a good while. It was using samba-4.3.6-1.1.x86_64 and it was seeing and accessing the win10 share no trouble.

So I ran zypper dup and checked what samba I had after that. It is now samba-4.4.2-1.1.x86_64. And I straight away after the upgrade I was getting the request for a username/password pair. And regardless of what credentials I entered, there was no access.

So I applied the fix I had mentioned a few posts earlier when I had issues with my Leap4,21 [Yast ==> Firewall ==> Custom Rules ==> External Zone + Source Network = w.x.y.z/24 + Protocol = UDP].

And that fixed my new issue in updated Tumbleweed without a need to supply credentials.

So: there is a bug in the Samba upgrades for Leap and Tumbleweed whereupon credentials are asked without a cause for credentials and opening a UDP channel (which I think relates to “name resolution”) fixed it (for me).

Maybe you should try it out.

crmrhm · April 21, 2016, 5:51am

At first I did only the “share” tab, so after the reminder I did the “security” tab. With both 4.2.4-34.1 and 4.4.2-4.1, no change in function - still get the authentication window, then access denied.
Howard

crmrhm · April 21, 2016, 6:08am

swerdna:

Well this is interesting: I have a Tumbleweed installation that hasn’t been updated for a good while. It was using samba-4.3.6-1.1.x86_64 and it was seeing and accessing the win10 share no trouble.

So I ran zypper dup and checked what samba I had after that. It is now samba-4.4.2-1.1.x86_64. And I straight away after the upgrade I was getting the request for a username/password pair. And regardless of what credentials I entered, there was no access.

So I applied the fix I had mentioned a few posts earlier when I had issues with my Leap4,21 [Yast ==> Firewall ==> Custom Rules ==> External Zone + Source Network = w.x.y.z/24 + Protocol = UDP].

And that fixed my new issue in updated Tumbleweed without a need to supply credentials.

So: there is a bug in the Samba upgrades for Leap and Tumbleweed whereupon credentials are asked without a cause for credentials and opening a UDP channel (which I think relates to “name resolution”) fixed it (for me).

Maybe you should try it out.

Interesting indeed. I tried [Yast ==> Firewall ==> Custom Rules ==> External Zone + Source Network = w.x.y.z/24 + Protocol = UDP] with samba 4.2.4-34.1 with no change in behavior. For w.x.y.z, I used the router’s IP address, 192.168.1.1. That did not help. I then updated to samba 4.4.2-4.1 and still no access. I added a rule with w.x.y.z = 192.168.1.153, the Win10 machine’s current local IP address, but still no access.

Are either of those the correct Source Network IPs?

I hunted through the router’s settings for anything that might block UDP, but found nothing. Did I likely miss anything?

Does your win10 share have a password? I can access Win10 if there is a password but cannot access the one machine with no password.

I must say, YaST2 does a splendid job moving between these three samba versions.

Regards,
Howard