none
Samba Share Password Refused

    Question

  • When I try to connect to a Samba share using this command: 

    net use l: \\myserver\myshare /u:myusername mypassword

    I get the message:

    System error 86 has occurred.
    
    The specified network password is not correct.

    I get the same error when using the Map Network Drive wizard. I know the password is correct. I've set and reset the password and removed and re-added the user on the server machine. I can also connect to the share from other clients (running Android and Linux) using the same username and password.

    I have tried adjusting the following security policies via secpol.msc:

    • Microsoft network client: Send unencrypted password to third-party SMB servers (enabled and disabled)
    • Netword security: LAN Manager authentication level (Send LM & NTLM responses, Send LM & NTLM - use NTLMv2 session security if negotiated
    • Network security: Minimum session security for NTLM SSP based clients/servers (128-bit encryption and none)

    I've tried disabling smb2/3 using:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled
    

    I've tried removing and re-adding my Windows credential file associated with the server.

    I've tried syncing Windows' clock with the same ntp server that the machine running the Samba share uses.

    I've even tried making my share public, but it still gives me the same password error.

    This is a new problem, up until about a week ago I could connect just fine. I am running Samba 4.5.0-2 on a server running Arch Linux 4.7.4-1. The client machine is running Windows 10, version 1511, build 10586.589. Anyone have any ideas of what else I can try? 

    Sunday, September 25, 2016 2:17 AM

Answers

  • For what it's worth, this is how you do it in windows 8:

    Open the search tool from the right-hand side of the screen, and type "secpol.msc" in the box, and then click OK.
    Click Local Policies, Security Options , "Network Security: LAN Manager authentication level."
    Click "Send LM & NTLM - use NTLMv2 session security if negotiated."
    Click Apply.

    That _should _ do what you want, but you might have to play with the other options there.

    --J
    • Marked as answer by romle Thursday, September 29, 2016 1:15 AM
    Wednesday, September 28, 2016 10:30 PM

All replies

  • It could be the Windows 10 machine is checking the password against the wrong system, i.e. itself. It has done that for me at times. To specify where the check the password the server can be put before the username separated with a backslash. So;

    net use l: \\myserver\myshare /u:myserver\myusername mypassword

    Give that a try.

    Sunday, September 25, 2016 12:38 PM
  • Thanks for the tip.

    Just gave it a whirl, and I get the same system error 86. I've also tried using both my client and my server as the domain for the username in the Map network drive wizard with the same results.

    Tuesday, September 27, 2016 2:39 AM
  • Can you connect to share on the other Linux machine from the Windows 10 machine?
    Tuesday, September 27, 2016 5:57 PM
  • Hello Romle,

      Have you looked at the logs on the samba server?  You can try turning up the samba server's log verbosity and see if that produces anything useful in the logs.  My gut feel, however, is that somehow your password is either not getting into the 'net' command correctly, or windows is doing something funny with it before it sends it to the samba server.  Are you able to capture the traffic with tcpdump or wireshark and then post the .pcap file?  I could look at the network traffic for you to see if there is something strange there.

    --J

    Tuesday, September 27, 2016 8:13 PM
  • romle, also what version of Windows 10? What build (via winver), just seeing some other posts for people using the Insider builds.
    Tuesday, September 27, 2016 8:46 PM
  • I just set up a share on that machine and I get the same error from Windows, but I'm able to connect just fine from the other Linux box.
    Tuesday, September 27, 2016 11:28 PM
  • Thanks for your replies. I'm running Windows 10 Pro 64 bit, version 1511, build 10586.589 on the client machine.
    Tuesday, September 27, 2016 11:30 PM
  • Thanks for the tips. These seem to be the important parts of the samba log:

     [2016/09/27 21:51:40.144324,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
    146   check_ntlm_password:  Checking password for unmapped user [MYSERVER\[MYUSER]@[MYCLIENT] with the new password interface
    147 [2016/09/27 21:51:40.144353,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
    148   check_ntlm_password:  mapped user is: [MYSERVER]\[MYUSER]@[MYCLIENT]
    ...
     [2016/09/27 21:51:40.144977,  2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
    200   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user MYUSER
    201 [2016/09/27 21:51:40.144990,  3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
    202   ntlm_password_check: NEITHER LanMan nor NT password supplied for user MYUSER
    ...
     [2016/09/27 21:51:40.145577,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
    264   check_ntlm_password:  Authentication for user [MYUSER] -> [MYUSER] FAILED with error NT_STATUS_WRONG_PASSWORD
    265 [2016/09/27 21:51:40.145614,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
    266   SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
    From Wireshark, I log the following exchanges:
    10	0.055988	CLIENTIP	SERVERIP	SMB2	220	Session Setup Request, NTLMSSP_NEGOTIATE
    
