[Samba] What is needed to allow Network Browsing of the file server in Windows

L.P.H. van Belle belle at bazuin.nl
Mon Sep 28 15:10:59 UTC 2020 

https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/ 
Just read it and think again.
 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Nick 
> Howitt via samba
> Verzonden: maandag 28 september 2020 16:40
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] What is needed to allow Network 
> Browsing of the file server in Windows
> 
> 
> 
> On 28/09/2020 15:21, Rowland penny via samba wrote:
> > 
> > On 28/09/2020 14:52, Nick Howitt via samba wrote:
> >>
> >>
> >> On 28/09/2020 12:36, Rowland penny via samba wrote:
> >>>
> >>> On 28/09/2020 12:01, Nick Howitt via samba wrote:
> >>>> I am using Samba as a simple file server but I cannot browse its 
> >>>> shares in Windows Explorer. I do not use SMB1. Am I 
> missing a trick 
> >>>> or is it not possible without SMB1?
> >>> No you are not missing a trick, Network Browsing requires SMBv1. 
> >>> Windows now uses Network Discovery instead, you should be 
> able to use 
> >>> this instead: https://github.com/christgau/wsdd
> >>>>
> >>>> I am using ClearOS7 with the Centos7 4.10.4 samba package.
> >>>
> >>> Samba is starting to remove everything to do with SMBv1, 
> 4.13.0 (just 
> >>> released) has deprecated a few of the parameters required 
> for a PDC, 
> >>> so can I suggest you upgrade to Samba AD as soon as 
> possible, this 
> >>> will mean using non distro packages or changing distro, 
> because you 
> >>> cannot provision an AD DC on the Centos packages.
> >>>
> >>> Rowland
> >>>
> >> Thanks. wsdd seems to do the trick.
> >>
> >> I'm afraid I can't upgrade Samba as I am stuck with what upstream 
> >> supply, so it is what I need to be able to support. ClearOS itself 
> >> will need quite a rework to handle an AD/DC as it also does file 
> >> serving and has a fair amount of stuff integrated with OpenLDAP 
> >> including a few schema additions. Really the only feasible 
> stage to do 
> >> an upgrade would be when they change to 8.x. Even then, 
> the easiest 
> >> route would be to keep going with the current file server 
> set up and 
> >> run an AD/DC in docker with something like 
> >> https://github.com/Fmstrat/samba-domain then join the 
> server to the 
> >> docker domain. You would hate this as it you strongly 
> recommend (for 
> >> understandable reasons) keeping an AD/DC on a separate machine. 
> >> Unfortunately the ClearOS concept was for an all-in-one 
> box acting as 
> >> a router and server. Thankfully I am not a system architect and 
> >> someone else is going to have to come up with the system design.
> >> Nick
> >>
> >>
> > You do not seem to understand, SMBv1 is insecure and the 
> first stage (as 
> > far as Samba is concerned) is to deprecate SMBv1, the next 
> stage will be 
> > to remove it. Now this isn't likely to happen overnight but 
> it could be 
> > Samba 4.15.0, at which point your PDC will have virtually 
> nothing to 
> > talk to, because I am fairly sure that when Samba removes SMBv1, 
> > Microsoft will do the same.
> > 
> > ClearOS is based on RHEL and RHEL doesn't seem to want an AD DC, so 
> > ClearOS (and Centos) are unlikely to have one either 
> (unless they break 
> > with RHEL).
> > 
> > When SMBv1 is removed, you will probably have three 
> options. Continue 
> > with ClearOS using a version of Samba that is unlikely to 
> get updates 
> > and has limited clients, switch to freeIPA (RHEL 8 no 
> longer comes with 
> > openldap and smbldap-tools) or change distro to a Debian based one.
> > 
> > I personally think it is better to decide now, rather than 
> waiting until 
> > you are forced to make a choice.
> > 
> > Rowland
> > 
> > 
> Yes, I am aware of the issues. I don't use smb1 or domains so 
> I should 
> be able to live with the current product.
> For customers who use NT4 domains things are a little more difficult. 
> Currently you can still use them with 4.10 without SMB1, but 
> you said in 
> earlier correspondence that you needed SMB1 but I am not sure 
> with what 
> level of Samba. This is the first thing that scares me (a lot).
> It will be interesting to see what upstream do, bearing in 
> mind they are 
> still on 4.10. I am very concerned about the future and would really 
> like to see ClearOS move to v8 when everything is up for 
> grabs. There is 
> too much baggage in 7.x to upgrade as there is too much other stuff 
> built into the O/S which would need refactoring, as I was trying to 
> point out. Also, if they push an upgrade to AD/DC it would 
> have to be an 
> automatic push converting over existing NT4 domains and I am not sure 
> this is a possibility, or even safe to force on clients.
> 
> Nick
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list