[Samba] 4.20: smb.conf include = %I.conf / server min protocol

Moertenhumer Martin martin.moertenhumer at lisec.com
Fri Mar 14 12:07:44 UTC 2025 

Hello, 

in the past I've used host-based configurations to allow older Windows XP machines to connect to recent servers (without reducing security for the entire network). Up until samba 4.19 this worked for me. Using 4.20 I'm facing the issue that  "server min protocol = NT1" does not work when set in include=.../%I.conf. (setting server min protocol = NT1 in smb.conf's global section works). 

Any insights/ideas are highly appreciated.

Kernel: 
5.14.0-503.29.1.el9_5.x86_64
Red Hat Enterprise Linux release 9.5 (Plow) Samba version: samba-4.20.2-2.el9_5.x86_64

smb.conf:
[global]
        allow insecure wide links = yes
        netbios aliases = somethingTEST somethingTEST
        acl allow execute always = True
        passdb backend = tdbsam
        wins support = true
        security = user
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        read raw = no
        map to guest = Bad Password
        cups options = raw
        follow symlinks = yes
        preferred master = yes
        load printers = yes
        guest account = liprod
        write raw = no
        os level = 20
        netbios name = something
        wide links = yes
        workgroup = ratherNOTtell
        include = /etc/samba/client_based_cfg/%I.conf

/etc/samba/client_based_cfg/10.2.10.4.conf:
[global]
        server min protocol = NT1
        map to guest = Bad Password
        ntlm auth = yes
        guest ok = yes
        log level = 3

Log (/var/log/samba/log.10.2.10.4)
[2025/03/14 12:50:31.095021,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[printers]"
[2025/03/14 12:50:31.095068,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[pcidos]"
[2025/03/14 12:50:31.095126,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[fab]"
[2025/03/14 12:50:31.095174,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[liident]"
[2025/03/14 12:50:31.095200,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[sw-tank]"
[2025/03/14 12:50:31.095228,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[labels]"
[2025/03/14 12:50:31.095253,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[bar]"
[2025/03/14 12:50:31.095278,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[benteler]"
[2025/03/14 12:50:31.095306,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[shape]"
[2025/03/14 12:50:31.095319,  2] ../../source3/param/loadparm.c:2901(lp_do_section)
  Processing section "[test]"
[2025/03/14 12:50:31.095341,  3] ../../source3/param/loadparm.c:1686(lp_add_ipc)
  adding IPC service
  added interface eth0 ip=10.2.10.1 bcast=10.2.10.255 netmask=255.255.255.0
[2025/03/14 12:50:31.095513,  3] ../../source3/smbd/smb2_negprot.c:1203(smb2_multi_protocol_reply_negprot)
  smb2_multi_protocol_reply_negprot: No protocol supported !
[2025/03/14 12:50:31.095627,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (no protocol supported
  )

Thanks,
Martin

More information about the samba mailing list