[Samba] [EXTERNAL]Re: SMB1 Domain stopped working after updates quick solution needed

Mark Bannister mark at injection-moldings.com
Mon Jun 12 20:16:57 UTC 2023


On 6/12/2023 2:37 PM, Rowland Penny via samba wrote:
>
>
> On 12/06/2023 20:06, Mark Bannister via samba wrote:
>> Simple small domain network running on a VM instance.
>>
>> Windows 10 browsing and shares not working.  I MUST have SMB1 working 
>> in order for a legacy database (Corel Paradox with Borland BDE) to 
>> work. We are migrating away from this but it won't happen today.  
>> Error message from clients log 
>> "./../source3/smbd/server_exit.c:239(exit_server_common)
>>    Server exit (no protocol supported"
>>
>> History:
>>
>> Just updated from Ubuntu 18 up to 22.04.2 using standard Ubuntu 
>> repositories.
>>
>> Everything seemed to be working but then I couldn't join a new 
>> workstation to the domain (been a long time since that was an issue). 
>> Read a few posts about Windows 22H2 causing issues so I updated 
>> Samba via add-apt-repository ppa:linux-schools/samba-latest
>>
>> Did not fix the issue.
>>
>> If I set server max protocol = NT1  to "server Min protocol" browsing 
>> and shares work but I get locking errors on the database lock files 
>> and it freezes the database (note veto op locks parameter in smb.conf).
>>
>> I reverted back to Version 4.15.13-Ubuntu but the same behavior.
>>
>> This was a working installation so SMB1 is activated on all Win10 
>> workstations.
>>
>> I've got no working database so I need a fast solution as well as a 
>> long term one.  We are planning to switch to a Microsoft AD but that 
>> isn't even planned out yet.
>>
>>
>>   testparm
>> Load smb config files from /etc/samba/smb.conf
>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is 
>> deprecated
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_DOMAIN_PDC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>          add machine script = sudo /usr/sbin/useradd -g machines -c 
>> "%u machine account" -d /var/lib/samba -s /bin/false %u
>>          add user script = /usr/sbin/adduser --quiet 
>> --disabled-password --gecos "" %u
>>          dns proxy = No
>>          domain logons = Yes
>>          domain master = Yes
>>          load printers = No
>>          log file = /var/log/samba/log.%m
>>          logon drive = H:
>>          logon home =
>>          logon path =
>>          logon script = logon.bat
>>          map to guest = Bad User
>>          max log size = 1000
>>          name resolve order = wins lmhosts host bcast
>>          ntlm auth = ntlmv1-permitted
>>          obey pam restrictions = Yes
>>          pam password change = Yes
>>          panic action = /usr/share/samba/panic-action %d
>>          passwd chat = *Enter\snew\s*\spassword:* %n\n 
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>          passwd program = /usr/bin/passwd %u
>>          preferred master = Yes
>>          security = USER
>>          server max protocol = NT1
>>          server role = classic primary domain controller
>>          server string = APP Samba %v %h
>>          template homedir = /home/%U
>>          template shell = /bin/bash
>>          unix password sync = Yes
>>          username map = /usr/local/samba/etc/username.map
>>          wins support = Yes
>>          workgroup = LINGROUP
>>          idmap config lingroup : range = 10000-999999
>>          idmap config lingroup : backend = rid
>>          idmap config * : range = 3000-7999
>>          idmap config * : backend = tdb
>>          admin users = sysadmin
>>          hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
>>          hosts deny = 0.0.0.0/0
>>          use client driver = Yes
>>          veto oplock files = 
>> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/
>>
>>
>> [homes]
>>          browseable = No
>>          comment = Home Directories
>>          create mask = 0700
>>          directory mask = 0700
>>          read only = No
>>          valid users = %S
>>          vfs objects = recycle
>>          recycle:exclude = *.tmp, *~, *.bak
>>          recycle:keeptree = yes
>>          recycle:repository = Recycle_Bin
>>
>>
>> [netlogon]
>>          comment = Network Logon Service
>>          guest ok = Yes
>>          path = /srv/samba/netlogon ; path = /home/samba/netlogon
>>
>>
>> [printers]
>>          browseable = No
>>          comment = All Printers
>>          create mask = 0700
>>          guest ok = Yes
>>          path = /var/spool/samba
>>          printable = Yes
>>
>>
>> [print$]
>>          comment = Printer Drivers
>>          path = /var/lib/samba/printers
>>          write list = root @lpadmin
>>
>>
>> [PDFprinter]
>>          comment = Cups Virtual PDF Printer
>>          guest ok = Yes
>>          lpq command =
>>          path = /var/spool/samba
>>          printable = Yes
>>
>>
>> [DATA]
>>          comment = APP Files
>>          force group = sambashare
>>          force user = nobody
>>          inherit acls = Yes
>>          path = /mnt/APPDATA
>>          read only = No
>>          write list = @sambashare
>>
>>
>> -- 
>> Mark B
>
>
> Ubuntu 18.04 used Samba 4.7.6 (if I remember correctly) and didn't 
> require winbind, but from Samba 4.8.0 you need to run winbind. I know 
> this usually requires 'security = domain' but you also have 'server 
> role = classic primary domain controller'. Do you have winbind 
> installed and running ?
> You might also want to set 'client max protocol = NT1'. Samba, by 
> default, moved to SMBv2 from 4.11.0
>
> Rowland
>
Excellent.  OK,  I installed:

sudo apt install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

Not sure I needed all that.  Winbind exits after starting.  I see this 
message in the log.winbindd-idmap.log

[2023/06/12 15:08:45.470947,  3] 
../../source3/winbindd/idmap.c:397(idmap_init_domain)
   idmap backend rid not found
[2023/06/12 15:08:45.606645,  3] 
../../lib/util/modules.c:167(load_module_absolute_path)
   load_module_absolute_path: Module 
'/usr/lib/x86_64-linux-gnu/samba/idmap/rid.so' loaded


It's been years since I messed with any winbind stuff.  Looks like I'm 
missing something?

I added  'client max protocol = NT1'



