Nick Howitt
2020-Sep-28 13:52 UTC
[Samba] What is needed to allow Network Browsing of the file server in Windows
On 28/09/2020 12:36, Rowland penny via samba wrote:
>
> On 28/09/2020 12:01, Nick Howitt via samba wrote:
>> I am using Samba as a simple file server but I cannot browse its
>> shares in Windows Explorer. I do not use SMB1. Am I missing a trick or
>> is it not possible without SMB1?
> No you are not missing a trick, Network Browsing requires SMBv1. Windows
> now uses Network Discovery instead, you should be able to use this
> instead: https://github.com/christgau/wsdd
>>
>> I am using ClearOS7 with the Centos7 4.10.4 samba package.
>
> Samba is starting to remove everything to do with SMBv1, 4.13.0 (just
> released) has deprecated a few of the parameters required for a PDC, so
> can I suggest you upgrade to Samba AD as soon as possible, this will
> mean using non distro packages or changing distro, because you cannot
> provision an AD DC on the Centos packages.
>
> Rowland
>

Thanks. wsdd seems to do the trick.

I'm afraid I can't upgrade Samba as I am stuck with what upstream supply, so it is what I need to be able to support. ClearOS itself will need quite a rework to handle an AD/DC as it also does file serving and has a fair amount of stuff integrated with OpenLDAP including a few schema additions. Really the only feasible stage to do an upgrade would be when they change to 8.x. Even then, the easiest route would be to keep going with the current file server set up and run an AD/DC in docker with something like https://github.com/Fmstrat/samba-domain then join the server to the docker domain. You would hate this as it you strongly recommend (for understandable reasons) keeping an AD/DC on a separate machine. Unfortunately the ClearOS concept was for an all-in-one box acting as a router and server. Thankfully I am not a system architect and someone else is going to have to come up with the system design.

Nick
Rowland penny
2020-Sep-28 14:21 UTC
[Samba] What is needed to allow Network Browsing of the file server in Windows
On 28/09/2020 14:52, Nick Howitt via samba wrote:
>
> On 28/09/2020 12:36, Rowland penny via samba wrote:
>>
>> On 28/09/2020 12:01, Nick Howitt via samba wrote:
>>> I am using Samba as a simple file server but I cannot browse its
>>> shares in Windows Explorer. I do not use SMB1. Am I missing a trick
>>> or is it not possible without SMB1?
>> No you are not missing a trick, Network Browsing requires SMBv1.
>> Windows now uses Network Discovery instead, you should be able to use
>> this instead: https://github.com/christgau/wsdd
>>>
>>> I am using ClearOS7 with the Centos7 4.10.4 samba package.
>>
>> Samba is starting to remove everything to do with SMBv1, 4.13.0 (just
>> released) has deprecated a few of the parameters required for a PDC,
>> so can I suggest you upgrade to Samba AD as soon as possible, this
>> will mean using non distro packages or changing distro, because you
>> cannot provision an AD DC on the Centos packages.
>>
>> Rowland
>>
> Thanks. wsdd seems to do the trick.
>
> I'm afraid I can't upgrade Samba as I am stuck with what upstream
> supply, so it is what I need to be able to support. ClearOS itself
> will need quite a rework to handle an AD/DC as it also does file
> serving and has a fair amount of stuff integrated with OpenLDAP
> including a few schema additions. Really the only feasible stage to do
> an upgrade would be when they change to 8.x. Even then, the easiest
> route would be to keep going with the current file server set up and
> run an AD/DC in docker with something like
> https://github.com/Fmstrat/samba-domain then join the server to the
> docker domain. You would hate this as it you strongly recommend (for
> understandable reasons) keeping an AD/DC on a separate machine.
> Unfortunately the ClearOS concept was for an all-in-one box acting as
> a router and server. Thankfully I am not a system architect and
> someone else is going to have to come up with the system design.
>
> Nick
>

You do not seem to understand, SMBv1 is insecure and the first stage (as far as Samba is concerned) is to deprecate SMBv1, the next stage will be to remove it. Now this isn't likely to happen overnight but it could be Samba 4.15.0, at which point your PDC will have virtually nothing to talk to, because I am fairly sure that when Samba removes SMBv1, Microsoft will do the same.

ClearOS is based on RHEL and RHEL doesn't seem to want an AD DC, so ClearOS (and Centos) are unlikely to have one either (unless they break with RHEL).

When SMBv1 is removed, you will probably have three options. Continue with ClearOS using a version of Samba that is unlikely to get updates and has limited clients, switch to freeIPA (RHEL 8 no longer comes with openldap and smbldap-tools) or change distro to a Debian based one.

I personally think it is better to decide now, rather than waiting until you are forced to make a choice.

Rowland
Nick Howitt
2020-Sep-28 14:40 UTC
[Samba] What is needed to allow Network Browsing of the file server in Windows
On 28/09/2020 15:21, Rowland penny via samba wrote:
>
> On 28/09/2020 14:52, Nick Howitt via samba wrote:
>>
>> On 28/09/2020 12:36, Rowland penny via samba wrote:
>>>
>>> On 28/09/2020 12:01, Nick Howitt via samba wrote:
>>>> I am using Samba as a simple file server but I cannot browse its
>>>> shares in Windows Explorer. I do not use SMB1. Am I missing a trick
>>>> or is it not possible without SMB1?
>>> No you are not missing a trick, Network Browsing requires SMBv1.
>>> Windows now uses Network Discovery instead, you should be able to use
>>> this instead: https://github.com/christgau/wsdd
>>>>
>>>> I am using ClearOS7 with the Centos7 4.10.4 samba package.
>>>
>>> Samba is starting to remove everything to do with SMBv1, 4.13.0 (just
>>> released) has deprecated a few of the parameters required for a PDC,
>>> so can I suggest you upgrade to Samba AD as soon as possible, this
>>> will mean using non distro packages or changing distro, because you
>>> cannot provision an AD DC on the Centos packages.
>>>
>>> Rowland
>>>
>> Thanks. wsdd seems to do the trick.
>>
>> I'm afraid I can't upgrade Samba as I am stuck with what upstream
>> supply, so it is what I need to be able to support. ClearOS itself
>> will need quite a rework to handle an AD/DC as it also does file
>> serving and has a fair amount of stuff integrated with OpenLDAP
>> including a few schema additions. Really the only feasible stage to do
>> an upgrade would be when they change to 8.x. Even then, the easiest
>> route would be to keep going with the current file server set up and
>> run an AD/DC in docker with something like
>> https://github.com/Fmstrat/samba-domain then join the server to the
>> docker domain. You would hate this as it you strongly recommend (for
>> understandable reasons) keeping an AD/DC on a separate machine.
>> Unfortunately the ClearOS concept was for an all-in-one box acting as
>> a router and server. Thankfully I am not a system architect and
>> someone else is going to have to come up with the system design.
>>
>> Nick
>>
> You do not seem to understand, SMBv1 is insecure and the first stage (as
> far as Samba is concerned) is to deprecate SMBv1, the next stage will be
> to remove it. Now this isn't likely to happen overnight but it could be
> Samba 4.15.0, at which point your PDC will have virtually nothing to
> talk to, because I am fairly sure that when Samba removes SMBv1,
> Microsoft will do the same.
>
> ClearOS is based on RHEL and RHEL doesn't seem to want an AD DC, so
> ClearOS (and Centos) are unlikely to have one either (unless they break
> with RHEL).
>
> When SMBv1 is removed, you will probably have three options. Continue
> with ClearOS using a version of Samba that is unlikely to get updates
> and has limited clients, switch to freeIPA (RHEL 8 no longer comes with
> openldap and smbldap-tools) or change distro to a Debian based one.
>
> I personally think it is better to decide now, rather than waiting until
> you are forced to make a choice.
>
> Rowland
>

Yes, I am aware of the issues. I don't use smb1 or domains so I should be able to live with the current product.
For customers who use NT4 domains things are a little more difficult. Currently you can still use them with 4.10 without SMB1, but you said in earlier correspondence that you needed SMB1 but I am not sure with what level of Samba. This is the first thing that scares me (a lot).
It will be interesting to see what upstream do, bearing in mind they are still on 4.10. I am very concerned about the future and would really like to see ClearOS move to v8 when everything is up for grabs. There is too much baggage in 7.x to upgrade as there is too much other stuff built into the O/S which would need refactoring, as I was trying to point out. Also, if they push an upgrade to AD/DC it would have to be an automatic push converting over existing NT4 domains and I am not sure this is a possibility, or even safe to force on clients.

Nick
L.P.H. van Belle
2020-Sep-28 15:10 UTC
[Samba] What is needed to allow Network Browsing of the file server in Windows
https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/
Just read it and think again.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nick Howitt via samba
> Sent: Monday 28 September 2020 16:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] What is needed to allow Network Browsing of the file server in Windows
>
> On 28/09/2020 15:21, Rowland penny via samba wrote:
> >
> > On 28/09/2020 14:52, Nick Howitt via samba wrote:
> >>
> >> On 28/09/2020 12:36, Rowland penny via samba wrote:
> >>>
> >>> On 28/09/2020 12:01, Nick Howitt via samba wrote:
> >>>> I am using Samba as a simple file server but I cannot browse its
> >>>> shares in Windows Explorer. I do not use SMB1. Am I missing a trick
> >>>> or is it not possible without SMB1?
> >>> No you are not missing a trick, Network Browsing requires SMBv1.
> >>> Windows now uses Network Discovery instead, you should be able to use
> >>> this instead: https://github.com/christgau/wsdd
> >>>>
> >>>> I am using ClearOS7 with the Centos7 4.10.4 samba package.
> >>>
> >>> Samba is starting to remove everything to do with SMBv1, 4.13.0 (just
> >>> released) has deprecated a few of the parameters required for a PDC,
> >>> so can I suggest you upgrade to Samba AD as soon as possible, this
> >>> will mean using non distro packages or changing distro, because you
> >>> cannot provision an AD DC on the Centos packages.
> >>>
> >>> Rowland
> >>>
> >> Thanks. wsdd seems to do the trick.
> >>
> >> I'm afraid I can't upgrade Samba as I am stuck with what upstream
> >> supply, so it is what I need to be able to support. ClearOS itself
> >> will need quite a rework to handle an AD/DC as it also does file
> >> serving and has a fair amount of stuff integrated with OpenLDAP
> >> including a few schema additions. Really the only feasible stage to do
> >> an upgrade would be when they change to 8.x. Even then, the easiest
> >> route would be to keep going with the current file server set up and
> >> run an AD/DC in docker with something like
> >> https://github.com/Fmstrat/samba-domain then join the server to the
> >> docker domain. You would hate this as it you strongly recommend (for
> >> understandable reasons) keeping an AD/DC on a separate machine.
> >> Unfortunately the ClearOS concept was for an all-in-one box acting as
> >> a router and server. Thankfully I am not a system architect and
> >> someone else is going to have to come up with the system design.
> >>
> >> Nick
> >>
> > You do not seem to understand, SMBv1 is insecure and the first stage (as
> > far as Samba is concerned) is to deprecate SMBv1, the next stage will be
> > to remove it. Now this isn't likely to happen overnight but it could be
> > Samba 4.15.0, at which point your PDC will have virtually nothing to
> > talk to, because I am fairly sure that when Samba removes SMBv1,
> > Microsoft will do the same.
> >
> > ClearOS is based on RHEL and RHEL doesn't seem to want an AD DC, so
> > ClearOS (and Centos) are unlikely to have one either (unless they break
> > with RHEL).
> >
> > When SMBv1 is removed, you will probably have three options. Continue
> > with ClearOS using a version of Samba that is unlikely to get updates
> > and has limited clients, switch to freeIPA (RHEL 8 no longer comes with
> > openldap and smbldap-tools) or change distro to a Debian based one.
> >
> > I personally think it is better to decide now, rather than waiting until
> > you are forced to make a choice.
> >
> > Rowland
> >
> Yes, I am aware of the issues. I don't use smb1 or domains so I should
> be able to live with the current product.
> For customers who use NT4 domains things are a little more difficult.
> Currently you can still use them with 4.10 without SMB1, but you said in
> earlier correspondence that you needed SMB1 but I am not sure with what
> level of Samba. This is the first thing that scares me (a lot).
> It will be interesting to see what upstream do, bearing in mind they are
> still on 4.10. I am very concerned about the future and would really
> like to see ClearOS move to v8 when everything is up for grabs. There is
> too much baggage in 7.x to upgrade as there is too much other stuff
> built into the O/S which would need refactoring, as I was trying to
> point out. Also, if they push an upgrade to AD/DC it would have to be an
> automatic push converting over existing NT4 domains and I am not sure
> this is a possibility, or even safe to force on clients.
>
> Nick
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
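
A configuration check for the SMBv1 point raised in this thread, as an added example that is not part of any poster's message: it reads an smb.conf and reports whether smbd of a given version would still accept an SMB1 dialect. It relies on the built-in default of `server min protocol` having changed from LANMAN1 to SMB2_02 in Samba 4.11, so a 4.10.4 server permits SMB1 unless the parameter is set explicitly; the function names and the sample configuration are constructed for illustration.

```python
import re

# Samba dialect names, oldest first; everything up to NT1 is SMB1.
PROTOCOLS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
             "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
             "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SYNONYMS = {"minprotocol": "serverminprotocol"}  # smb.conf synonym

# Constructed sample: a standalone file server with no protocol settings.
SAMPLE = """
[global]
    workgroup = WORKGROUP
    security = user
[shared]
    path = /srv/shared
"""

def global_params(conf_text):
    """Return [global] parameters keyed by lower-case name without spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())  # names ignore case and spaces
            params[SYNONYMS.get(key, key)] = value.strip()
    return params

def default_min(version):
    """Built-in 'server min protocol': LANMAN1 before 4.11, SMB2_02 from 4.11."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return "SMB2_02" if (major, minor) >= (4, 11) else "LANMAN1"

def smb1_allowed(conf_text, version):
    """True if smbd of this version would still accept an SMB1 dialect."""
    params = global_params(conf_text)
    value = params.get("serverminprotocol", default_min(version)).upper()
    value = ALIASES.get(value, value)
    return PROTOCOLS.index(value) <= PROTOCOLS.index("NT1")  # ValueError if unknown

if __name__ == "__main__":
    for ver in ("4.10.4", "4.13.0"):
        print(ver, "SMB1 allowed:", smb1_allowed(SAMPLE, ver))
```

The parser does not follow `include` directives, so on a live server feed it the output of `testparm -s` instead of the raw file.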