I have a running Samba v4.13 standalone server (no Active Directory nor Samba Domain) on Debian using an LDAP passdb backend (ldapsam) which was working just fine with a Windows 7 SMB client but does not work with a Windows 10 client.
At first the Windows 10 client could not even display the list of shares, so I had to allow the SMBv3 protocol by changing the configuration from:
min protocol = SMB2
to:
server min protocol = SMB2_10
server max protocol = SMB3_11
client min protocol = SMB2
client max protocol = SMB3
This gave Windows 10 clients access to shares allowed for guests.
But the next step is authenticating from the Windows 10 client to access private shares: once both username and password are provided, it asks for the credentials again with the following error message:
The user name or password is incorrect.
Samba log on the server shows:
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
At the same time, the exact same credentials work on Windows 7 (thus with the same smb.conf settings).
I tried playing with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
(https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level) without much luck.
My goal is to make Windows 10 clients able to authenticate (if it means losing Windows 7 clients in the process, that's fine with me).
Here is my smb.conf configuration:
[global]
workgroup = WORKGROUP
server string = %h SMB
wins support = no
dns proxy = yes
name resolve order = host bcast
server role = standalone server
security = user
guest account = nobody
encrypt passwords = yes
passdb backend = ldapsam:ldap://ldap.example.com
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap ssl = no
ldap delete dn = no
obey pam restrictions = no
ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
# Seems irrelevant
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = yes
prefered master = yes
local master = yes
os level = 255
allow insecure wide links = yes
# Time Machine related
use sendfile = yes
ea support = yes
vfs objects = catia fruit streams_xattr
fruit:resource = file
fruit:encoding = native
fruit:copyfile = yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = no
fruit:posix_rename = yes
fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
# /Time Machine related
# /Seems irrelevant
# Was working in Windows 7 (but removed for Windows 10)
;min protocol = SMB2
# /Was working in Windows 7 (but removed for Windows 10)
# Added for Windows 10 (with success)
server min protocol = SMB2_10
server max protocol = SMB3_11
client min protocol = SMB2
client max protocol = SMB3
# /Added for Windows 10 (with success)
# Tried for Windows 10 (without success)
# Attempt 1
lanman auth = yes
ntlm auth = ntlmv1-permitted
client lanman auth = yes
# /Attempt 1
# Attempt 2
lanman auth = no
ntlm auth = ntlmv2-only
client lanman auth = no
# /Attempt 2
# /Tried for Windows 10 (without success)
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
follow symlinks = yes
wide links = yes
[some-timemachine-share]
comment = Some timemachine share
path = /data/some-timemachine-share
browseable = yes
read only = no
guest ok = no
create mask = 0700
directory mask = 0700
# Settings for Time Machine
vfs objects = catia fruit streams_xattr
inherit acls = Yes
fruit:time machine = yes
fruit:time machine max size = 683G
In the LDAP tree, users do have:
objectClass=sambaSamAccount
sambaNTPassword
sambaAcctFlags
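One thing worth checking in the [global] section above: the "Attempt 1" and "Attempt 2" lines are both active (neither is commented out), and Samba applies smb.conf parameters in file order, so when a parameter appears twice the later line silently overrides the earlier one. The script below is an added example, not code from the original post or from the Samba project: it parses a constructed excerpt of the posted configuration and reports every parameter defined more than once in a section together with the value that actually takes effect. It relies only on Samba's documented name matching (parameter names are compared ignoring case and whitespace) and its `#`/`;` comment syntax; the excerpt and all sample values are constructed from the post.

```python
"""Report smb.conf parameters that are set more than once in a section.

Samba reads parameters in file order, so for a duplicated parameter the
last occurrence is the effective one.  Here the posted [global] section
keeps both "Attempt 1" and "Attempt 2", so only "Attempt 2" is in effect.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted smb.conf (not the complete file).
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server role = standalone server
security = user
passdb backend = ldapsam:ldap://ldap.example.com
;min protocol = SMB2
server min protocol = SMB2_10
server max protocol = SMB3_11
# Attempt 1
lanman auth = yes
ntlm auth = ntlmv1-permitted
client lanman auth = yes
# Attempt 2
lanman auth = no
ntlm auth = ntlmv2-only
client lanman auth = no
[homes]
read only = no
valid users = %S
"""


def normalize(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_param: [value, ...]}} keeping every
    occurrence in file order.  Sections are lower-cased; blank lines and
    lines starting with '#' or ';' are comments and are skipped."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section is None or "=" not in line:
            continue  # stray line outside any section, or not a key/value pair
        key, _, value = line.partition("=")
        sections[section][normalize(key)].append(value.strip())
    return sections


def effective_value(sections, section, param):
    """The value Samba ends up using: the last occurrence, or None if unset."""
    values = sections.get(section.lower(), {}).get(normalize(param))
    return values[-1] if values else None


def duplicate_parameters(sections, section="global"):
    """{normalized_param: (all_values, effective_value)} for every parameter
    that is defined more than once in the given section."""
    return {
        param: (values, values[-1])
        for param, values in sections.get(section.lower(), {}).items()
        if len(values) > 1
    }


def main():
    sections = parse_smb_conf(SAMPLE_SMB_CONF)
    for param, (values, effective) in duplicate_parameters(sections).items():
        print(f"[global] {param}: defined {len(values)} times {values}; "
              f"effective value is {effective!r}")


if __name__ == "__main__":
    main()
```

To run it against the real file, replace `SAMPLE_SMB_CONF` with the contents of `/etc/samba/smb.conf`; Samba's own `testparm -v` prints the effective value of every parameter and is the authoritative cross-check. For the posted file the effective authentication settings are those of "Attempt 2" (`ntlm auth = ntlmv2-only`, `lanman auth = no`), which is the combination a default Windows 10 client needs, so the duplicated "Attempt 1" block is not what blocks the logon.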