    11	0.056648	CLIENTIP	SERVERIP	SMB2	291	Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
    
    12	0.056827	CLIENTIP	SERVERIP	SMB2	385	Session Setup Request, NTLMSSP_AUTH, User: SERVERIP\MYUSER
    
    13	0.058042	SERVERIP	CLIENTIP	SMB2	131	Session Setup Response, Error: STATUS_LOGON_FAILURE

    I'm having trouble posting a link to the full pcap (apparently they can't verify my account), but I'll try to make that available shortly as well.

    The solution isn't jumping out at me from the logs/pcap. Can you offer any thoughts or advice?


    • Edited by romle Wednesday, September 28, 2016 2:43 AM explain account verification problem
    Wednesday, September 28, 2016 2:38 AM
  • Hi Romie,

      Thanks for sending the logs. In your /etc/smb.conf file, do you have a line that contains "min protocol"?  Also, is there a line that says something like "client ntlm auth"?  It looks like the Windows 10 machine is sending passwords to your SAMBA server using the NTLMv1 protocol which appears to be disabled on the SAMBA server.  We can either enable NTLMv1 in SAMBA, or better yet, enable NTLMv2 in the Windows server.

    If you are unable to for the windows machine to NTLMV2 for whatever reason, you might need to disable the 'client ntlmv2 auth' and turn on the 'client ntlm auth' in order to make it work (see below)

    --J

    client NTLMv2 auth (G)

    This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

    If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Older servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2 when not in an NTLMv2 supporting domain

    Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

    If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

    Note that Windows Vista and later versions already use NTLMv2 by default, and some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.

    Default: client NTLMv2 auth = yes


    • Edited by JMAES123 Wednesday, September 28, 2016 4:48 PM Wanted to clarify what I had previously said.
    • Proposed as answer by JMAES123 Wednesday, September 28, 2016 10:19 PM
    Wednesday, September 28, 2016 4:37 PM
  • Now we're making progress. Using ntlm auth = yes in smb.conf, I can successfully connect.

    Do you know how I can enable NTLMv2 in my Windows 10 client?

    I googled up: this page: https://support.microsoft.com/en-us/kb/239869 but it covers every version of Windows except 10, so I wasn't sure if there's a more up-to-date article somewhere. I haven't looked very hard yet, but most of the pages I can find don't mention Windows 10. Do you know if the method is different?

    I'll keep searching later on. Thank you so much for helping to point me in the right direction!

    • Proposed as answer by frankgol Thursday, June 29, 2017 1:56 PM
    Wednesday, September 28, 2016 9:36 PM
  • Hi Romle,

      I'm glad that you're seeing some progress.  NTLMv2 should be the default for windows 7, vista, 8 and 10.  Usually if you have one of those systems and it's using NTLMv1, it's because somebody set it that way.  Are you part of a domain or do you have other servers that you're communicating with that might be expecting v1?  If not, the windows 8 method should be very similar to 10, but I haven't verified that.

    --J

    Wednesday, September 28, 2016 10:16 PM
  • For what it's worth, this is how you do it in windows 8:

    Open the search tool from the right-hand side of the screen, and type "secpol.msc" in the box, and then click OK.
    Click Local Policies, Security Options , "Network Security: LAN Manager authentication level."
    Click "Send LM & NTLM - use NTLMv2 session security if negotiated."
    Click Apply.

    That _should _ do what you want, but you might have to play with the other options there.

    --J
    • Marked as answer by romle Thursday, September 29, 2016 1:15 AM
    Wednesday, September 28, 2016 10:30 PM
  • Thanks million, I was getting scared I'd never access those files from this machine again.

    I previously tried Send LM & NTLM - use NTLMv2 session security if negotiated,

    but using 'Send NTLMv2 response only. Refuse LM & NTLM' client-side, and in smb.conf server-side:

    lanman auth = no

    ntlm = no

    I can connect to the share successfully.

    edit: reading into the samba man pages, those are both the default settings, so leaving them out of smb.conf entirely works as well.





    • Edited by romle Thursday, September 29, 2016 1:29 AM
    Thursday, September 29, 2016 1:19 AM
  • Hello Romle, 

      You're welcome, I'm glad everything worked out for you.

    --J

    Thursday, September 29, 2016 2:26 PM