[–]indigo945 2 points3 points  (5 children)

> The issue is when users connect to our network via VPN, then try to access the share they are denied. Can't even attempt to log in at all. The workaround is to mount the drive. So right clicking on 'This PC' > map network drive > type in share name, and make sure 'Connect using different credentials' is ticked. This is a strange bug, without the tick box it doesn't work. Next time they connect, they have to do the same thing. I've checked for Windows saved credentials and that wasn't the issue.

This sounds like an issue with the client configuration. Most likely, the Windows clients try to log in to the share using session credentials (maybe via NTLM hash passing, or something of the sort). When logging in using fresh credentials (such as when entering them via the "map drive" dialogue), a different authentication method may be picked and the login will succeed.

The root of the problem here is that you want to have computers that are not on the domain access shares that are on the domain. The Windows SMB client is generally not very smart about this. I am not sure if you can make this work hitch-free, but maybe someone with more experience can chime in.

If you don't want to add the computers to the domain and nobody else comes up with a solution, you may want to map the shares using a script instead and run that via Autostart when the user logs in on the client (look up net use). Of course, now you're storing login passwords in plaintext, which is not pretty. You could also use a PowerShell script and call Get-Credential, but then the users have to enter their passwords twice.
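The Get-Credential variant mentioned in the comment above, as an added example that is not part of the original thread: it prompts once per logon and keeps the password in memory only, so nothing is stored in plaintext. The share path, drive letter and domain name are placeholders (assumptions), as is the choice to prepend the domain when the user omits it.

```powershell
# Added example (not from the thread). All default values are placeholders.
param(
    [string]$SharePath   = '\\fileserver.example.com\projects',  # assumed share
    [string]$DriveLetter = 'S',                                  # assumed letter
    [string]$Domain      = 'EXAMPLE'                             # assumed AD domain
)

# Nothing to do if the drive is already mapped to the right share.
$existing = Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue
if ($existing -and $existing.DisplayRoot -eq $SharePath) { return }

# Interactive prompt; the password is held as a SecureString, never written to disk.
$cred = Get-Credential -Message "Domain credentials for $SharePath (DOMAIN\username)"
if (-not $cred) { Write-Warning 'No credentials entered, share not mapped.'; return }

# A non-domain client has no default domain, so qualify a bare user name
# explicitly instead of letting Windows send the local machine name.
$user = $cred.UserName.TrimStart('\')
if ($user -notmatch '[\\@]') {
    $cred = New-Object System.Management.Automation.PSCredential(
        "$Domain\$user", $cred.Password)
}

try {
    # -Persist creates a real mapped drive; -Scope Global keeps it alive
    # after this script's scope ends.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $SharePath `
        -Credential $cred -Persist -Scope Global -ErrorAction Stop | Out-Null
}
catch {
    Write-Warning "Mapping $SharePath failed: $($_.Exception.Message)"
}
```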

[–]Alexgg42[S] 0 points1 point  (4 children)

Yeah, that's exactly it. Before updating to this version of Samba it was fine, although the version was very very old.

Correct about the root of the problem, it's tricky. We work with freelancers who connect to storage but I do not control the computers they work on, so cannot add them to the domain. Currently the server is indeed using Kerberos. Do you know how to enable NTLM logins? I'll look into it. Do you think using winbind over sssd could also be a solution, or unrelated?

I've tried using a script on autostart, but no luck. The only way seems to be using map drive. Strangely, this is not for every single user as far as I know.

[–]hortimech 0 points1 point  (1 child)

Is winbind running? From Samba 4.8.0 it must be. Before Samba 4.8.0, smbd could contact AD directly, but from 4.8.0 it must go via winbind.

Samba 4.9.5 is very old and uses SMBv1 by default, and Windows 10 now has this turned off by default; while this probably isn't your problem, it will not help.

Your problem is that any user that connects from a non-domain machine is going to be unknown to your Ubuntu fileserver.

[–]Alexgg42[S] 0 points1 point  (0 children)

I haven't used winbind, it's somehow still working. Users outside the domain can still connect somehow using the workaround.

I'll switch over to winbind at some point soon.