smb scanning weirdness c550



trekuhl
04-08-2009, 09:51 PM
i've recently received a c550 and having some issues setting up SMB scan. Ive searched around these forums and some other random googling but cant seem to find a related thread anywhere.

i am trying to scan to a server (win2k3 r2 x64) that is NOT a domain controller. i want to use a local acct vs a domain acct for this purpose. figure it minimizes some impact of someone capturing traffic/hashes etc. since it appears it only uses LM or NTLM v1/v2 for SMB scanning.

at any rate, i am able to setup a local user acct on win2k3 (FILESVR\scan) and browse via *nix or a non-domain machine perfectly fine. i cannot, however, get this to work from the KM c550. i can input a domain admin acct and goes right thru. when i try to use local acct, both "scan" or append local machine name "FILESVR003\scan" it fails. i kept thinking it was a security setting, but since i can punch right thru with ubuntu or off-domain machine i started thinking in another direction. now i am keeping the path and everything else the same, so it points towards an authentication issue.

i ran wireshark to capture traffic and saw that the c550 is appending the domain name prior to the username, which seems odd since i do not have a default DNS name setup in the TCP/IP settings of the printer (i only have an IP setup, no gateway, no DNS, etc) see below packet cap, user is "scan" server is FILESVR003, domain name is "discontinuations.local" changed domain name kept same number characters and you can see its pulling a netbios name for preceding the username.

...:.SMBr.....C.........................LANMAN1.0. .NT LM 0.12......SMBs..................................
.......B...........`@..+......604..0..
+.....7..
.". NTLMSSP........`.................K.O.N.I.C.A. .M.I.N.O.L.T.A. .O.S. .1...0...K.O.N.I.C.A. .M.I.N.O.L.T.A. .L.A.N.M.A.N. .1...0.......\.SMBs............................... ...
.................!.....0...........NTLMSSP........ .z...............@.......^.......f..............`D .I.S.C.O.N.T.I.N.U.A.T.I.O.N.s.c.a.n.K.M.B.T.5.9.D .1.C.8.(.7).5.A{...t.T..h!.......73.o<[.$...z...........h!......h!.............D.I.S.C.O. N.T.I.N.U.A.T.I.O.N.....F.I.L.E.S.V.R.0.0.3...,.d. i.s.c.o.n.t.i.n.u.a.t.i.o.n.s...l.o.c.a.l...>.f.i.l.e.s.v.r.0.0.3...d.i.s.c.o.n.t.i.n.u.a.t.i.o .n.s...l.o.c.a.l...,.d.i.s.c.o.n.t.i.n.u.a.t.i.o.n .s...l.o.c.a.l..........k /..f'....B....K.O.N.I.C.A. .M.I.N.O.L.T.A. .O.S. .1...0...K.O.N.I.C.A. .M.I.N.O.L.T.A. .L.A.N.M.A.N. .1...0..........SMBs........................... ......
.....................O,..|.. V..I.A.\..G.*.N.<.J.....T............@.B.s.c.a.n.....K.O.N.I.C.A. .M.I.N.O.L.T.A. .O.S. .1...0...K.O.N.I.C.A. .M.I.N.O.L.T.A. .L.A.N.M.A.N. .1...0...

so ive been thru every page i can see on the pagescope admin util and the domain isnt specified anywhere. it was, at one point, in the DNS default search but since removed and machine rebooted. i cant seem to figure out anywhere else it is in pagescope.

any tips? i'd prefer use the local than domain acct.

thx,

-trekuhl
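
The domain, user and workstation strings visible in the capture above are carried in the NTLMSSP AUTHENTICATE (type 3) message. As an added example that is not part of the original thread, this Python sketch pulls those three names out of a captured session-setup payload so the account domain the device actually sent can be compared with the server name; the sample bytes, the workstation name KMBT-EXAMPLE and all function names are constructed for illustration.

```python
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: names are UTF-16LE

def _field(msg, off):
    # Field descriptor: Len(2), MaxLen(2), BufferOffset(4), little-endian.
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("field points outside the captured message")
    return msg[start:start + length]

def parse_authenticate(payload):
    """Locate a type 3 NTLMSSP message in payload; return its names or None."""
    pos = payload.find(SIG)
    while pos != -1:
        msg = payload[pos:]
        # Skip NEGOTIATE (1) and CHALLENGE (2) messages in the same capture.
        if len(msg) >= 64 and struct.unpack_from("<I", msg, 8)[0] == 3:
            flags = struct.unpack_from("<I", msg, 60)[0]
            enc = "utf-16-le" if flags & UNICODE else "cp437"
            return {"domain": _field(msg, 28).decode(enc),
                    "user": _field(msg, 36).decode(enc),
                    "workstation": _field(msg, 44).decode(enc)}
        pos = payload.find(SIG, pos + 1)
    return None

def names_this_server(fields, server):
    """True when the domain field is the target server's own name (local account)."""
    return fields["domain"].upper() == server.upper()

def build_sample(domain, user, workstation):
    """Constructed type 3 message: empty responses, 64-byte header, UTF-16LE names."""
    parts = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    header, body, off = SIG + struct.pack("<I", 3), b"", 64
    for p in parts:  # LM resp, NT resp, domain, user, workstation, session key
        header += struct.pack("<HHI", len(p), len(p), off)
        body += p
        off += len(p)
    return header + struct.pack("<I", UNICODE) + body

if __name__ == "__main__":
    # Constructed payload: some SMB bytes in front of the NTLMSSP blob.
    capture = b"\xffSMBs" + b"\x00" * 20 + build_sample(
        "DISCONTINUATION", "scan", "KMBT-EXAMPLE")
    fields = parse_authenticate(capture)
    print(fields, "local account:", names_this_server(fields, "FILESVR003"))
```
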

cobiray
04-08-2009, 10:20 PM
Paranoid much? Just kidding.

I don't have an answer as to how to use a local account vs domain account (my brain says it won't work, but I'm not an IT guru.) What we often do is to set up a scan account that has access to the assigned folders but disable the account so that it can't be used as a login. Just a thought...

jneezy2008
04-08-2009, 11:08 PM
What error message is showing in the job list on the C550?

trekuhl
04-09-2009, 12:18 AM
stepped out for the eve, but fairly sure it is always "invalid login" i notice looking about there is a pagescope log admin util but guessing it is a pay-for util as i cant seem to find the dl link on km site... but of course when i use an acct that is domain it will work (with proper privileges) and the packet cap shows it is throwing a netbios name prior to whatever user name i put in...damn printer is too smart for its own good. with domain acct i think im less worried about local logins and more worried about network access. i can GPO allow and deny access over network policies and use at least 2 policies to restrict access to that server specifically...but its more work than using a local acct, of course at this point it may consume less time ;-)

-trekuhl

trekuhl
04-09-2009, 03:10 PM
ok, so "login error" is all the detail it gives from the printer itself.

cobiray
04-09-2009, 05:33 PM
Like I said before, I don't think it is possible to scan SMB with a local only account. Have you been able to get it to work with a network account to verify your setup?

trekuhl
04-13-2009, 05:59 PM
yes it works fine with a network acct. but wait, more weirdness... i set up a off-domain xp box and functions fine (it appends IP prior to username). THEN i thought let me try another win2k3svr box, so i have an extra box i run vmware on to do some testing and it is a domain machine and it functions same as off-domain; simply appends the IP prior to the username. This box WAS in a different GPO so i moved it to the same as the other filesvr i am trying to get it working on, gpupdate /force and get it seeing same policy and it STILL works fine and doesn't append the domain name prior to the username (just the IP) weird? -trekuhl

TheOwl
04-13-2009, 11:43 PM
On the copier Network settings, drop the NTLM login version back to v1. Version 1 is for local accounts and v2 is for accounts held within AD.

leo
04-14-2009, 08:09 AM
check this setting on the server. ( ref attachment)
the service has to be set to "disable"
i also have a general scanning guide. let me know if u want it.

buster68
04-14-2009, 01:53 PM
Here's my opinion...SMB stinks. Go the easy way, use FTP or scan to the HDD on the copier and use Pagescope Box Operator to pull the scans, and save them to your shared folder.

trekuhl
04-14-2009, 03:20 PM
On the copier Network settings, drop the NTLM login version back to v1. Version 1 is for local accounts and v2 is for accounts held within AD.

it is set for v1. i have tried both v1 and v1/v2 although i realize that local accounts only use the v1.


check this setting on the server. ( ref attachment)
the service has to be set to "disable"
i also have a general scanning guide. let me know if u want it.

that setting is only on domain controllers, this is a simple member server as mentioned previously. i had seen this setting on other posts regarding SMB issues and double-checked this setting to ensure it wasn't pushed beyond the standard domain controller policy.


Here's my opinion...SMB stinks. Go the easy way, use FTP or scan to the HDD on the copier and use Pagescope Box Operator to pull the scans, and save them to your shared folder.

sure setting up FTP isnt difficult, but now i have those credentials flying around in COMPLETE CLEARTEXT which isnt very secure. i also dont fathom pushing install of pagescope over the network to 50-60 machines and its another piece of software to have to deal with

so SMB for me = easier.

===========
but its still screwy that the KM just decides whether to append the IP or the domain on its own with no way for the OP to decide...

leo
04-14-2009, 10:16 PM
i am trying to scan to a server (win2k3 r2 x64)


is X64 the problem?

TheOwl
04-14-2009, 11:42 PM
Have you tried using the old 'PCNAME\USERNAME'? Just to make sure that the machine is definitely trying to hit up the correct server.


check this setting on the server. ( ref attachment)
the service has to be set to "disable"
i also have a general scanning guide. let me know if u want it.


This machine is fully capable of SMB digital signatures. Therefore this group policy shouldn't be changed.

Pagescope with the FTP server shouldn't run on a server as it is an application and not a service which can cause issues.

SMB on the C550's is really simple to setup, the problem is when you go and change settings to try and make it work and forget to change them back again. I have been caught out by the NTLM versions before.

trekuhl
04-15-2009, 12:39 AM
Have you tried using the old 'PCNAME\USERNAME'? Just to make sure that the machine is definitely trying to hit up the correct server.

yep, it still appends the domain name. these are not DCs just file servers with DFS that is all. it works fine to another win2k3 x64 server in the same GP group but not to two DFS file servers. it makes no sense and i dont understand how it is grabbing the domain name. our older ricohs you have to specify the domain\user or pcname\user...i would have thought this would be the same.... :-/

thx,

-trekuhl

trekuhl
04-22-2009, 09:23 PM
solution...

i ended up doing a network settings clear and a destination clear. after a reboot the machine was no longer appending the domain. somehow, it must have stuck it on there because initially we did put a DNS domain name in. funny thing is it would only append to some IPs and not others...weird.

it also then did not like my password. either it was too long or it didnt care for some of the characters (i did set it again from the server side to make sure no typos)

hope this helps someone down the road...

-trekuhl
