14.2 SMBv2 SMBv3 Win10 Creator Update smb.conf and Browsing

bamunds · 03-01-2018, 05:00 PM

I'm wondering if anyone else with a similar home network would share your smb.conf file. This is a simple setup that I'm trying to get working, It use to work until Microsoft sent the WIN10 Creator Update and SMBv1 was disabled.

The environment is two computers; a) Slackware 64-14.2+multilib with Samba 4.4.16 running wireless and a laser printer running under CUPS; b) WIN10 Pro 64 1709 all updates applied on 1G Ethernet connection. I have NOT yet applied this to the WIN10 PC

Code:

However, if you still have to use the Explorer Network in home and small
business workgroup environments to locate Windows-based computers, you can 
follow these steps on your Windows-based computers that no longer use SMBv1:

    Start the "Function Discovery Provider Host" and "Function Discovery 
Resource Publication" services, and then set them to Automatic (Delayed Start).
    When you open Explorer Network, enable network discovery when you are 
prompted.

All Windows devices within that subnet that have these settings will now appear 
in Network for browsing. This uses the WS-DISCOVERY protocol.

The two computers can ping each other by both IP and name, ping6 returns unknown host for name. Router assigns DHCP to both wire and wireless portions of LAN, and has DNS entries for both the a and b PC.

The WIN10 does not run SMBv1.

If I setup smb.conf to have

Code:

server min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3

Then Dolphin can not see either PC in Network. If I remove the min/max protocol of both client and server then both PC's will show in Dolphiin but access to the WIN10 folders will not show. So my question: Is this normal behavior or should Dolphin be showing at least the local PC? Is there a way to implement network browsing using SMBv2?

Concurrently smbtree shows nothing after entering the password. I notice
this error and suspect a password file issue or is it normal?

Code:

 tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied

Yes I know I can still smb:/{servername} and see the other PC, but when kids or other visit they would like to print and sometimes leave me a file, and right now they have to email the file instead.

Here is my smb.conf

Code:

bash-4.3$ cat /etc/samba/smb.conf
[global]
preferred master = Yes
os level = 65
server string = %h Samba %v
workgroup = UGATE2
log file = /var/log/samba/%m.log
max log size = 50  
log level = 1
logon drive = H:
printcap name = cups
printing = cups
client max protocol = SMB3
client min protocol = SMB2
server min protocol = SMB2
guest account = smbguest
map to guest = Bad User
passwd program = /usr/bin/passwd %u
unix password sync = Yes
lpq command = /usr/bin/lpq -P%p
print command = lpr -oraw -r -P%p %s
#load printers = Yes
logon home = \\%N\%U

[homes]
comment = Home Directories
browseable = No
read only = No
valid users = %S
create mode = 0664
directory mode = 0751
invalid users = root nobody smbguest

[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
public = Yes
guest ok = Yes
read only = Yes

[public]
comment = Public Shareable
path = /home/public
public = Yes
only guest = Yes
writable = Yes
force group = users
create mode = 664
directory mode = 775
bash-4.3$

I've read the latest Samba4 Wiki Docs for Standalone Server and also other smb.conf configs. I've slimmed smb.conf to remove default settings which were redundant to Samba4's defaults. Adding the netbios name = parameter isn't necessary because it automatically now defaults to the machine name which is netbios complaint in my case.

Appreciate any help. Cheers.

BratPit · 03-02-2018, 11:06 AM

The Computer Browser service on WOKGROUP /not domain/ relies on SMB v1.0 and it has gone in Creators update.

For home and small business users who use Network Neighborhood to locate Windows computers, you shoud map drives to the computers so that you no longer have to browse for them.

but check this if exist on your W10:

Quote:

Go to "Control Panel -> Programs"
Select "Turn Windows features on or off" (requires admin rights)
There you will find "SMB 1.0/CIFS File Sharing Support". Enable it!

Hope it helps.

bamunds · 03-02-2018, 12:51 PM

BradPit, thanks for the reply. I know it is often said that browsing relies on SMBv1 but it doesn't according to Microsoft. The browsing function is re-enabled by implementing the Function Discovery Providers Host and Resource Publication along with enabling network discovery in Explorer, which will allow browsing via wsDiscovery protocol for one, mDNS browsing is possible also. So either Samba4 doesn't support ws-Discovery or mDNS, or Samba4 does support them and I have something wrong in the smb.conf. This is the reason for my post, what is wrong with the smb.conf or does Dolphin not support mDNS and wsDiscovery? Cheers.

kjhambrick · 03-02-2018, 01:36 PM

bamunds --

Probably a dumb Q ... but here goes:

Have you run testparm on the Slackware / SAMBA Box ?

If so, I assume there were no complaints ?

HTHBPWN ...

-- kjh

BratPit · 03-02-2018, 02:59 PM

As far as I know

Samba4 not support windows "Function Discovery Providers Host and Resource Publication" at least not in simple workgroup.

I think from certain version Samba4 not play with SMBv1 by default like W10 and "Network neighborhood" do not work in workgroup too .
So cli smbclient,smbtree /which is still SMB1/ is affected too.

