[Samba] samba behavior change with version upgrade

Rowland Penny rpenny at samba.org
Thu Jun 7 18:49:17 UTC 2018 

On Thu, 7 Jun 2018 14:24:57 -0400
"David H. Durgee via samba" <samba at lists.samba.org> wrote:

> Rowland Penny via samba wrote:
> > On Thu, 7 Jun 2018 14:57:34 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Thu, 7 Jun 2018 14:51:11 +0100
> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>
> >>> On Thu, 7 Jun 2018 15:43:07 +0200
> >>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >>>
> >>>> David,
> >>>>
> >>>> So only Rowland is allowed to help?? If everybody does that them
> >>>> in feeling really sorry for him. There are lots of people here
> >>>> with very good knowledge. Even if its a long post, everything
> >>>> might be relevant, i suggest, you try it.. It does not hurt.
> >>>> Anonimize the config if needed.
> >>>>
> >>> I am trying to do two things at once, re-writing the time server
> >>> wikipage and reading (and shortening) the smb.conf files I was
> >>> sent, give me a few minutes and I will post them with a comment.
> >>>
> >>> Rowland
> >>>
> >> OK, here are thr two smb.conf files without commented lines and
> >> obvious default lines.
> >>
> >> This is what the OP should have posted:
> >>
> >> MAYA:
> >>
> >> [global]
> >>     workgroup = AGI-NET
> >>     server string = %h server (Samba, LinuxMint)
> >>     dns proxy = no
> >>     log file = /var/log/samba/log.%m
> >>     max log size = 2048
> >>     log level = 0
> >>     syslog = 0
> >>     panic action = /usr/share/samba/panic-action %d
> >>     obey pam restrictions = yes
> >>     unix password sync = yes
> >>     passwd program = /usr/bin/passwd %u
> >>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> >> *Retype\snew\s*\spassword:* %n\n
> >> *password\supdated\ssuccessfully* . pam password change = yes map
> >> to guest = bad user client lanman auth = yes
> >>     client ntlmv2 auth = no
> >>     lanman auth = yes
> >>     usershare allow guests = yes
> >>
> >> [printers]
> >>     comment = All Printers
> >>     browseable = no
> >>     path = /var/spool/samba
> >>     printable = yes
> >>     guest ok = no
> >>     read only = yes
> >>     create mask = 0700
> >>
> >> [print$]
> >>     comment = Printer Drivers
> >>     path = /var/lib/samba/printers
> >>     browseable = yes
> >>     read only = yes
> >>     guest ok = no
> >>
> >> [testing]
> >> 	comment = Samba test shared directory
> >> 	read only = no
> >> 	locking = no
> >> 	path = /var/tmp
> >>      guest ok = yes
> >>
> >> SYLVIA:
> >>
> >> [global]
> >>     workgroup = AGI-NET
> >> 	server string = %h server (Samba, LinuxMint)
> >>     dns proxy = no
> >>     log file = /var/log/samba/log.%m
> >>     max log size = 2048
> >>    log level = 0
> >>     syslog = 0
> >>     panic action = /usr/share/samba/panic-action %d
> >>     server role = standalone server
> >>     obey pam restrictions = yes
> >>     unix password sync = yes
> >>     passwd program = /usr/bin/passwd %u
> >>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> >> *Retype\snew\s*\spassword:* %n\n
> >> *password\supdated\ssuccessfully* . pam password change = yes map
> >> to guest = bad user client lanman auth = yes
> >>     client ntlmv2 auth = no
> >>     lanman auth = yes
> >>     usershare allow guests = yes
> >>
> >> [printers]
> >>     comment = All Printers
> >>     browseable = no
> >>     path = /var/spool/samba
> >>     printable = yes
> >>     guest ok = no
> >>     read only = yes
> >>     create mask = 0700
> >>
> >> [print$]
> >>     comment = Printer Drivers
> >>     path = /var/lib/samba/printers
> >>     browseable = yes
> >>     read only = yes
> >>     guest ok = no
> >>
> >> [testing]
> >> 	comment = Samba test shared directory
> >> 	read only = no
> >> 	locking = no
> >> 	path = /var/tmp
> >>      guest ok = yes
> >>
> > OK, remove these lines:
> >
> >     client lanman auth = yes
> >     client ntlmv2 auth = no
> >     lanman auth = yes
> >
> > They are the exact opposites to what you need.
> >
> > Rowland
> 
> I'm not sure of that.  My LAN has two OS/2 systems on it and I mount 
> network shares from them.  Neither of them use network shared
> resources from my linux system, but my linux system must be able to
> mount those network shares.  To the best of my knowledge lanman auth
> is a requirement for accessing OS/2 shares.  Perhaps given that the
> sharing is all from linux to OS/2 one of those can be changed.

Why does it sometimes feel like pulling teeth, you could have said
something earlier.

You are running a very insecure network, give me half an hour and I
will give you all your passwords.

> 
> Are these entries of any consequence for another linux mint sylvia 
> system performing gvfs-mount via gigolo of the testing share?
> Likewise they are in both smb.conf files, so why would 4.3.11-Ubuntu
> have problems with them that 3.6.25 doesn't?

Probably because the code has changed so much between the two versions,
there were also releases to deal with these CVE's:

CVE-2016-2119 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118

And they were just in the 4.3 release series and they dealt with
authentication.

Try removing the lines (you could just comment them out) restart Samba
and see if it cures your present problem. If it does, you just have to
find a way around the problem of having two out of date servers in
your network.

Rowland

More information about the samba mailing list