[Samba] Can't connect after Ubuntu 18.04.1 Upgrade???
rpenny at samba.org
Mon Aug 20 19:17:06 UTC 2018
On Mon, 20 Aug 2018 18:38:53 +0000 (UTC)
Thomas Rieff via samba <samba at lists.samba.org> wrote:
> Thanks for the replies...
> Just a basic samba server...being accessed by windows 7 to the gc and
> tmr shares with \\10.10.171.9\gc and \\10.10.171.9\tmr This has been
> running for a year without any issues...till the update yesterday
> afternoon :-( The file server is Ubuntu 18.04 and there was an update
> to Ubuntu 18.04.1, which I thought would be a mild step. The current
> version of samba is... Samba version 4.7.6-Ubuntu, don't know what it
> was before, thought it was up to date??? Below is the testparm and
> the dump of configurations. Also, I do see an error in the one log
> below. Hope all is well. Tom
> root at gc9:~# testparm
> Server role: ROLE_STANDALONE
> # Global parameters
> dns proxy = No
> log file = /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> server role = standalone server
> server string = %h server (Samba, Ubuntu)
> syslog = 0
> unix password sync = Yes
> usershare allow guests = Yes
> wins support = Yes
> workgroup = CLS
> idmap config * : backend = tdb
If you check the Ubuntu changelog, you will find this:
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.2) bionic-security; urgency=medium
  * SECURITY UPDATE: Weak authentication protocol allowed
    - debian/patches/CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1
      and add tests.
The default setting for ntlm auth is ntlmv2-only, but before the
update, even though it wasn't really allowed by the default setting,
NTLMv1 worked, now it doesn't. I think it is highly likely your
clients are using NTLMv1.
You can easily test this, add 'ntlm auth = yes' to smb.conf and
restart. If this cures your problem, then you have two choices, leave
it alone and put up with a possibly insecure server, or fix your
clients to only use NTLMv2 and remove the line from smb.conf.
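
An added example, not part of the original message and not Samba project code: a small audit check that reads smb.conf text and reports whether the 'ntlm auth' workaround suggested above is still in place, so the line is not forgotten once the clients are fixed. The sample configuration and the function name are constructed for illustration; it assumes parameters that appear before any section header count as global.

```python
import re

# Values Samba accepts for "ntlm auth", mapped to whether NTLMv1 is accepted.
NTLM_AUTH = {
    "ntlmv1-permitted": True, "yes": True, "true": True, "1": True,
    "ntlmv2-only": False, "no": False, "false": False, "0": False,
    "mschapv2-and-ntlmv2-only": False, "disabled": False,
}
DEFAULT = "ntlmv2-only"  # default stated in the reply above


def ntlm_auth_setting(conf_text):
    """Return (value, ntlmv1_allowed) for the [global] section of smb.conf text."""
    # Assumption: parameters before any section header are treated as global.
    value, section, pending = DEFAULT, "global", ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, val = line.partition("=")
        # Parameter names ignore case and embedded whitespace.
        if sep and section == "global" and re.sub(r"\s+", "", name).lower() == "ntlmauth":
            value = val.strip().lower()  # a later line overrides an earlier one
    if value not in NTLM_AUTH:
        raise ValueError("unrecognised ntlm auth value: %r" % value)
    return value, NTLM_AUTH[value]


# Constructed sample: the workaround from the reply added to a [global] section.
SAMPLE = """\
[global]
   workgroup = CLS
   ; ntlm auth = ntlmv2-only
   NTLM Auth = Yes
[gc]
   path = /srv/gc
"""

if __name__ == "__main__":
    value, weak = ntlm_auth_setting(SAMPLE)
    print("ntlm auth = %s -> NTLMv1 %s" % (value, "ACCEPTED" if weak else "refused"))
```

On a live server, the output of testparm remains the authoritative view of the effective setting; this check is meant for configuration files held in version control or collected from several hosts.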