The solution is to put

client maxprotocol=NT1

in smb.conf

When you set the client max protocol to anything other than SMB1 ( called NT1 in Samba ) going to eg. Nemo > Network > Windows Network results in an empty space.

But this settings may provide to not connecting to W10 if you do not turn on SMB1 on that client too.

Apart from all that
Even though network browsing is broken host name resolution itself is not. You can still access the server machine by name but you have to do it explicitly. For example in nemo: smb://win10

Note.
The 4.13 Linux Kernel changed the default CIFS SMB version from SMB1 to SMB3 so if you use CIFS to connect to those devices you need to add vers=1.0 to your list of cifs mount options.

PS.

Avahi - a Linux implementation of Zero Configuration Networking ( Zeroconf ) which implements muticast DNS ( mDNS ) allowing ip address to hostname resolution without the use of standard LAN side DNS services.
So it can bee used with samba to showing hosts on local network and replace SMB.

bamunds · 03-02-2018, 03:42 PM

Quote:

Originally Posted by BratPit

As far as I know
Samba4 not support windows "Function Discovery Providers Host and Resource Publication" at least not in simple workgroup.

Did you find something in Samba 4 documentation stating this? Because the Samba.org wiki didn't have that note and it claims to still support file and print sharing with an example for a home/small office network and standalone server.

Quote:

Originally Posted by BratPit

I think from certain version Samba4 not play with SMBv1 by default like W10 and "Network neighborhood" do not work in workgroup too .

Samba documentation suggest the protocol is automatically negotiated and if I remove the server/client min/max protocol lines I can see the local Samba shares and even the Win10, but Dolphin will not "explore" the Win10 folders due to a non-negotiable error, which is that the Win10 default is now SMBv2 to solve security issues, like WannaCry ransomware.

Quote:

Originally Posted by BratPit

So cli smbclient,smbtree /which is still SMB1/ is affected too.
The solution is to put
client maxprotocol=NT1
in smb.conf
When you set the client max protocol to anything other than SMB1 ( called NT1 in Samba ) going to eg. Nemo > Network > Windows Network results in an empty space.
But this settings may provide to not connecting to W10 if you do not turn on SMB1 on that client too.

Which is the result that I'm getting. I do not want to turn-on SMBv1 on the Win10, since later MS updates may again turn it off.

Quote:

Originally Posted by BratPit

Apart from all that
Even though network browsing is broken host name resolution itself is not. You can still access the server machine by name but you have to do it explicitly. For example in nemo: smb://win10
Note.
The 4.13 Linux Kernel changed the default CIFS SMB version from SMB1 to SMB3 so if you use CIFS to connect to those devices you need to add vers=1.0 to your list of cifs mount options.

PS.
Avahi - a Linux implementation of Zero Configuration Networking ( Zeroconf ) which implements muticast DNS ( mDNS ) allowing ip address to hostname resolution without the use of standard LAN side DNS services.
So it can bee used with samba to showing hosts on local network and replace SMB.

When testparm is run on the smb.conf, no errors are generated.

Microsoft instructions indicate wsDiscover can be used on a workgroup home/small business environment within a single subnet. Your PS about Avahi is something I also thought about. Wikipedia states that wsDiscovery is a zeroconf implementation, as is mDNS and Bonjour. I've been thinking to try Avahi setup to see if it interoperates with wsDiscovery. I wonder if that will also require a rebuild of Dolphin which is not built with zeroconf?

In the meantime UNC's are still allowing communication for file sharing and printer sharing using SMBv2. It is just inconvenient for my kids when they visit. Cheers.

BratPit · 03-03-2018, 03:02 AM

"Samba documentation suggest the protocol is automatically negotiated and if I remove the server/client min/max protocol lines"

NT1 is excluded in recent samba AFAIK.

"but Dolphin will not "explore" the Win10 folders"

To enumerate win shares in SMB2 you need to enable network guest access on W10 client.
It is disabled by default in Creators update.

Quote:

Computer configuration\administrative templates\network\Lanman Workstation
"Enable insecure guest logons"

bamunds · 03-03-2018, 12:29 PM

@BratPit I appreciate that you are responding. I also appreciate the ideas to go and check. Do you currently have my configuration working in your environment? Or are you finding answers on Google and sending them to me?

Quote:

Originally Posted by BratPit

"Samba documentation suggest the protocol is automatically negotiated and if I remove the server/client min/max protocol lines"

NT1 is excluded in recent samba AFAIK.

NT1 is still an available setting in Samba4 and it can be set. The issue is that SMB1 has known security flaws that allow malware, like WannaCry, to exploit systems. Which is the reason that Microsoft and most Linux security sites recommend the Samba server/client min protocol be set to SMB2. There is debate if the max protocol also needs to be set for server since the manual states the default is SMB3. I experimented with client max protocol. If client max protocol wasn't set to SMB2 or SMB3 then smbclient -L localhost -U xxxxx would be rejected for mismatched protocol. I suspect that is because it is trying to auto-negotiate and attempting the default which is NT1, while the server wants SMB2 minium, so the server rejects it. The default min client protocol is CORE, and max protocol default is NT1, which is why both client min/max protocol must be set to SMB2/SMB3 respectively.

