[Samba] SMB1 Domain stopped working after updates quick solution needed

Rowland Penny rpenny at samba.org
Mon Jun 12 19:37:38 UTC 2023 


On 12/06/2023 20:06, Mark Bannister via samba wrote:
> Simple small domain network running on a VM instance.
> 
> Windows 10 browsing and shares not working.  I MUST have SMB1 working in 
> order for a legacy database (Corel Paradox with Borland BDE) to work. We 
> are migrating away from this but it won't happen today.  Error message 
> from clients log "./../source3/smbd/server_exit.c:239(exit_server_common)
>    Server exit (no protocol supported"
> 
> History:
> 
> Just updated from Ubuntu 18 up to 22.04.2  using stand Ubuntu repositories.
> 
> Everything seemed to be working but then I couldn't join a new 
> workstation to the domain (been a long time since that was an issue). 
> Read a few posts about Windows 22H2 causing isusses so I updated Samba 
> via add-apt-repository ppa:linux-schools/samba-latest
> 
> Did not fix the issue.
> 
> If I set server max protocol = NT1  to "server Min protocol" browsing 
> and shares work but I get locking errors on the database lock files and 
> it freezes the database (note veto op locks parameter in smb.conf).
> 
> I reverted back to Version 4.15.13-Ubuntu but the same behavior.
> 
> This was a working installation so SMB1 is activated on all Win10 
> workstations.
> 
> I've got no working database so I need a fast solution as well as a long 
> term one.  We are planning to switch to a Microsoft AD but that isn't 
> even planned out yet.
> 
> 
>   testparm
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "domain logons" option is 
> deprecated
> Loaded services file OK.
> Weak crypto is allowed
> 
> Server role: ROLE_DOMAIN_PDC
> 
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>          add machine script = sudo /usr/sbin/useradd -g machines -c "%u 
> machine account" -d /var/lib/samba -s /bin/false %u
>          add user script = /usr/sbin/adduser --quiet --disabled-password 
> --gecos "" %u
>          dns proxy = No
>          domain logons = Yes
>          domain master = Yes
>          load printers = No
>          log file = /var/log/samba/log.%m
>          logon drive = H:
>          logon home =
>          logon path =
>          logon script = logon.bat
>          map to guest = Bad User
>          max log size = 1000
>          name resolve order = wins lmhosts host bcast
>          ntlm auth = ntlmv1-permitted
>          obey pam restrictions = Yes
>          pam password change = Yes
>          panic action = /usr/share/samba/panic-action %d
>          passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          passwd program = /usr/bin/passwd %u
>          preferred master = Yes
>          security = USER
>          server max protocol = NT1
>          server role = classic primary domain controller
>          server string = APP Samba %v %h
>          template homedir = /home/%U
>          template shell = /bin/bash
>          unix password sync = Yes
>          username map = /usr/local/samba/etc/username.map
>          wins support = Yes
>          workgroup = LINGROUP
>          idmap config lingroup : range = 10000-999999
>          idmap config lingroup : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
>          admin users = sysadmin
>          hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
>          hosts deny = 0.0.0.0/0
>          use client driver = Yes
>          veto oplock files = 
> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/
> 
> 
> [homes]
>          browseable = No
>          comment = Home Directories
>          create mask = 0700
>          directory mask = 0700
>          read only = No
>          valid users = %S
>          vfs objects = recycle
>          recycle:exclude = *.tmp, *~, *.bak
>          recycle:keeptree = yes
>          recycle:repository = Recycle_Bin
> 
> 
> [netlogon]
>          comment = Network Logon Service
>          guest ok = Yes
>          path = /srv/samba/netlogon ; path = /home/samba/netlogon
> 
> 
> [printers]
>          browseable = No
>          comment = All Printers
>          create mask = 0700
>          guest ok = Yes
>          path = /var/spool/samba
>          printable = Yes
> 
> 
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/printers
>          write list = root @lpadmin
> 
> 
> [PDFprinter]
>          comment = Cups Virtual PDF Printer
>          guest ok = Yes
>          lpq command =
>          path = /var/spool/samba
>          printable = Yes
> 
> 
> [DATA]
>          comment = APP Files
>          force group = sambashare
>          force user = nobody
>          inherit acls = Yes
>          path = /mnt/APPDATA
>          read only = No
>          write list = @sambashare
> 
> 
> -- 
> Mark B


Ubuntu 18.04 used Samba 4.7.6 (if I remember correctly) and didn't 
require winbind, but from Samba 4.8.0 you need to run winbind. I know 
this usually requires 'security = domain' but you also have 'server role 
= classic primary domain controller'. Do you have winbind installed and 
running ?
You might also want to set 'client max protocol = NT1', Samba, by 
default, move to SMBv2 from 4.11.0

Rowland

More information about the samba mailing list