Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: robwellesley on April 23, 2018, 03:31:11 AM
-
Hi
The latest Windows 10 Feature Update removes SMB 1. from Windows 10 (it can be re-installed), but this exposed something we were unaware of.
It appears that out of the box, SME 9.0 Shares are SMB 1.x - and there is no obvious way to use SMB 2 or 3.
This seems unlikely or am I missing something?
Cheers
Rob
-
part of the answer is here:
https://wiki.contribs.org/Windows_10_Support#Setting_up_network_drives
you are able to modify the default samba version using these keys:
config setprop smb ServerMaxProtocol SMB2
expand-template /etc/smb.conf
service smb restart
SME9 will allow the following
· NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
· SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and newer.
you were currently using NT1, which is the default
the thing is that Win 10 has its own implementation of SMB2 and SMB3. Allowing SMB2 on the SME might not work, as the SMB2 implemented on the version of samba might not be the one expected by Win 10, so more work needs to be done on each machine to set the SMB2 protocol subversion. This might be trial and error.
My guess is that SME9 SMB2 is SMB2_02.
here is a more recent list of protocols, some are not supported by a SME9 Centos 6 linux
· NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
· SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.
· SMB2_02: The earliest SMB2 version.
· SMB2_10: Windows 7 SMB2 version.
· SMB2_22: Early Windows 8 SMB2 version.
· SMB2_24: Windows 8 beta SMB2 version.
By default SMB2 selects the SMB2_10 variant.
· SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.
· SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
· SMB3_02: Windows 8.1 SMB3 version.
· SMB3_10: early Windows 10 technical preview SMB3 version.
· SMB3_11: Windows 10 technical preview SMB3 version (maybe final).
By default SMB3 selects the SMB3_11 variant.
Anyway give it a try and report! The alternative is indeed to re-enable the SMB1/NT1/CIFS protocol ... if you have Windows XP clients, you might have no choice anyway....
here is at least one reference on the Windows side: https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
-
Thanks Jean-Phillipe for such a detailed response.
Do you know if there is any actual performance benefit to bothering with SMB2? Assuming the re-implementation is correct.
-
Thanks Jean-Phillipe for such a detailed response.
Do you know if there is any actual performance benefit to bothering with SMB2? Assuming the re-implementation is correct.
I could not say.
We stuck with NT1/CIFS because of maximal backward compatibility, as a lot of people are still using XP stations. But if you have some Linux clients (Fedora, Ubuntu...) you might have experienced that they no longer support NT1/CIFS and you have to activate it manually. Now this is the same for Win10.
I do not expect better performance, but rather more hiccups, because of the different sub-implementations of the protocol for SMB2 and 3....
-
Cheers,
Good info here for other folk searching that matter.
-
Do you know if there is any actual performance benefit to bothering with SMB2? Assuming the re-implementation is correct.
It looks like there are some advantages:
https://en.wikipedia.org/wiki/Server_Message_Block#SMB_2.0
The problem with SMBv1 is that it leaves your clients vulnerable to a host of problems. Clients that support the SMBv1 protocol can be tricked into loading malicious code, can have their network traffic 'sniffed' for credentials and data, and more. I think WannaCry used SMBv1 to spread laterally from workstation to workstation once it had infected a vulnerable network.
At a minimum you need to make sure that SMBv1 traffic is not allowed to exit your LAN (https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic), but that still leaves you subject to a complete network meltdown if someone brings an infected device into your LAN or manages to compromise one of your workstations by another means (infected thumb drive, malicious webpage or email, infected file loaded into a user's google drive or dropbox folder, etc).
https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
-
Was there a conclusion on this ?
I need to set SME Server to SMB 2 at least
I tried
config setprop smb ServerMaxProtocol SMB2
expand-template /etc/smb.conf
service smb restart
also tried
config setprop smb ServerMaxProtocol SMB2_02
expand-template /etc/smb.conf
service smb restart
and rebooted the Server for good measure
is there any way to check if the settings made any changes
If I untick SMB1.0 in Windows - I can't connect
but can connect if I add SMB1.0 back in Windows components
-
Was there a conclusion on this ?
no, no one reported yet.
I need to set SME Server to SMB 2 at least
I tried
config setprop smb ServerMaxProtocol SMB2
expand-template /etc/smb.conf
service smb restart
this is the right command for the Samba on SME9/CentOS6
config setprop smb ServerMaxProtocol SMB2_02
expand-template /etc/smb.conf
service smb restart
this will not do with the samba version on SME9/CentOS6
then check your smb.conf (yes, the template and the real file do not have the same path, but this is fine)
mcedit /etc/samba/smb.conf
and also check your samba log from the manager or in /var/log/
from windows you can test some command lines : http://www.itprotoday.com/windows-server/checking-your-smb-version
or trying the linux client cli for samba : https://www.tldp.org/HOWTO/SMB-HOWTO-8.html
If I untick SMB1.0 in Windows - I can't connect
but can connect if I add SMB1.0 back in Windows components
well, what version of windows?
have you rebooted the windows ?
as I said earlier, most samba 2 implementations are different from one version of windows to another, and this might lead to having a Portuguese speaker talking to a Spanish one: it sounds close enough to an English ear, but it is not the same language and they will not understand each other.
for windows 10 I guess this should work according to this link https://support.microsoft.com/en-ca/help/4034314/smbv1-is-not-installed-by-default-in-windows I can not say the same for other windows versions.
I do not have any windows to test this, so please report for the next one...
-
Ok, so
config setprop smb ServerMaxProtocol SMB2
expand-template /etc/smb.conf
service smb restart
Rebooted SME and Windows
still no connection without setting up SMB1.0 in windows components
BTW: SME is 9.2
mcedit /etc/smb.conf - brings up a BLANK file... should it or is it not located in /etc/
-
/etc/samba/smb.conf is the path on 9.2
/etc/e-smith/templates/etc/smb.conf is the template path
-
OK, checked in /etc/samba/smb.conf - Server Max Protocol = SMB2
(does that mean SMB1 is still enabled - therefore Windows 10 is still trying to connect as SMB1 even with SMB1.0 disabled)
so, from what I can see I suppose I have to report it doesn't work
With Windows 10 1709 and 1803 - with SMB1.0 disabled, I cannot connect to SME9.2
-
Just coming across this same issue.
Finally mothballed our old SME 8.2 box and spun up a new install of SME 9.2 as a VM; it's running as server-only and is not joined to our domain. I can ping by IP, I can ping by NetBIOS name (it resolves fine) but I cannot browse to the server using Windows Explorer from any network clients with SMB1 disabled.
Tried the commands posted above re: setting ServerMaxProtocol to no avail.
-
mcedit /etc/smb.conf - brings up a BLANK file... should it or is it not located in /etc/
that is not what I pointed to, and took the time to specify ;)
then check your smb.conf ( yes the template and the real file have not the same path, but this is fine)
mcedit /etc/samba/smb.conf
OK, checked in /etc/samba/smb.conf - Server Max Protocol = SMB2
(does that mean SMB1 is still enabled - therefore Windows 10 is still trying to connect as SMB1 even with SMB1.0 disabled)
that means that from now on the Samba server proposes the SMB2 protocol, while before it was only offering core, coreplus, lanman1, lanman2 and nt1, as the default is max nt1.
So yes it still offers NT1, but as your client has NT1/SAMBA1/CIFS disabled it will ignore it.
so, from what I can see I suppose I have to report it doesn't work
With Windows 10 1709 and 1803 - with SMB1.0 disabled, I cannot connect to SME9.2
I would rather check if your windows 10 client has SMB2_02 enabled
then can you please report logs entries as pointed in my previous comment ?
and also check your samba log from the manager or in /var/log/
from windows you can test some command lines : http://www.itprotoday.com/windows-server/checking-your-smb-version
or trying the linux client cli for samba : https://www.tldp.org/HOWTO/SMB-HOWTO-8.html
for the samba log you should at least check
tail -f /var/log/samba/samba_audit
and
tail -f /var/log/samba/log.YOURWINDOWS10CLIENT
replace YOURWINDOWS10CLIENT with either pc-00(last 3 digits of ip v4) or its netbios name.
to see how it is displayed do a
ll /var/log/samba/
-
ok might have found something
Recent Samba documentation says :
max protocol
This parameter is a synonym for server max protocol.
protocol
This parameter is a synonym for server max protocol.
server max protocol (G)
The value of the parameter (a string) is the highest protocol level that will be supported by the server.
Possible values are :
however SME Server version has:
protocol
This parameter is a synonym for max protocol.
max protocol (G)
The value of the parameter (a string) is the highest protocol level that will be supported by the server.
Possible values are :
and trying to connect to a server with the settings
# smbclient -U user -L localhost
Unknown parameter encountered: "server max protocol"
Ignoring unknown parameter "server max protocol"
Enter user's password:
so I edited smb.conf, and changed
server max protocol = SMB2
to
max protocol = SMB2
then
service smb restart
and tested :
# smbclient -U user -L localhost
Enter user's password:
this is not a fix, as the templates need to be updated, but it should allow you to test. Please report if Windows 10 detects your SME after.
edit: typo s/samba/smb/
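
Added example, not part of the original post or of the SME Server project's code: a small shell audit of a rendered smb.conf that reports which protocol lines the SME9 Samba 3.6 will honour, using the parameter names quoted in the post above. The function names and the sample file contents are constructed for illustration; it assumes "server min protocol" is rejected the same way as "server max protocol", and it also flags a "min protocol" set above the effective maximum.

```shell
#!/bin/sh
# Added example: report how Samba 3.6 reads the protocol lines of smb.conf.
# Function names and the sample file below are constructed for illustration.

# Print the value of one [global] parameter. Samba ignores case and
# whitespace in parameter names, so both sides are normalised the same way.
global_param() {    # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" {
            i = index($0, "="); if (i == 0) next
            name = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", name)
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val            # keep the last occurrence
        }
        END { if (found != "") print found }
    ' "$1"
}

# Rank the protocol names this thread lists for the SME9 Samba; 0 = not recognised.
proto_rank() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        CORE) echo 1 ;; COREPLUS) echo 2 ;; LANMAN1) echo 3 ;;
        LANMAN2) echo 4 ;; NT1) echo 5 ;; SMB2) echo 6 ;; *) echo 0 ;;
    esac
}

# Print one finding per line for the given smb.conf.
audit_smb_conf() {  # $1 = smb.conf path
    conf=$1
    # Names Samba 3.6 does not know: the "server max protocol" error is quoted
    # in the post; "server min protocol" is assumed to be rejected the same way.
    for p in "server max protocol" "server min protocol"; do
        v=$(global_param "$conf" "$p")
        if [ -n "$v" ]; then echo "IGNORED $p = $v"; fi
    done
    max=$(global_param "$conf" "max protocol")
    if [ -z "$max" ]; then max=$(global_param "$conf" "protocol"); fi
    if [ -z "$max" ]; then max=NT1; fi               # default stated in the thread
    if [ "$(proto_rank "$max")" -eq 0 ]; then
        echo "UNKNOWN_VALUE max protocol = $max"
        return 0
    fi
    echo "EFFECTIVE_MAX $max"
    min=$(global_param "$conf" "min protocol")
    if [ -n "$min" ] && [ "$(proto_rank "$min")" -gt "$(proto_rank "$max")" ]; then
        echo "MIN_ABOVE_MAX min=$min max=$max"
    fi
    return 0
}

# Constructed sample: the line the SME9 template was writing before the fix.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
workgroup = WORKGROUP
server max protocol = SMB2
EOF
audit_smb_conf "$demo_conf"
rm -f "$demo_conf"
```

On a real server, point audit_smb_conf at /etc/samba/smb.conf after expand-template; an EFFECTIVE_MAX of NT1 together with an IGNORED line means the SMB2 setting never reached Samba.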
-
>> service samba restart
service smb restart
-
>> service samba restart
service smb restart
thanks,
updated my comment
I have opened a bug: https://bugs.contribs.org/show_bug.cgi?id=10575
patch and build on their way
-
My pleasure. Was hoping you could fix the eternal SME-to-MSW alleged connectivity.
Since SME7, SME8 and now SME9 my efforts here do not achieve this until W10 is put to SMBv1. Use of SMBv1 is not good any more. However I need my powerful (Windows) editor and so have to copy/paste snapshots on my desktop into PuTTY sessions.
W10 (1803) - gigabit intranet - SME 9.2 (server gateway) - router - optical broadband
If you need me to test something on the Windows box just let me know.
-
fix will be available to test and report in a few minutes /hours depending on your local mirror :
https://bugs.contribs.org/show_bug.cgi?id=10575
My pleasure. Was hoping you could fix the eternal SME-to-MSW alleged connectivity.
If you need me to test something on the Windows box just let me know.
you could indeed test what is discussed on this thread by doing what I suggested to test the connectivity in the post where you found the error.
or wait a bit more and test the new rpm
-
FWIW: the SMB Status contrib in the Server Manager panel
----
smbstatus
Samba version 3.6.23-46el6_9
PID Username Group Machine
-------------------------------------------------------------------
Service pid machine Connected at
-------------------------------------------------------
No locked files
SME Server server 9.2
Copyright 1999-2006 Mitel Networks Corporation, Copyright (C) 2014 Koozali Foundation, Inc..
All rights reserved.
----
When the yum/rpm arrives I will test it.
Right now I just ran your "min" code in bugzilla...
>>you can also test the new property
>>config setprop smb ServerMinProtocol SMB2
>>expand-template /etc/smb.conf
>>service smb restart
...(after restart I manually re-edited smb.conf so that it did not show "server max protocol" but just "max protocol"). Can't immediately see any improvement or added connectivity. The error line in the messages log is not being added so that is good at least. No further connectivity as yet. Will try some more.
-
FWIW: the SMB Status contrib in the Server Manager panel
----
smbstatus
Samba version 3.6.23-46el6_9
PID Username Group Machine
-------------------------------------------------------------------
Service pid machine Connected at
-------------------------------------------------------
No locked files
SME Server server 9.2
Copyright 1999-2006 Mitel Networks Corporation, Copyright (C) 2014 Koozali Foundation, Inc..
All rights reserved.
----
not relevant
When the yum/rpm arrives I will test it.
Right now I just ran your "min" code in bugzilla...
>>you can also test the new property
>>config setprop smb ServerMinProtocol SMB2
>>expand-template /etc/smb.conf
>>service smb restart
...(after restart I manually re-edited smb.conf so that it did not show "server max protocol" but just "max protocol"). Can't immediately see any improvement or added connectivity. The error line in the messages log is not being added so that is good at least. No further connectivity as yet. Will try some more.
you need to restart samba after the edit.
then restart the windows machine
I would first give a try without the min protocol set. The important one is the max protocol to enable SMB2 on the server. And be careful, as default max is NT1/SMB1/CIFS, setting the minimum to SMB2 without setting the max value to higher will lead to no available protocol or ignored setting (not tested).
-
I installed the new e-smith-samba package via yum this morning and set the ServerMaxProtocol to SMB2. I have restarted SMB services and rebooted the server. I still cannot access shares from clients with SMB1 disabled - in fact, I now cannot access from clients with SMB1 enabled, either.
-
oh... :(
I have the SAME problem but with just 1 PC
May be somehow managed to ZAP my network configuration
Other Pc's can connect with SMB1 enabled!!
I'm going to try REMOVING network adaptor and RESET network
I've seen that option on Win 10 Pro but never used it...
just googling a bit first !
-
I too have nothing much good to report.
Except the single message log line no longer appears.
Cannot get the alleged SME-MSW connectivity without SMBv1.
Have not even tried the now deprecated SMBv1 in W10.
SME9 still needs magic sauce.
[root@uma tmp]# smbclient -U user -L localhost
Enter user's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-46el6_9]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer drivers
Primary Disk Primary i-bay
.........snip private i-bays.........
IPC$ IPC IPC Service (SME Server)
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-46el6_9]
Server Comment
--------- -------
KATE default MSW
UMA SME Server
Workgroup Master
--------- -------
WORKGROUP UMA
[root@uma tmp]#
[root@uma tmp]# smbclient -U user -L KATE
Enter user's password:
protocol negotiation failed: NT_STATUS_CONNECTION_RESET
[root@uma tmp]#
PostEdit: appended some snapshot code stuff and JPG of MSW diag
-
I installed the new e-smith-samba package via yum this morning and set the ServerMaxProtocol to SMB2. I have restarted SMB services and rebooted the server. I still cannot access shares from clients with SMB1 disabled - in fact, I now cannot access from clients with SMB1 enabled, either.
what is the output of :
config show smb
if you set config setprop smb ServerMinProtocol SMB2; then having SMB1 not working is the intended behaviour.
What are the Windows versions trying to connect to the SME? Do they have SMB2 enabled?
-
[root@uma tmp]# config show smb
smb=service
DeadTime=10080
KeepVersions=disabled
OpLocks=enabled
OsLevel=35
RecycleBin=disabled
RoamingProfiles=no
ServerMaxProtocol=SMB2
ServerName=UMA
ServerProtocol=SMB2
ServerRole=PDC
ShadowCount=10
ShadowDir=/home/e-smith/files/.shadow
UnixCharSet=UTF8
UseClientDriver=yes
Workgroup=WORKGROUP
protocol=SMB2
server=max
status=enabled
[root@uma tmp]#
I tried the MIN but the setprop entered it with the server word in front. Was not sure whether that too needed stripping out or otherwise patching. You indicated MAX more important so left the MIN attempt out.
W10 1803
>>Do they have SMB2 enabled?
See below
Get-SmbServerConfiguration
AnnounceComment :
AnnounceServer : False
AsynchronousCredits : 64
AuditSmb1Access : False
AutoDisconnectTimeout : 15
AutoShareServer : True
AutoShareWorkstation : True
CachedOpenLimit : 10
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing : False
EnableDownlevelTimewarp : False
EnableForcedLogoff : True
EnableLeasing : True
EnableMultiChannel : True
EnableOplocks : True
EnableSecuritySignature : False
EnableSMB1Protocol : False
EnableSMB2Protocol : True
EnableStrictNameChecking : True
EncryptData : False
IrpStackSize : 15
KeepAliveTime : 2
MaxChannelPerSession : 32
MaxMpxCount : 50
MaxSessionPerConnection : 16384
MaxThreadsPerQueue : 20
MaxWorkItems : 1
NullSessionPipes :
NullSessionShares :
OplockBreakWait : 35
PendingClientTimeoutInSeconds : 120
RejectUnencryptedAccess : True
RequireSecuritySignature : False
ServerHidden : True
Smb2CreditsMax : 2048
Smb2CreditsMin : 128
SmbServerNameHardeningLevel : 0
TreatHostAsStableStorage : False
ValidateAliasNotCircular : True
ValidateShareScope : True
ValidateShareScopeNotAliased : True
ValidateTargetName : True
-
according to this thread : http://samba.2283325.n4.nabble.com/Can-t-join-Win10-to-Samba-3-6-23-td4722058.html
seems like to allow support of samba v2 with windows 10 you need to have samba4 in NT4 mode.
also if you want to be able to see windows 7 , and avoid issues with protocol negotiation need to disable SMB3 on the samba server.
so from that perspective, you are stuck with keeping SMB1 enabled and using the current reg patch on your windows client as usual.
a way would be to try to integrate the samba4 rpm available in CentOS in SME9.
This will need some work and modification of a few core packages.
-
W10 1803
so you're doing some beta testing here :-D
-
@JPP - Understood. Will await further whenever.
@Stefano - 1803 arrived completely automatically - just happened (honestly). Not forgetting that this (SME-to-MSW alleged connectivity WITHOUT SMBv1) hasn't worked for me ever - going back to at least SME7 if not before - memory blurred back then. Cheers.
-
for reference https://bugs.contribs.org/show_bug.cgi?id=10480
-
Noted.
While updating/upgrading is in the air...
"SMB Direct" looks interesting :: SMB3.0 (previously SMB2.2 apparently).
The Windows 10 features/options table already has an opt-in
slot for it so it's no trouble at the MSW end of the negotiations.
-
@Stefano - 1803 arrived completely automatically - just happened (honestly). Not forgetting that this (SME-to-MSW alleged connectivity WITHOUT SMBv1) hasn't worked for me ever - going back to at least SME7 if not before - memory blurred back then.
I know what I mean.. and we're testing w10 1803 'cause it seems to be able to break working machines (strange enough, isn't it?)
my feeling is that we're all beta testers here (and unfortunately not for SME)
-
Hasn't broken anything on three of my machines. The Autumn version was unattainable by two of those three machines and could NOT be forced, eventually had to do bare metal rebuilds - including for a MS Surface Book! This time everything progressed ...as if by clockwork.
SMB Direct
https://en.wikipedia.org/wiki/Server_Message_Block
https://en.wikipedia.org/wiki/Remote_direct_memory_access
Now awaiting a "In Your Dreams" retort from one CB:-)
-
what is the output of :
config show smb
Here's the output:
[root@webserv ~]# config show smb
smb=service
DeadTime=10080
KeepVersions=disabled
OpLocks=enabled
OsLevel=35
RecycleBin=disabled
RoamingProfiles=no
ServerMaxProtocol=SMB2
ServerName=webserv
ServerRole=WS
ShadowCount=10
ShadowDir=/home/e-smith/files/.shadow
UnixCharSet=UTF8
UseClientDriver=yes
Workgroup=sme-server
status=enabled
[root@webserv ~]#
if you set config setprop smb ServerMinProtocol SMB2; then having SMB1 not working is the intended behaviour.
I did not set the ServerMinProtocol property.
What are the Windows versions trying to connect to the SME? Do they have SMB2 enabled?
Windows 7 Professional, Windows 2012r2 and Windows 10. All have SMB2 enabled because we have SMB1 disabled on all.
Sounds like we're out of luck on this for a while, which is a shame. It's really only me that needs periodic access and I can likely do what I need with WinSCP (or even FTP), so I can live with it.
-
Just checking..
No solution for 9.2 without enabling SMB1.0 ?
-
We are investigating if we can upgrade to samba 4 using the CentOS samba4 rpms; it seems hazardous as the implementation is not complete, and some rpms like libsmbclient are missing.
Without this possibility, yes, only the SMB1 protocol is compatible between samba 3, included in SME9, and Win 10.
-
Hi Everyone,
has there been any update about Samba on SME 9.2 fix for Windows 10 domain login and SMB 2 or 3 share access.
Windows 7 support deadline is 14 Jan 2020, and Windows 10 computers are becoming more common and currently can't log on to the domain at all for Windows 10 1809 or newer, and SMB V1 has to be re-added for share use. It could be entirely possible that Microsoft could remove the ability to add SMB V1 at any point in the next feature update, which would break existing fixes and render them unusable.
Can anyone advise?
-
Hi Everyone,
has there been any update about Samba on SME 9.2 fix for Windows 10 domain login and SMB 2 or 3 share access.
No because Samba 3.x can't do SMB v3. The only long term solution for SMBv3 is Samba 4, and that isn't going to happen on SME v9. There isn't enough time to be worthwhile, and we don't have the manpower to try and implement it - it is a huge amount of work. Lots of people 'want' but no one is prepared to actually get their hands dirty and do some work.
Windows 7 support deadline is 14 Jan 2020, and Windows 10 computers are becoming more common and currently can't log on to the domain at all for Windows 10 1809 or newer, and SMB V1 has to be re-added for share use. It could be entirely possible that Microsoft could remove the ability to add SMB V1 at any point in the next feature update, which would break existing fixes and render them unusable.
No, as far as I am aware Windows 10 can do domain logons since M$ re-enabled it, and allows install of SMBv1 and SMBv2 for network browsing. Please see the various threads, bugs, and M$ documentation on this.
Note that I believe there were two actually slightly different issues at the same time - removal of SMBv1 which disabled share browsing, and something else that disabled domain logons. They appeared to be one and the same but were not.
If you actually searched the bugs you would also find things like this:
https://bugs.contribs.org/show_bug.cgi?id=10575
So you can enable max protocol SMB2 for network browsing but I am not sure you can still use domain logons with this if you set min protocol SMB2 as well - I think Samba has to be able to handle the NT protocol as well for 'legacy' domain logons (but you need to test - I have no Windows machines at all to test with)
Yes, they could remove it or break it again. My suspicion is they will keep it there until RHEL/CentOS6 goes EOL.
If you are worried about it then the best thing you can do is stop using Windows, or help us get SME v10 out of the door. It won't happen by itself. And yes, we all have families, kids and jobs too.
-
As an addendum I think the following is true but E&OE.....
SMBv1 uses the NETBIOS protocol which enables the old style windows network browsing.
SMBv2 does not. I believe you can still connect using a direct URL or mapped drive, but you cannot use network browsing.
I cannot confirm which protocol you need to install to restore Domain logon functionality as we have no 'Pro' machines to test with (it's the sort of thing we need a hand with)
-
Just out of curiosity, what would be a 'pro' machine, ReetP?
-
Just out of curiosity, what would be a 'pro' machine, ReetP?
He is referring to Windows 10 Professional which supports DOMAIN login, as compared to Windows 10 Home (which does not support DOMAIN login).
-
He is referring to Windows 10 Professional which supports DOMAIN login, as compared to Windows 10 Home (which does not support DOMAIN login).
:thumbsup:
Beat me to it thanks !!