Chad William Seys
2016-Dec-23 20:21 UTC
[Samba] Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
Hi all, There are some surprises when trying to connect Windows 10 (up to date circa Dec 2016) to Samba (4.5.2) with 'smb encrypt = desired' as a config option. I've made a grid of some of the combinations 'smb encrypt = desired' settings below. The biggest surprise is that if 'smb encrypt = desired' is set globally and in the share, Windows 10 cannot connect at all, but if 'smb encrypt = required' globally then Windows 10 can connect. "Connecting" was tested by first logging out of Windows, restarting the smbd daemon, logging in to Windows, opening Explorer, and typing the URL (UNC?) into the address bar. No credentials were saved in Credential Manager. browse - specify hostname, but not share name - \\smb.physics.wisc.edu select - browse shares as above, then select the share name in Explorer direct - specify hostname and sharename - \\smb.physics.wisc.edu\smb G - global S - per share browse | select | direct smb encrypt (no G, no S) = '' Y | Y | Y smb encrypt (G, no S) = required Y[0] | Y | Y smb encrypt (no G, S) = desired Y[4] | N[1] | Y smb encrypt (G and S) = desired N[3] | N/A | N[2] smb encrypt (G, no S) = desired N[3] | N/A | N[2] - Shouldn't the last two combos create the same final connection as a global 'smb encrypt = required'? [0] Successful login needed before shares are visible. [1] Error message is "multiple connections to a server or a shared resource by the same user, using more than one user name, are not allowed. Disconnect all [...]" [2] Error message is "The specified server connot perform the requested operation" [3] Error message is "Check the spelling of the name. Otherwise there might be a problem with your network." [4] Browsing shares connection not encrypted. When trying to enter a share, possibly Samba/Windows tries to create an encrypted connection leading to [1]. If it is not possible to renegotiate encryption, then the unencrypted connection should be used instead (remember that 'smb encryption = desired'). Below is testparm output (for the smb encrypt (no Global, only per share) = desired case): [global] realm = PHYSICS.WISC.EDU server string = %h server workgroup = PHYSICS max log size = 100000 syslog = 0 panic action = /usr/share/samba/panic-action %d kerberos method = secrets and keytab map to guest = Bad User security = ADS server signing = required hostname lookups = Yes dns proxy = No idmap config * : backend = tdb [smb] path = /srv/smb inherit acls = Yes inherit permissions = Yes read only = No smb encrypt = desired vfs objects = btrfs streams_xattr Thanks for your insights! Chad
Ralph Böhme
2017-Jan-20 14:15 UTC
[Samba] Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
On Fri, Dec 23, 2016 at 02:21:16PM -0600, Chad William Seys via samba wrote:> Hi all, > > There are some surprises when trying to connect Windows 10 (up to date circa > Dec 2016) to Samba (4.5.2) with 'smb encrypt = desired' as a config option. > > I've made a grid of some of the combinations 'smb encrypt = desired' > settings below. > > The biggest surprise is that if 'smb encrypt = desired' is set globally and > in the share, Windows 10 cannot connect at all, but if 'smb encrypt > required' globally then Windows 10 can connect. > > "Connecting" was tested by first logging out of Windows, restarting the smbd > daemon, logging in to Windows, opening Explorer, and typing the URL (UNC?) > into the address bar. No credentials were saved in Credential Manager. > > browse - specify hostname, but not share name - \\smb.physics.wisc.edu > select - browse shares as above, then select the share name in Explorer > direct - specify hostname and sharename - \\smb.physics.wisc.edu\smb > > G - global > S - per share > browse | select | direct > smb encrypt (no G, no S) = '' Y | Y | Y > smb encrypt (G, no S) = required Y[0] | Y | Y > smb encrypt (no G, S) = desired Y[4] | N[1] | Y > smb encrypt (G and S) = desired N[3] | N/A | N[2] > smb encrypt (G, no S) = desired N[3] | N/A | N[2] > > - Shouldn't the last two combos create the same final connection as a global > 'smb encrypt = required'? > > [0] Successful login needed before shares are visible. > [1] Error message is "multiple connections to a server or a shared resource > by the same user, using more than one user name, are not allowed. > Disconnect all [...]" > [2] Error message is "The specified server connot perform the requested > operation" > [3] Error message is "Check the spelling of the name. Otherwise there might > be a problem with your network." > [4] Browsing shares connection not encrypted. When trying to enter a share, > possibly Samba/Windows tries to create an encrypted connection leading to > [1]. If it is not possible to renegotiate encryption, then the unencrypted > connection should be used instead (remember that 'smb encryption > desired').hm, this sounds different then <https://bugzilla.samba.org/show_bug.cgi?id=12520> but can you please test with the patch proposed here: <https://lists.samba.org/archive/samba-technical/2017-January/118225.html> Cheerio! -slow
Chad William Seys
2017-Jan-23 22:30 UTC
[Samba] Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
Hi, > hm, this sounds different then > <https://bugzilla.samba.org/show_bug.cgi?id=12520> > > but can you please test with the patch proposed here: > <https://lists.samba.org/archive/samba-technical/2017-January/118225.html> Definitely seems to be in the ballpark. But I'm a little busy at the moment to try this. I'll follow the bug so I'll know if it makes it into a packaged Samba before I get a chance to patch it myself. Thanks for the heads up! Chad.
Ralph Böhme
2017-Jan-24 08:36 UTC
[Samba] Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
On Fri, Dec 23, 2016 at 02:21:16PM -0600, Chad William Seys via samba wrote:> There are some surprises when trying to connect Windows 10 (up to date circa > Dec 2016) to Samba (4.5.2) with 'smb encrypt = desired' as a config option. > > ... > > browse | select | direct > smb encrypt (no G, no S) = '' Y | Y | Y > smb encrypt (G, no S) = required Y[0] | Y | Y > smb encrypt (no G, S) = desired Y[4] | N[1] | Y > smb encrypt (G and S) = desired N[3] | N/A | N[2] > smb encrypt (G, no S) = desired N[3] | N/A | N[2]can't reproduce this. These are my findings: browse | select | direct smb encrypt (no G, no S) = '' Y | Y | Y smb encrypt (G, no S) = required Y | Y | Y smb encrypt (no G, S) = desired Y | Y | Y smb encrypt (G and S) = desired Y | Y | Y smb encrypt (G, no S) = desired Y | Y | Y This is with a Windows 10 client and Samba git master, but without the patch I mentioned. I don't think there are differences in the code between master and 4.5.2 that could come into play here. After every test I closed all Explorer windows, restarted Samba and checked with smbstatus that there was no active session before running the next test. I didn't restart the Windows client which I would have done if I got unexecpted results, but as the above results matched my expectations I ommitted this step. Cheerio! -slow
Chad William Seys
2017-Jan-24 20:02 UTC
[Samba] Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
I did one test and was able to reproduce a line again with a freshly booted (and long time off) Win 10 client: browse | select | direct smb encrypt (no G, S) = desired Y[4] | N[1] | Y Did you authenticate by kerberos? That seems to be the most likely difference (but maybe not most likely cause). Thanks for looking into it! C.
Maybe Matching Threads
- Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
- Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
- Win 10 cannot connect with (some variations of) 'smb encrypt = desired'
- samba server with two kerberos realms
- dfs links anywhere?