Patrick Goetz
2022-Jan-26 15:24 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 1/26/22 08:41, Rowland Penny via samba wrote:
> On Wed, 2022-01-26 at 08:26 -0600, Patrick Goetz via samba wrote:
>>
>> On 1/26/22 08:10, Dr. Thomas Orgis wrote:
>>> On Wed, 26 Jan 2022 07:55:22 -0600,
>>> Patrick Goetz via samba <samba at lists.samba.org> wrote:
>>>
>>>> - Instrumentation equipment running old versions of Windows which
>>>> can't be upgraded
>>>> However it should be possible to run older versions of Samba in a
>>>> container?
>>>
>>> I think for old appliances without software maintenance, it is
>>> appropriate to segregate them in the network and have an equally
>>> segregated instance of an old version of samba serving them. I'd build
>>> some kind of bridge pulling the data from things like scanners into the
>>> new storage environment automatically, but not having the old devices
>>> dictate how the public service is run.
>>>
>>
>> The reality at my University is that any version of Windows which is out
>> of maintenance (e.g. Windows <= 7) is considered insecure and can't be
>> open to the public network anyway, so must be segregated. It's a rather
>> large university, and we have dozens, maybe even hundreds of systems
>> like this. Of course most small office environments are NATed and
>> firewalled, so this isn't as much of an issue for them, but your
>> suggestion is still probably best practice, if just from a systems
>> administration perspective.
>>
>>> Heck, you could encapsulate things even by (literally) duct-taping a
>>> single-board computer to the old expensive hardware that presents as
>>> the old-style SMB server to it (using container, VM, or just a custom
>>> build of samba for this) and talk to the newer servers on the outside
>>> in whatever fashion.
>>>
>>> But of course, if this is in a customer's network who doesn't even
>>> want to consider changing the config of scanners to use SMTP instead ?
>>> it might not be viable to convince them of such a solution;-)
>>>
>>> Not speaking current SMB might be one of the lesser reasons not to have
>>> these things on the network along with other gear ?
>>>
>>> Alrighty then,
>>>
>>> Thomas
>
> I think the biggest problem will come from 'home' users when Samba
> finally removes SMBv1 (this isn't what Andrew is proposing). The 'home'
> users will not even consider using SMBv2 or 3, they MUST be able to see
> the shares in Network Neighbourhood, nothing else will do.
>

I think Windows 10 doesn't even support SMBv1? If that's correct, how does the Network Neighborhood thing work for Windows 10 machines? I've actually been wondering about this for a while; i.e. I'm about to set up Samba on my home network just to accommodate Sonos FLAC streaming, but am wondering if I'm going to run into this with that hardware.

> This isn't helped by the fact that the various gui 'helper' programs do
> not seem to understand that SMBv1 is going away and shouldn't be used
> if possible.
>
> Rowland

Andrea Venturoli
2022-Jan-26 15:58 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 1/26/22 16:24, Patrick Goetz via samba wrote:
> I think Windows 10 doesn't even support SMBv1?

Not by default. Last time I checked you could add SMBv1 client and server support through appwiz.cpl. This was probably a couple of years ago, though, so things might have changed.

Rowland Penny
2022-Jan-26 15:59 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Wed, 2022-01-26 at 09:24 -0600, Patrick Goetz via samba wrote:
>
> On 1/26/22 08:41, Rowland Penny via samba wrote:
> >
> > I think the biggest problem will come from 'home' users when Samba
> > finally removes SMBv1 (this isn't what Andrew is proposing). The 'home'
> > users will not even consider using SMBv2 or 3, they MUST be able to see
> > the shares in Network Neighbourhood, nothing else will do.
>
> I think Windows 10 doesn't even support SMBv1? If that's correct,

At the moment Windows 10 has SMBv1 turned off by default, but it can be turned on again.

> how does the Network Neighborhood thing work for Windows 10 machines?

It is still there, if SMBv1 is turned on, but Windows wants you to use Network Discovery instead.

> I've actually been wondering about this for a while; i.e. I'm about to set
> up Samba on my home network just to accommodate Sonos FLAC streaming,

I think Sonos still uses SMBv1, I seem to remember Jeremy having a similar problem. If you haven't purchased the Sonos appliance yet, check that it will use SMBv2 (at least) before you do.

Rowland

Jeremy Allison
2022-Jan-26 16:50 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Wed, Jan 26, 2022 at 09:24:59AM -0600, Patrick Goetz via samba wrote:
>
> I think Windows 10 doesn't even support SMBv1? If that's correct, how
> does the Network Neighborhood thing work for Windows 10 machines?
> I've actually been wondering about this for a while; i.e. I'm about to
> set up Samba on my home network just to accommodate Sonos FLAC
> streaming, but am wondering if I'm going to run into this with that
> hardware.

I am a heavy SONOS user. You can add a share via IP address in the SONOS app, so no network neighborhood needed. When we ditch SMB1 from smbd I'll just set up a gateway system using an old Samba version.