Rowland penny
2021-Feb-10 20:02 UTC
[Samba] Is it possible to set the protocol for a single client
On 10/02/2021 19:46, Jeremy Allison wrote:
> On Wed, Feb 10, 2021 at 07:32:17PM +0000, Rowland penny wrote:
>> On 10/02/2021 19:07, Jeremy Allison via samba wrote:
>>> On Wed, Feb 10, 2021 at 01:52:28PM -0500, Robert Steinmetz via samba
>>> wrote:
>>>> I have a few clients which require minimum protocol. Is it possible
>>>> to set the min protocol on a per client basis?
>>>> If so how?
>>>
>>> You could try doing an include directive in the
>>> smb.conf based on client machine (%m or %M) parameter.
>>>
>> Hi Jeremy, how would that work ?
>>
>> I understand the concept of using 'includes', I just don't see how an
>> include file that contains something like 'server minimum protocol =
>> NT1' is going to affect a running samba, just how would the client
>> trigger it ??
>
> Matching on the remote hostname (%M) is
> done at socket accept time (it's how
> we handle the "hosts allow/ hosts deny"
> parameters).
>
> This is *before* the negprot is processed,
> so if there is an include that adds
> "server minimum protocol = NT1" it
> will allow the client that matches
> to connect using SMB1, but all others
> will be restricted to SMB2+.

OK, I can understand that, but are you saying that if there is a line like 'include = /path/to/smb.conf.%M' in smb.conf and there is a file called smb.conf.clientname in /path/to , then the contents of that will be used instead of what is in the main smb.conf ?

Wouldn't you have to reload the samba config ?

Still mystified

Rowland
Jeremy Allison
2021-Feb-10 20:14 UTC
[Samba] Is it possible to set the protocol for a single client
On Wed, Feb 10, 2021 at 08:02:41PM +0000, Rowland penny wrote:
>On 10/02/2021 19:46, Jeremy Allison wrote:
>>
>>Matching on the remote hostname (%M) is
>>done at socket accept time (it's how
>>we handle the "hosts allow/ hosts deny"
>>parameters).
>>
>>This is *before* the negprot is processed,
>>so if there is an include that adds
>>"server minimum protocol = NT1" it
>>will allow the client that matches
>>to connect using SMB1, but all others
>>will be restricted to SMB2+.
>
>OK, I can understand that, but are you saying that if there is a line
>like 'include = /path/to/smb.conf.%M' in smb.conf and there is a file
>called smb.conf.clientname in /path/to , then the contents of that
>will be used instead of what is in the main smb.conf ?

Not instead of, included at that point.

>Wouldn't you have to reload the samba config ?

et voila !

source3/smbd/process.c:smbd_process()

    /* this is needed so that we get decent entries
       in smbstatus for port 445 connects */
    set_remote_machine_name(remaddr, false);
    reload_services(sconn, conn_snum_used, true);

Remember, Samba is *old* and has many, many strange wrinkles that were added a long time ago :-).
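Added example, not part of the thread and not Samba code: a small Python audit that models the "included at that point" behaviour described above and lists which clients a per-client include still admits with an SMB1-family minimum. It is a simplified model that assumes the smb.conf(5) spelling `server min protocol`, handles only the %M substitution, and uses constructed client names (`oldscanner`, `laptop`) and file names.

```python
import os
import tempfile

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
MIN_KEYS = {"serverminprotocol", "minprotocol"}  # smb.conf(5) name and its synonym


def effective_min_protocol(conf_path, client, value=None):
    """Last 'server min protocol' seen when conf_path is read top to bottom for
    `client`, with each include line expanded in place (%M -> client name)."""
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;[" or "=" not in line:
                continue
            key, val = (part.strip() for part in line.split("=", 1))
            key = "".join(key.lower().split())  # names ignore case and spaces
            if key == "include":
                path = val.replace("%M", client)
                if os.path.isfile(path):  # no file for this client: nothing added
                    value = effective_min_protocol(path, client, value)
            elif key in MIN_KEYS:
                value = val.upper()
    return value


def smb1_clients(conf_path, clients):
    """Clients whose effective minimum dialect is still in the SMB1 family."""
    return sorted(c for c in clients
                  if effective_min_protocol(conf_path, c) in SMB1_DIALECTS)


def demo():
    """Constructed sample: one legacy client file, two orderings of the main file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "smb.conf.oldscanner"), "w") as fh:
        fh.write("server min protocol = NT1\n")
    include = f"include = {d}/smb.conf.%M\n"
    floor = "server min protocol = SMB2_02\n"
    results = {}
    for name, body in (("include_last", floor + include),
                       ("include_first", include + floor)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("[global]\n" + body)
        results[name] = smb1_clients(path, ["oldscanner", "laptop"])
    return results


if __name__ == "__main__":
    print(demo())
```

In this model the include line has to come after the global floor for the per-client NT1 setting to take effect; with the order reversed, the later global line overrides it and no client is admitted below SMB2.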