Hopefully this is a simple problem for a guru to solve.

I have been installing CentOS / Samba servers for my clients since 2004. However, in almost every instance, the Linux machine has been the only server on site. To begin with I set up the server as a domain server, but as most of my customers have less than a dozen PCs on a single site, the domain seemed to be overkill, so I now tend to use the server as a member of a workgroup, and purely as a fileserver.

I installed a CentOS 5 server for a customer in 2012. As CentOS 5 support has ended, I recently persuaded that customer that it was time to update their server. I set up a new Dell T130 server with CentOS 7 and the latest downloaded Samba. This was initially done offsite using my own Windows 10 Pro PC as a client; I added all the users and passwords before taking the server to site. All PCs on site were running Win10 Pro, version 1709, and previously had been connected to the CentOS 5 server, with the lanman parameters on the PCs modified to suit.

When I connected the CentOS 7 server, I noted that PCs logged on as any of the users had access to the two shares I had defined but not to their personal home directories. Once I had completed restoring the data from backup disks (only to the shares), for a reason I still do not understand I lost connection to the shares as well. I rebuilt smb.conf several times without success, but when I added "ntlm auth = yes" it worked again and I could access the home directories as well. I think I may have downgraded the authentication, but the customer is happy.

Can anyone explain what the issue may have been, the effect of my fix and whether I should go back and 'improve' the setup?

Peter Lawrie
On 3/9/2018 8:47 AM, peter lawrie via samba wrote:
> ntlm auth

Prior to Samba 4.5.0, the default for the 'ntlm auth' parameter was yes. What version were you running prior to the upgrade?

-- 
James
On Fri, 9 Mar 2018 13:47:39 +0000 peter lawrie via samba <samba at lists.samba.org> wrote:
> Hopefully this is a simple problem for a guru to solve.
>
> I have been installing CentOS / Samba servers for my clients since 2004. However, in almost every instance, the Linux machine has been the only server on site. To begin with I set up the server as a domain server, but as most of my customers have less than a dozen PCs on a single site, the domain seemed to be overkill, so I now tend to use the server as a member of a workgroup, and purely as a fileserver.
>
> I installed a CentOS 5 server for a customer in 2012. As CentOS 5 support has ended, I recently persuaded that customer that it was time to update their server. I set up a new Dell T130 server with CentOS 7 and the latest downloaded Samba. This was initially done offsite using my own Windows 10 Pro PC as a client; I added all the users and passwords before taking the server to site. All PCs on site were running Win10 Pro, version 1709, and previously had been connected to the CentOS 5 server, with the lanman parameters on the PCs modified to suit.
>
> When I connected the CentOS 7 server, I noted that PCs logged on as any of the users had access to the two shares I had defined but not to their personal home directories. Once I had completed restoring the data from backup disks (only to the shares), for a reason I still do not understand I lost connection to the shares as well. I rebuilt smb.conf several times without success, but when I added "ntlm auth = yes" it worked again and I could access the home directories as well. I think I may have downgraded the authentication, but the customer is happy.
>
> Can anyone explain what the issue may have been, the effect of my fix and whether I should go back and 'improve' the setup?
> Peter Lawrie

You have just made your customer's setup insecure and you really should go back asap and fix it.
If you read the release notes for 4.5.0, you would find this:

    NTLMv1 authentication disabled by default

    In order to improve security we have changed the default value for
    the "ntlm auth" option from "yes" to "no". This may have impact on
    very old clients which doesn't support NTLMv2 yet. The primary user
    of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

    By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have
    the following default "lanman auth = no", "ntlm auth = no" and
    "raw NTLMv2 auth = no".

You need to get your Windows clients to use NTLMv2.

Rowland
On Fri, 9 Mar 2018 15:46:23 +0000 peter lawrie <peter.lawrie at glendiscovery.co.uk> wrote:
> Dear Rowland
> Thank you for the reply.
> I thought I had probably created an insecurity, but no worse than before! The previous Samba was version 3.6.23-13.el5_11 on CentOS 5.11.
>
> I installed Windows 10 PCs for them last year, replacing their XP machines, and configured the following on each:
>
>     sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
>     sc.exe config mrxsmb20 start= disabled
>
> Now I need to reverse this.
> I only had a limited time on site to install the new server. The priority was to get it in with minimum disruption. It's a construction company; as long as they can see their data they don't care about security (unless something goes awry, in which case I could be in trouble, but not until then).
> Now I will need to go back at a suitable time to resolve the security issues.
>
> It would be greatly appreciated if I had precise instructions.
> I could experiment with my own Windows 10 PC, but my server is only CentOS 6.9 with samba-3.6.23-43.el6_9.x86_64.
> I have lanman auth = yes in my smb.conf, but no ntlm auth

I thought you said you had added 'ntlm auth = yes'?

I might also point out that lanman auth is even worse than NTLMv1; have you got 5 minutes whilst I crack the lanman auth password?

> What should I change in smb.conf, and I presume I will need to change the mrxsmb20 in each of the PCs?

Having never seen the smb.conf, I have no idea; can you post a sanitised copy? You may also have to revert any changes that have been made to the Windows machines.

Rowland
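The following is an added example written for this thread; it is not code posted by either participant and not part of Samba. It assumes the client PCs were changed with exactly the two sc.exe commands quoted above (SMB2 redirector disabled, LanmanWorkstation left depending on the SMB1 redirector only) and shows how to reverse those changes and pin the client to NTLMv2 only, which is what a Samba 4.5+ server with the default "ntlm auth = no" expects. The registry value LmCompatibilityLevel is the standard Windows setting behind the "lanman parameters" mentioned in the thread; level 5 means send NTLMv2 responses only and refuse LM and NTLM. Run it in an elevated PowerShell prompt and reboot afterwards.

```powershell
# Added example (not from the thread): undo the SMB1-only client change
# and make Windows 10 authenticate with NTLMv2 only.
# Run from an elevated PowerShell prompt; a reboot is needed afterwards.

# 1. Re-enable the SMB2/3 client driver (mrxsmb20), which the earlier
#    "sc.exe config mrxsmb20 start= disabled" turned off, and restore the
#    LanmanWorkstation dependency list so both redirectors load again.
sc.exe config mrxsmb20 start= auto
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

# 2. LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLMv1.
#    Matches a Samba server running with 'lanman auth = no' and
#    'ntlm auth = no' (the defaults since Samba 4.5.0).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord

# 3. Show the resulting state so it can be checked before rebooting.
Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel |
    Select-Object LmCompatibilityLevel
sc.exe qc mrxsmb20 | Select-String 'START_TYPE'
sc.exe qc lanmanworkstation | Select-String 'DEPENDENCIES|mrxsmb'

# Once every server on site speaks SMB2 or later (the CentOS 7 server
# in the thread does), the SMB1 client itself can be removed; this line
# is left commented out because it needs the whole site verified first.
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

On the server side the effective values can be confirmed with `testparm -sv | grep -i 'auth'`, which prints every parameter including defaults, so a stray "ntlm auth = yes" or "lanman auth = yes" shows up even if it was inherited from an old smb.conf.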
On Fri, 9 Mar 2018 16:55:24 +0000 peter lawrie <peter.lawrie at glendiscovery.co.uk> wrote:
> here is the current smb.conf

I would start with this smb.conf:

    [global]
        workgroup = dpcl
        security = user
        netbios name = dpcl1
        server string = %h
        max server protocol = smb2
        cups options = raw
        printing = cups
        hosts allow = 127. 10.0.0.
        printcap name = cups
        log file = /var/log/samba/log.%m
        max log size = 500

    [homes]
        browseable = No
        comment = Home Directories
        read only = no
        valid users = %S,%D%w%S
        inherit acls = Yes

    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775

    [company]
        read only = no
        path = /datastore/company
        force directory mode = 775
        force create mode = 775
        comment = company share
        valid users = @users, @accounts, @adm
        create mode = 775
        directory mode = 775

    [accounts]
        force create mode = 755
        read only = no
        valid users = @accounts
        path = /datastore/accounts
        force directory mode = 755
        force group = accounts

I would also ensure the Windows machines were using NTLMv2 as a minimum.

Rowland
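As a companion to the smb.conf above, here is an added check, not posted in the thread, that a client can run after the server is in place to confirm two things the configuration depends on: that the share is reachable with the client's NTLMv2-only setting, and that the negotiated dialect is SMB 2.x rather than SMB1 (the config caps the server at smb2, so a 3.x dialect would indicate a different server). The server name dpcl1 and share name company come from the smb.conf; the drive letter Z: is an assumption.

```powershell
# Added example (not from the thread): map a share from the proposed
# smb.conf and report the SMB dialect and user the session negotiated.
# Assumes the server is reachable as dpcl1 and the share is 'company'.
$server = 'dpcl1'
$share  = 'company'
$drive  = 'Z:'   # assumed free drive letter

# New-SmbMapping (SmbShare module, Windows 8/2012 and later) creates the
# connection; any authentication failure surfaces here as an exception,
# which on a 4.5+ server with default settings usually means the client
# is still offering NTLMv1/LM responses (LmCompatibilityLevel below 3).
New-SmbMapping -LocalPath $drive -RemotePath "\\$server\$share" -ErrorAction Stop | Out-Null

# Get-SmbConnection lists live sessions; Dialect is the negotiated SMB
# version (e.g. 2.1 or 2.0.2 against a server with max protocol smb2).
$conn = Get-SmbConnection -ServerName $server |
    Where-Object ShareName -eq $share |
    Select-Object ServerName, ShareName, UserName, Dialect
$conn

# Flag anything that negotiated down to SMB1; that is the situation the
# thread is trying to get away from.
if ($conn | Where-Object { [version]$_.Dialect -lt [version]'2.0' }) {
    Write-Warning "Share $share on $server is using SMB1; check the client redirector settings."
}

# Clean up the test mapping.
Remove-SmbMapping -LocalPath $drive -Force
```

If New-SmbMapping fails with an access-denied error while an older client with the same credentials succeeds, that is the symptom of a client still sending NTLMv1 to a server whose "ntlm auth" is at the new default; raising the client's LmCompatibilityLevel is the fix, not lowering the server's setting.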
On Fri, 9 Mar 2018 18:16:42 +0000 peter lawrie <peter.lawrie at glendiscovery.co.uk> wrote:
> Dear Rowland
> Thank you for your help.
> Should these settings also work on my CentOS 6.9 and Samba 3.6?
> If so, I'll make sure the changes work on my system before going to the customer.
> Peter

It all depends on how much Red Hat has backported to their version of 3.6. As far as Samba is concerned, 3.6 is EOL, but all the security patches seem to get backported by Red Hat, so all I can suggest is to try it.

Rowland