Andrea Baldoni
2018-Apr-30 15:26 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
Hello.

I need to let Windows for Workgroup 3.11 clients (industrial machinery) connect to shares in the PDC samba Version 4.2.14-Debian.

I started to be able to connect to shares exported by domain members windows professional (7, 10) machines (share permissions include "domain users"), after I added "lanman auth = yes" to PDC and updated the user password, though it's not stable (sometimes the client stops accessing/listing files in the share; rebooting the exporting windows machine sometimes cures the problem, sometimes I need to restart samba process in the PDC), but I never connect to shares exported by the PDC itself. Of course every other windows client connects to the PDC shares without problems or instability. The instability of the old WfW 3.11 clients existed even before I replaced the former windows 2008 PDC with samba, but it (seems it) was less severe and anyway always cured by rebooting the exporting windows pro machine, the PDC never needed a reboot (perhaps it would have cured the problem, but it was simpler to reboot the exporting windows pro machine, so no one tried to reboot the server).
I don't know if Windows for Workgroup machines were able to connect to the shares exported from the former windows 2008 PDC.

I traced client traffic, it seems that the samba PDC doesn't answer at all to the SMBnegprot (REQUEST) (other than TCP handshake). I don't see the expected SMBnegprot (REPLY).

>>> NBT Session Packet
NBT Session Message
Flags=0x0
Length=142 (0x8e)

SMB PACKET: SMBnegprot (REQUEST)
SMB Command = 0x72
Error class = 0x0
Error code = 0 (0x0)
Flags1 = 0x0
Flags2 = 0x0
Tree ID = 0 (0x0)
Proc ID = 32018 (0x7d12)
UID = 0 (0x0)
MID = 1025 (0x401)
Word Count = 0 (0x0)
smb_bcc=107
Dialect=PC NETWORK PROGRAM 1.0
Dialect=MICROSOFT NETWORKS 3.0
Dialect=DOS LM1.2X002
Dialect=DOS LANMAN2.1
Dialect=Windows for Workgroups 3.1a

I added various config lines related to protocol and auth without any success.

testparm -v | grep protocol

server max protocol = SMB3
server min protocol = LANMAN1
client max protocol = default
client min protocol = CORE
client ipc max protocol = default
client ipc min protocol = default

testparm -v | grep auth

auth methods =
lanman auth = Yes
ntlm auth = Yes
raw NTLMv2 auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
ldap server require strong auth = Yes
allow dcerpc auth level connect = No

I set loglevel=10 to try to see if there was some error at the exact time the packet got processed, but besides "set_remote_arch: Client arch is 'WfWg'" I wasn't able to see anything relevant.

The windows client shows (from program manager):
"<STOP> This device does not exist on the network."

(from command.com: net use x: \\server\share)
"Error 55: This resource does not exist on the network."

Thank you.

Andrea Baldoni
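Added example (not part of the original post, and not Samba code): a small parser for the NBT-framed SMB1 negotiate request shown in the trace above, useful for spotting clients on a capture that offer only LANMAN-era dialects. The frame is rebuilt from the fields in the trace rather than taken from a real capture, and the function names are hypothetical.

```python
import struct

# Dialect strings copied from the SMBnegprot trace in the post above.
WFW_DIALECTS = ["PC NETWORK PROGRAM 1.0", "MICROSOFT NETWORKS 3.0",
                "DOS LM1.2X002", "DOS LANMAN2.1", "Windows for Workgroups 3.1a"]

def build_negprot(dialects, pid=0x7D12, mid=0x0401):
    """Build an NBT-framed SMB1 negotiate request (constructed sample, not a capture)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # 32-byte SMB1 header: magic, command, status, flags, flags2, pid_high,
    # signature, reserved, tid, pid, uid, mid (all zero except command/pid/mid).
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0, 0, 0,
                         b"\x00" * 8, 0, 0, pid, 0, mid)
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data  # wct=0, bcc, data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NBT session message

def parse_negprot(frame):
    """Return (nbt_length, byte_count, dialects) for an NBT-framed SMB1 negotiate."""
    if len(frame) < 39 or frame[0] != 0x00:
        raise ValueError("not an NBT session message carrying SMB1")
    nbt_len = int.from_bytes(frame[1:4], "big") & 0x1FFFF  # 17-bit length field
    smb = frame[4:4 + nbt_len]
    if nbt_len < 35 or len(smb) != nbt_len or smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        raise ValueError("truncated frame or not an SMB1 negotiate request")
    bcc_off = 33 + 2 * smb[32]  # skip header, word count byte and parameter words
    if bcc_off + 2 > len(smb):
        raise ValueError("word count exceeds frame")
    (bcc,) = struct.unpack_from("<H", smb, bcc_off)
    data = smb[bcc_off + 2:bcc_off + 2 + bcc]
    if len(data) != bcc:
        raise ValueError("byte count exceeds frame")
    dialects = []
    while data:
        if data[0] != 0x02 or b"\x00" not in data:
            raise ValueError("malformed dialect entry")
        name, _, data = data[1:].partition(b"\x00")
        dialects.append(name.decode("ascii", "replace"))
    return nbt_len, bcc, dialects

def legacy_only(dialects):
    """True when the client offers nothing newer than the LANMAN-era dialects."""
    return not {"NT LM 0.12", "SMB 2.002", "SMB 2.???"}.intersection(dialects)

if __name__ == "__main__":
    nbt_len, bcc, offered = parse_negprot(build_negprot(WFW_DIALECTS))
    print(f"NBT length={nbt_len} smb_bcc={bcc} legacy_only={legacy_only(offered)}")
    for d in offered:
        print("  Dialect=" + d)
```

The five dialect strings account exactly for the Length=142 and smb_bcc=107 values in the trace, which is a quick sanity check that a capture of this request is complete.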
Gaiseric Vandal
2018-Apr-30 15:55 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
There may be various "signing" parameters that you may need to set to "no" on the samba PDC.

I would also disable SMB3. Windows 10 does support SMB3 but (in my experience) Samba does not properly implement it, so you will get problems. Windows 7 does not support SMB3 so will fall back to SMB2 anyway.

I suspect at this point making Windows 7 and Windows 3.11 interact is a losing proposition. It is pretty scary to think that there is still equipment that requires Windows 3.11. Hopefully it is air-gapped and not part of the electrical grid.

Is there a difference between connecting to a share using the server IP name rather than the hostname ?

On 04/30/18 11:26, Andrea Baldoni via samba wrote:
> Hello.
>
> I need to let Windows for Workgroup 3.11 clients (industrial machinery)
> connect to shares in the PDC samba Version 4.2.14-Debian.
>
> I started to be able to connect to shares exported by domain members windows
> professional (7, 10) machines (share permissions include "domain users"), after
> I added "lanman auth = yes" to PDC and updated the user password,
> though it's not stable (sometimes the client stops accessing/listing files in the
> share; rebooting the exporting windows machine sometimes cures the problem,
> sometimes I need to restart samba process in the PDC), but I never connect to
> shares exported by the PDC itself. Of course every other windows client connects
> to the PDC shares without problems or instability. The instability of the old
> WfW 3.11 clients existed even before I replaced the former windows 2008 PDC
> with samba, but it (seems it) was less severe and anyway always cured by
> rebooting the exporting windows pro machine, the PDC never needed a reboot
> (perhaps it would have cured the problem, but it was simpler to reboot the
> exporting windows pro machine, so no one tried to reboot the server).
> I don't know if Windows for Workgroup machines were able to connect to the
> shares exported from the former windows 2008 PDC.
>
> I traced client traffic, it seems that the samba PDC doesn't answer at all to
> the SMBnegprot (REQUEST) (other than TCP handshake). I don't see the expected
> SMBnegprot (REPLY).
>
> >>> NBT Session Packet
> NBT Session Message
> Flags=0x0
> Length=142 (0x8e)
>
> SMB PACKET: SMBnegprot (REQUEST)
> SMB Command = 0x72
> Error class = 0x0
> Error code = 0 (0x0)
> Flags1 = 0x0
> Flags2 = 0x0
> Tree ID = 0 (0x0)
> Proc ID = 32018 (0x7d12)
> UID = 0 (0x0)
> MID = 1025 (0x401)
> Word Count = 0 (0x0)
> smb_bcc=107
> Dialect=PC NETWORK PROGRAM 1.0
> Dialect=MICROSOFT NETWORKS 3.0
> Dialect=DOS LM1.2X002
> Dialect=DOS LANMAN2.1
> Dialect=Windows for Workgroups 3.1a
>
> I added various config lines related to protocol and auth without any
> success.
>
> testparm -v | grep protocol
>
> server max protocol = SMB3
> server min protocol = LANMAN1
> client max protocol = default
> client min protocol = CORE
> client ipc max protocol = default
> client ipc min protocol = default
>
> testparm -v | grep auth
>
> auth methods
> lanman auth = Yes
> ntlm auth = Yes
> raw NTLMv2 auth = No
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> ldap server require strong auth = Yes
> allow dcerpc auth level connect = No
>
>
> I set loglevel=10 to try to see if there was some error at the
> exact time the packet got processed, but besides
> "set_remote_arch: Client arch is 'WfWg'" I wasn't able to see anything
> relevant.
>
> The windows client shows (from program manager):
> "<STOP> This device does not exist on the network."
>
> (from command.com: net use x: \\server\share)
> "Error 55: This resource does not exist on the network."
>
> Thank you.
>
> Andrea Baldoni
>
Rowland Penny
2018-Apr-30 16:04 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, 30 Apr 2018 17:26:58 +0200
Andrea Baldoni via samba <samba at lists.samba.org> wrote:

> Hello.
>
> I need to let Windows for Workgroup 3.11 clients (industrial
> machinery) connect to shares in the PDC samba Version 4.2.14-Debian.

I had to read this several times to understand it, then a few more because I didn't believe it.

Firstly, I think that you haven't got a PDC, you have an AD DC, the 'windows 2008 PDC' bit gave that away ;-)

You then want to use something that is clagged on top of DOS 6.22 and get that to talk to AD, something that really doesn't understand domains (the hint is in what it is called)

Can you post your smb.conf from the Samba DC

Rowland
Andrea Baldoni
2018-Apr-30 17:23 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, Apr 30, 2018 at 11:55:24AM -0400, Gaiseric Vandal via samba wrote:

Hello Gaiseric.

> I suspect at this point making Windows 7 and Windows 3.11 interact is a
> losing proposition. It is pretty scary to think that there is still
> equipment that requires Windows 3.11. Hopefully it is air-gapped and not
> part of the electrical grid.

I can evaluate different options: I can make a chrooted secondary samba (on a different IP) only to serve Windows 3.11 (or a VM with a minimal linux inside, eventually) if this could solve my problem.

What parameters I should try to put to "no" to see if I get the 3.11 to connect?
I have a test environment so I can try without disrupting service.

> Is there a difference between connecting to a share using the server IP name
> rather than the hostname ?

No.

Andrea
Chris Weiss
2018-Apr-30 17:48 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, Apr 30, 2018 at 10:42 AM Andrea Baldoni via samba <samba at lists.samba.org> wrote:

> Hello.
>
> I need to let Windows for Workgroup 3.11 clients (industrial machinery)
> connect to shares in the PDC samba Version 4.2.14-Debian.
>

I have a couple win9x and DOS machine controllers in a similar situation. I decided that having these on the domain was less important than running a little bit tighter security for the rest of my LAN, so I have this work around and it seems to be working well enough:

- I have a virtual machine running samba 4.x standalone with these global options:
    lanman auth = Yes
    client lanman auth = Yes
    server signing = disabled
    create mask = 0664
    directory mask = 0775
- the last 2 are needed to play nice over NFS when using ACL group based permissions on the source server.
- my main samba AD file server exports the folders I want these old systems to access via NFS to only this VM.
- the VM has only the required local users and groups created to match the UIDs of the domain.

I guess a container would work too, just I have VM hosts with plenty of resources so that was most flexible for me.

the drawback of this is the user management is outside the domain, but here these are station specific shared accounts on auto-login anyway, so not being on the domain is actually a bit beneficial.
Reindl Harald
2018-Apr-30 17:53 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On 30.04.2018 at 17:26, Andrea Baldoni via samba wrote:
> I need to let Windows for Workgroup 3.11 clients (industrial machinery)
> connect to shares in the PDC samba Version 4.2.14-Debian

they should *never* be connected to the same network as your normal LAN so the problem must not exist to start with

for "industrial machinery" i expect the budget for a switch with vlan support or even completely physical networks and to connect both networks for admin purposes a firewall between only allowing admin machines

any other setup is irresponsible
Andrea Baldoni
2018-Apr-30 18:32 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, Apr 30, 2018 at 05:04:29PM +0100, Rowland Penny via samba wrote:

Hello Rowland.

> I had to read this several times to understand it, then a few more
> because I didn't believe it.

Well. In the industrial environment you may find everything ranging from CPM-86 onwards... old things talk via RS-232 or 422, the LAN equipped are regarded as "modern". In general all are non-upgradable closed systems.

> Firstly, I think that you haven't got a PDC, you have an AD DC, the
> 'windows 2008 PDC' bit gave that away ;-)

Sorry, I am not a windows sysadm and I lack the correct terminology; I am not even sure if it was a 2008 or something else actually.

> You then want to use something that is clagged on top of DOS 6.22 and
> get that to talk to AD, something that really doesn't understand
> domains (the hint is in what it is called)

It cannot understand the domain and authenticate over it, but this is not a problem as the WfWg doesn't export any folder and nothing connects to it. I need the 3.11 to be able to access a folder exported by something else and, with stability issues, it's working with windows 7/10 pro and it was working already before I replaced the windows server with a samba one... but I would really like not to have a machine-in-the-middle and have the samba serve those data instead.
There are other reasons, but a good one is the presence of much more powerful debug instruments on samba to diagnose the instability.

> Can you post your smb.conf from the Samba DC

# Global parameters
[global]
    interfaces = 127.0.0.0/8 br0
    bind interfaces only = yes
    workgroup = WORKGROUP
    realm = MYDOMAIN.COM
    netbios name = SERVER
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    dns forwarder = 127.0.0.1
    acl allow execute always = true
    lanman auth = yes

[netlogon]
    path = /var/lib/samba/sysvol/mydomain.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profiles]
    path = /home/samba/profiles
    read only = No
    force create mode = 0600
    create mask = 0600
    force directory mode = 0700
    directory mask = 0700

[pubblica]
    comment = Area pubblica
    path = /home/samba/pubblica
    read only = No
    force create mode = 0660
    create mask = 0660
    force directory mode = 0770
    directory mask = 0770

..other shares

Andrea
Andrea Baldoni
2018-May-01 08:31 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, Apr 30, 2018 at 05:48:29PM +0000, Chris Weiss via samba wrote:

> I have a couple win9x and DOS machine controllers in a similar situation.
> I decided that having these on the domain was less important than running a
> little bit tighter security for the rest of my LAN, so I have this work
> around and it seems to be working well enough:
>
> - I have a virtual machine running samba 4.x standalone with these global
> options:
> lanman auth = Yes
> client lanman auth = Yes

Hello Chris.

"client lanman auth = yes" is ineffective unless you also set "client NTLMv2 auth = no". However if I understood correctly, this is used by smbclient and both you and me don't need it.

You solved my problem anyway, the culprit was exactly "server signing = disabled"

Now I can pass to diagnose stability problems.

> - the VM has only the required local users and groups created to match the
> UIDs of the domain.

I think I will prepare a similar configuration.

> the drawback of this is the user management is outside the domain, but here
> these are station specific shared accounts on auto-login anyway, so not
> being on the domain is actually a bit beneficial.

The samba inside the VM couldn't be a domain member?

Andrea