Topic: Windows 10 remove SMB 1 - SMBServer share no longer accessible

[robwellesley]

Hi

The latest Windows 10 Feature Update removes SMB 1. from Windows 10 (it can be re-installed), but this exposed something we were unaware of.
It appears that out of the box, SME 9.0 Shares are SMB 1.x - and there is no obvious way to you SMB 2 or 3.
This seems unlikely or am i missing something?

Cheers
Rob

[Jean-Philippe Pialasse]

part of the answer is here:

https://wiki.contribs.org/Windows_10_Support#Setting_up_network_drives

you are able to modify the default samba version using thoses keys :

Code: [Select]

config setprop smb ServerMaxProtocol SMB2
 expand-template /etc/smb.conf
 service smb restart
SME9 will allows the following

Code: [Select]

           ·   NT1: Current up to date version of the protocol. Used by
               Windows NT. Known as CIFS.

           ·   SMB2: Re-implementation of the SMB protocol. Used by Windows
               Vista and newer.you were currently using NT1, which is the default



the thing is that Win 10 has its own implementation of SMB2 and SMB3. Allowing SMB2 on the SME, might not work as the SMB2 implemented on the version of samba might not be the one expected by Win 10, so more work need to be done on each machine to set the SMB2 protocol subversion. This might be trial and error.

My guees is that SME9 SMB2 is SMB2_02.

here is a more recent list of protocol, some are not supported by a SME9 Centos 6 linux

Code: [Select]

                 ·   NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
                  ·   SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.
                             ·   SMB2_02: The earliest SMB2 version.
                             ·   SMB2_10: Windows 7 SMB2 version.
                             ·   SMB2_22: Early Windows 8 SMB2 version.
                             ·   SMB2_24: Windows 8 beta SMB2 version.
                      By default SMB2 selects the SMB2_10 variant.
 
                  ·   SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.
                             ·   SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
                             ·   SMB3_02: Windows 8.1 SMB3 version.
                             ·   SMB3_10: early Windows 10 technical preview SMB3 version.
                             ·   SMB3_11: Windows 10 technical preview SMB3 version (maybe final).
                      By default SMB3 selects the SMB3_11 variant.

Anyway give a try and report ! Alternative is indeed to reenable SMB1/NT1/CIFS protocol ... if you have windows XP client , you might have no choice anyway....


here is at least one reference on the wondows side : https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

[robwellesley]

Thanks Jean-Phillipe for such a detailed response.

Do you know if there is any actual performance benefit to bothering with SMB2?  Assuming the re-implementation is correct.

[Jean-Philippe Pialasse]

Thanks Jean-Phillipe for such a detailed response.

Do you know if there is any actual performance benefit to bothering with SMB2?  Assuming the re-implementation is correct.

I could not say.
We sticked to NT1/CIFS because of maximal backward compatibility as still a lot of people are using XP stations. But if you have some linux client (Fedora, Ubuntu...) you might have experienced that they do not support anymore NT1/CIFS and you have to activate it manually. Now this is the same for Win10.

I do not expect better performance, but rather more hicups, because of the different subimplementation of the protocol for SMB2 and 3....

[robwellesley]

Cheers,
Good info here for other folk searching that matter.

[mmccarn]

Do you know if there is any actual performance benefit to bothering with SMB2?  Assuming the re-implementation is correct.

It looks like there are some advantages:
https://en.wikipedia.org/wiki/Server_Message_Block#SMB_2.0


The problem with SMBv1 is that it leaves your clients vulnerable to a host of problems.  Clients that support the SMBv1 protocol can be tricked into loading malicious code, can have their network traffic 'sniffed' for credentials and data, and more.  I think wannacry used SMBv1 to spread laterally from workstation to workstation once it had infected a vulnerable network.

At a minimum you need to make sure that SMBv1 traffic is not allowed to exit your LAN, but that still leaves you subject to a complete network meltdown if someone brings an infected device into your LAN or manages to compromise one of your workstations by another means (infected thumb drive, malicious webpage or email, infected file loaded into a user's google drive or dropbox folder, etc).

https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

[bas60]

Was there a conclusion on this ?

I need to set SME Server to SMB 2 at least

I tried

config setprop smb ServerMaxProtocol SMB2
 expand-template /etc/smb.conf
 service smb restart

also tried

config setprop smb ServerMaxProtocol SMB2_02
 expand-template /etc/smb.conf
 service smb restart

and rebooted the Server for good measure
is there anyway to check if the settings made any changes

If I untick SMB1.0 in Windows - I can't connect

but can connect if I add SMB1.0 back in Windows components

[Jean-Philippe Pialasse]

Was there a conclusion on this ?

no, no one reported yet.

