Andrew Bartlett
2021-May-10 23:33 UTC
[Samba] Hoping someone can shed some light on this issue
On Mon, 2021-05-10 at 19:17 +0100, Rowland penny via samba wrote:
> On 10/05/2021 19:10, Rowland penny via samba wrote:
> > On 10/05/2021 19:00, Todd Ruffing wrote:
> > > It's a no-go on the configuration changes. I backed up the original
> > > config file and modified the old config file to resemble what you
> > > had. I restarted the server (I know I could have forced samba to
> > > pick up the config changes, just thought it would be best to restart
> > > it.). I tried the mapping from windows 2016 to samba, and got the
> > > same result. Windows 2008 still works after the changes. Why
> > > doesn't windows 2016 work. Did Microsoft change something in 2016 to
> > > prevent it from working?
> >
> > Who are you connecting as ? A Windows user that is unknown to the
> > Samba standalone server, or a user that is known to the standalone
> > server ? If the latter, are you using the correct password ?
> >
> > Rowland
>
> No, don't bother, it's Microsoft trying to stop you doing something that
> has been a part of Samba since Adam was a lad ?
>
> see here:
> https://techjourney.net/cannot-connect-to-cifs-smb-samba-network-shares-shared-folders-in-windows-10/

I'm really glad they did that, but I'm surprised we haven't heard more about it. We need to update our documentation to make it clear that 'guest ok' and 'map to guest = bad user' isn't a practical option any more.

The crux of the issue is that because we don't give out (eg) an SSL certificate there is no way, absent a password, to validate the server. So the password is what sets up the full chain of protection on the connection.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Andrew Walker
2021-May-11 01:01 UTC
[Samba] Hoping someone can shed some light on this issue
On Mon, May 10, 2021 at 7:34 PM Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Mon, 2021-05-10 at 19:17 +0100, Rowland penny via samba wrote:
> > On 10/05/2021 19:10, Rowland penny via samba wrote:
> > > On 10/05/2021 19:00, Todd Ruffing wrote:
> > > > It's a no-go on the configuration changes. I backed up the original
> > > > config file and modified the old config file to resemble what you
> > > > had. I restarted the server (I know I could have forced samba to
> > > > pick up the config changes, just thought it would be best to restart
> > > > it.). I tried the mapping from windows 2016 to samba, and got the
> > > > same result. Windows 2008 still works after the changes. Why
> > > > doesn't windows 2016 work. Did Microsoft change something in 2016 to
> > > > prevent it from working?
> > >
> > > Who are you connecting as ? A Windows user that is unknown to the
> > > Samba standalone server, or a user that is known to the standalone
> > > server ? If the latter, are you using the correct password ?
> > >
> > > Rowland
> >
> > No, don't bother, it's Microsoft trying to stop you doing something that
> > has been a part of Samba since Adam was a lad ?
> >
> > see here:
> > https://techjourney.net/cannot-connect-to-cifs-smb-samba-network-shares-shared-folders-in-windows-10/
>
> I'm really glad they did that, but I'm surprised we haven't heard more
> about it. We need to update our documentation to make it clear that
> 'guest ok' and 'map to guest = bad user' isn't a practical option any
> more.

We have had quite a few users report this issue and have had to document around it in FreeNAS. IIRC the change happened in Windows 10 version 1709 and Windows Server version 1903. MacOS these days also gets unhappy if it requests an authenticated session, but gets a guest one (can't remember version there).

The world moved on in terms of what is acceptable in terms of security (and with good reason). Now if only we could get rid of those NT domains :))

Andrew
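Added example, not part of the original thread and not Samba project code: a small Python audit that reads an smb.conf and reports the guest-access settings discussed above ('map to guest' set to anything other than Never, and shares where 'guest ok' or its synonym 'public' is enabled, including via a [global] default). The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf (illustrative, not taken from the thread).
SAMPLE = """\
[global]
   Map To Guest = Bad User
[scans]
   path = /srv/scans
   PUBLIC = Yes
[homes]
   guest ok = no
"""

SYNONYMS = {"public": "guestok"}  # 'public' is a synonym for 'guest ok'
TRUE = {"yes", "true", "1"}       # boolean spellings smb.conf accepts

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)

def parse(text):
    sections, current = {}, None
    text = re.sub(r"\\\n", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def guest_findings(text):
    """Return (section, setting) pairs that allow guest sessions."""
    conf = parse(text)
    glob = conf.get("global", {})
    findings = []
    mode = glob.get("maptoguest", "Never")  # Samba's default is Never
    if norm(mode) != "never":
        findings.append(("global", "map to guest = " + mode))
    for share, params in conf.items():
        # A share inherits 'guest ok' from [global] unless it overrides it.
        value = params.get("guestok", glob.get("guestok", "no"))
        if share != "global" and value.lower() in TRUE:
            findings.append((share, "guest ok = " + value))
    return findings

if __name__ == "__main__":
    for section, setting in guest_findings(SAMPLE):
        print(f"[{section}] {setting}")
```

To check a real server, pass the contents of its configuration file to `guest_findings()` instead of `SAMPLE`.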