Because of a security flaw found in the SMB1 protocol, I'm seeking to harden my Samba server by only allowing access via protocols SMB2 and above. Supposedly, this can be accomplished by putting the following into /etc/samba/smb.conf:
Code:
[global]
...
min protocol = SMB2
However, when I try to access this share via an Ubuntu 16.10 client, I get authentication errors. Using the Ubuntu Unity file manager (Nautilus?), I get:
Quote:
Oops! Something went wrong.
Unhandled error message: Failed to retrieve share list from server: Connection timed out
However, when I do "smbclient -U <user> -L <server>", I get a somewhat more useful error message:
Quote:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
If I remove "min protocol = SMB2", the problem goes away. I also tried "min protocol = SMB3", which produces no error in the file manager, but shows no shares; and produces the same manager with smbclient.
Here is /etc/samba/smb.conf (dumped using testparm, using "min protocol = SMB3"):
Code:
[global]
server string = %h server (Samba, Ubuntu)
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 1000
max protocol = SMB3
protocol = SMB3
server min protocol = SMB3
min protocol = SMB3
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
hosts allow = 192.168.1.0/24 127.0.0.1 ::1
map archive = No
[Storage]
path = /mnt/storage
valid users = scanner
read only = No
force create mode = 0600
force directory mode = 0700
Has anybody run into this before? Any suggestions?
Thank you for any help you can provide.
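As an added example (not part of the original post): a small Python check that reads a testparm-style dump, folds the `min protocol` / `max protocol` / `protocol` synonyms into their canonical `server min protocol` / `server max protocol` names, and reports whether an explicit server minimum excludes SMB1. The function names and the trimmed sample are constructed for illustration; treating an unset minimum as "not disabled" is a conservative assumption, since the default varies by Samba version.

```python
import re

# Constructed sample: protocol-related lines from the testparm dump in the post.
SAMPLE = """\
[global]
max protocol = SMB3
protocol = SMB3
server min protocol = SMB3
min protocol = SMB3
[Storage]
path = /mnt/storage
"""

# Synonym -> canonical parameter (whitespace stripped), per smb.conf(5).
SYNONYMS = {"minprotocol": "serverminprotocol",
            "maxprotocol": "servermaxprotocol",
            "protocol": "servermaxprotocol"}
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def global_params(text):
    """Return {canonical_name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Names are case-insensitive; whitespace inside them is ignored.
            key = re.sub(r"\s+", "", key).lower()
            params[SYNONYMS.get(key, key)] = value.strip()  # last one wins
    return params

def family(dialect):
    """Map a dialect name (NT1, SMB2, SMB3_11, ...) to SMB major version."""
    d = dialect.upper()
    if d in SMB1_DIALECTS:
        return 1
    if re.fullmatch(r"SMB[23](_\d\d)?", d):
        return int(d[3])
    raise ValueError(f"unknown dialect: {dialect!r}")

def smb1_disabled(text):
    """True only if an explicit server minimum excludes every SMB1 dialect."""
    floor = global_params(text).get("serverminprotocol")
    return floor is not None and family(floor) >= 2
```

Feeding it the output of `testparm -s` shows that the four protocol lines in the dump above reduce to just two effective server settings.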