Rowland Penny
2023-Jun-12 19:37 UTC
[Samba] SMB1 Domain stopped working after updates quick solution needed
On 12/06/2023 20:06, Mark Bannister via samba wrote:
> Simple small domain network running on a VM instance.
>
> Windows 10 browsing and shares not working. I MUST have SMB1 working in
> order for a legacy database (Corel Paradox with Borland BDE) to work. We
> are migrating away from this but it won't happen today. Error message
> from clients log "./../source3/smbd/server_exit.c:239(exit_server_common)
>   Server exit (no protocol supported"
>
> History:
>
> Just updated from Ubuntu 18 up to 22.04.2 using standard Ubuntu repositories.
>
> Everything seemed to be working but then I couldn't join a new
> workstation to the domain (been a long time since that was an issue).
> Read a few posts about Windows 22H2 causing issues so I updated Samba
> via add-apt-repository ppa:linux-schools/samba-latest
>
> Did not fix the issue.
>
> If I set server max protocol = NT1 to "server Min protocol" browsing
> and shares work but I get locking errors on the database lock files and
> it freezes the database (note veto op locks parameter in smb.conf).
>
> I reverted back to Version 4.15.13-Ubuntu but the same behavior.
>
> This was a working installation so SMB1 is activated on all Win10
> workstations.
>
> I've got no working database so I need a fast solution as well as a long
> term one. We are planning to switch to a Microsoft AD but that isn't
> even planned out yet.
>
>
>  testparm
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> deprecated
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_PDC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         add machine script = sudo /usr/sbin/useradd -g machines -c "%u
> machine account" -d /var/lib/samba -s /bin/false %u
>         add user script = /usr/sbin/adduser --quiet --disabled-password
> --gecos "" %u
>         dns proxy = No
>         domain logons = Yes
>         domain master = Yes
>         load printers = No
>         log file = /var/log/samba/log.%m
>         logon drive = H:
>         logon home
>         logon path
>         logon script = logon.bat
>         map to guest = Bad User
>         max log size = 1000
>         name resolve order = wins lmhosts host bcast
>         ntlm auth = ntlmv1-permitted
>         obey pam restrictions = Yes
>         pam password change = Yes
>         panic action = /usr/share/samba/panic-action %d
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         passwd program = /usr/bin/passwd %u
>         preferred master = Yes
>         security = USER
>         server max protocol = NT1
>         server role = classic primary domain controller
>         server string = APP Samba %v %h
>         template homedir = /home/%U
>         template shell = /bin/bash
>         unix password sync = Yes
>         username map = /usr/local/samba/etc/username.map
>         wins support = Yes
>         workgroup = LINGROUP
>         idmap config lingroup : range = 10000-999999
>         idmap config lingroup : backend = rid
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>         admin users = sysadmin
>         hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
>         hosts deny = 0.0.0.0/0
>         use client driver = Yes
>         veto oplock files =
> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/
>
>
> [homes]
>         browseable = No
>         comment = Home Directories
>         create mask = 0700
>         directory mask = 0700
>         read only = No
>         valid users = %S
>         vfs objects = recycle
>         recycle:exclude = *.tmp, *~, *.bak
>         recycle:keeptree = yes
>         recycle:repository = Recycle_Bin
>
>
> [netlogon]
>         comment = Network Logon Service
>         guest ok = Yes
>         path = /srv/samba/netlogon ; path = /home/samba/netlogon
>
>
> [printers]
>         browseable = No
>         comment = All Printers
>         create mask = 0700
>         guest ok = Yes
>         path = /var/spool/samba
>         printable = Yes
>
>
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
>         write list = root @lpadmin
>
>
> [PDFprinter]
>         comment = Cups Virtual PDF Printer
>         guest ok = Yes
>         lpq command
>         path = /var/spool/samba
>         printable = Yes
>
>
> [DATA]
>         comment = APP Files
>         force group = sambashare
>         force user = nobody
>         inherit acls = Yes
>         path = /mnt/APPDATA
>         read only = No
>         write list = @sambashare
>
>
> --
> Mark B

Ubuntu 18.04 used Samba 4.7.6 (if I remember correctly) and didn't require winbind, but from Samba 4.8.0 you need to run winbind. I know this usually requires 'security = domain' but you also have 'server role = classic primary domain controller'. Do you have winbind installed and running?

You might also want to set 'client max protocol = NT1', Samba, by default, moved to SMBv2 from 4.11.0

Rowland
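Added example, not part of either post and not Samba project code: a check for the combination visible in the quoted dump, where 'server max protocol = NT1' is set with no 'server min protocol' on a release whose default minimum is already SMB2, leaving no dialect to negotiate. The default values, the function names and the trimmed sample config are assumptions made for this illustration.

```python
# Added example. DEFAULTS are assumptions for Samba 4.11.0 or later.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
DEFAULTS = {"server min protocol": "SMB2_02", "server max protocol": "SMB3",
            "ntlm auth": "ntlmv2-only"}

# Constructed sample: protocol-related lines of the dump quoted in the thread.
QUOTED_GLOBAL = """
[global]
        ntlm auth = ntlmv1-permitted
        server max protocol = NT1
[DATA]
        path = /mnt/APPDATA
"""

def parse_global(conf_text):
    """Return {parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def level(name):
    """Position of a protocol name in ORDER, resolving SMB2/SMB3 aliases."""
    name = name.upper()
    return ORDER.index(ALIASES.get(name, name))

def audit(conf_text):
    """Return (code, detail) findings for the server protocol range and NTLM."""
    p = {**DEFAULTS, **parse_global(conf_text)}
    lo, hi = p["server min protocol"], p["server max protocol"]
    findings = []
    if level(lo) > level(hi):
        findings.append(("empty-range", f"{lo}..{hi}"))  # min above max
    elif level(lo) <= level("NT1"):
        findings.append(("smb1-enabled", f"{lo}..{hi}"))
    if p["ntlm auth"].lower() in ("ntlmv1-permitted", "yes"):
        findings.append(("ntlmv1-permitted", p["ntlm auth"]))
    return findings

if __name__ == "__main__":
    print(audit(QUOTED_GLOBAL))
```

With 'server min protocol = NT1' added, the first finding changes from empty-range to smb1-enabled, which is worth keeping on an audit list until the legacy database is retired.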
Mark Bannister
2023-Jun-12 20:16 UTC
[Samba] [EXTERNAL]Re: SMB1 Domain stopped working after updates quick solution needed
On 6/12/2023 2:37 PM, Rowland Penny via samba wrote:
>
>
> On 12/06/2023 20:06, Mark Bannister via samba wrote:
>> Simple small domain network running on a VM instance.
>>
>> Windows 10 browsing and shares not working. I MUST have SMB1 working
>> in order for a legacy database (Corel Paradox with Borland BDE) to
>> work. We are migrating away from this but it won't happen today.
>> Error message from clients log
>> "./../source3/smbd/server_exit.c:239(exit_server_common)
>>    Server exit (no protocol supported"
>>
>> History:
>>
>> Just updated from Ubuntu 18 up to 22.04.2 using standard Ubuntu
>> repositories.
>>
>> Everything seemed to be working but then I couldn't join a new
>> workstation to the domain (been a long time since that was an issue).
>> Read a few posts about Windows 22H2 causing issues so I updated
>> Samba via add-apt-repository ppa:linux-schools/samba-latest
>>
>> Did not fix the issue.
>>
>> If I set server max protocol = NT1 to "server Min protocol" browsing
>> and shares work but I get locking errors on the database lock files
>> and it freezes the database (note veto op locks parameter in smb.conf).
>>
>> I reverted back to Version 4.15.13-Ubuntu but the same behavior.
>>
>> This was a working installation so SMB1 is activated on all Win10
>> workstations.
>>
>> I've got no working database so I need a fast solution as well as a
>> long term one. We are planning to switch to a Microsoft AD but that
>> isn't even planned out yet.
>>
>>
>>   testparm
>> Load smb config files from /etc/samba/smb.conf
>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
>> deprecated
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_DOMAIN_PDC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>          add machine script = sudo /usr/sbin/useradd -g machines -c
>> "%u machine account" -d /var/lib/samba -s /bin/false %u
>>          add user script = /usr/sbin/adduser --quiet
>> --disabled-password --gecos "" %u
>>          dns proxy = No
>>          domain logons = Yes
>>          domain master = Yes
>>          load printers = No
>>          log file = /var/log/samba/log.%m
>>          logon drive = H:
>>          logon home
>>          logon path
>>          logon script = logon.bat
>>          map to guest = Bad User
>>          max log size = 1000
>>          name resolve order = wins lmhosts host bcast
>>          ntlm auth = ntlmv1-permitted
>>          obey pam restrictions = Yes
>>          pam password change = Yes
>>          panic action = /usr/share/samba/panic-action %d
>>          passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>          passwd program = /usr/bin/passwd %u
>>          preferred master = Yes
>>          security = USER
>>          server max protocol = NT1
>>          server role = classic primary domain controller
>>          server string = APP Samba %v %h
>>          template homedir = /home/%U
>>          template shell = /bin/bash
>>          unix password sync = Yes
>>          username map = /usr/local/samba/etc/username.map
>>          wins support = Yes
>>          workgroup = LINGROUP
>>          idmap config lingroup : range = 10000-999999
>>          idmap config lingroup : backend = rid
>>          idmap config * : range = 3000-7999
>>          idmap config * : backend = tdb
>>          admin users = sysadmin
>>          hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
>>          hosts deny = 0.0.0.0/0
>>          use client driver = Yes
>>          veto oplock files =
>> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/
>>
>>
>> [homes]
>>          browseable = No
>>          comment = Home Directories
>>          create mask = 0700
>>          directory mask = 0700
>>          read only = No
>>          valid users = %S
>>          vfs objects = recycle
>>          recycle:exclude = *.tmp, *~, *.bak
>>          recycle:keeptree = yes
>>          recycle:repository = Recycle_Bin
>>
>>
>> [netlogon]
>>          comment = Network Logon Service
>>          guest ok = Yes
>>          path = /srv/samba/netlogon ; path = /home/samba/netlogon
>>
>>
>> [printers]
>>          browseable = No
>>          comment = All Printers
>>          create mask = 0700
>>          guest ok = Yes
>>          path = /var/spool/samba
>>          printable = Yes
>>
>>
>> [print$]
>>          comment = Printer Drivers
>>          path = /var/lib/samba/printers
>>          write list = root @lpadmin
>>
>>
>> [PDFprinter]
>>          comment = Cups Virtual PDF Printer
>>          guest ok = Yes
>>          lpq command
>>          path = /var/spool/samba
>>          printable = Yes
>>
>>
>> [DATA]
>>          comment = APP Files
>>          force group = sambashare
>>          force user = nobody
>>          inherit acls = Yes
>>          path = /mnt/APPDATA
>>          read only = No
>>          write list = @sambashare
>>
>>
>> --
>> Mark B
>
>
> Ubuntu 18.04 used Samba 4.7.6 (if I remember correctly) and didn't
> require winbind, but from Samba 4.8.0 you need to run winbind. I know
> this usually requires 'security = domain' but you also have 'server
> role = classic primary domain controller'. Do you have winbind
> installed and running?
> You might also want to set 'client max protocol = NT1', Samba, by
> default, moved to SMBv2 from 4.11.0
>
> Rowland
>

Excellent. OK, I installed:

sudo apt install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

Not sure I needed all that. Winbind exits after starting. I see this message in the log.winbindd-idmap.log

[2023/06/12 15:08:45.470947,  3] ../../source3/winbindd/idmap.c:397(idmap_init_domain)
  idmap backend rid not found
[2023/06/12 15:08:45.606645,  3] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/idmap/rid.so' loaded

It's been years since I messed with any winbind stuff. Looks like I'm missing something?

I added 'client max protocol = NT1'