samba - May 2019 - Windows clients require reboot once a day in order to access mapped drives

Hai, 

... 
> 
> As I said, where is the fault, is it something that Windows 10 is or
> isn't doing, or is it Samba ?
> 
> Well, we cannot change Windows, so on that basis, I think you should
> make a Samba bug report and let it work through the system.
> 
> Rowland
Well, yes, we can change windows, by allowing/disallowing SMB1. 
Which might help in detecting whats off..  

I would check 3 things here before this is reported as bug. 

Kerberos/Authentication. krb5.conf, Did you change the : clockskew or
renew_lifetime
Set only this : 
[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

;; optinal. 
;    forwardable = true
;    proxiable = true
;    ticket_lifetime = 24h	<< one you can try as LAST option. 
;    ccache_type = 4



Are the pc's connected to multiple servers. Then on these servers run :
smbstatus -A
Check these outputs. 

The windows clients, do these have SMB1 still enabled or not? 
And what are the windows eventlogs telling ( post event id and part of
description ).

Now, you can try these also. I tested samba 4.9.6 and 4.10.2 on Debian 9. 

    smb encrypt = required
    client min protocol = SMB2
    client max protocol = SMB3



Greetz, 

Louis

>
>
> I would check 3 things here before this is reported as bug.
>
> Kerberos/Authentication. krb5.conf, Did you change the : clockskew or
> renew_lifetime
> Set only this :
> [libdefaults]
>     default_realm = YOUR.REALM.TLD
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>
I have not played with clockskew or renew_lifetime.  Both my DC and file
server have the following krb5.conf file.

[libdefaults]
        default_realm = YOUR.REALM.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true


Are the pc's connected to multiple servers. Then on these servers run
:
> smbstatus -A
> Check these outputs.
>
> The windows clients, do these have SMB1 still enabled or not?
>
Windows 10 clients (the only ones having the problem) have SMB1 disabled by
default.  I have not re-enabled it.

Currently, when I run smbstatus -A I see clients connection with either
protocol version 2_10 or 3_11.


> And what are the windows eventlogs telling ( post event id and part of
> description ).
>
As noted in my previous email, after spending a half hour looking through
event logs I didn't see anything.


Now, you can try these also. I tested samba 4.9.6 and 4.10.2 on Debian
9.
>
>     smb encrypt = required
>
That will disconnect my win7 clients, so I can't try that.


>     client min protocol = SMB2
>     client max protocol = SMB3
>
My reading of the man page suggests that these settings apply to smbclient,
not windows clients connecting to the samba server.  I had previously
thought, prior to reading the man page, that this would limit which
protocols were available to connecting clients, but I can confirm that it
does not perform that function.  However, setting server min protocol SMB2
and/or server max protocol = SMB3, does limit what clients can do.
However, to my surprise, if I set 'server max protocol = SMB2' windows
10
clients cannot connect.  So, my current understanding is that if one has
Win10 clients on the network, you cannot set 'server max protocol' to
anything less than SMB3.

I currently can't disable SMB1 on this server, as there is a scanner that
connects via SMB1 to one of my shares.  I'm working to change that, but I
can't eliminate it just yet.


--
Mason

Mason, 
 
You can set these also on the share. 

Win7 and10
	    client min protocol = SMB2
	    client max protocol = SMB3

The one for the scanner, 
	    client min protocol = NT1
	    client max protocol = SMB2

 
Part of my smbstatus -a:  
PID     Username     Group        Machine                                  
Protocol Version  Encryption           Signing
27316   root         root         192.168.xxx.1(ipv4:192.168.xxx.1:50818)
SMB2_10           -                    -
27357   username domain users 192.168.xxx.2(ipv4:192.168.xxx.2:63181) SMB3_11   
partial(AES-128-CCM) partial(AES-128-CMAC)
27439   username domain users 192.168.x.5 (ipv4:192.168.x.5:1102) NT1           
-                    -
27336   root         root         192.168.xxx.3(ipv4:192.168.xxx.3:34540)
SMB3_00           -                    -
27337   root         root         192.168.xxx.4(ipv4:192.168.xxx.4:41138)
SMB3_00           -                    -

>From above list, top to bottem. 
The first is a windows 7 pc. and the second a win10 PC.  connecting to a share
configured with :
    smb encrypt = auto
    client min protocol = SMB2
    client max protocol = SMB3

the thirth is a Win XP pc, connecting to a separated share configured with: 
    client min protocol = NT1
    client max protocol = SMB2
 
The last to are 2 Xen xcp-ng servers with samba 4.2.3. 
No configuration is done for this share. 

The above see if it helps you a bit. 

 
Greetz, 
 
Louis
 



________________________________

	Van: Mason Schmitt [mailto:mason at ftlcomputing.com] 
	Verzonden: dinsdag 30 april 2019 19:39
	Aan: L.P.H. van Belle
	CC: samba at lists.samba.org
	Onderwerp: Re: [Samba] Windows clients require reboot once a day in order to
access mapped drives
	
	


		I would check 3 things here before this is reported as bug. 
		
