SMB proxy server using ntvfs cifs

Chris Miller chris at cmiller.co.uk
Thu Jan 28 11:30:55 UTC 2016


After scanning traffic with Wireshark and restricting protocols at client and/or server, I have got the proxy working with SMB1 (and an AD DC set up to join another Windows domain controller)...

To restrict to SMB1 etc.:

smb.conf -> 'server max protocol = NT1' to restrict in the global section on the server side

Or 

use smbclient (it defaults to SMB1) and to test (smbclient \\\\machine\\share\\ -U user)

When the server is not restricted with max protocol

use smbclient with SMB2+ (smbclient \\\\machine\\share\\ -U user -mSMB2)

Any negotiation with SMB2 doesn’t work, nothing much in the logs. There is an incomplete vfs_smb2 module in the NTVFS directory…

Thanks all
On 27/01/2016, 22:16, "Chris Miller" <chris at cmiller.co.uk> wrote:

>Hi,
>
>I now have the server configured as an AD DC (with another Windows AD server that was set up first and handles DNS and Kerberos). I followed:  https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
>
>This is working to serve local files and shares but it doesn’t serve the vfs_cifs remote content as yet (I’ve tried several different configs for the sys parameters). There are no obvious errors in the logs (at least to me, conf below). The NTVFS binding lines do show up and so do the debug lines from the code in the vfs_cifs.c module itself within the connect function.
>
>
>Could someone let me know/point me in the right direction - does the vfs_cifs module work with incoming SMB2 traffic or only SMB1 incoming traffic? Also on the outgoing side (it doesn't fully connect for me yet), but in Wireshark, I only see SMB1 traffic as output.
>
>Do both the input and output to and from this module have to be in SMB1 or is it possible to mix and match with SMB2 in some way?
>
>Many Thanks
>
>
>
>Config for reference; note that there are no changes with +smb - s3fs from the samba-tool output apart from logging and shares. The samba process is also run. This machine does show up as a domain controller on the Windows AD DC and Windows user accounts act as you would expect looking at the local shares.
>
># Global parameters
>[global]
>	workgroup = SMBDOMAIN
>	realm = smbdomain.net
>	netbios name = SAMBADC
>	interfaces = lo enp0s8
>	bind interfaces only = Yes
>	server role = active directory domain controller
>	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
>	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
>	log file = /usr/local/samba/samba.log
>	log level = 5
>
>[netlogon]
>	path = /usr/local/samba/var/locks/sysvol/smbdomain.net/scripts
>	read only = No
>
>[sysvol]
>	path = /usr/local/samba/var/locks/sysvol
>	read only = No
>
>[basic]
>	path = /usr/share/someshare/test
>	read only = No
>
>[test03]
>	ntvfs handler = cifs
>	cifs:server = 192.168.0.22
>	cifs:domain = SMBDOMAIN.NET
>	cifs:user = testuser
>	cifs:password = terstpass
>	cifs:share = Share2
>	path = /usr/share/someshare/noop
>	writable = yes
>
>
>
>
>
>On 27/01/2016, 16:06, "samba-technical on behalf of Rowland Penny" <samba-technical-bounces at lists.samba.org on behalf of repenny241155 at gmail.com> wrote:
>
>>On 27/01/16 15:11, Chris Miller wrote:
>>> Thanks Rowland,
>>>
>>> Sorry, the smbd, nmbd etc. starts were just to demonstrate that the server worked in the non-ntvfs mode and served content. After that step, and changing the smb.conf to include the 'server services = +smb - s3fs' lines, it is run with 'samba' or 'samba -i' only.
>>
>>To run the 'samba' daemon, you need to provision as an AD DC, as far as 
>>I am aware, you shouldn't create your own smb.conf to use with the 
>>'samba' daemon
>>
>>
>>>
>>> Would you mind clarifying the following please:
>>>
>>> Is it not possible to act as a cifs proxy (using source4/ntvfs/cifs/vfs_cifs.c) as a domain member?
>>
>>I do not think so, vfs_cifs.c is part of ntvfs and you cannot run ntvfs 
>>on a domain member
>>
>>>
>>> If not, is it possible in another configuration (AD DC or standalone etc.) to use vfs_cifs?
>>
>>It looks like you would have to provision Samba as an AD DC using the 
>>ntvfs backend and as I said, the ntvfs backend is deprecated.
>>
>>>
>>> Can you only access vfs_cifs without  +smb -s3fs and ‘samba’
>>
>>I think you meant, run 'samba' with '+smb -s3fs', if so then yes, I 
>>think this is the only way to use vfs_cifs
>>
>>>
>>> The functionality in the ntvfs module cifs to proxy is the main driver and I don't think it's currently possible elsewhere...
>>>
>>> Many Thanks
>>>
>>>
>>>
>>
>>It was written as part of 'ntvfs' and this hasn't received any updates 
>>for quite some time and to be honest, I wouldn't use any of its code.
>>
>>Rowland
>>
>>
>
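As an added example (not Samba code and not the poster's), a small smb.conf linter that parses a configuration like the one quoted above and flags the three settings this thread turns on: a pre-SMB2 'server max protocol' in [global], shares served through the ntvfs cifs proxy, and a cifs:password kept in cleartext in smb.conf. The parser is a minimal hand-written one (not Samba's loadparm) and SAMPLE_CONF is constructed from the quoted config plus the NT1 restriction the poster describes.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([^=#;][^=]*?)\s*=\s*(.*?)\s*$")
# 'server max protocol' values that predate SMB2 in Samba's dialect list.
PRE_SMB2 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lower-cased."""
    conf, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue                      # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        m = KV_RE.match(line)
        if m and section is not None:     # collapse inner whitespace in keys
            conf[section][" ".join(m.group(1).lower().split())] = m.group(2)
    return conf

def audit(conf):
    """Flag SMB1-only servers, ntvfs cifs proxy shares and cleartext proxy credentials."""
    findings = []
    max_proto = conf.get("global", {}).get("server max protocol", "").upper()
    if max_proto in PRE_SMB2:
        findings.append(f"[global] server max protocol = {max_proto}: only SMB1 dialects can be negotiated")
    for name, opts in conf.items():
        if name != "global" and opts.get("ntvfs handler", "").lower() == "cifs":
            findings.append(f"[{name}] proxies to {opts.get('cifs:server', '?')} via ntvfs cifs")
            if opts.get("cifs:password"):
                findings.append(f"[{name}] cifs:password is stored in cleartext in smb.conf")
    return findings

# Constructed sample, reduced from the smb.conf quoted in this thread, with the
# 'server max protocol = NT1' restriction the poster used added to [global].
SAMPLE_CONF = """\
[global]
    workgroup = SMBDOMAIN
    server role = active directory domain controller
    server max protocol = NT1

[test03]
    ntvfs handler = cifs
    cifs:server = 192.168.0.22
    cifs:password = terstpass
"""
```

Running `audit(parse_smb_conf(SAMPLE_CONF))` returns three findings for the sample; a [global] with `server max protocol = SMB3` and no ntvfs shares returns none.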