Question
Thursday, August 16, 2018 7:48 PM
Dear all,
I have a computer which is part of a domain and runs Win10 Enterprise v1709. Connecting to a non-domain network share, either via VPN or from inside that network, does not work properly. The share uses other credentials and is running on a Linux machine with Samba v21.
There are two cases:
1. I need to connect via VPN to the non-domain network and access the share (the VPN connection works; I can access web pages, FTP and SSH servers, etc.).
Problem: I cannot connect to the share via \\IPADR\Share.
Error: Windows cannot access "\\IPADR\Share". Check the spelling of the name. Otherwise there might be a problem with your network.... Error 0x80004005
2. When using the domain-joined computer in the non-domain network, I cannot access the share via IPADR, but via computer name it works:
- \\COMPNAME\Share works -> credentials prompt pops up, I can enter the credentials and all works fine
- \\IPADR\Share does NOT work -> I get the following error:
Error: Windows cannot access "\\IPADR\Share". Check the spelling of the name. Otherwise there might be a problem with your network.... Error 0x80070035
More important information:
Previously I also had 1709 installed (I just reimaged the computer) and I found a configuration that made the access work, but I cannot remember which policies I changed.
In Network and Sharing Center I enabled the use of user names and passwords instead of letting Windows handle it.
All the relevant file-sharing and network-access rules in the firewall are enabled.
When I enter the credentials manually into the Credential Manager as Windows Credentials, I do get access via \\IPADDRESS, both via VPN and inside the network.
When using "map network drive" with "other credentials" all works fine.
When I use command line "net use" with other credentials all works fine
How can I make a domain computer prompt me for username and password when accessing a network share? Please don't suggest the workarounds via "map network drive", "net use" or storing the credentials in the Credential Manager. I do NOT want to store the credentials, and I don't want a temporary network drive mapped (I am faster entering \\IPADR than mapping a temporary network drive). As I managed to make it work before, I hope somebody knows a solution.
Thanks, regards
All replies (15)
Friday, August 17, 2018 8:05 AM
Hello Momominta,
thanks, but this is not the desired solution. As stated, I can already access each share via \\ComputerName\Share (as written above, with SMB != v1) if you are in the same network, but this doesn't work over VPN. I need to use the IP address, which doesn't work. One could argue I should use "map a network drive" (which also works), but this is cumbersome and a lot of clicking. So workarounds exist, but I would like to solve the issue.
As additionally written, if I put the credentials manually in the credential manager, all works fine. So it seems to be an authentication issue.
For obvious reasons, I don't want to use SMBv1 and I don't want stored credentials on the notebook. I need to access the server only on rare occasions, and it is intentionally outside the other network.
Any other hint or idea?
Thanks, regards, BigCookie
P.S.: "start \\ComputerName\Share" works, "start \\IP\Share" doesn't. With this command it says anonymous access to shares is blocked by policy, which is correct (no anonymous access to shares, but this share is not anonymous). It should prompt for credentials as it does when accessing \\ComputerName\Share.
Friday, August 17, 2018 10:11 AM | 1 vote
■ LANManager Authentication Level
For older NAS devices (which do not support NTLMv2), this setting is required.
Can't access smb share after update to 1709
https://social.technet.microsoft.com/Forums/en-US/eba9a147-c1de-41b1-99aa-9c65efd45d8f/cant-access-smb-share-after-update-to-1709?forum=win10itpronetworking
■ NTLMv2 / smb2.0 Support
Is Samba's "client ntlmv2 auth" option set?
And SMB 2.0 support?
When connecting with an IP address, NTLM authentication is used.
Kerberos cannot be used.
The file sharing NTLM authentication packet is carried inside SMB (CIFS).
Therefore, both DC and FS must be configured as "SMBv1 disabled, SMBv2 enabled".
# And the Windows 10 client as well.
smb.conf — The configuration file for the Samba suite
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
How to configure Samba to use SMBv2 and disable SMBv1 on Linux or Unix
https://www.cyberciti.biz/faq/how-to-configure-samba-to-use-smbv2-and-disable-smbv1-on-linux-or-unix/
Wireshark: Determining a SMB and NTLM version in a Windows environment
https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/
■ Why does it work with credential manager
This happens when the guest account is enabled.
However, this is inconsistent with "anonymous access to shares is blocked by policies".
■ About case2:
The domain computer has a computer account.
When using "\\ServerName\Share" (which works), the FS can use Kerberos authentication.
Since 0x80070035 is "Network path not found", the IP address being used may be incorrect.
Friday, August 17, 2018 1:19 PM
Hello Momominta,
this means enabling an IPsec tunnel, right? I would need the corresponding endpoint in the second network. Will try if I can enable this. At the moment the VPN connection is done through OpenVPN. Will need to try over the weekend... Thanks for your help!
Edit: I am running a Linux Samba server on the endpoint (Linux-based server). I don't have a Windows server providing the firewall. Thus I think this setup will be more complex, and probably too complex for me... Any other idea?
Friday, August 17, 2018 1:26 PM
Hello Yaki,
thanks a lot. This is something to digest for me. I will check over the weekend. To your comments:
- the guest account is disabled
- 0x80070035: weirdly, the IP address is 100% correct... Will check further.
- to clarify "DomainComputer has ComputerAccount": the domain computer does not have the file server account; username and password are different.
- IP address usage: if I use "map network drive" plus "other credentials", it works as well.
- I had enabled SMBv1 on the Win10 client before; no change. But I might have forgotten something. Will try again.
Thanks for your help!! I will report further.
In the meantime:
FS smb.conf:
-- "client ntlmv2 auth = yes" was and is set
-- "server min protocol = SMB2" now set, setting was not existing prior
-- max supported protocol is v3
-- "client min protocol = SMB2" now set, setting was not existing prior
AD:
-- lanmanagerworkstation: "send NTLMv2 only" is now set
-- SMBv1 is NOT installed/activated
-- group policy "Enable insecure guest logons" for LanMan workstation is now set
Access via Windows Explorer still ends up with 0x80004005 - Check the spelling of the name (I am in the same network now). The IP used is correct, as I can access it via SSH.
Mapping a network drive still works
Access with \\ComputerName\Share still works
Access with \\IP\Share still doesn't work
Friday, August 17, 2018 4:46 PM
Further edit. I checked the network traffic with Wireshark. The NTLM provided by the AD computer is NTLMv2, and the server answers with a "Session Setup Response" in which it states "accept-completed":
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_SUCCESS (0x00000000)
Command: Session Setup (1)
Credits granted: 31
Flags: 0x00000011, Response, Priority
Chain Offset: 0x00000000
Message ID: Unknown (2)
Process Id: 0x0000feff
Tree Id: 0x00000000
Session Id: 0x000000006b3106ae Acct:##### Domain:##### Host:#####
Signature: 00000000000000000000000000000000
[Response to: 1684]
[Time from request: 0.008218000 seconds]
Session Setup Response (0x01)
StructureSize: 0x0009
Session Flags: 0x0001, Guest
Blob Offset: 0x00000048
Blob Length: 9
Security Blob: a1073005a0030a0100
GSS-API Generic Security Service Application Program Interface
Simple Protected Negotiation
negTokenTarg
negResult: accept-completed (0)
I see the "Session Flags" set to "Guest" - might this be the problem?
The error is still the same... According to Wireshark, SMB 3.11 is selected.
Friday, August 17, 2018 6:09 PM
I am logged in with the AD account with administrator rights. There is no Microsoft account active on the computer.
I am not intentionally connected as guest. As it seems, the connection to the Samba share uses it (I saw the flag "guest" in the protocol, but this might mean nothing). Will try further. If it is not working, I will simply add the credentials to the Credential Manager... cumbersome, but at least working...
Friday, August 17, 2018 6:59 PM
It sounds like you may want to try disabling strict name checking on the host:
https://4sysops.com/archives/disable-strict-name-checking-with-powershell/
Saturday, August 18, 2018 2:39 PM
Hi, probably I didn't clarify. The server side is a Linux Samba server. It also worked with Win 10 prior to 1709, and with any other client, without problems.
@Aaron Guilmette: I don't know how I can disable strict name checking on a Linux Samba server, and I don't know if it is enabled. But thanks for this proposal.
@Momominta: Same here. I have a Linux server, and I don't have an easy way to build an IPsec tunnel. The different networks are connected 24/7 via IPsec-based VPN, so I assume the router would catch the IPsec connection.
Thanks again for the help. I will probably just live with the situation...
Saturday, August 18, 2018 3:14 PM
OK, some more findings. When I compare the protocol exchange, once with credentials in the Credential Manager and once without, the only difference is that without the correct credentials in the Credential Manager, Win10 uses the domain account for authentication towards the Samba server. As this account does not exist on the server side, the server answers with an option for guest access (which is disabled on the client side).
All authentication negotiation via NTLM works out fine.
So the question is why Win 10 is not asking for credentials in a prompt, but forces the domain username and credentials when trying to access \\IP\Share. When using \\ComputerName\Share the popup states it is only doing so because the domain controller is not reachable (which is true and intended, as I am connected to the non-domain network).
@Momominta: Unfortunately I don't have the option to use Samba 4 on the server side.
Saturday, August 18, 2018 5:20 PM
The computer is trying to reach the domain which provides the account and profile. The Samba share is in a different network, which is not connected to the same domain. It would require a simple username/password prompt. The IPsec tunnel would not work, as the router of the non-domain network establishes certain IPsec connections and therefore will not forward the IPsec packets to the computer running the Samba server.
I am sure I can get the IPsec tunnel to work somehow, but I consider this a workaround. And in this case it would be easier to use "map a network drive". I would then simply create scripts which connect and/or disconnect a network drive. This is easier. I am just curious how I can enable the password prompt, or better, understand why Win 10 is suppressing it...
The two networks are connected via OpenVPN. All IPs are reachable. Probably worth a try to switch to IPsec, but it requires too many changes in the network configuration for me... Based on the Wireshark capture I can only see that the Win 10 client is passing the domain credentials from its account, which are not valid on that server (by intention), and then the connection fails. If I tell Win10 via the Credential Manager to use other credentials, it works, but that makes the authentication permanently available, which I wanted to avoid.
As said: workarounds are available:
- map a network drive with "other credentials" (either through GUI or via Script and net use)
- use credentials manager
I simply try to find the cause and reason.
Sunday, August 19, 2018 1:31 PM
Unfortunately the setting doesn't help. I think I will live with the workarounds for now... If I find a solution, I will post it here. Thanks to all who supported me in finding a solution.
Monday, August 20, 2018 6:52 PM
Sorry for the confusion. As it seems, I was not good at summarizing. Hopefully this is better:
Setup
- Client: SurfaceBook, running Win10 Enterprise (Pro), 1709. Profile is coming from AD. No problems within this network.
- External server: running Linux, Samba v4.4.16, located in a different network, not connected to the domain. The user to access the server is not locally available on the SurfaceBook.
- Server configuration
  - Min. Samba version v2; when checking the Wireshark recording, SMB 3.11 is used as protocol.
- Client configuration
  - LAN Manager: NTLMv2 only is enabled (Secpol: Local Policies -> Security Options -> LAN Manager authentication level)
  - Firewall: all file sharing is enabled for domain and private networks. I enabled that via "add an app or feature through Windows Firewall"; I also checked the existing rule set.
  - Settings -> Network and Sharing Center -> Advanced sharing settings: "Use user accounts and passwords to connect to other computers" is enabled (I changed it)
  - Based on this post: policy (gpedit) for LanMan workstation "Enable insecure guest logons" is enabled
  - Settings -> Network and Sharing Center -> Advanced sharing settings -> All networks: "Turn on sharing so that anyone with network access can read and write files in the Public folders" is enabled
Issue 1: Computer in the AD network, connected via OpenVPN to the external network, trying to access the network share
Error: Windows cannot access "\\IPADR\Share". Check the spelling of the name. Otherwise there might be a problem with your network.... Error 0x80004005
Issue 2: Computer connected to the external network (moving the computer to another location, into the non-domain network)
- \\COMPNAME\Share works -> credentials prompt pops up, I can enter the credentials and all works fine
- \\IPADR\Share does NOT work -> I get the following error:
Error: Windows cannot access "\\IPADR\Share". Check the spelling of the name. Otherwise there might be a problem with your network.... Error 0x80004005 (please note that I tried again; I now get this error code, not the one mentioned in the first post)
Workarounds
- I can add the credentials to the Credential Manager for the specific IP address. After access, I delete the credentials. All works.
- I can map a network drive using other credentials and then disconnect again.
- I can write a script using "net use" with other user
Analyzing the traffic with Wireshark (SMB/SMB2 packets), I noticed that SMB 3.11 is used and NTLMv2 is used. Without credentials in the Credential Manager, the computer automatically uses its AD account to access the share, but doesn't prompt for credentials, even though they are wrong. Samba then returns a "guest" flag to the client. As it seems, this does not trigger the credentials prompt.
With credentials put into credential manager, Win10 is without problems accessing the share.
In summary: the client computer finds the server by IP address and tries to authenticate. This fails, and Samba gives the corresponding response, which does not trigger the credentials prompt. I didn't check the traffic for \\COMPUTERNAME\Share.
Regards, BigCookie
For completeness, this is the SMB section of the last packet when Win10 tries to connect to the server by IP address using the domain credentials, which are not accepted on the server side. You can see the response providing a guest session flag:
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_SUCCESS (0x00000000)
Command: Session Setup (1)
Credits granted: 31
Flags: 0x00000011, Response, Priority
Chain Offset: 0x00000000
Message ID: Unknown (2)
Process Id: 0x0000feff
Tree Id: 0x00000000
Session Id: 0x000000006b3106ae Acct:##### Domain:##### Host:#####
Signature: 00000000000000000000000000000000
[Response to: 1684]
[Time from request: 0.008218000 seconds]
Session Setup Response (0x01)
StructureSize: 0x0009
Session Flags: 0x0001, Guest
Blob Offset: 0x00000048
Blob Length: 9
Security Blob: a1073005a0030a0100
GSS-API Generic Security Service Application Program Interface
Simple Protected Negotiation
negTokenTarg
negResult: accept-completed (0)
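The dissection above can be checked mechanically instead of by eye. The Python below is an added example, not code from the thread, from Samba or from Microsoft: it rebuilds the Session Setup Response bytes from the values shown in the dump (constructed input; the security blob a1073005a0030a0100 is taken verbatim), parses the 64-byte SMB2 header and the Session Setup Response body, decodes the SPNEGO negResult, and reports whether the server granted a guest session (SessionFlags bit 0x0001, SMB2_SESSION_FLAG_IS_GUEST). The distinction it draws is the one that matters here: a response with NT status STATUS_SUCCESS and the guest flag set is an accepted session, not a logon failure, and Windows 10 version 1709 rejects SMB2 guest sessions by default (KB4046019, the "Enable insecure guest logons" policy mentioned above). The field names follow MS-SMB2; the classification strings are this example's own.

```python
"""Decode an SMB2 SESSION_SETUP response and report how the server classified the session."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D
SESSION_FLAG_IS_GUEST = 0x0001
SESSION_FLAG_IS_NULL = 0x0002
SESSION_FLAG_ENCRYPT_DATA = 0x0004

# SMB2 header, sync form (MS-SMB2 2.2.1.2): ProtocolId, StructureSize, CreditCharge, Status,
# Command, CreditResponse, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64
# SESSION_SETUP response fixed part (MS-SMB2 2.2.6): StructureSize, SessionFlags,
# SecurityBufferOffset, SecurityBufferLength
BODY_FMT = "<HHHH"

NEG_RESULT = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def build_sample_response(status=STATUS_SUCCESS, session_flags=SESSION_FLAG_IS_GUEST) -> bytes:
    """Constructed bytes matching the Wireshark dissection posted in the thread."""
    header = struct.pack(
        HEADER_FMT,
        SMB2_MAGIC, HEADER_LEN, 1, status, SMB2_SESSION_SETUP, 31,
        0x00000011, 0, 2, 0x0000FEFF, 0, 0x000000006B3106AE, b"\x00" * 16,
    )
    blob = bytes.fromhex("a1073005a0030a0100")  # negTokenTarg { negResult accept-completed }
    body = struct.pack(BODY_FMT, 9, session_flags, HEADER_LEN + 8, len(blob))
    return header + body + blob


def spnego_neg_result(blob: bytes) -> int:
    """Read negResult out of a negTokenTarg (RFC 4178) encoded with short-form DER lengths."""
    def tlv(pos, tag):
        if pos + 1 >= len(blob) or blob[pos] != tag or blob[pos + 1] & 0x80:
            raise ValueError(f"unexpected SPNEGO encoding at offset {pos}")
        return pos + 2, pos + 2 + blob[pos + 1]
    start, _ = tlv(0, 0xA1)        # [1] negTokenTarg
    start, _ = tlv(start, 0x30)    # SEQUENCE
    start, _ = tlv(start, 0xA0)    # [0] negResult
    start, _ = tlv(start, 0x0A)    # ENUMERATED, one byte
    return blob[start]


def parse_session_setup_response(pkt: bytes) -> dict:
    """Parse header and body; raise on anything that is not a SESSION_SETUP response."""
    if len(pkt) < HEADER_LEN + 8 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_, hdr_len, _charge, status, command, _credits, flags, _next,
     msg_id, _reserved, _tree, session_id, _sig) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if hdr_len != HEADER_LEN or command != SMB2_SESSION_SETUP or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a SESSION_SETUP response")
    struct_size, sflags, off, length = struct.unpack(BODY_FMT, pkt[HEADER_LEN:HEADER_LEN + 8])
    if struct_size != 9:
        raise ValueError("bad SESSION_SETUP response StructureSize")
    blob = pkt[off:off + length]
    return {
        "status": status,
        "message_id": msg_id,
        "session_id": session_id,
        "guest": bool(sflags & SESSION_FLAG_IS_GUEST),
        "null": bool(sflags & SESSION_FLAG_IS_NULL),
        "encrypted": bool(sflags & SESSION_FLAG_ENCRYPT_DATA),
        "neg_result": NEG_RESULT.get(spnego_neg_result(blob), "unknown") if blob else None,
    }


def classify(info: dict) -> str:
    """Separate 'credentials rejected' from 'accepted, but only as guest'."""
    if info["status"] == STATUS_LOGON_FAILURE:
        return "logon failure: the server rejected the credentials"
    if info["status"] != STATUS_SUCCESS:
        return f"session setup failed with NT status 0x{info['status']:08X}"
    if info["guest"]:
        return "guest session: the server accepted the session but mapped it to the guest account"
    if info["null"]:
        return "anonymous (null) session"
    return "authenticated session"


if __name__ == "__main__":
    parsed = parse_session_setup_response(build_sample_response())
    print(parsed)
    print(classify(parsed))
```

To run it against a real capture, export the SMB2 message bytes from Wireshark (Copy as Hex Stream on the SMB2 layer) and feed `bytes.fromhex(...)` to `parse_session_setup_response`.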
Tuesday, August 21, 2018 1:13 AM
When authentication fails, or when the response becomes "GUEST":
Is communication occurring from the FS to the DC with SMB or NTLM? And does that communication contain errors?
# Not FS and client.
Tuesday, August 21, 2018 10:18 AM
Hello Momominta,
the server is a Linux server without GUI. No right-click with Windows possible :-). The folders shall not be shared with everyone on the local server; only specific users/user groups have access. The access permissions work fine from other machines.
SMBv2 seems to work fine. I also enabled SMB1 for testing on client and server, and it didn't change the behavior. I can try it again, as I might have made mistakes, if this helps. Enabling SMBv1 is not a solution which I want to keep.
Communication: I don't see errors. I used Wireshark and filtered by SMB2. According to Wireshark, the protocol is SMB2, and the authentication mentioned is NTLM.
As stated above: I will live with the workarounds. If I find a solution, I will post it here. And thanks for all the patience!!!!
Wednesday, August 22, 2018 6:44 PM
The Linux-based server is currently a QNAP NAS TS-653B, an Intel-based 64-bit machine. As far as I know the Linux version is quite special; I am not aware that it is based on a common Linux distribution.
I can share the smb.conf; I only left the configuration of one share in it and removed the printers as well:
[global]
passdb backend = smbpasswd
workgroup = WORKGROUP
security = USER
server string = FileServer
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
dos charset = ISO8859-1
host msdfs = yes
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 1
wins support = no
name resolve order = host bcast
min protocol = NT1
follow symlinks = yes
min protocol = NT1
server min protocol = SMB2
client min protocol = SMB2
vfs objects = shadow_copy2 catia fruit qnap_macea streams_depot
[Web]
comment = System default share
path = /share/CACHEDEV1_DATA/Web
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list =
write list = "admin",@"administrators",@"Web_RW"
valid users = "root","admin",@"administrators",@"Web_RW"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Web
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes
Regards
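Samba resolves a file like the one above with rules that are easy to miss when reading it by hand: parameter names are case-insensitive and ignore whitespace, several names are documented synonyms in smb.conf(5) (min protocol is server min protocol, public is guest ok, browsable is browseable), and when a parameter is assigned more than once the last assignment wins. So the two "min protocol = NT1" lines are overridden by "server min protocol = SMB2", and "public = yes" on [Web] is "guest ok = yes". The Python below is an added example, not the poster's or QNAP's code: it parses an abridged copy of the posted configuration (a constructed subset, order preserved), folds synonyms, keeps every assignment so overrides stay visible, and reports the settings that govern guest handling: map to guest = Bad User (a logon with an unknown username is treated as a guest login regardless of the password) together with guest ok on the share, plus null passwords, server signing and smb encrypt. The synonym table covers only the synonyms named here; the audit wording is this example's own.

```python
"""Resolve a Samba smb.conf the way loadparm does: synonyms folded, last assignment wins."""
import re

# Abridged from the smb.conf posted in the thread (constructed subset, file order preserved).
SMB_CONF = """\
[global]
passdb backend = smbpasswd
workgroup = WORKGROUP
security = USER
map to guest = Bad User
null passwords = yes
guest account = guest
server signing = disabled
min protocol = NT1
min protocol = NT1
server min protocol = SMB2
client min protocol = SMB2

[Web]
path = /share/CACHEDEV1_DATA/Web
browsable = yes
public = yes
invalid users = "guest"
valid users = "root","admin",@"administrators",@"Web_RW"
write list = "admin",@"administrators",@"Web_RW"
smb encrypt = disabled
"""

# Synonyms documented in smb.conf(5); keys are whitespace-stripped and lower-cased.
SYNONYMS = {
    "minprotocol": "serverminprotocol",
    "maxprotocol": "servermaxprotocol",
    "public": "guestok",
    "browsable": "browseable",
    "allowhosts": "hostsallow",
    "denyhosts": "hostsdeny",
}


def canon(name: str) -> str:
    """Samba ignores case and whitespace in parameter names; fold synonyms too."""
    key = re.sub(r"\s+", "", name.lower())
    return SYNONYMS.get(key, key)


def parse_smb_conf(text: str) -> dict:
    """Return {section: [(param, value), ...]} keeping every assignment in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")   # only the first '=' is significant
        sections[current].append((canon(key), value.strip()))
    return sections


def effective(assignments) -> dict:
    """Later assignments override earlier ones, as Samba applies them."""
    out = {}
    for key, value in assignments:
        out[key] = value
    return out


def history(assignments, param: str) -> list:
    """Every value ever assigned to a parameter (or one of its synonyms), in order."""
    return [v for k, v in assignments if k == canon(param)]


def is_yes(value) -> bool:
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def name_list(value) -> list:
    """Split a Samba user list; quotes are stripped, '@' group prefixes are kept.
    (Quoted names containing spaces are not handled in this example.)"""
    return [t.replace('"', "").strip() for t in re.split(r"[,\s]+", value or "") if t.strip()]


def audit(conf: dict) -> dict:
    """Report the resolved settings that decide whether an unknown user becomes a guest."""
    g = effective(conf.get("global", []))
    findings = {"global": [], "shares": {}}
    if g.get("maptoguest", "Never").lower() == "bad user":
        findings["global"].append("map to guest = Bad User: unknown user names become guest logins")
    if is_yes(g.get("nullpasswords")):
        findings["global"].append("null passwords = yes: accounts with empty passwords are accepted")
    if g.get("serversigning", "").lower() == "disabled":
        findings["global"].append("server signing = disabled: SMB signing is never offered")
    versions = history(conf.get("global", []), "server min protocol")
    if len(versions) > 1:
        findings["global"].append(f"server min protocol assigned {len(versions)} times, effective {versions[-1]}")
    for name, assignments in conf.items():
        if name == "global":
            continue
        s = effective(assignments)
        findings["shares"][name] = {
            "guest_ok": is_yes(s.get("guestok")),
            "valid_users": name_list(s.get("validusers")),
            "invalid_users": name_list(s.get("invalidusers")),
            "encryption_off": s.get("smbencrypt", "").lower() == "disabled",
        }
    return findings


if __name__ == "__main__":
    for line in audit(parse_smb_conf(SMB_CONF))["global"]:
        print(line)
    print(audit(parse_smb_conf(SMB_CONF))["shares"])
```

Replace SMB_CONF with the full file contents to audit a real configuration; `testparm -s` on the server prints Samba's own resolved view and is the authoritative cross-check.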