		Kerberos/Authentication. krb5.conf, Did you change the : clockskew or
renew_lifetime
		Set only this : 
		[libdefaults]
		    default_realm = YOUR.REALM.TLD
		    dns_lookup_kdc = true
		    dns_lookup_realm = false
		


	I have not played with clockskew or renew_lifetime.  Both my DC and file server
have the following krb5.conf file.

	[libdefaults]
	        default_realm = YOUR.REALM.TLD
	        dns_lookup_realm = false
	        dns_lookup_kdc = true



		Are the pc's connected to multiple servers. Then on these servers run :
smbstatus -A
		Check these outputs. 
		
		The windows clients, do these have SMB1 still enabled or not? 
		


	Windows 10 clients (the only ones having the problem) have SMB1 disabled by
default.  I have not re-enabled it.

	Currently, when I run smbstatus -A I see clients connection with either
protocol version 2_10 or 3_11.

	 

		And what are the windows eventlogs telling ( post event id and part of
description ).
		


	As noted in my previous email, after spending a half hour looking through event
logs I didn't see anything.
	 


		Now, you can try these also. I tested samba 4.9.6 and 4.10.2 on Debian 9. 
		
		    smb encrypt = required
		


	That will disconnect my win7 clients, so I can't try that.
	
	
	 

		    client min protocol = SMB2
		    client max protocol = SMB3
		


	My reading of the man page suggests that these settings apply to smbclient, not
windows clients connecting to the samba server.  I had previously thought, prior
to reading the man page, that this would limit which protocols were available to
connecting clients, but I can confirm that it does not perform that function. 
However, setting server min protocol = SMB2 and/or server max protocol = SMB3,
does limit what clients can do.  However, to my surprise, if I set 'server
max protocol = SMB2' windows 10 clients cannot connect.  So, my current
understanding is that if one has Win10 clients on the network, you cannot set
'server max protocol' to anything less than SMB3.
	
	
	I currently can't disable SMB1 on this server, as there is a scanner that
connects via SMB1 to one of my shares.  I'm working to change that, but I
can't eliminate it just yet.


	--
	Mason

On Wed, May 1, 2019 at 2:24 AM L.P.H. van Belle via samba
<samba at lists.samba.org> wrote:
> You can set these also on the share.
> Win7 and10
>             client min protocol = SMB2
>             client max protocol = SMB3
> The one for the scanner,
>             client min protocol = NT1
>             client max protocol = SMB2
>>>>
> The first is a windows 7 pc. and the second a win10 PC.  connecting to a
share configured with :
>     smb encrypt = auto
>     client min protocol = SMB2
>     client max protocol = SMB3
> the thirth is a Win XP pc, connecting to a separated share configured with:
>     client min protocol = NT1
>     client max protocol = SMB2
Interesting, client min protocol and client max protocol are listed as
Global parameters (G) in the smb.conf man page. Is it common to have
Global parameters work properly in the Share (S) sections? And what is
the result if stated Global parameter used in both the Global section
and Share sections? Is there a list of which Global parameters are
valid in Share sections? Are any Share labelled parameters valid in
the Global section?
And just a pet peeve which I mentioned years ago - the parameter
synonyms should be deprecated, too many times users use both, plus it
would assist in the readable and support of the smb.conf file.

Hai Sonic, 

> -----Oorspronkelijk bericht-----
> Van: Sonic [mailto:sonicsmith at gmail.com] 
> Verzonden: woensdag 1 mei 2019 14:51
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Windows clients require reboot once a 
> day in order to access mapped drives
> 
> On Wed, May 1, 2019 at 2:24 AM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> > You can set these also on the share.
> > Win7 and10
> >             client min protocol = SMB2
> >             client max protocol = SMB3
> > The one for the scanner,
> >             client min protocol = NT1
> >             client max protocol = SMB2
> >>>>
> > The first is a windows 7 pc. and the second a win10 PC.  
> connecting to a share configured with :
> >     smb encrypt = auto
> >     client min protocol = SMB2
> >     client max protocol = SMB3
> > the thirth is a Win XP pc, connecting to a separated share 
> configured with:
> >     client min protocol = NT1
> >     client max protocol = SMB2
> 
> Interesting, client min protocol and client max protocol are listed as
> Global parameters (G) in the smb.conf man page. 
> - Is it common to have Global parameters work properly in the Share (S)
sections?
That i dont know, but i do try these things out when needed. 
Some work some not. 
> - And what is the result if stated Global parameter used in both the Global
section and Share sections?
I havent check that in the test, but i do believe the share setting is
overruling the global setting.
Because otherwise i would not have seen NT1 in my outputs. 
> - Is there a list of which Global parameters are valid in Share sections? 
Not that i know of. 
> - Are any Share labelled parameters valid in the Global section?
That i dont know, but i do try these things out when needed. 
Some work some not. 
> And just a pet peeve which I mentioned years ago - the parameter
> synonyms should be deprecated, too many times users use both, plus it
> would assist in the readable and support of the smb.conf file.
Yes, good point, cleanup more is good. 

Well, i was thinking the same as you did, but few days ago, Rowland noticed that
this is not the case.
And i also dont know everything.. I must follow in this case what Rowland is
saying.

The above questions are good questions. 
I suggest, wait and see what Rowland or another dev can say about this. 


Greetz, 

Louis