Andrea Baldoni
2018-Apr-30 18:32 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, Apr 30, 2018 at 05:04:29PM +0100, Rowland Penny via samba wrote:

Hello Rowland.

> I had to read this several times to understand it, then a few more
> because I didn't believe it.

Well. In the industrial environment you may find everything ranging from
CPM-86 onwards... old things talk via RS-232 or 422, the LAN equipped are
regarded as "modern". In general all are non-upgradable closed systems.

> Firstly, I think that you haven't got a PDC, you have an AD DC, the
> 'windows 2008 PDC' bit gave that away ;-)

Sorry, I am not a windows sysadm and I lack the correct terminology; I am not
even sure if it was a 2008 or something else actually.

> You then want to use something that is clagged on top of DOS 6.22 and
> get that to talk to AD, something that really doesn't understand
> domains (the hint is in what it is called)

It cannot understand the domain and authenticate over it, but this is
not a problem as the WfWg doesn't export any folder and nothing connects to it.

I need the 3.11 to be able to access a folder exported by something else and,
with stability issues, it's working with windows 7/10 pro and it was working
already before I replaced the windows server with a samba one... but I would
really like not to have a machine-in-the-middle and have the samba serve
those data instead. There are other reasons, but a good one is the presence of
much more powerful debug instruments on samba to diagnose the instability.

> Can you post your smb.conf from the Samba DC

# Global parameters
[global]
interfaces = 127.0.0.0/8 br0
bind interfaces only = yes
workgroup = WORKGROUP
realm = MYDOMAIN.COM
netbios name = SERVER
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
dns forwarder = 127.0.0.1
acl allow execute always = true
lanman auth = yes

[netlogon]
path = /var/lib/samba/sysvol/mydomain.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[profiles]
path = /home/samba/profiles
read only = No
force create mode = 0600
create mask = 0600
force directory mode = 0700
directory mask = 0700

[pubblica]
comment = Area pubblica
path = /home/samba/pubblica
read only = No
force create mode = 0660
create mask = 0660
force directory mode = 0770
directory mask = 0770

..other shares

Andrea
Gaiseric Vandal
2018-Apr-30 18:49 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
Did you set a "security" value in smb.conf? If this is a domain controller,
then I think it should be "security=user."

Are the Windows 7 and Windows 10 machines properly joined to the domain? Are
any of the Windows 7/10 machines used for industrial systems?

It might be helpful to know what the OS version of the previous server was,
and whether it was actually configured as a domain controller. Why did you
remove the old server? A long long time ago when I moved from NT4, I used the
samba "net rpc vampire" command to pull the Windows accounts into the samba
server. Did you do something similar?

Assuming you only have the industrial systems and not your corporate network
using this server, a "classic" domain controller may be simpler to set up than
an AD domain controller. Windows 3.11 won't benefit from AD. Assuming you only
have Windows 3.11 machines then there isn't even much point setting up the
server as a domain controller at all.

On 04/30/18 14:32, Andrea Baldoni via samba wrote:
> On Mon, Apr 30, 2018 at 05:04:29PM +0100, Rowland Penny via samba wrote:
>
> Hello Rowland.
>
>> I had to read this several times to understand it, then a few more
>> because I didn't believe it.
> Well. In the industrial environment you may find everything ranging from
> CPM-86 onwards... old things talk via RS-232 or 422, the LAN equipped are
> regarded as "modern". In general all are non-upgradable closed systems.
>
>> Firstly, I think that you haven't got a PDC, you have an AD DC, the
>> 'windows 2008 PDC' bit gave that away ;-)
> Sorry, I am not a windows sysadm and I lack the correct terminology; I am not
> even sure if it was a 2008 or something else actually.
>
>> You then want to use something that is clagged on top of DOS 6.22 and
>> get that to talk to AD, something that really doesn't understand
>> domains (the hint is in what it is called)
> It cannot understand the domain and authenticate over it, but this is
> not a problem as the WfWg doesn't export any folder and nothing connects to it.
>
> I need the 3.11 to be able to access a folder exported by something else and,
> with stability issues, it's working with windows 7/10 pro and it was working
> already before I replaced the windows server with a samba one... but I would
> really like not to have a machine-in-the-middle and have the samba serve
> those data instead. There are other reasons, but a good one is the presence of
> much more powerful debug instruments on samba to diagnose the instability.
>
>> Can you post your smb.conf from the Samba DC
> # Global parameters
> [global]
> interfaces = 127.0.0.0/8 br0
> bind interfaces only = yes
> workgroup = WORKGROUP
> realm = MYDOMAIN.COM
> netbios name = SERVER
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 127.0.0.1
> acl allow execute always = true
> lanman auth = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [profiles]
> path = /home/samba/profiles
> read only = No
> force create mode = 0600
> create mask = 0600
> force directory mode = 0700
> directory mask = 0700
>
> [pubblica]
> comment = Area pubblica
> path = /home/samba/pubblica
> read only = No
> force create mode = 0660
> create mask = 0660
> force directory mode = 0770
> directory mask = 0770
>
> ..other shares
>
> Andrea
>
Rowland Penny
2018-Apr-30 18:57 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, 30 Apr 2018 20:32:26 +0200
Andrea Baldoni via samba <samba at lists.samba.org> wrote:

> On Mon, Apr 30, 2018 at 05:04:29PM +0100, Rowland Penny via samba
> wrote:
>
> Hello Rowland.
>
> > I had to read this several times to understand it, then a few more
> > because I didn't believe it.
>
> Well. In the industrial environment you may find everything ranging
> from CPM-86 onwards... old things talk via RS-232 or 422, the LAN
> equipped are regarded as "modern". In general all are non-upgradable
> closed systems.

I understand about CNC, nobody thinks about the builtin PC going
obsolete before the machine wears out, so you end up with a machine that is
virtually obsolete.

> > Firstly, I think that you haven't got a PDC, you have an AD DC, the
> > 'windows 2008 PDC' bit gave that away ;-)
>
> Sorry, I am not a windows sysadm and I lack the correct terminology; I
> am not even sure if it was a 2008 or something else actually.

Don't worry about it, your post was written in such a way that it made it
obvious what you had, quite a lot of posts aren't so obvious and a PDC is
quite different from an AD DC ;-)

> > You then want to use something that is clagged on top of DOS 6.22
> > and get that to talk to AD, something that really doesn't understand
> > domains (the hint is in what it is called)
>
> It cannot understand the domain and authenticate over it, but this is
> not a problem as the WfWg doesn't export any folder and nothing
> connects to it.
>
> I need the 3.11 to be able to access a folder exported by something else
> and, with stability issues, it's working with windows 7/10 pro and it
> was working already before I replaced the windows server with a samba
> one... but I would really like not to have a machine-in-the-middle
> and have the samba serve those data instead. There are other reasons,
> but a good one is the presence of much more powerful debug
> instruments on samba to diagnose the instability.

Do you need the Samba machine to talk to a LAN?
If not, then follow the good advice you have already been given and use the
AD DC as a standalone machine. If it does, then creating a VM to run a Unix
domain member in would be a good idea.

> > Can you post your smb.conf from the Samba DC
>
> # Global parameters
> [global]
> interfaces = 127.0.0.0/8 br0
> bind interfaces only = yes
> workgroup = WORKGROUP
> realm = MYDOMAIN.COM
> netbios name = SERVER
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 127.0.0.1

You seem to be using Bind9 for the dns server, so you don't need the
'dns forwarder' line, it should be in the bind configuration.

> acl allow execute always = true
> lanman auth = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [profiles]
> path = /home/samba/profiles
> read only = No
> force create mode = 0600
> create mask = 0600
> force directory mode = 0700
> directory mask = 0700
>
> [pubblica]
> comment = Area pubblica
> path = /home/samba/pubblica
> read only = No
> force create mode = 0660
> create mask = 0660
> force directory mode = 0770
> directory mask = 0770
>
> ..other shares
>
> Andrea
>

Sorry but this is a DC and all the 'force' lines etc do not work on a DC.

Rowland
Andrea Baldoni
2018-May-01 09:02 UTC
[Samba] 4.2.14 (or newer) support "Windows for Workgroups 3.1a"?
On Mon, Apr 30, 2018 at 07:57:32PM +0100, Rowland Penny via samba wrote:

Hello Rowland.

> I understand about CNC, nobody thinks about the builtin PC going
> obsolete before the machine wears out, so you end up with a machine that is
> virtually obsolete.

Exactly.

> If it does, then creating a VM to run a Unix domain member in, would be
> a good idea.

I will do it, security is never enough, however I would like to understand
better if the concerns are on:

- the need of lowering AD DC security to permit WfWg to connect
  [lanman auth = yes, server signing = disabled]
  here I agree, better to let the AD DC run at full security and have a
  secondary samba member run at lower

- or the danger the WfWg machines could pose to the network, thus they need
  to run on a separate LAN
  of course those machines aren't there for customers to "browse the
  internet, open emails and download malware" - no software that connects
  to the outside world is installed there

- or the danger the win 7/10 machines (that actually are there also for
  customers to "browse the internet") could pose to WfWg, spreading viruses
  and malware to them, thus WfWg need to run on a separate LAN
  this has some foundation, I suppose the WfWg TCP stack is vulnerable to
  every kind of remote attack; I doubt that modern viruses still have code
  able to exploit any, but of course it's possible that a malicious user,
  knowing that, targets those machines from the LAN

It's interesting to note that, with two samba, it's not difficult to
implement LAN separation while at the same time allowing (indirectly) the
windows 7/10 machines to share files with WfWg (that's exactly what they
should do), while using windows servers the same thing would be much more
difficult to obtain, if even possible without resorting to third party
software.

> > dns forwarder = 127.0.0.1
>
> You seem to be using Bind9 for the dns server, so you don't need the
> 'dns forwarder' line, it should be in the bind configuration.

Yes, I use bind9.
Thank you, I'll remove that line.

> > force create mode = 0600
> > force directory mode = 0700
> Sorry but this is a DC and all the 'force' lines etc do not work on a
> DC.

I have already read that in the past, but actually they do, I tried right now
and I confirm it.

Andrea
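As an added example (not code from the thread or from the Samba project): a small Python audit that parses an smb.conf like the one posted above and flags the two [global] settings the thread names as lowering AD DC security (lanman auth = yes, server signing = disabled), then returns the config with those lines dropped, since the thread's advice is to keep the DC at full security and put the WfWg accommodation on a separate domain member. The sample config is constructed; the function names and the list of checked parameters are my own.

```python
import configparser

# Constructed sample modelled on the [global] section posted above, plus the
# two legacy-compatibility settings the thread names (not a real file).
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
realm = MYDOMAIN.COM
server role = active directory domain controller
lanman auth = yes
server signing = disabled
"""

# [global] parameters that weaken a DC, the values that do so, and why.
WEAKENING = [
    ("lanman auth", {"yes", "true", "1"},
     "accepts LanMan hashes; only pre-NT clients such as WfWg need them"),
    ("server signing", {"disabled", "no", "false", "0"},
     "turns off SMB signing, so sessions can be tampered with on the LAN"),
]

def audit_dc_config(text):
    """Return (parameter, value, reason) findings; non-DC roles get none."""
    # smb.conf is ini-like, so configparser reads it (keys are lowercased).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    role = cp.get("global", "server role", fallback="").strip().lower()
    if "domain controller" not in role and role not in {"dc", "classic pdc", "classic bdc"}:
        return []
    findings = []
    for param, weak_values, reason in WEAKENING:
        value = cp.get("global", param, fallback=None)
        if value is not None and value.strip().lower() in weak_values:
            findings.append((param, value.strip(), reason))
    return findings

def strip_weakening(text):
    """Drop the weakening [global] lines so the DC stays at full security;
    they belong on the separate member server the thread suggests."""
    weak_keys = {param for param, _, _ in WEAKENING}
    out, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "global" and "=" in stripped:
            if stripped.split("=", 1)[0].strip().lower() in weak_keys:
                continue
        out.append(line)
    return "\n".join(out) + "\n"
```

Run it against the real file with `audit_dc_config(open("/etc/samba/smb.conf").read())`; an empty list means neither setting is weakening the DC.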