Thanks so much Gaiseric for your continued help, your advice was spot on and I have found the issue in the Windows 7 security settings. Not sure how it happened as a bad client was imaged from a good client.

I'd already tweaked the "Network Security: LAN Manager authentication level" to 'Send LM & NTLM - use NTLMv2 session security if negotiated' but on closer examination I found several other differences. The 4 changes that got me working were:

1: Microsoft network client: Digitally sign communications (always) - Disabled
2: Network access: Do not allow anonymous enumeration of SAM accounts and shares - Disabled
3: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Require 128-bit encryption
4: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Require 128-bit encryption

though I suspect just changes 1: and 3: would have been enough.

Once again thanks for all your input.

Ed

On 13 May 2013 15:59, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> That suggests either a configuration difference with some of the win 7
> machines or a difference with some of the AD accounts for the machines.
>
> On the NAS, does the "getent passwd" command display user and machine
> accounts? Is it maybe showing only some machine accounts and not
> others? It might be possible that samba has been unable to account an
> idmap entry for newer machines. Although I would think this would
> affect authentication issues, not connection issues. I have found
> idmapping to be one of the less reliable functions in samba.
>
> Are all the Win 7 machines configured with identical network settings
> (apart from the IP address itself of course)? This should be the case if
> you use DHCP.
> Are there any security settings on the problem Win 7 machines that are
> different? If you use gpedit.msc -> computer -> security settings, you
> may want to review things like NTLMv2 settings. Are all the machine
> accounts in the same AD container?
>
> If this is all AD, then you should not need to use WINS. Although it
> may also help resolve confusion about which machine is the local master
> browser. Which shouldn't really matter either. I use samba 3.x as a
> non-AD PDC so the WINS and browser stuff is more important.
>
> If the Microsoft server is the AD PDC it may expect to be the local master
> browser. I think there can only be one local master browser per
> subnet. And if you look thru the nmbd logs (?) on the NAS as well as the
> logs on the Win 2008 server, you may see results of a browser
> election.
>
> The "testparm -v" will show you all the config settings, including those
> set by default even if not explicitly set in smb.conf.
>
> On 05/13/13 08:44, Ed Strong wrote:
> > Hi,
> >
> > all XP clients work fine. As do most win 7 clients. Just a handful of
> > win7 clients have this issue.
> >
> > We only have one Microsoft server: 2008 R2, it does not have the WINS
> > server feature installed.
> > The qnap box is called saturn and is a member of the domain
> > telnet saturn 139
> > results in blank screen, blinking cursor so port open I guess.
> > NAS uses our Microsoft server for its DNS and registers itself in DNS
> > Also on the NAS I have:
> > Enable WINS server NOT checked
> > Local master browser checked
> > Allow only NTLMv2 authentication NOT checked
> > DNS has a reverse lookup zone with a PTR record for client
> >
> > This is my foray into samba so I'm not familiar with the config file
> > structure but here is the global section:
> >
> > [global]
> > log level = 3
> > passdb backend = smbpasswd
> > workgroup = OUR_DOMAIN
> > security = ADS
> > server string =
> > encrypt passwords = Yes
> > username level = 0
> > map to guest = Bad User
> > null passwords = yes
> > max log size = 50
> > socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 SO_RCVBUF=131072
> > os level = 20
> > preferred master = no
> > dns proxy = No
> > smb passwd file=/etc/config/smbpasswd
> > username map = /etc/config/smbusers
> > guest account = guest
> > directory mask = 0777
> > create mask = 0777
> > oplocks = yes
> > locking = yes
> > disable spoolss = yes
> > load printers = no
> > display charset = UTF8
> > force directory security mode = 0000
> > veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
> > delete veto files = yes
> > map archive = no
> > map system = no
> > map hidden = no
> > map read only = no
> > deadtime = 10
> > use sendfile = yes
> > unix extensions = no
> > store dos attributes = yes
> > client ntlmv2 auth = yes
> > dos filetime resolution = no
> > inherit acls = yes
> > wide links = yes
> > force unknown acl user = yes
> > template homedir = /share/homes/DOMAIN=%D/%U
> > domain logons = no
> > min receivefile size = 4096
> > case sensitive = auto
> > domain master = auto
> > local master = yes
> > enhance acl v1 = yes
> > remove everyone = yes
> > kernel oplocks = no
> > mangled names = no
> > realm = OUR_DOMAIN.local
> > password server = SERVER.OUR_DOMAIN.local
> > pam password change = yes
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind cache time = 3600
> > idmap uid = 400001-500000
> > idmap gid = 400001-500000
> > idmap config OUR_DOMAIN : backend = rid
> > idmap config OUR_DOMAIN : range = 10000001-20000000
> > wins support = no
> > name resolve order = host bcast
> >
> > On 10 May 2013 16:19, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> >> Are XP clients having the same problem? Trying with an XP client
> >> would help indicate if there was something specific to XP. (I skipped
> >> vista.)
> >>
> >> Can you check in smb.conf
> >> - is the server a member server, AD member server, standalone
> >> server, or domain controller.
> >> - Are ports explicitly defined
> >> - how is name resolution configured?
> >> - is NTLMv2 required (I couldn't get NTLMv2 support working.)
> >>
> >> Domain membership shouldn't matter at this point since you aren't even
> >> getting to the authentication phase.
> >>
> >> Can you telnet port 139 to make sure it is open?
> >>
> >> Do you have a WINS server defined? If so make sure client and NAS are
> >> using the same WINS server. Is your NAS configured to use a DNS server?
> >> Do you have a reverse lookup zone defined in DNS? The NAS may be trying
> >> to do a reverse lookup on the IP of the client. There doesn't need to be
> >> a PTR entry for the client but you at least want the zone. If DNS
> >> tries to lookup an IP and gets an immediate "host not found" that is OK.
> >> If it times out because it can't even locate a DNS server then that could
> >> cause problems for other services dependent on DNS.
> >>
> >> On 05/10/13 10:58, Ed Strong wrote:
> >>> Hi,
> >>>
> >>> Thanks for the info, I'm replying to you in gmail to samba@lists.samba.org,
> >>> hope that is correct?
> >>>
> >>> Yes I can edit the config file on the NAS
> >>>
> >>> Looking at the network packets all communication to NAS seems to be on
> >>> port microsoft-ds (445)
> >>> I can't see any traffic on ports 137/138/139
> >>>
> >>> If I use the IP I get exactly the same error :(
> >>>
> >>> On 10 May 2013 15:01, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> >>>> I think the "Error was Transport endpoint is not connected" warnings are
> >>>> sometimes misleading. Do you have any control over the samba config
> >>>> (smb.conf) on the NAS? On regular samba installs, changing the default
> >>>> port settings can cause more problems.
> >>>>
> >>>> Windows 7 will try to connect on port 445 (SMB or CIFS over tcp/ip), and
> >>>> will then reconnect to ports 137/138/139 (SMB over netbios over tcp/ip)
> >>>> since samba 3.x doesn't handle the newer SMB-over-tcp/ip. Disabling
> >>>> 445 on the server seems to cause more problems than it solves.
> >>>>
> >>>> Are you able to connect via IP? e.g. net use \\qnap_ip\share ?
> >>>>
> >>>> I had problems in the past when I disabled port 445 on samba servers.
> >>>> Remote users (no netbios broadcasts permitted) could connect via IP but
> >>>> not via name. For the name only connections, packet monitoring would
> >>>> show packets getting thru to the server but the exchange between client
> >>>> and server not being completed. For clients connecting via IP, the client
> >>>> would send packets to server, server respond, and then clients responded.
> >>>>
> >>>> On 05/07/13 03:53, Ed Strong wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I'm re-posting this (with some more info) as I don't think the original
> >>>>> got through as I wasn't signed up to the samba list.
> >>>>>
> >>>>> This is my first foray in samba (and newsgroups) so go easy :)
> >>>>> I've started reading the O'Reilly samba book but finding it hard going.
> >>>>>
> >>>>> Anyway I'm trying to map a network drive from a windows 7 pro client to a
> >>>>> QNAP NAS with the command:
> >>>>> net use s: \\qnap\share
> >>>>>
> >>>>> I've posted on several forums and got good advice but the problem remains.
> >>>>> Rather than repost all the detail, please see my original posts:
> >>>>>
> >>>>> http://forum.qnap.com/viewtopic.php?f=185&t=74639
> >>>>> http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
> >>>>> http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html
> >>>>>
> >>>>> I've managed to ssh onto the QNAP via putty and found this in the logs
> >>>>> (getpeername failed)
> >>>>>
> >>>>> [/var/log] # pwd
> >>>>> /var/log
> >>>>> [/var/log] # tail -f log.smbd
> >>>>> [2013/05/01 09:36:17.135999, 0] lib/util_sock.c:474(read_fd_with_timeout)
> >>>>> [2013/05/01 09:36:17.136096, 0] lib/util_sock.c:1440(get_peer_addr_internal)
> >>>>> getpeername failed. Error was Transport endpoint is not connected
> >>>>> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> >>>>> [2013/05/01 09:36:17.137700, 1] smbd/server.c:299(remove_child_pid)
> >>>>> Scheduled cleanup of brl and lock database after unclean shutdown
> >>>>> [2013/05/01 09:36:17.178522, 1] smbd/service.c:1073(make_connection_snum)
> >>>>> 172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=10000514) (pid 25771)
> >>>>> [2013/05/01 09:36:17.179093, 0] lib/util_sock.c:474(read_fd_with_timeout)
> >>>>> [2013/05/01 09:36:17.179173, 0] lib/util_sock.c:1440(get_peer_addr_internal)
> >>>>> getpeername failed. Error was Transport endpoint is not connected
> >>>>> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> >>>>> [2013/05/01 09:36:17.179289, 1] smbd/service.c:1254(close_cnum)
> >>>>> 172.24.120.139 (172.24.120.139) closed connection to service Staff
> >>>>> [2013/05/01 09:36:37.142714, 1] smbd/server.c:272(cleanup_timeout_fn)
> >>>>> Cleaning up brl and lock database after unclean shutdown
> >>>>>
> >>>>> The QNAP's samba version appears to be 3.5.2:
> >>>>>
> >>>>> [/var/log] # ps -ef | grep smb
> >>>>> 4016 admin 3104 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4017 admin 3728 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4366 admin 1840 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4877 admin 3300 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4902 admin 3952 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4978 admin 4132 S /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
> >>>>> 4979 admin 3356 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4980 admin 1224 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 4995 admin 1016 S /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
> >>>>> 5063 admin 2068 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
> >>>>> 9509 admin 1664 S /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
> >>>>> 25540 admin 544 S grep smb
> >>>>> [/var/log] # /usr/local/samba/sbin/smbd -V
> >>>>> Version 3.5.2
> >>>>>
> >>>>> I've also installed MS network monitor on two clients and did a capture
> >>>>> whilst running the command
> >>>>> net use s:\ \\saturn\staff
> >>>>>
> >>>>> I've posted three screenshots here:
> >>>>>
> >>>>> https://plus.google.com/photos/108734482620454690509/albums/5875135861918839393?authkey=CJ3lwKu2xJqMyQE
> >>>>>
> >>>>> Basically, Worked.png shows the SMB frames on a PC where the net use
> >>>>> command worked and Failed.png shows the SMB frames on a PC where the
> >>>>> net use command did not work
> >>>>>
> >>>>> It looks to me like the first 6 SMB frames are identical. Then things
> >>>>> start to change
> >>>>>
> >>>>> On the working client we continue with frame 10113 which is a
> >>>>> Dfsc: Get DFS Referral Request
> >>>>>
> >>>>> but the failing client continues with some TCP frames (see
> >>>>> tcp-frames154-157.png) 154 to 157
> >>>>> before it seems to start the negotiation again at frame 158
> >>>>>
> >>>>> Not sure how to troubleshoot this further so any advice welcome.
> >>>>>
> >>>>> Thanks
> >>>>> Ed
> >>>>>
> >>>>> PS I initially tried to post this on google group linux.samba but was
> >>>>> rejected by the moderation robot which said "Please submit your message
> >>>>> to the mailing list address".
> >>>>> I did this with attached PNGs but failed due to file size so hopefully
> >>>>> 3rd time lucky!

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
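The settings that turned out to differ between the imaged and the reference client are Local Security Policy entries backed by registry values. The PowerShell script below is an added example, not code from this thread, QNAP or Samba: it reads those values on a Windows client and decodes the NTLM minimum-session-security bitmask into the labels gpedit.msc shows, so a working and a failing machine can be diffed instead of toggling policies by hand. The registry paths and value names are the standard ones for these policies; the CSV file name is my own choice.

```powershell
# Added example (not from the thread): report the registry values behind the
# Local Security Policy settings discussed above. Read-only; run elevated.
$policies = @(
    @{ Name  = 'Microsoft network client: Digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature' },
    @{ Name  = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymous' },
    @{ Name  = 'Network security: LAN Manager authentication level'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel' },
    @{ Name  = 'Network security: Minimum session security for NTLM SSP based clients'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'NTLMMinClientSec' },
    @{ Name  = 'Network security: Minimum session security for NTLM SSP based servers'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'NTLMMinServerSec' }
)

# Decode the NTLMMin*Sec bitmask into the checkbox names shown in gpedit.msc.
function Decode-NtlmMinSec([int]$v) {
    $flags = @()
    if ($v -band 0x00080000) { $flags += 'Require NTLMv2 session security' }
    if ($v -band 0x20000000) { $flags += 'Require 128-bit encryption' }
    if ($flags.Count -eq 0) { 'No minimum' } else { $flags -join ', ' }
}

$report = foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue
    # $null means the value is absent and the OS default applies.
    $raw = if ($item) { $item.($p.Value) } else { $null }
    $setting = if ($raw -eq $null) { 'not set' }
               elseif ($p.Value -like 'NTLMMin*') { Decode-NtlmMinSec $raw }
               else { $raw }
    [pscustomobject]@{ Policy = $p.Name; RegistryValue = $p.Value; Raw = $raw; Setting = $setting }
}

$report | Format-Table -AutoSize
# One CSV per host (file name is an assumption); compare two hosts with:
#   Compare-Object (Import-Csv good.csv) (Import-Csv bad.csv) -Property Policy,Raw
$report | Export-Csv -Path "$env:COMPUTERNAME-smbpolicy.csv" -NoTypeInformation
```

Running it on the good and the bad client and diffing the two CSVs surfaces the same four differences the thread found, without having to walk the gpedit.msc tree twice.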