Samba Share Password Refused

Question
-
When I try to connect to a Samba share using this command:
net use l: \\myserver\myshare /u:myusername mypassword
I get the message:
System error 86 has occurred. The specified network password is not correct.
I get the same error when using the Map Network Drive wizard. I know the password is correct. I've set and reset the password and removed and re-added the user on the server machine. I can also connect to the share from other clients (running Android and Linux) using the same username and password.
I have tried adjusting the following security policies via secpol.msc:
- Microsoft network client: Send unencrypted password to third-party SMB servers (enabled and disabled)
- Network security: LAN Manager authentication level (Send LM & NTLM responses, Send LM & NTLM - use NTLMv2 session security if negotiated)
- Network security: Minimum session security for NTLM SSP based clients/servers (128-bit encryption and none)
I've tried disabling smb2/3 using:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
I've tried removing and re-adding my Windows credential file associated with the server.
I've tried syncing Windows' clock with the same ntp server that the machine running the Samba share uses.
I've even tried making my share public, but it still gives me the same password error.
This is a new problem; up until about a week ago I could connect just fine. I am running Samba 4.5.0-2 on a server running Arch Linux 4.7.4-1. The client machine is running Windows 10, version 1511, build 10586.589. Anyone have any ideas of what else I can try?
Answers
-
For what it's worth, this is how you do it in windows 8:
Open the search tool from the right-hand side of the screen, and type "secpol.msc" in the box, and then click OK.
Click Local Policies, Security Options , "Network Security: LAN Manager authentication level."
Click "Send LM & NTLM - use NTLMv2 session security if negotiated."
Click Apply.
That _should_ do what you want, but you might have to play with the other options there.
--J
- Marked as answer by romle Thursday, September 29, 2016 1:15 AM
All replies
-
It could be the Windows 10 machine is checking the password against the wrong system, i.e. itself. It has done that for me at times. To specify where to check the password, the server can be put before the username, separated with a backslash. So:
net use l: \\myserver\myshare /u:myserver\myusername mypassword
Give that a try.
-
Hello Romle,
Have you looked at the logs on the samba server? You can try turning up the samba server's log verbosity and see if that produces anything useful in the logs. My gut feel, however, is that somehow your password is either not getting into the 'net' command correctly, or windows is doing something funny with it before it sends it to the samba server. Are you able to capture the traffic with tcpdump or wireshark and then post the .pcap file? I could look at the network traffic for you to see if there is something strange there.
--J
-
Thanks for the tips. These seem to be the important parts of the samba log:
[2016/09/27 21:51:40.144324, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYSERVER\[MYUSER]@[MYCLIENT] with the new password interface
[2016/09/27 21:51:40.144353, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [MYSERVER]\[MYUSER]@[MYCLIENT]
...
[2016/09/27 21:51:40.144977, 2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user MYUSER
[2016/09/27 21:51:40.144990, 3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user MYUSER
...
[2016/09/27 21:51:40.145577, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [MYUSER] -> [MYUSER] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/09/27 21:51:40.145614, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
From Wireshark, I log the following exchanges:
10 0.055988 CLIENTIP SERVERIP SMB2 220 Session Setup Request, NTLMSSP_NEGOTIATE
11 0.056648 CLIENTIP SERVERIP SMB2 291 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
12 0.056827 CLIENTIP SERVERIP SMB2 385 Session Setup Request, NTLMSSP_AUTH, User: SERVERIP\MYUSER
13 0.058042 SERVERIP CLIENTIP SMB2 131 Session Setup Response, Error: STATUS_LOGON_FAILURE
I'm having trouble posting a link to the full pcap (apparently they can't verify my account), but I'll try to make that available shortly as well.
The solution isn't jumping out at me from the logs/pcap. Can you offer any thoughts or advice?
- Edited by romle Wednesday, September 28, 2016 2:43 AM explain account verification problem
-
Hi Romle,
Thanks for sending the logs. In your /etc/smb.conf file, do you have a line that contains "min protocol"? Also, is there a line that says something like "client ntlm auth"? It looks like the Windows 10 machine is sending passwords to your SAMBA server using the NTLMv1 protocol which appears to be disabled on the SAMBA server. We can either enable NTLMv1 in SAMBA, or better yet, enable NTLMv2 in the Windows server.
If you are unable to force the Windows machine to NTLMv2 for whatever reason, you might need to disable the 'client ntlmv2 auth' and turn on the 'client ntlm auth' in order to make it work (see below).
--J
client NTLMv2 auth (G)
This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.
If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Older servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2 when not in an NTLMv2 supporting domain.
Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.
If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.
Note that Windows Vista and later versions already use NTLMv2 by default, and some sites (particularly those following 'best practice' security policies) only allow NTLMv2 responses, and not the weaker LM or NTLM.
Default: client NTLMv2 auth = yes
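An added example (not part of the thread and not Samba's own code): a small Python triage of the kind of log excerpt posted above, separating a refused NTLMv1 response from an ordinary credential failure. The sample log is constructed from the lines quoted in the thread; the function names and verdict strings are this example's own.

```python
import re

# Constructed sample: the level-2/3 entries quoted in the thread (header line,
# then indented message line), with the paste's line numbers removed.
SAMPLE_LOG = """\
[2016/09/27 21:51:40.144977,  2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user MYUSER
[2016/09/27 21:51:40.144990,  3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user MYUSER
[2016/09/27 21:51:40.145577,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [MYUSER] -> [MYUSER] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/09/27 21:51:40.145614,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)")
NTLMV1 = re.compile(r"NTLMv1 passwords NOT PERMITTED for user (\S+)")
FAILED = re.compile(r"Authentication for user \[(.+?)\] -> \[.+?\] "
                    r"FAILED with error (NT_STATUS_\w+)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def triage(text):
    """Per user: was an NTLMv1 response refused, and how did the logon end?"""
    users = {}
    blank = lambda: {"status": None, "ntlmv1_refused": False}
    for entry in parse_entries(text):
        refused, failed = NTLMV1.search(entry["msg"]), FAILED.search(entry["msg"])
        if refused:
            users.setdefault(refused.group(1), blank())["ntlmv1_refused"] = True
        if failed:
            users.setdefault(failed.group(1), blank())["status"] = failed.group(2)
    for info in users.values():
        info["verdict"] = ("protocol mismatch: client sent NTLMv1, server refuses it"
                           if info["ntlmv1_refused"] else "credential failure")
    return users

if __name__ == "__main__":
    for user, info in triage(SAMPLE_LOG).items():
        print(user, info)
```

The same NT_STATUS_WRONG_PASSWORD status appears in both cases, so the "NTLMv1 passwords NOT PERMITTED" entry is what tells a protocol mismatch apart from a mistyped password.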
-
-
Now we're making progress. Using ntlm auth = yes in smb.conf, I can successfully connect.
Do you know how I can enable NTLMv2 in my Windows 10 client?
I googled up this page: https://support.microsoft.com/en-us/kb/239869 but it covers every version of Windows except 10, so I wasn't sure if there's a more up-to-date article somewhere. I haven't looked very hard yet, but most of the pages I can find don't mention Windows 10. Do you know if the method is different?
I'll keep searching later on. Thank you so much for helping to point me in the right direction!
- Proposed as answer by frankgol Thursday, June 29, 2017 1:56 PM
-
Hi Romle,
I'm glad that you're seeing some progress. NTLMv2 should be the default for windows 7, vista, 8 and 10. Usually if you have one of those systems and it's using NTLMv1, it's because somebody set it that way. Are you part of a domain or do you have other servers that you're communicating with that might be expecting v1? If not, the windows 8 method should be very similar to 10, but I haven't verified that.
--J
-
Thanks a million, I was getting scared I'd never access those files from this machine again.
I previously tried Send LM & NTLM - use NTLMv2 session security if negotiated,
but using 'Send NTLMv2 response only. Refuse LM & NTLM' client-side, and in smb.conf server-side:
lanman auth = no
ntlm auth = no
I can connect to the share successfully.
edit: reading into the samba man pages, those are both the default settings, so leaving them out of smb.conf entirely works as well.
- Edited by romle Thursday, September 29, 2016 1:29 AM
-