Windows 10 clients flooding Samba servers with phantom guest login attempts

I am currently running a Samba server for file sharing on a SOHO network.

I have noticed that one of the recent patches to Windows 10 seems to have introduced some sort of nasty bug with SMB that causes Windows 10 to spam unauthenticated guest requests at the SMB server for every file accessed.

The errors I get in the Samba logs are as follows:

[2021/12/22 18:31:42.283148,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (MY_USERNAME)
[2021/12/22 18:31:42.283174,  1] ../../source3/smbd/service.c:545(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Over on the Windows 10 client, I see the event viewer under Applications and Services Logs -> Microsoft -> Windows -> SMBClient -> Security filling up with the following errors:

The SMB client failed to connect to the share.

Error: {Access Denied}
A process has requested access to an object, but has not been granted those access rights.

Path: \smb\MY_USERNAME

This bug appears to have been introduced sometime in the past couple of months during a KB rollup, since a fresh install of Windows 10 does not provoke this behavior; only a fully updated installation will.

I want to be clear about a couple of things:

  1. The client authenticates with the server just fine. My network shares work great, so I don't think this is a credential issue. Nevertheless, Windows 10 is constantly spamming Samba with unauthenticated guest login attempts on every file access.

  2. Guest access has NOT been enabled in Windows 10. It is disabled by default and I haven't overridden it using GPOs.

  3. Windows Defender isn't configured to scan network shares. Administratively disabling that function doesn't seem to change anything.

  4. I've tried outright disabling guest access in Samba, and I've tried enforcing encryption/server signing as well (which disables guest access entirely). Despite this, I still get phantom guest login attempts from the Windows 10 clients (though the error changes on the Samba server to say something about guest access being blocked due to encryption).

Again, I can log in to the file server just fine and things do work, except for the bit where Windows 10 appears to be attempting to spawn a guest login for every file accessed.

Is there any way to fix this behavior on either the Samba or Windows 10 client side? I've seen some similar reports of this online, but thus far no solutions and I haven't been able to find anything in smb.conf that would "fix" this (apparent?) bug.


Solution 1:

I haven't done the regression testing of rolling back to old versions of Windows, but I can share that I'm seeing the same problem here, with Win 10 19044.1415 connecting to a TrueNAS Core 12 box. It works, but it certainly creates some noisy logs:

[2021/12/24 21:40:18.383339,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (personal)
[2021/12/24 21:40:18.383383,  1] ../../source3/smbd/service.c:544(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Per a previous commenter's question, my ICACLS output:

C:\>icacls \\nas\personal
\\nas\personal S-1-22-1-0:(F)
               CREATOR OWNER:(OI)(CI)(IO)(F)
               S-1-5-21-3997689159-3832354152-3824094002-1005:(M,DC)
               CREATOR GROUP:(OI)(CI)(IO)(M,DC)

Successfully processed 1 files; Failed processing 0 files

EDIT: This issue from November 2020 (!) seems very similar: https://docs.microsoft.com/en-us/answers/questions/122178/windows-10-sends-unauthenticated-smb-requests.html

Also, in my case, unfortunately the client logs the same error (SMBClient Error code 31010) in the Windows event log for every single error that shows up in the Samba server logs.

EDIT 2: Possible success?

I've been able to get this behavior to stop by disabling Windows Defender real-time inspection globally on the Win10 client. I haven't yet discovered any tweaks to Defender settings that allow me to leave it enabled but not produce this behavior - for example, mapping a drive to the share and excluding that mapped drive from scanning in Defender settings does /not/ work.

EDIT 3: The only long-term workaround I've found so far (that doesn't require killing all real-time malware protection) is to give in and enable guest logins for SMB shares. This lets the broken Windows behavior continue without triggering a flood of errors, and the rest of my Samba setup doesn't permit a guest to access anything (the guest user maps to 'nobody' and the filesystem ACLs are all chmod xx0) so this works fine for me. YMMV.

Interestingly, after this change, the Windows client now logs a complaint in the event log (once per share connection) that the remote SMB server is permitting guest connections when it really shouldn't...oh, the irony.
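
To measure how often the guest denials quoted in the question and in this answer occur, for instance before and after changing a Defender or guest-login setting, the following added example (not part of either post) parses the two-line smbd log format shown on this page and counts denials per share per minute. The sample lines are constructed from the excerpts above, and the function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the two-line smbd log format quoted on this page.
SAMPLE_LOG = """\
[2021/12/22 18:31:42.283148,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (MY_USERNAME)
[2021/12/22 18:31:42.283174,  1] ../../source3/smbd/service.c:545(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2021/12/22 18:31:42.901100,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (MY_USERNAME)
[2021/12/22 18:32:05.120000,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (personal)
"""

# Header line: "[YYYY/MM/DD HH:MM:SS.usec, level, ...] file:line(function)".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\]")
# Message line for a guest session refused at tree connect; captures the share.
GUEST_DENIED = re.compile(
    r"guest user \(from session setup\) not permitted to access this share \((.+)\)\s*$")

def guest_denials(lines):
    """Yield (timestamp, share) for each guest-denied share connection."""
    stamp = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            # Remember the header's timestamp for the message that follows it.
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = GUEST_DENIED.search(line)
        if m and stamp is not None:
            yield stamp, m.group(1)
            stamp = None  # count one denial per header

def denials_per_minute(lines):
    """Count denials per (minute, share) bucket."""
    counts = Counter()
    for stamp, share in guest_denials(lines):
        counts[(stamp.strftime("%Y-%m-%d %H:%M"), share)] += 1
    return counts

def flooding(counts, threshold):
    """Return the (minute, share) buckets with at least `threshold` denials."""
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for (minute, share), n in sorted(denials_per_minute(SAMPLE_LOG.splitlines()).items()):
        print(f"{minute}  {share:<15} {n}")
```

Feed it the lines of the real smbd log instead of `SAMPLE_LOG` to compare denial rates across configuration changes.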