smb configuration required when Win10 Enable insecure guest logons = disabled

Accessing smb share on SLES 12 SP4. After “Enable insecure guest logons = disabled” applied to Windows 10, I am no longer able to log in to the share. I assume there are some additional settings I need to configure within the SMB setup, but I haven’t found it yet. Can anyone point me in the right direction? Thanks! Ken

Hi
This is normally an SMB protocol error; you likely need to configure /etc/samba/smb.conf to add a higher protocol in the [Global] section, e.g. min protocol = SMB2

Malcolm,
Thanks for the response. I’ve tried adding both “min protocol = SMB2” and “min protocol = SMB3” and neither one has any effect. Any other thoughts?

Hi
Can you try from a linux machine with smbclient to connect, add some debug with the -d option: smbclient -d3 -L \\\\HOST

Maybe try this as well: https://www.windowscentral.com/how-access-files-network-devices-using-smbv1-windows-10

If I set “Enable insecure guest logons = Enabled” on the Win10 pc, I can connect without any problem.
Running “smbclient -d3 -L \\ws2a” from another SLES 12 box returns this…

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
Can’t find include file /etc/samba/dhcp.conf
added interface eth0 ip=192.168.1.49 bcast=192.168.3.255 netmask=255.255.252.0
Client started (version 4.6.16-git.174.c2fd2e28c843.49.1-SUSE-SLE_12-x86_64).
resolve_lmhosts: Attempting lmhosts lookup for name ws2a<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name ws2a<0x20>
Connecting to 192.168.1.48 at port 445
got OID=1.3.6.1.4.1.311.2.2.10
Enter WORKGROUP\root’s password:
GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘naclrpc_as_system’ registered
GENSEC backend ‘sasl-EXTERNAL’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘ntlmssp_resume_ccache’ registered
GENSEC backend ‘http_basic’ registered
GENSEC backend ‘http_ntlm’ registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[WS2A] OS=[Windows 6.1] Server=[Samba 4.6.16-git.174.c2fd2e28c843.49.1-SUSE-SLE_12-x86_64]

    Sharename       Type      Comment
    ---------       ----      -------
    logs            Disk
    websites        Disk
    IPC$            IPC       IPC Service (Samba 4.6.16-git.174.c2fd2e28c843.49.1-SUSE-SLE_12-x86_64)

Connecting to 192.168.1.48 at port 139
got OID=1.3.6.1.4.1.311.2.2.10
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[WS2A] OS=[Windows 6.1] Server=[Samba 4.6.16-git.174.c2fd2e28c843.49.1-SUSE-SLE_12-x86_64]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            WS2A

Hi
Add client to the smb.conf line;

client min protocol = SMB2
client max protocol = SMB3

Still no go. Here is my current smb.conf global section
[global]
workgroup = WORKGROUP
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
security = user
client min protocol = SMB2
client max protocol = SMB3
protocol = SMB3

Hi
Try without the last line protocol = SMB3

I’ve also tried adding:
encrypt passwords = yes
restrict anonymous = 2
But they don’t seem to make any difference either. I have a NetGear ReadyNAS that I also had to configure to handle this same problem. But it was just a matter of restricting anonymous logins. So I’m just a bit confused as to what the hold-up is with SLES 12.

Removing protocol = SMB3 did not make a difference.

By the way, after editing the file, I just need to do systemctl restart smb.service, correct? I assume nothing else needs to be restarted to have the changes take effect.

Hi
Yes, just a restart should be fine. Not sure either; if you install Wireshark on a Windows box and do a capture of the traffic, it should show what is happening.

drops head on desk… Sorry to have wasted your time. I just figured out what was going on. I added log level = 3 to the global section and then tried logging in from the Win10 box. Logs spelled it out for me. When Enable insecure guest logons = enabled was set, I could just enter \\<server_name> in an explorer window and I would be prompted to log in. I could also just enter net use v: \\<server_name>\<directory> and it would also prompt to log in. But with Enable insecure guest logons = disabled set on the Win10 box, it was trying to log in using my Windows credentials and then failing. All I had to do was use net use v: \\<server_name>\<directory> /user:<username> on the Win10 box and everything works.

Thanks!
Ken
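Added example, not part of the original thread: a small Python check that lists the smb.conf settings under which Samba can give a client a guest session (for instance map to guest = Bad User, present in the config posted above, which maps logins for unknown usernames to the guest account), the kind of session a Windows 10 client with insecure guest logons disabled refuses. The [global] lines in the sample come from the posted config; the [websites] share body and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the [global] lines are taken from the smb.conf posted in
# this thread; the [websites] share body is a hypothetical illustration.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = WORKGROUP
    security = user
    map to guest = Bad User
    usershare allow guests = No
    ; log level = 3
[websites]
    path = /srv/www
    public = yes
"""

TRUE_VALUES = {"yes", "true", "1", "on"}  # spellings Samba accepts for "true"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces removed.
    Does not follow 'include =' lines or backslash line continuations."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def guest_findings(text):
    """List (section, param, value) settings that let a session end up as guest."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        mode = params.get("maptoguest", "never")
        if name == "global" and mode.lower() != "never":
            findings.append((name, "map to guest", mode))
        for key, label in (("guestok", "guest ok"), ("public", "guest ok"),
                           ("guestonly", "guest only"), ("onlyguest", "guest only"),
                           ("usershareallowguests", "usershare allow guests")):
            if params.get(key, "no").lower() in TRUE_VALUES:
                findings.append((name, label, params[key]))
    return findings

if __name__ == "__main__":
    for section, param, value in guest_findings(SAMPLE_SMB_CONF):
        print(f"[{section}] {param} = {value}")
```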

Hi Ken
No worries. Thanks for coming back with the result, I’m sure it will help another Forum user going forward.