LinuxQuestions.org


DaneM 01-17-2017 02:35 PM

Samba: "min protocol = SMB2" causes "protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE"
 
Because of a security flaw found in the SMB1 protocol, I'm seeking to harden my Samba server by only allowing access via protocols SMB2 and above. Supposedly, this can be accomplished by putting the following into /etc/samba/smb.conf:

Code:

[global]
...
min protocol = SMB2

However, when I try to access this share via an Ubuntu 16.10 client, I get authentication errors. Using the Ubuntu Unity file manager (Nautilus?), I get:

Quote:

Oops! Something went wrong.
Unhandled error message: Failed to retrieve share list from server: Connection timed out

However, when I do "smbclient -U <user> -L <server>", I get a somewhat more useful error message:

Quote:

protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

If I remove "min protocol = SMB2", the problem goes away. I also tried "min protocol = SMB3", which produces no error in the file manager, but shows no shares; and produces the same manager with smbclient.

Here is /etc/samba/smb.conf (dumped using testparm, using "min protocol = SMB3"):
Code:

[global]
        server string = %h server (Samba, Ubuntu)
        server role = standalone server
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        max protocol = SMB3
        protocol = SMB3
        server min protocol = SMB3
        min protocol = SMB3
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        hosts allow = 192.168.1.0/24 127.0.0.1 ::1
        map archive = No


[Storage]
        path = /mnt/storage
        valid users = scanner
        read only = No
        force create mode = 0600
        force directory mode = 0700

Has anybody run into this, before? Any suggestions?

Thank you for any help you can provide.

DaneM 01-17-2017 02:44 PM

So...after posting this, I noticed that the output of testparm differed from my actual /etc/samba/smb.conf in that it added the line, "protocol = SMB3". After some experimentation, I determined that removing "min protocol = SMB3" and "max protocol = SMB3" caused "protocol = SMB3" to disappear from the testparm output. Because I hate unnecessary redundancy in config files, I decided to replace the two other lines with simply "protocol = SMB3", and see if some improved Feng Shui might fix it. Surprisingly, it did! The errors are gone, and the shares are now accessible. Now, it's using SMB3, exclusively, which means that clients that can't use SMB3 will have problems; but at least, it's not using SMB1, anymore. Note that, for some reason, "protocol = SMB3" causes testparm to add "max protocol = SMB3" to the output. This line is omitted, for clarity, below.

Here's my now-working /etc/samba/smb.conf:
Code:

[global]
        server string = %h server (Samba, Ubuntu)
        server role = standalone server
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        protocol = SMB3
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        hosts allow = 192.168.1.0/24 127.0.0.1 ::1
        map archive = No


[Storage]
        path = /mnt/storage
        valid users = scanner
        read only = No
        force create mode = 0600
        force directory mode = 0700


RikoNw 05-16-2017 05:59 AM

Because of protocol == server max protocol == max protocol

max protocol
    This parameter is a synonym for server max protocol.

protocol
    This parameter is a synonym for server max protocol.

server max protocol (G)
    The value of the parameter (a string) is the highest protocol level that will be supported by the server.

    Possible values are:
    LANMAN1: First modern version of the protocol. Long filename support.
    LANMAN2: Updates to Lanman1 protocol.
    NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
    SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.
        SMB2_02: The earliest SMB2 version.
        SMB2_10: Windows 7 SMB2 version.
        SMB2_22: Early Windows 8 SMB2 version.
        SMB2_24: Windows 8 beta SMB2 version.
        By default SMB2 selects the SMB2_10 variant.
    SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.
        SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
        By default SMB3 selects the SMB3_00 variant.

    Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

    Default: server max protocol = SMB3
    Example: server max protocol = LANMAN1

min protocol
    This parameter is a synonym for server min protocol.

server min protocol (G)
    This setting controls the minimum protocol version that the server will allow the client to use.

    Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

    Default: server min protocol = LANMAN1
    Example: server min protocol = NT1
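
Added example, not part of any post in this thread: a Python check that resolves the synonyms quoted above and reports the protocol range a [global] section yields, showing that setting only "protocol" caps the maximum while the minimum stays at its LANMAN1 default. The level list and defaults come from the excerpt; the sample configs are constructed, and treating a later line as overriding an earlier one is an assumption.

```python
import re

# Ascending protocol levels, limited to those in the man page excerpt above.
# A level outside this list raises ValueError in smb1_negotiable().
LEVELS = ["LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10",
          "SMB2_22", "SMB2_24", "SMB3_00"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_00"}  # family name -> default variant
# Synonyms from the excerpt, keyed with whitespace removed and lowercased.
SYNONYMS = {"protocol": "max", "maxprotocol": "max", "servermaxprotocol": "max",
            "minprotocol": "min", "serverminprotocol": "min"}
DEFAULTS = {"min": "LANMAN1", "max": "SMB3"}  # defaults quoted in the excerpt

# Constructed samples modelled on the configs posted in this thread.
MAX_ONLY = "[global]\n    protocol = SMB3\n[Storage]\n    path = /mnt/storage\n"
MIN_SET = "[global]\n    server min protocol = SMB2\n    protocol = SMB3\n"


def effective_range(conf_text):
    """Return the (min, max) protocol levels that [global] resolves to."""
    values, section = dict(DEFAULTS), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf ignores case and whitespace inside parameter names.
        key = SYNONYMS.get(re.sub(r"\s+", "", name).lower())
        if key:
            # Assumption: a later line overrides an earlier synonym.
            values[key] = value.strip().upper()
    return tuple(ALIASES.get(values[k], values[k]) for k in ("min", "max"))


def smb1_negotiable(conf_text):
    """True when NT1 (SMB1/CIFS) or an older dialect is still accepted."""
    low, _high = effective_range(conf_text)
    return LEVELS.index(low) <= LEVELS.index("NT1")


if __name__ == "__main__":
    for label, conf in (("protocol only", MAX_ONLY), ("min set", MIN_SET)):
        print(label, effective_range(conf), "SMB1 negotiable:", smb1_negotiable(conf))
```

Running the same check against the output of testparm, rather than the hand-edited file, also covers defaults that the file never mentions.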

xdigital 06-04-2020 09:51 AM

Confirm adding this to smb.conf fixed my problem with NT_STATUS_INVALID_NETWORK_RESPONSE

[global]
server min protocol = LANMAN1


All times are GMT -5.