[Samba] [EXTERNAL]Re: SMB1 Domain stopped working after updates quick solution needed

Mark Bannister mark at injection-moldings.com
Mon Jun 12 20:34:26 UTC 2023


On 6/12/2023 3:16 PM, Mark Bannister via samba wrote:
>
> On 6/12/2023 2:37 PM, Rowland Penny via samba wrote:
>>
>>
>> On 12/06/2023 20:06, Mark Bannister via samba wrote:
>>> Simple small domain network running on a VM instance.
>>>
>>> Windows 10 browsing and shares not working.  I MUST have SMB1 
>>> working in order for a legacy database (Corel Paradox with Borland 
>>> BDE) to work. We are migrating away from this but it won't happen 
>>> today.  Error message from clients log 
>>> "./../source3/smbd/server_exit.c:239(exit_server_common)
>>>    Server exit (no protocol supported"
>>>
>>> History:
>>>
>>> Just updated from Ubuntu 18 up to 22.04.2  using standard Ubuntu 
>>> repositories.
>>>
>>> Everything seemed to be working but then I couldn't join a new 
>>> workstation to the domain (been a long time since that was an 
>>> issue). Read a few posts about Windows 22H2 causing issues so I 
>>> updated Samba via add-apt-repository ppa:linux-schools/samba-latest
>>>
>>> Did not fix the issue.
>>>
>>> If I set server max protocol = NT1  to "server Min protocol" 
>>> browsing and shares work but I get locking errors on the database 
>>> lock files and it freezes the database (note veto op locks parameter 
>>> in smb.conf).
>>>
>>> I reverted back to Version 4.15.13-Ubuntu but the same behavior.
>>>
>>> This was a working installation so SMB1 is activated on all Win10 
>>> workstations.
>>>
>>> I've got no working database so I need a fast solution as well as a 
>>> long term one.  We are planning to switch to a Microsoft AD but that 
>>> isn't even planned out yet.
>>>
>>>
>>>   testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is 
>>> deprecated
>>> Loaded services file OK.
>>> Weak crypto is allowed
>>>
>>> Server role: ROLE_DOMAIN_PDC
>>>
>>> Press enter to see a dump of your service definitions
>>>
>>> # Global parameters
>>> [global]
>>>          add machine script = sudo /usr/sbin/useradd -g machines -c 
>>> "%u machine account" -d /var/lib/samba -s /bin/false %u
>>>          add user script = /usr/sbin/adduser --quiet 
>>> --disabled-password --gecos "" %u
>>>          dns proxy = No
>>>          domain logons = Yes
>>>          domain master = Yes
>>>          load printers = No
>>>          log file = /var/log/samba/log.%m
>>>          logon drive = H:
>>>          logon home =
>>>          logon path =
>>>          logon script = logon.bat
>>>          map to guest = Bad User
>>>          max log size = 1000
>>>          name resolve order = wins lmhosts host bcast
>>>          ntlm auth = ntlmv1-permitted
>>>          obey pam restrictions = Yes
>>>          pam password change = Yes
>>>          panic action = /usr/share/samba/panic-action %d
>>>          passwd chat = *Enter\snew\s*\spassword:* %n\n 
>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>          passwd program = /usr/bin/passwd %u
>>>          preferred master = Yes
>>>          security = USER
>>>          server max protocol = NT1
>>>          server role = classic primary domain controller
>>>          server string = APP Samba %v %h
>>>          template homedir = /home/%U
>>>          template shell = /bin/bash
>>>          unix password sync = Yes
>>>          username map = /usr/local/samba/etc/username.map
>>>          wins support = Yes
>>>          workgroup = LINGROUP
>>>          idmap config lingroup : range = 10000-999999
>>>          idmap config lingroup : backend = rid
>>>          idmap config * : range = 3000-7999
>>>          idmap config * : backend = tdb
>>>          admin users = sysadmin
>>>          hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
>>>          hosts deny = 0.0.0.0/0
>>>          use client driver = Yes
>>>          veto oplock files = 
>>> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/
>>>
>>>
>>> [homes]
>>>          browseable = No
>>>          comment = Home Directories
>>>          create mask = 0700
>>>          directory mask = 0700
>>>          read only = No
>>>          valid users = %S
>>>          vfs objects = recycle
>>>          recycle:exclude = *.tmp, *~, *.bak
>>>          recycle:keeptree = yes
>>>          recycle:repository = Recycle_Bin
>>>
>>>
>>> [netlogon]
>>>          comment = Network Logon Service
>>>          guest ok = Yes
>>>          path = /srv/samba/netlogon ; path = /home/samba/netlogon
>>>
>>>
>>> [printers]
>>>          browseable = No
>>>          comment = All Printers
>>>          create mask = 0700
>>>          guest ok = Yes
>>>          path = /var/spool/samba
>>>          printable = Yes
>>>
>>>
>>> [print$]
>>>          comment = Printer Drivers
>>>          path = /var/lib/samba/printers
>>>          write list = root @lpadmin
>>>
>>>
>>> [PDFprinter]
>>>          comment = Cups Virtual PDF Printer
>>>          guest ok = Yes
>>>          lpq command =
>>>          path = /var/spool/samba
>>>          printable = Yes
>>>
>>>
>>> [DATA]
>>>          comment = APP Files
>>>          force group = sambashare
>>>          force user = nobody
>>>          inherit acls = Yes
>>>          path = /mnt/APPDATA
>>>          read only = No
>>>          write list = @sambashare
>>>
>>>
>>> -- 
>>> Mark B
>>
>>
>> Ubuntu 18.04 used Samba 4.7.6 (if I remember correctly) and didn't 
>> require winbind, but from Samba 4.8.0 you need to run winbind. I know 
>> this usually requires 'security = domain' but you also have 'server 
>> role = classic primary domain controller'. Do you have winbind 
>> installed and running ?
>> You might also want to set 'client max protocol = NT1', Samba, by 
>> default, moved to SMBv2 from 4.11.0
>>
>> Rowland
>>
> Excellent.  OK,  I installed:
>
> sudo apt install winbind libpam-winbind libnss-winbind krb5-config 
> samba-dsdb-modules samba-vfs-modules
>
> Not sure I needed all that.  Winbind exits after starting.  I see this 
> message in the log.winbindd-idmap.log
>
> [2023/06/12 15:08:45.470947,  3] 
> ../../source3/winbindd/idmap.c:397(idmap_init_domain)
>   idmap backend rid not found
> [2023/06/12 15:08:45.606645,  3] 
> ../../lib/util/modules.c:167(load_module_absolute_path)
>   load_module_absolute_path: Module 
> '/usr/lib/x86_64-linux-gnu/samba/idmap/rid.so' loaded
>
>
> It's been years since I messed with any winbind stuff.  Looks like 
> I'm missing something?
>
> I added  'client max protocol = NT1'
>
>
Also, to clarify, I don't have a Kerberos server running.

--
Mark B
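
An added example, not part of the original thread and not Samba's own code: it computes the range of SMB dialects an `smb.conf` lets the server negotiate, which is the check that matches the "no protocol supported" log line and the `server max protocol = NT1` setting quoted above. It assumes the Samba 4.11 and later defaults (`server min protocol = SMB2_02`, `server max protocol = SMB3`), ignores parameter synonyms, and runs on constructed config fragments.

```python
# Added example; the defaults below are the assumed Samba >= 4.11 values.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
DEFAULTS = {"serverminprotocol": "SMB2_02", "servermaxprotocol": "SMB3"}

def parse_global(text):
    """Return [global] parameters; names are lower-cased, whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)      # only the first '=' counts
            params["".join(key.split()).lower()] = value.strip()
    return params

def rank(name):
    """Position of a dialect name (or alias) in negotiation order."""
    name = name.upper()
    return ORDER.index(ALIASES.get(name, name))

def server_dialects(text):
    """Dialects between the effective server min and max, inclusive."""
    p = {**DEFAULTS, **parse_global(text)}
    lo, hi = rank(p["serverminprotocol"]), rank(p["servermaxprotocol"])
    return ORDER[lo:hi + 1]                      # empty when min is above max

def audit(text):
    dialects = server_dialects(text)
    if not dialects:
        return "EMPTY: min above max, no dialect can be negotiated"
    if rank(dialects[0]) <= rank("NT1"):
        return "SMB1 offered: " + ", ".join(dialects)
    return "OK: " + ", ".join(dialects)

# Constructed fragments: max capped at NT1 only, then min and max both NT1.
AS_POSTED = "[global]\n\tserver max protocol = NT1\n"
BOTH_NT1 = "[global]\n\tserver min protocol = NT1\n\tserver max protocol = NT1\n"

if __name__ == "__main__":
    for name, conf in (("max only", AS_POSTED), ("min and max", BOTH_NT1)):
        print(name, "->", audit(conf))
```

With only the maximum lowered, the defaulted minimum sits above it and the range is empty; setting both to NT1 leaves SMB1 as the only dialect the server offers.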