LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-17-2017, 02:35 PM   #1
DaneM
Member
 
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Linux Mint
Posts: 877

Rep: Reputation: 124Reputation: 124
Question Samba: "min protocol = SMB2" causes "protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE"


Because of a security flaw found in the SMB1 protocol, I'm seeking to harden my Samba server by only allowing access via protocols SMB2 and above. Supposedly, this can be accomplished by putting the following into /etc/samba/smb.conf:

Code:
[global]
...
min protocol = SMB2
However, when I try to access this share via an Ubuntu 16.10 client, I get authentication errors. Using the Ubuntu Unity file manager (Nautilus?), I get:

Quote:
Oops! Something went wrong.
Unhandled error message: Failed to retrieve share list from server: Connection timed out
However, when I do "smbclient -U <user> -L <server>", I get a somewhat more useful error message:

Quote:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
If I remove "min protocol = SMB2", the problem goes away. I also tried "min protocol = SMB3", which produces no error in the file manager, but shows no shares; and produces the same manager with smbclient.

Here is /etc/samba/smb.conf (dumped using testparm, using "min protocol = SMB3"):
Code:
[global]
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	log file = /var/log/samba/log.%m
	max log size = 1000
	max protocol = SMB3
	protocol = SMB3
	server min protocol = SMB3
	min protocol = SMB3
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
	hosts allow = 192.168.1.0/24 127.0.0.1 ::1
	map archive = No


[Storage]
	path = /mnt/storage
	valid users = scanner
	read only = No
	force create mode = 0600
	force directory mode = 0700
Has anybody run into this, before? Any suggestions?

Thank-you for any help you can provide.

Last edited by DaneM; 01-17-2017 at 02:41 PM.
 
Old 01-17-2017, 02:44 PM   #2
DaneM
Member
 
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Linux Mint
Posts: 877

Original Poster
Rep: Reputation: 124Reputation: 124
So...after posting this, I noticed that the output of testparm differed from my actual /etc/samba/smb.conf in that it added the line, "protocol = SMB3". After some experimentation, I determined that removing "min protocol = SMB3" and "max protocol = SMB3" caused "protocol = SMB3" to disappear from the testparm output. Because I hate unnecessary redundancy in config files, I decided to replace the two other lines with simply "protocol = SMB3", and see if some improved Feng Shui might fix it. Surprisingly, it did! The errors are gone, and the shares are now accessible. Now, it's using SMB3, exclusively, which means that clients that can't use SMB3 will have problems; but at least, it's not using SMB1, anymore. Note that, for some reason, "protocol = SMB3" causes testparm to add "max protocol = SMB3" to the output. This line is omitted, for clarity, below.

Here's my now-working /etc/samba/smb.conf:
Code:
[global]
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	log file = /var/log/samba/log.%m
	max log size = 1000
	protocol = SMB3
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
	hosts allow = 192.168.1.0/24 127.0.0.1 ::1
	map archive = No


[Storage]
	path = /mnt/storage
	valid users = scanner
	read only = No
	force create mode = 0600
	force directory mode = 0700

Last edited by DaneM; 01-17-2017 at 02:47 PM.
 
Old 05-16-2017, 05:59 AM   #3
RikoNw
LQ Newbie
 
Registered: May 2017
Posts: 1

Rep: Reputation: Disabled
Because of protocol == server max protocol == max protocol

max protocol
This parameter is a synonym for server max protocol.
protocol
This parameter is a synonym for server max protocol.
server max protocol (G)
The value of the parameter (a string) is the highest protocol level that will be supported by the server.
Possible values are :
LANMAN1: First modern version of the protocol. Long filename support.
LANMAN2: Updates to Lanman1 protocol.
NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.
SMB2_02: The earliest SMB2 version.
SMB2_10: Windows 7 SMB2 version.
SMB2_22: Early Windows 8 SMB2 version.
SMB2_24: Windows 8 beta SMB2 version.
By default SMB2 selects the SMB2_10 variant.
SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.
SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
By default SMB3 selects the SMB3_00 variant.
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.
Default: server max protocol = SMB3
Example: server max protocol = LANMAN1
min protocol
This parameter is a synonym for server min protocol.
server min protocol (G)
This setting controls the minimum protocol version that the server will allow the client to use.
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.
Default: server min protocol = LANMAN1
Example: server min protocol = NT1
 
1 members found this post helpful.
Old 06-04-2020, 09:51 AM   #4
xdigital
LQ Newbie
 
Registered: Jun 2020
Posts: 1

Rep: Reputation: Disabled
Smile

Confirm adding this to smb.conf fixed my problem with NT_STATUS_INVALID_NETWORK_RESPONSE

[global]
server min protocol = LANMAN1
 
  


Reply

Tags
samba, security, smb.conf, smb2, smb3


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
I add new protocol in ns-2 name "Multi-Level feedback Congestion Control Protocol" bhavinsorathiya Linux - Software 6 02-15-2014 10:06 AM
I add new protocol in ns-2 name "binary marking congestion protocol(bmcc )" bhavinsorathiya Linux - Software 10 01-16-2014 08:18 AM
[SOLVED] About "rootstock" make ubuntu min file system error: "I: Failed to retrieve InRelease luolian_green Ubuntu 1 08-27-2012 03:15 PM
what does "failed to install socket filter protocol not available " mean??? xiaohaomei Linux - Networking 0 07-15-2004 08:45 PM
anging "Protocol" option to "IMPS/2" in XF86Config-4 causes problems zstingx Linux - General 2 10-27-2003 09:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration