Moertenhumer Martin
2025-Mar-14  12:07 UTC
[Samba] 4.20: smb.conf include = %I.conf / server min protocol
Hello, 
in the past I've used host-based configurations to allow older Windows XP
machines to connect to recent servers (without reducing security for the entire
network). Up until samba 4.19 this worked for me. Using 4.20 I'm facing the
issue that  "server min protocol = NT1" does not work when set in
include=.../%I.conf. (setting server min protocol = NT1 in smb.conf's global
section works).
Any insights/ideas are highly appreciated.
Kernel:
5.14.0-503.29.1.el9_5.x86_64
Red Hat Enterprise Linux release 9.5 (Plow)
Samba version:
samba-4.20.2-2.el9_5.x86_64
smb.conf:
[global]
        allow insecure wide links = yes
        netbios aliases = somethingTEST somethingTEST
        acl allow execute always = True
        passdb backend = tdbsam
        wins support = true
        security = user
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        read raw = no
        map to guest = Bad Password
        cups options = raw
        follow symlinks = yes
        preferred master = yes
        load printers = yes
        guest account = liprod
        write raw = no
        os level = 20
        netbios name = something
        wide links = yes
        workgroup = ratherNOTtell
        include = /etc/samba/client_based_cfg/%I.conf
/etc/samba/client_based_cfg/10.2.10.4.conf:
[global]
        server min protocol = NT1
        map to guest = Bad Password
        ntlm auth = yes
        guest ok = yes
        log level = 3
Log (/var/log/samba/log.10.2.10.4)
[2025/03/14 12:50:31.095021,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[printers]"
[2025/03/14 12:50:31.095068,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[pcidos]"
[2025/03/14 12:50:31.095126,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[fab]"
[2025/03/14 12:50:31.095174,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[liident]"
[2025/03/14 12:50:31.095200,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[sw-tank]"
[2025/03/14 12:50:31.095228,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[labels]"
[2025/03/14 12:50:31.095253,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[bar]"
[2025/03/14 12:50:31.095278,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[benteler]"
[2025/03/14 12:50:31.095306,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[shape]"
[2025/03/14 12:50:31.095319,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[test]"
[2025/03/14 12:50:31.095341,  3] ../../source3/param/loadparm.c:1686(lp_add_ipc)
  adding IPC service
  added interface eth0 ip=10.2.10.1 bcast=10.2.10.255 netmask=255.255.255.0
[2025/03/14 12:50:31.095513,  3] ../../source3/smbd/smb2_negprot.c:1203(smb2_multi_protocol_reply_negprot)
  smb2_multi_protocol_reply_negprot: No protocol supported !
[2025/03/14 12:50:31.095627,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (no protocol supported
  )
Thanks,
Martin
Rowland Penny
2025-Mar-19  12:07 UTC
[Samba] 4.20: smb.conf include = %I.conf / server min protocol
On Fri, 14 Mar 2025 12:07:44 +0000
Moertenhumer Martin via samba <samba at lists.samba.org> wrote:

> Hello,
>
> in the past I've used host-based configurations to allow older
> Windows XP machines to connect to recent servers (without reducing
> security for the entire network). Up until samba 4.19 this worked for
> me. Using 4.20 I'm facing the issue that "server min protocol = NT1"
> does not work when set in include=.../%I.conf. (setting server min
> protocol = NT1 in smb.conf's global section works).
>
> Any insights/ideas are highly appreciated.
>

I recently found that the '%u' and '%U' variables do not return what
you would expect. I have 'winbind use default domain = yes' set in
smb.conf, so expect just the username for '%u' or '%U', but '%u' now
returns '$NETBIOS_DOMAINusername and '%U' returns
'username_$DNS_DOMAIN'.

I wonder if '%I' isn't returning the IP address correctly?

Rowland
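Added example (not part of either message, and not Samba code): a small Python audit of a per-client include directory like the /etc/samba/client_based_cfg/ one in the first message. It lists, per client IP, which of the relaxing settings from 10.2.10.4.conf are present, and flags files whose name is not an IP literal and so can never be selected by %I. The WEAKENING table and the sample files other than 10.2.10.4.conf are constructed for illustration.

```python
import ipaddress
import tempfile
from pathlib import Path

LEGACY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # dialects below SMB2
TRUE = {"yes", "true", "on", "1"}
# Normalised parameter name -> predicate, True when the value relaxes security.
WEAKENING = {
    "serverminprotocol": lambda v: v.upper() in LEGACY,
    "ntlmauth": lambda v: v.lower() in TRUE | {"ntlmv1-permitted"},
    "guestok": lambda v: v.lower() in TRUE,
    "maptoguest": lambda v: v.lower() != "never",
}

def parse_params(text):
    """Parse smb.conf-style text; names are case- and whitespace-insensitive."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header, or not a setting
        name, value = line.split("=", 1)
        params["".join(name.lower().split())] = value.strip()
    return params

def audit_dir(directory):
    """Return ({client_ip: [weakening settings]}, [files %I can never select])."""
    report, stray = {}, []
    for path in sorted(Path(directory).glob("*.conf")):
        try:
            ip = str(ipaddress.ip_address(path.stem))
        except ValueError:
            stray.append(path.name)  # file name is not an IP address
            continue
        params = parse_params(path.read_text())
        report[ip] = sorted(k for k, weak in WEAKENING.items()
                            if k in params and weak(params[k]))
    return report, stray

def demo():
    """Constructed sample: the thread's 10.2.10.4.conf plus two made-up files."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "10.2.10.4.conf").write_text(
            "[global]\n\tserver min protocol = NT1\n\tmap to guest = Bad Password\n"
            "\tntlm auth = yes\n\tguest ok = yes\n\tlog level = 3\n")
        Path(d, "10.2.10.9.conf").write_text("[global]\n\tlog level = 3\n")
        Path(d, "winxp-lab.conf").write_text("[global]\n\tserver min protocol = NT1\n")
        return audit_dir(d)

if __name__ == "__main__":
    print(demo())
```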