Windows 10 Anonymous Share Issue Printer Management



  • FOG Version: 1.5.7.1
    FOG OS: CentOS
    Client OS: Windows 10 PRO

    Hello! I am currently having an issue deploying printers from an anonymous SMB share to any Windows host… I have been getting an error stating:

    “You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe malicious devices on the network.”

    I never used to get this message until the most recent Windows 10 update.

    @Wayne-Workman do you have a workaround for this?

    Thanks!



  • @Wayne-Workman
    @george1421

    I figured this one out… I was having problems with security. One of Windows 10’s recent updates (as in the last 3 months or so) was blocking connections to anonymous shares. It allowed them but they needed to be authenticated. For those of you who stumble across this post…

    Add your FOG server to your domain and configure Kerberos. After you do this you will need to configure your driver share. I have included the way I did mine and it works. This configuration is for using an existing domain controller. In our case, we use Windows Server 2012 to do domain control.

    Do the following:

    yum install samba*
    yum install krb5-libs krb5-workstation

    Configuration Kerberos /etc/krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = YOURDOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    DOMAIN.TN = {
    kdc = dns-name-your-domain-controller
    }

    [domain_realm]
    netbiosnameyourdoamin = NETBIOSNAMEYOURDOMAIN
    netbiosnameyourdomain = NETBIOSNAMETYOURDOMAIN

    Configuration samba /etc/samba/smb.conf

    [global]

    workgroup = DOMAIN
    password server = dns-name-your-domain-controller:88
    realm = NETBIOSNAMETYOURDOMAIN
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = true

    log file = /var/log/samba/log.%m
    max log size = 50

    passdb backend = tdbsam

    load printers = yes
    cups options = raw

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

    [printerdrivers]
    comment = All FOG Printers
    path = /PATHTODRIVERS
    browseable = no
    guest ok = no
    writable = yes

    Add dns name in /etc/hosts

    Install and configure the ntp server (it’s important for using Kerberos authorization)

    yum install ntp
    edit /etc/ntp.conf
    server ip-address-your-ntp-server prefer

    Create ticket

    kinit account-admin-for-active-directory@NETBIOSNAMETYOURDOMAIN

    Add server in domain

    net ads join -S dns-name-your-domain-controller -U account-admin-for-active-directory

    Create keytab for Kerberos

    net ads keytab create -U account-admin-for-active-directory

    Edit file /etc/nsswitch.conf

    passwd: files winbind
    shadow: files winbind
    group: files winbind

    Restart samba and winbind

    Test
    net ads info
    wbinfo -t
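
An added example, not part of the original thread: a small Python audit of an smb.conf that flags what makes Samba answer with a guest (unauthenticated) logon, which is what Windows 10 now refuses, plus writable shares with no `valid users` list such as the `[printerdrivers]` share posted above. The function names, the sample config and the `olddrivers` share are constructed for illustration.

```python
import configparser

TRUE = {"yes", "true", "on", "1"}   # boolean spellings Samba accepts as enabled

def parse_smb_conf(text):
    """Parse smb.conf text; [global] values become the default for every share."""
    lines = [ln.strip() for ln in text.splitlines()]   # indentation has no meaning here
    lines = [ln.lower() if ln.startswith("[") else ln for ln in lines]
    cp = configparser.ConfigParser(default_section="global", strict=False,
                                   interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    # Samba ignores case and whitespace inside parameter names ("Guest OK" == "guestok").
    cp.optionxform = lambda key: "".join(key.lower().split())
    cp.read_string("\n".join(lines))
    return cp

def audit(text):
    """Return (section, finding) tuples for guest access and unrestricted writes."""
    cp = parse_smb_conf(text)
    findings = []
    if cp.defaults().get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map to guest: failed logons can fall back to guest"))
    for share in cp.sections():
        opts = cp[share]
        on = lambda *names: any(opts.get(n, "no").lower() in TRUE for n in names)
        if on("guestok", "public"):          # "public" is a synonym of "guest ok"
            findings.append((share, "guest ok: share accepts unauthenticated connections"))
        writable = on("writable", "writeable", "writeok") or \
            opts.get("readonly", "yes").lower() not in TRUE
        # [homes] is per-user by design, so only ordinary shares are flagged.
        if share != "homes" and writable and "validusers" not in opts:
            findings.append((share, "writable without valid users: any authenticated account may write"))
    return findings

# Constructed sample: the page's [printerdrivers] share plus a made-up legacy guest share.
SAMPLE = """
[global]
    log file = /var/log/samba/log.%m
    map to guest = Bad User
[printerdrivers]
    guest ok = no
    writable = yes
[olddrivers]
    Public = Yes
    read only = yes
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```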



  • No idea, haven’t used Windows in a year.


  • Moderator

    I’m not sure how you are connecting things, but my bet is someone disabled guest or anonymous access (which should have been blocked years ago). Typically you will need to provide domain level connection credentials to access domain-based network shares. If your connection is by a batch file, mapping a drive to the network share or the IPC$ port first will then address the issue.

    If you use a batch file this command will map a drive with network credentials.

    net use t: \\server\share1 /user:domain\user <password>
    will map a network drive to a remote server using the specific credentials.

    If you want to use a driveless connection then you can go this route

    net use \\server\IPC$ /user:domain\user <password>
    \\server\share\file_path\some_program.exe
    
