Mark Bannister
2023-Jun-12 20:16 UTC
[Samba] [EXTERNAL]Re: SMB1 Domain stopped working after updates quick solution needed
On 6/12/2023 2:37 PM, Rowland Penny via samba wrote:
>
>
> On 12/06/2023 20:06, Mark Bannister via samba wrote:
>> Simple small domain network running on a VM instance.
>>
>> Windows 10 browsing and shares not working. I MUST have SMB1 working
>> in order for a legacy database (Corel Paradox with Borland BDE) to
>> work. We are migrating away from this but it won't happen today.
>> Error message from clients log
>> "./../source3/smbd/server_exit.c:239(exit_server_common)
>>    Server exit (no protocol supported"
>>
>> History:
>>
>> Just updated from Ubuntu 18 up to 22.04.2 using standard Ubuntu
>> repositories.
>>
>> Everything seemed to be working but then I couldn't join a new
>> workstation to the domain (been a long time since that was an issue).
>> Read a few posts about Windows 22H2 causing issues so I updated
>> Samba via add-apt-repository ppa:linux-schools/samba-latest
>>
>> Did not fix the issue.
>>
>> If I set server max protocol = NT1 to "server Min protocol" browsing
>> and shares work but I get locking errors on the database lock files
>> and it freezes the database (note veto op locks parameter in smb.conf).
>>
>> I reverted back to Version 4.15.13-Ubuntu but the same behavior.
>>
>> This was a working installation so SMB1 is activated on all Win10
>> workstations.
>>
>> I've got no working database so I need a fast solution as well as a
>> long term one. We are planning to switch to a Microsoft AD but that
>> isn't even planned out yet.
>>
>>
>>   testparm
>> Load smb config files from /etc/samba/smb.conf
>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
>> deprecated
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_DOMAIN_PDC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>         add machine script = sudo /usr/sbin/useradd -g machines -c
>> "%u machine account" -d /var/lib/samba -s /bin/false %u
>>         add user script = /usr/sbin/adduser --quiet
>> --disabled-password --gecos "" %u
>>         dns proxy = No
>>         domain logons = Yes
>>         domain master = Yes
>>         load printers = No
>>         log file = /var/log/samba/log.%m
>>         logon drive = H:
>>         logon home
>>         logon path
>>         logon script = logon.bat
>>         map to guest = Bad User
>>         max log size = 1000
>>         name resolve order = wins lmhosts host bcast
>>         ntlm auth = ntlmv1-permitted
>>         obey pam restrictions = Yes
>>         pam password change = Yes
>>         panic action = /usr/share/samba/panic-action %d
>>         passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>         passwd program = /usr/bin/passwd %u
>>         preferred master = Yes
>>         security = USER
>>         server max protocol = NT1
>>         server role = classic primary domain controller
>>         server string = APP Samba %v %h
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>         unix password sync = Yes
>>         username map = /usr/local/samba/etc/username.map
>>         wins support = Yes
>>         workgroup = LINGROUP
>>         idmap config lingroup : range = 10000-999999
>>         idmap config lingroup : backend = rid
>>         idmap config * : range = 3000-7999
>>         idmap config * : backend = tdb
>>         admin users = sysadmin
>>         hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
>>         hosts deny = 0.0.0.0/0
>>         use client driver = Yes
>>         veto oplock files =
>> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/
>>
>>
>> [homes]
>>         browseable = No
>>         comment = Home Directories
>>         create mask = 0700
>>         directory mask = 0700
>>         read only = No
>>         valid users = %S
>>         vfs objects = recycle
>>         recycle:exclude = *.tmp, *~, *.bak
>>         recycle:keeptree = yes
>>         recycle:repository = Recycle_Bin
>>
>>
>> [netlogon]
>>         comment = Network Logon Service
>>         guest ok = Yes
>>         path = /srv/samba/netlogon ; path = /home/samba/netlogon
>>
>>
>> [printers]
>>         browseable = No
>>         comment = All Printers
>>         create mask = 0700
>>         guest ok = Yes
>>         path = /var/spool/samba
>>         printable = Yes
>>
>>
>> [print$]
>>         comment = Printer Drivers
>>         path = /var/lib/samba/printers
>>         write list = root @lpadmin
>>
>>
>> [PDFprinter]
>>         comment = Cups Virtual PDF Printer
>>         guest ok = Yes
>>         lpq command
>>         path = /var/spool/samba
>>         printable = Yes
>>
>>
>> [DATA]
>>         comment = APP Files
>>         force group = sambashare
>>         force user = nobody
>>         inherit acls = Yes
>>         path = /mnt/APPDATA
>>         read only = No
>>         write list = @sambashare
>>
>>
>> --
>> Mark B
>
>
> Ubuntu 18.04 used Samba 4.7.6 (if I remember correctly) and didn't
> require winbind, but from Samba 4.8.0 you need to run winbind. I know
> this usually requires 'security = domain' but you also have 'server
> role = classic primary domain controller'. Do you have winbind
> installed and running ?
> You might also want to set 'client max protocol = NT1', Samba, by
> default, move to SMBv2 from 4.11.0
>
> Rowland
>

Excellent. OK, I installed:

sudo apt install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

Not sure I needed all that. Winbind exits after starting. I see this message in the log.winbindd-idmap.log

[2023/06/12 15:08:45.470947,  3] ../../source3/winbindd/idmap.c:397(idmap_init_domain)
  idmap backend rid not found
[2023/06/12 15:08:45.606645,  3] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/idmap/rid.so' loaded

It's been years since I messed with any winbind stuff. Looks like I'm missing something?

I added 'client max protocol = NT1'

Mark Bannister
2023-Jun-12 20:34 UTC
[Samba] [EXTERNAL]Re: SMB1 Domain stopped working after updates quick solution needed
On 6/12/2023 3:16 PM, Mark Bannister via samba wrote:
> Excellent. OK, I installed:
>
> sudo apt install winbind libpam-winbind libnss-winbind krb5-config
> samba-dsdb-modules samba-vfs-modules
>
> Not sure I needed all that. Winbind exits after starting. I see this
> message in the log.winbindd-idmap.log
>
> [2023/06/12 15:08:45.470947,  3]
> ../../source3/winbindd/idmap.c:397(idmap_init_domain)
>   idmap backend rid not found
> [2023/06/12 15:08:45.606645,  3]
> ../../lib/util/modules.c:167(load_module_absolute_path)
>   load_module_absolute_path: Module
> '/usr/lib/x86_64-linux-gnu/samba/idmap/rid.so' loaded
>
>
> It's been years since I messed with any winbind stuff. Looks like
> I'm missing something?
>
> I added 'client max protocol = NT1'
>
>

Also, to clarify I don't have a Kerberos server running

--
Mark B

Rowland Penny
2023-Jun-12 20:35 UTC
[Samba] [EXTERNAL]Re: SMB1 Domain stopped working after updates quick solution needed
On 12/06/2023 21:16, Mark Bannister via samba wrote:
>>
> Excellent. OK, I installed:
>
> sudo apt install winbind libpam-winbind libnss-winbind krb5-config
> samba-dsdb-modules samba-vfs-modules

Did it actually install the last two ? I ask this because I normally just install the 'samba' package and get those as dependencies, yet you seemed to have the 'samba' package already installed. However, you should be able to run winbind by itself, you just get authentication. You also do not need krb5-config, your PDC doesn't use kerberos, that is an AD thing.

>
> Not sure I needed all that. Winbind exits after starting. I see this
> message in the log.winbindd-idmap.log
>
> [2023/06/12 15:08:45.470947,  3]
> ../../source3/winbindd/idmap.c:397(idmap_init_domain)
>   idmap backend rid not found
> [2023/06/12 15:08:45.606645,  3]
> ../../lib/util/modules.c:167(load_module_absolute_path)
>   load_module_absolute_path: Module
> '/usr/lib/x86_64-linux-gnu/samba/idmap/rid.so' loaded
>
>

Have you tried restarting all three binaries, smbd, nmbd and winbind ?

> It's been years since I messed with any winbind stuff. Looks like I'm
> missing something?

And it has been years since I set up an NT4-style PDC, so a bit unsure.

Rowland
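
Added example (not written by either poster and not Samba project code): a small Python check that reads the [global] section of an smb.conf and reports the condition behind the "no protocol supported" exit in the first post, where `server max protocol = NT1` sits below the server's minimum dialect, together with the SMB1 and NTLMv1 exposure left by the `server min protocol = NT1` workaround. The defaults (taken to be those of Samba 4.11 and later), the two sample configs and all function names are assumptions made for illustration.

```python
import re

# Samba dialect names, oldest first; SMB2 and SMB3 are aliases.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Assumption: built-in defaults of Samba 4.11 and later.
DEFAULTS = {"server min protocol": "SMB2_02", "server max protocol": "SMB3_11"}

# Constructed samples using parameters quoted in the thread.
AS_POSTED = "[global]\n\tntlm auth = ntlmv1-permitted\n\tserver max protocol = NT1\n"
WORKAROUND = "[global]\n\tntlm auth = ntlmv1-permitted\n\tserver min protocol = NT1\n"

def parse_global(text):
    """Return [global] parameters with lower-cased, space-normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def rank(name):
    """Position of a dialect in ORDER; raises ValueError if unknown."""
    name = name.upper()
    return ORDER.index(ALIASES.get(name, name))

def audit(text):
    """List protocol and authentication findings for one smb.conf text."""
    p = {**DEFAULTS, **parse_global(text)}
    lo, hi = rank(p["server min protocol"]), rank(p["server max protocol"])
    findings = []
    if lo > hi:
        findings.append("no dialect can be negotiated (min above max)")
    elif lo <= rank("NT1"):
        findings.append("SMB1 or older accepted by the server")
    if p.get("ntlm auth", "").lower() in ("ntlmv1-permitted", "yes"):
        findings.append("NTLMv1 authentication permitted")
    return findings

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("workaround", WORKAROUND)):
        print(label, audit(conf))
```

The parser does not handle backslash line continuations or `include` directives, so run it on the output of `testparm -s` rather than on a hand-edited file that uses them.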