I need to set SME Server to SMB 2 at least

I tried

config setprop smb ServerMaxProtocol SMB2
 expand-template /etc/smb.conf
 service smb restart

this is the right command for the Samba on SME9/CentOS6

config setprop smb ServerMaxProtocol SMB2_02
 expand-template /etc/smb.conf
 service smb restart

this will not do with the samba version on SME9/CentOS6


then check your smb.conf ( yes the template and the real file have not the same path, but this is fine)
mcedit /etc/samba/smb.conf


and also check you samba log from manager or in /var/log/

from windows you can test some command lines : http://www.itprotoday.com/windows-server/checking-your-smb-version

or trying the linux client cli for samba : https://www.tldp.org/HOWTO/SMB-HOWTO-8.html

If I untick SMB1.0 in Windows - I can't connect

but can connect if I add SMB1.0 back in Windows components

well, what version of windows?
have you rebooted the windows ?

as I said earlier, most samba 2 implementations are different from one version to another of windows, and might lead having a Portuguese speaking to a Spanish, sound close enough for an English ear, but not the same language and they will not understand each other.

for windows 10 I guess this should work according to this  link https://support.microsoft.com/en-ca/help/4034314/smbv1-is-not-installed-by-default-in-windows I can not say the same for other windows versions.

I do not have any windows  to test this, so please report for the next one...

[bas60]

Ok, so

config setprop smb ServerMaxProtocol SMB2
 expand-template /etc/smb.conf
 service smb restart

Rebooted SME and Windows

still no connection without setting up SMB1.0 in windows components

BTW: SME is 9.2

mcedit /etc/smb.conf - brings up a BLANK file... should it or is it not located in /etc/

[TerryF]

/etc/samba/smb.conf is the path on 9.2

/etc/e-smith/templates/etc/smb.conf is the template path

[bas60]

OK, checked in /etc/samba/smb.conf - Server Max Protocol = SMB2

(does that mean SMB1 is still enabled - therefore Windows 10 is still trying to connect as SMB1 even with SMB1.0 disabled)

so, from what I can see I suppose I have to report it dosen't work

With Windows 10 1709 and 1803 - with SMB1.0 disabled, I cannot connect to SME9.2

[Brenno]

Just coming across this same issue.

Finally mothballed our old SME 8.2 box and spun up a new install of SME 9.2 as a VM; it's running as server-only and is not joined to our domain.  I can ping by IP, I can ping by NetBIOS name (it resolves fine) but I cannot browse to the server using Windows Explorer from any network clients with SMB1 disabled.

Tried the commands posted above re: setting ServerMaxProtocol to no avail.

[Jean-Philippe Pialasse]

mcedit /etc/smb.conf - brings up a BLANK file... should it or is it not located in /etc/

that is not what I pointed, and took the time to precise

then check your smb.conf ( yes the template and the real file have not the same path, but this is fine)
mcedit /etc/samba/smb.conf

OK, checked in /etc/samba/smb.conf - Server Max Protocol = SMB2

(does that mean SMB1 is still enabled - therefore Windows 10 is still trying to connect as SMB1 even with SMB1.0 disabled)

that mean that from now on Samba server propose SMB2 protocol while before it was only offering  core, coreplus, lanman1, lanman2 and nt1 as default is max nt1.

So yes it still offers NT1, but as your client has NT1/SAMBA1/CIFS disabled it will ignore it.

so, from what I can see I suppose I have to report it doesn't work

With Windows 10 1709 and 1803 - with SMB1.0 disabled, I cannot connect to SME9.2

I would rather check if your windows 10 client has SMB2_02 enabled

then can you please report logs entries as pointed in my previous comment ?

and also check you samba log from manager or in /var/log/

from windows you can test some command lines : http://www.itprotoday.com/windows-server/checking-your-smb-version

or trying the linux client cli for samba : https://www.tldp.org/HOWTO/SMB-HOWTO-8.html

for the samba log you should at least check
tail -f /var/log/samba/samba_audit

and
tail -f /var/log/samba/log.YOURWINDOWS10CLIENT
replace YOURWINDOWS10CLIENT with either pc-00(last 3 digits of ip v4) or its netbios name.
to see how it is displayed do a
ll var/log/samba/

[Jean-Philippe Pialasse]

ok might have found something

Recent Samba documentation says :

       max protocol

           This parameter is a synonym for server max protocol.

       protocol

           This parameter is a synonym for server max protocol.

       server max protocol (G)

           The value of the parameter (a string) is the highest protocol level that will be supported by the server.

           Possible values are :

however SME Server version has:

       protocol

           This parameter is a synonym for max protocol.

       max protocol (G)

           The value of the parameter (a string) is the highest protocol level that will be supported by the server.

           Possible values are :

and trying to connect to a server with the settings

Code: [Select]

# smbclient -U user -L localhost
Unknown parameter encountered: "server max protocol"
Ignoring unknown parameter "server max protocol"
Enter user's password:

so I edited smb.conf, and changed

Code: [Select]

server max protocol = SMB2to

Code: [Select]

max protocol = SMB2
then

Code: [Select]

service smb restart

and tested :

Code: [Select]

# smbclient -U user -L localhost
Enter user's password:

this is not a fix, as templates needs to be updated but should allow to test. Please report if WIndows 10 detect you SME after .


edit: typo s/samba/smb/

[piran]

>> service samba restart
service smb restart