SMB access denied with VPNs

I continue to not solve this problem.
now I’m on the remote site.

I installed a second nethserver, with a vpn tunnel I published the 2 net directly
1.x with samba services
and 18.x the network that must access remotely
(i remove completly alias 12.x)

the folders without authentication navigate, those protected no, keep asking me for the password.

I’m looking at all the logs

message / firewall / log.smb
but I find nothing.

Where should I look? do you have some advice?

in prompt i have run

net use * /delete

and retry connection my pc samba server

Any error from smbd or nmbd in /var/log/messages?

any :triumph:

can a Windows Active Directory domain interfere with authentication?

to avoid dns problems I have put on pc in

c: \ windows \ system32 \ etc \ hosts domain

no! i have try with only my pc…

i have try from another network through another tunnel vpn.
same result.
autentication dosen’t work!

someone uses shared folder with ACL through the vpn tunnel?

my pc		    -> nethserver 	-> internet  <- nethserver 	    <- samba server	

Hi Enzo,

what do you think about this?

STATUS_ACCESS_DENIED sounds as if a program on the client tried to open or create a file to which the account being used for the SMB connection did not have access - i.e., it’s not a networking problem or an SMB packet-signing problem, it’s a file permissions problem.

Isn’t permission problem, i have check via GUI and Reset Permission on folder.
I have try with my user and admin user.

yet I am convinced that it is a name resolution problem.
I tried to insert the entry into the LMHOST file in ipv4 protocol DOMAIN

1.2 is the nsdc ip

for once it has been authenticated,
I restarted the pc and you no longer logged in

:astonished: once? Can you test it from smbclient? I prefer it because has no “caching” and error messages are more useful

connection through OpenVpn Gui via OpenVPN roadwarrior work perfectly.

[root@dbo ~]# smbclient // -U
Enter's password:
OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@dbo ~]# smbclient // -U enzo -W domain
Enter DOMAIN\enzo's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Do those commands work if the client is in the same LAN of the file server?

Just a silly questions. I did not understand very well the setup so:

Is the client using the DNS of the server ?
Also is the second NS joined to the AD ?

what format is the username you use?:
DOMAIN\username or username@domain.suffix

try using only “domain” and do not apend the suffix ".it"
Example username@domain

Also a good thing will be to check what level of protocol is used by the client to negociate NT/SMB/SMB2/SMB3 etc

they actually do not seem to run, I did a lot of tests, but I do not find any errors in the logs, I also checked in sssd. host-specific samba logs are empty (0 kb)

no and no, but I’ve tried all the combinations of dns (local NS, remote NS, remote SAMBA)

in primary network (not vpn) both work well. I use it indiscriminately for joining in the domain

wireshark say SMB2

i have try but dont solve

I’m quite confused… can we focus on a File Server (with remote AD account provider) scenario? Can we ignore the VPN?

This is puzzling! Ensure your remote network is considered “trusted” (see Trusted networks page).

i have setup in remote dns client only ip of VB-nsdc
client now login, both > domain\user and >

obviously not a solution, but maybe it’s the explanation of the problem

i have insert remote network vpn tunnel in trusted network, since he did not see anything

maybe I’m wrong with the commands in smbclient, now I’m looking for the right combination

ok i found solution. :scream:

for correct name resolution in remote vpn tunnel fw i have insert as a secondary dns the ip of my primary fw

in samba server i have added ip subnet of vpn tunnel into the trusted network

now domain authentication work right with DOMAIN\username over vpn tunnel

hoping they will :grin:


You’re lucky: mixing private and public DNS forwarding leads to weird issues! I’d not recommend it at all!

7 posts were split to a new topic: Unable to join/access AD domain through VPN