Quote:

Originally Posted by BratPit

"but Dolphin will not "explore" the Win10 folders"

To enumerate win shares in SMB2 you need to enable network guest access on W10 client.
It is disabled by default in Creators update.

The help page for that template state this setting default is "not configured" and it is the same as disabled on Win10. The not configured allows unauthorized access to shares.

BratPit, thanks again for the suggestions. Unfortunately they don't help solve the question. Cheers.

hoodlum7 · 03-04-2018, 01:14 AM

Create a .smh folder in your home directory. In the .smh directory create an smb.conf and add client min protocol = SMB2. This should help with dolphin. However, you will have to provide a username and password to connect to any system.

BratPit · 03-04-2018, 03:21 AM

Here at home I do not have W$ network /only slackware sshfs/ so I can not help you practically using your smb.conf.

I have mine but it works for me at my job . I do not care about visibility hosts through browsing in smb environment.

I use "nmap" to discover instead and automount on the fly shares in MATE' Caja. Works from WXP to W10.

and Smb.conf is only one little aspect of W$ network sharing .Without others things may go wrong.

PHP Code:



[global]

# disable NetBIOS
disable netbios = no
smb ports = 445 139

# NetBIOS identification
workgroup = WORKGROUP
netbios name = BRATPIT
wins support = no

server string = Samba Server %v
#client max protocol =  NT1
encrypt passwords = yes
client ntlmv2 auth = yes
lanman auth = no
#server signing = auto
#client signing = auto
name resolve order = bcast hosts wins
socket options = TCP_NODELAY
case sensitive = no

# Treat unknown users as a guest (where permitted)
security = user
map to guest = Bad User
guest account = nobody
force user = brat

# Don't allow the use of root for network shares
invalid users = root

domain master = no
local master = no
preferred master = no
os level = 0

# Always advertise the shares automatically
auto services = global

 usershare allow guests = Yes
 usershare max shares = 100
 usershare owner only = False

Quote:

The help page for that template state this setting default is "not configured" and it is the same as disabled on Win10. The not configured allows unauthorized access to shares.

Help page. What?
These two sentences are logically excluded if your client is really W10 1709 .
If "not configured allows unauthorized /mean guest/ access to shares" as you say why is off by default in W10 1709 ???
Check it in W$ registry .
Google is your friend and then test and test and..

bamunds · 03-04-2018, 05:59 PM

Quote:

Originally Posted by BratPit

Here at home I do not have W$ network /only slackware sshfs/ so I can not help you practically using your smb.conf.
These two sentences are logically excluded if your client is really W10 1709 .
If "not configured allows unauthorized /mean guest/ access to shares" as you say why is off by default in W10 1709 ???
Check it in W$ registry .
Google is your friend and then test and test and..

Thank you for the sample smb.conf.
On my Win10 Pro64 1709 state the referred to function setting are at the original setting of "Not Configured". The pop-up help window for that setting states "Not Configure" is default setting and is same as allow access to shares.

I've scoured the Samba mail archives the last day and find many others stating that browsing is built on SMB1. Which means that to elimiate SMB1 means implementing network mapping of shares and printers. I've done the network mapping both directions already for the two PC's attached to the subnet.

Zeroconf using wsDiscovery and Avahi will be my next experiments. We'll see how that goes. Perhaps it will replace the need for Samba all together. Which is acceptable since mostly my millenial age kids are bringing Apple products with iTunes/Bonjour, which is also zeroconf based to the house WIFI for access to printing. Each home office network is unique and setups are therefore going to be unique. Samba does give me the ability to use shared printers, which is helpful when one of them runs out of ink and a spare cardridge isn't available, it's happened.

hoodlum7 · 03-07-2018, 05:56 PM

If you want managed printers for windows clients, I would suggest setting up IPP printing. You setup the printers on a Linux platform and use CUPS/IPP. All versions of Windows from Windows 2000 have supported IPP.

https://zedt.eu/tech/windows/install...in-windows-10/

bamunds · 03-21-2018, 02:57 PM

@hoodlum7 Thank you for the suggestion for shared printing which is already setup. As a result of shutting down SMB1 now removing the network browsing. I've moved to remove Samba altogether and will simply use mapped drives and IPP printing as needed. Marking this solved, although there really is NO solution found to browsing between Win10 and Linux under SMB2/3. Cheers.

bamunds · 03-22-2018, 11:05 AM

Turns out I can't remove samba because libsmbclient.so is a link in Mplayer that allows streaming from local sources, and mplayer fails without Samba installed. So.. back to the drawing board and using Samba and local browsing

orbea · 03-22-2018, 11:53 AM

MPlayer does not require samba and if you really want to remove samba while still using mplayer than its as simple as rebuilding mplayer with Pat's slackbuild while samba is not installed.