[Samba] Windows clients require reboot once a day in order to access mapped drives

L.P.H. van Belle belle at bazuin.nl
Wed May 1 06:23:59 UTC 2019

You can set these also on the share. 

Win7 and10
	    client min protocol = SMB2
	    client max protocol = SMB3

The one for the scanner, 
	    client min protocol = NT1
	    client max protocol = SMB2

Part of my smbstatus -a:  
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
27316   root         root         192.168.xxx.1(ipv4:192.168.xxx.1:50818) SMB2_10           -                    -
27357   username domain users 192.168.xxx.2(ipv4:192.168.xxx.2:63181) SMB3_11           partial(AES-128-CCM) partial(AES-128-CMAC)
27439   username domain users 192.168.x.5 (ipv4:192.168.x.5:1102) NT1               -                    -
27336   root         root         192.168.xxx.3(ipv4:192.168.xxx.3:34540) SMB3_00           -                    -
27337   root         root         192.168.xxx.4(ipv4:192.168.xxx.4:41138) SMB3_00           -                    -

>From above list, top to bottem. 
The first is a windows 7 pc. and the second a win10 PC.  connecting to a share configured with : 
    smb encrypt = auto
    client min protocol = SMB2
    client max protocol = SMB3

the thirth is a Win XP pc, connecting to a separated share configured with: 
    client min protocol = NT1
    client max protocol = SMB2
The last to are 2 Xen xcp-ng servers with samba 4.2.3. 
No configuration is done for this share. 

The above see if it helps you a bit. 



	Van: Mason Schmitt [mailto:mason at ftlcomputing.com] 
	Verzonden: dinsdag 30 april 2019 19:39
	Aan: L.P.H. van Belle
	CC: samba at lists.samba.org
	Onderwerp: Re: [Samba] Windows clients require reboot once a day in order to access mapped drives

		I would check 3 things here before this is reported as bug. 
		Kerberos/Authentication. krb5.conf, Did you change the : clockskew or renew_lifetime
		Set only this : 
		    default_realm = YOUR.REALM.TLD
		    dns_lookup_kdc = true
		    dns_lookup_realm = false

	I have not played with clockskew or renew_lifetime.  Both my DC and file server have the following krb5.conf file.

	        default_realm = YOUR.REALM.TLD
	        dns_lookup_realm = false
	        dns_lookup_kdc = true

		Are the pc's connected to multiple servers. Then on these servers run : smbstatus -A
		Check these outputs. 
		The windows clients, do these have SMB1 still enabled or not? 

	Windows 10 clients (the only ones having the problem) have SMB1 disabled by default.  I have not re-enabled it.

	Currently, when I run smbstatus -A I see clients connection with either protocol version 2_10 or 3_11.


		And what are the windows eventlogs telling ( post event id and part of description ).

	As noted in my previous email, after spending a half hour looking through event logs I didn't see anything.

		Now, you can try these also. I tested samba 4.9.6 and 4.10.2 on Debian 9. 
		    smb encrypt = required

	That will disconnect my win7 clients, so I can't try that.

		    client min protocol = SMB2
		    client max protocol = SMB3

	My reading of the man page suggests that these settings apply to smbclient, not windows clients connecting to the samba server.  I had previously thought, prior to reading the man page, that this would limit which protocols were available to connecting clients, but I can confirm that it does not perform that function.  However, setting server min protocol = SMB2 and/or server max protocol = SMB3, does limit what clients can do.  However, to my surprise, if I set 'server max protocol = SMB2' windows 10 clients cannot connect.  So, my current understanding is that if one has Win10 clients on the network, you cannot set 'server max protocol' to anything less than SMB3.
	I currently can't disable SMB1 on this server, as there is a scanner that connects via SMB1 to one of my shares.  I'm working to change that, but I can't eliminate it just yet.


More information about the samba mailing list