Rowland Penny
2022-Jan-26 14:41 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Wed, 2022-01-26 at 08:26 -0600, Patrick Goetz via samba wrote:
>
> On 1/26/22 08:10, Dr. Thomas Orgis wrote:
> > On Wed, 26 Jan 2022 07:55:22 -0600,
> > Patrick Goetz via samba <samba at lists.samba.org> wrote:
> >
> > > - Instrumentation equipment running old versions of Windows which
> > >   can't be upgraded
> > > However it should be possible to run older versions
> > > of Samba in a container?
> >
> > I think for old appliances without software maintenance, it is
> > appropriate to segregate them in the network and have an equally
> > segregated instance of an old version of samba serving them. I'd build
> > some kind of bridge pulling the data from things like scanners into the
> > new storage environment automatically, but not having the old devices
> > dictate how the public service is run.
>
> The reality at my University is that any version of Windows which is out
> of maintenance (e.g. Windows <= 7) is considered insecure and can't be
> open to the public network anyway, so must be segregated. It's a rather
> large university, and we have dozens, maybe even hundreds of systems
> like this. Of course most small office environments are NATed and
> firewalled, so this isn't as much of an issue for them, but your
> suggestion is still probably best practice, if just from a system's
> administration perspective.
>
> > Heck, you could encapsulate things even by (literally) duct-taping a
> > single-board computer to the old expensive hardware that presents as
> > the old-style SMB server to it (using container, VM, or just a custom
> > build of samba for this) and talk to the newer servers on the outside
> > in whatever fashion.
> >
> > But of course, if this is in a customer's network who doesn't even
> > want to consider changing the config of scanners to use SMTP instead ...
> > it might not be viable to convince them of such a solution;-)
> >
> > Not speaking current SMB might be one of the lesser reasons not to have
> > these things on the network along with other gear ...
> >
> > Alrighty then,
> >
> > Thomas

I think the biggest problem will come from 'home' users when Samba finally removes SMBv1 (this isn't what Andrew is proposing). The 'home' users will not even consider using SMBv2 or 3, they MUST be able to see the shares in Network Neighbourhood, nothing else will do.

This isn't helped by the fact that the various gui 'helper' programs do not seem to understand that SMBv1 is going away and shouldn't be used if possible.

Rowland
Patrick Goetz
2022-Jan-26 15:24 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 1/26/22 08:41, Rowland Penny via samba wrote:
> On Wed, 2022-01-26 at 08:26 -0600, Patrick Goetz via samba wrote:
>>
>> On 1/26/22 08:10, Dr. Thomas Orgis wrote:
>>> On Wed, 26 Jan 2022 07:55:22 -0600,
>>> Patrick Goetz via samba <samba at lists.samba.org> wrote:
>>>
>>>> - Instrumentation equipment running old versions of Windows which
>>>>   can't be upgraded
>>>> However it should be possible to run older versions
>>>> of Samba in a container?
>>>
>>> I think for old appliances without software maintenance, it is
>>> appropriate to segregate them in the network and have an equally
>>> segregated instance of an old version of samba serving them. I'd build
>>> some kind of bridge pulling the data from things like scanners into the
>>> new storage environment automatically, but not having the old devices
>>> dictate how the public service is run.
>>
>> The reality at my University is that any version of Windows which is out
>> of maintenance (e.g. Windows <= 7) is considered insecure and can't be
>> open to the public network anyway, so must be segregated. It's a rather
>> large university, and we have dozens, maybe even hundreds of systems
>> like this. Of course most small office environments are NATed and
>> firewalled, so this isn't as much of an issue for them, but your
>> suggestion is still probably best practice, if just from a system's
>> administration perspective.
>>
>>> Heck, you could encapsulate things even by (literally) duct-taping a
>>> single-board computer to the old expensive hardware that presents as
>>> the old-style SMB server to it (using container, VM, or just a custom
>>> build of samba for this) and talk to the newer servers on the outside
>>> in whatever fashion.
>>>
>>> But of course, if this is in a customer's network who doesn't even
>>> want to consider changing the config of scanners to use SMTP instead ...
>>> it might not be viable to convince them of such a solution;-)
>>>
>>> Not speaking current SMB might be one of the lesser reasons not to have
>>> these things on the network along with other gear ...
>>>
>>> Alrighty then,
>>>
>>> Thomas
>
> I think the biggest problem will come from 'home' users when Samba
> finally removes SMBv1 (this isn't what Andrew is proposing). The 'home'
> users will not even consider using SMBv2 or 3, they MUST be able to see
> the shares in Network Neighbourhood, nothing else will do.
>

I think Windows 10 doesn't even support SMBv1? If that's correct, how does the Network Neighborhood thing work for Windows 10 machines? I've actually been wondering about this for a while; i.e. I'm about to set up Samba on my home network just to accommodate Sonos FLAC streaming, but am wondering if I'm going to run into this with that hardware.

> This isn't helped by the fact that the various gui 'helper' programs do
> not seem to understand that SMBv1 is going away and shouldn't be used
> if possible.
>
> Rowland
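The split discussed in this thread, a separate old-protocol Samba instance for unmaintained devices that does not dictate how the public service runs, can be checked mechanically. The following is an added example, not part of any message in the thread and not Samba's own code: it audits the `[global]` section of an smb.conf. The function names, the sample configurations and the assumed `SMB2_02` default for an unset `server min protocol` are assumptions of this example.

```python
import re

# SMB1-era dialect names accepted by "server min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
TRUE = {"yes", "true", "1"}

def parse_global(text):
    """Collect [global] parameters; smb.conf ignores case and spaces in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text, legacy_instance=False):
    """Return findings. legacy_instance=True means SMB1 is intended, so
    the check is that the instance is confined to its own segment."""
    p = parse_global(text)
    # Assumed default when unset: SMB2_02 (Samba 4.11 and later).
    min_proto = p.get("serverminprotocol", p.get("minprotocol", "SMB2_02")).upper()
    findings = []
    if not legacy_instance:
        if min_proto in SMB1_DIALECTS:
            findings.append(f"server min protocol = {min_proto} allows SMB1")
        if p.get("lanmanauth", "no").lower() in TRUE:
            findings.append("lanman auth is enabled")
        return findings
    if p.get("bindinterfacesonly", "no").lower() not in TRUE:
        findings.append("legacy instance listens on all interfaces")
    if "interfaces" not in p:
        findings.append("no interfaces restriction")
    if "hostsallow" not in p and "allowhosts" not in p:
        findings.append("no hosts allow restriction")
    return findings

# Constructed sample configurations (addresses from the documentation range).
PUBLIC = "[global]\n  server min protocol = SMB2_02\n  lanman auth = no\n"
LEGACY = ("[global]\n  server min protocol = NT1\n  interfaces = 192.0.2.1/24\n"
          "  bind interfaces only = yes\n  hosts allow = 192.0.2.0/24\n")
LEAKY = "[global]\n  Server Min Protocol = NT1\n  lanman auth = yes\n"

if __name__ == "__main__":
    for name, conf, legacy in [("public", PUBLIC, False),
                               ("legacy", LEGACY, True), ("leaky", LEAKY, False)]:
        print(name, audit(conf, legacy) or "ok")
```

Running the same file through both modes is deliberate: the segregated instance should pass only with `legacy_instance=True`, and should fail the public check.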