Re: [opensuse-factory] Samba issues after snapshot 20160613
I'm just amazed that this kind of tinkering with configuration parameters is even necessary when smbclient is used against localhost for testing purposes. I mean, being the client and the server coming from the same package, they should work each one against the other out-of-the-box, especially since "client ntlmv2 auth = yes" and "client use spnego = yes" are default settings.
Thanks, Giuseppe.
On Fri, Jun 24, 2016 at 4:25 PM, René Krell <renda.krell@gmail.com> wrote:
> 2016-06-24 15:40 GMT+02:00 Giuseppe Gorgoglione <gorgogsp@gmail.com>:
>> I tried to add that to my smb.conf file, but apparently that's not enough: it just made the smbclient error message change from "protocol negotiation failed: NT_STATUS_IO_TIMEOUT" to "session setup failed NT_STATUS_INVALID_PARAMETER". Then, searching the Samba 4.4.2 release notes [1] for the parameter you cited, I found that they introduced two new configuration defaults:
>> "client ntlmv2 auth = yes" and "client use spnego = yes"
>> So I reverted those, adding both "client ntlmv2 auth = no" and "client use spnego = no" to my smb.conf. This worked fine but I discovered to my utter surprise (ok, I'm not a Samba expert, and the "client" prefix to those parameters should have made me think better...) that they must be added to the client's smb.conf, not to the server's.
> Yes, of course. I forgot to mention. For me, setting "client use spnego = no" in smb.conf at the client side was enough, didn't need the second one. It should be mentioned that this might bring security issues in environments with newer protocols; no extended security of the protocol is used with this any longer. Maybe some servers do also force extended security.
>> So now I'm able to access my Linux shares from another Linux box, but still not from Windows, which is my main use case.
> With the above, I have access to all possible shares in the local network around here. I found mainly this response:
> Domain=[MY-DOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> For me, this also works:
> smbclient -m NT1 -U domain_user //server/share
> So, our shares unfortunately provide just the Samba 1 protocol.
>> Then, since those parameters are specific to the SMB1 protocol, I tried to force both the client and the server to use SMB2 or SMB3 as min protocol, but it didn't work.
>> Any idea?
> Unfortunately not more. This is a topic for Samba gurus.
Ok, I found a fix and I'm writing about it here just in case anybody is experiencing the same.
Analyzing the network traffic with Wireshark, I found that when a client tries to connect to the samba server, the server starts spamming the network with DNS requests to resolve its own hostname (nausicaa in my case), and this happens even if you refer to the server by IP address or locally by localhost. This spamming triggers the timeout during the samba protocol negotiation at the beginning of the session.
I stopped it just by adding one line in /etc/hosts:
127.0.0.1 nausicaa
Now access to the network shares is immediate and reliable, and "client ntlmv2 auth = no" and "client use spnego = no" are no longer needed for me.
Cheers, Giuseppe.
On Fri, Jun 24, 2016 at 4:42 PM, Giuseppe Gorgoglione <gorgogsp@gmail.com> wrote:
> I'm just amazed that this kind of tinkering with configuration parameters is even necessary when smbclient is used against localhost for testing purposes. I mean, being the client and the server coming from the same package, they should work each one against the other out-of-the-box, especially since "client ntlmv2 auth = yes" and "client use spnego = yes" are default settings.
> Thanks, Giuseppe.
> On Fri, Jun 24, 2016 at 4:25 PM, René Krell <renda.krell@gmail.com> wrote:
>> 2016-06-24 15:40 GMT+02:00 Giuseppe Gorgoglione <gorgogsp@gmail.com>:
>>> I tried to add that to my smb.conf file, but apparently that's not enough: it just made the smbclient error message change from "protocol negotiation failed: NT_STATUS_IO_TIMEOUT" to "session setup failed NT_STATUS_INVALID_PARAMETER". Then, searching the Samba 4.4.2 release notes [1] for the parameter you cited, I found that they introduced two new configuration defaults:
>>> "client ntlmv2 auth = yes" and "client use spnego = yes"
>>> So I reverted those, adding both "client ntlmv2 auth = no" and "client use spnego = no" to my smb.conf. This worked fine but I discovered to my utter surprise (ok, I'm not a Samba expert, and the "client" prefix to those parameters should have made me think better...) that they must be added to the client's smb.conf, not to the server's.
>> Yes, of course. I forgot to mention. For me, setting "client use spnego = no" in smb.conf at the client side was enough, didn't need the second one. It should be mentioned that this might bring security issues in environments with newer protocols; no extended security of the protocol is used with this any longer. Maybe some servers do also force extended security.
>>> So now I'm able to access my Linux shares from another Linux box, but still not from Windows, which is my main use case.
>> With the above, I have access to all possible shares in the local network around here. I found mainly this response:
>> Domain=[MY-DOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
>> For me, this also works:
>> smbclient -m NT1 -U domain_user //server/share
>> So, our shares unfortunately provide just the Samba 1 protocol.
>>> Then, since those parameters are specific to the SMB1 protocol, I tried to force both the client and the server to use SMB2 or SMB3 as min protocol, but it didn't work.
>>> Any idea?
>> Unfortunately not more. This is a topic for Samba gurus.
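The /etc/hosts fix described in the message above can be checked before touching any Samba option. The sketch below is an added example, not code from the thread or from Samba: it reports whether a name has a static hosts entry and otherwise times the resolver. The names `hosts_lookup` and `diagnose`, the one-second budget and the sample hosts text are assumptions made for illustration, and it only models a "hosts file first, then DNS" lookup order.

```python
import socket
import time

def hosts_lookup(hosts_text, name):
    """Return the addresses that /etc/hosts-format text maps `name` to."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # fields[0] is the address; the rest are the canonical name and aliases
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found

def diagnose(name, hosts_text, resolver=socket.getaddrinfo, budget_s=1.0):
    """Classify how `name` resolves: 'static', 'dns-ok', 'dns-slow' or 'unresolvable'."""
    static = hosts_lookup(hosts_text, name)
    if static:
        return {"verdict": "static", "addresses": static, "elapsed_s": 0.0}
    # No static entry: the lookup falls through to the resolver, so time it.
    start = time.monotonic()
    try:
        addrs = sorted({info[4][0] for info in resolver(name, None)})
    except socket.gaierror:
        addrs = []
    elapsed = time.monotonic() - start
    if not addrs:
        verdict = "unresolvable"
    elif elapsed > budget_s:
        verdict = "dns-slow"
    else:
        verdict = "dns-ok"
    return {"verdict": verdict, "addresses": addrs, "elapsed_s": elapsed}

# Constructed sample: a hosts file before and after the one-line fix from the thread.
BEFORE = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n"
AFTER = BEFORE + "127.0.0.1 nausicaa   # static name of the Samba server\n"

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        print(diagnose(socket.gethostname(), fh.read()))
```

A verdict of `unresolvable` or `dns-slow` for the server's own hostname matches the situation the message describes.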
2016-06-27 16:25 GMT+02:00 Giuseppe Gorgoglione <gorgogsp@gmail.com>:
> Ok, I found a fix and I'm writing about it here just in case anybody is experiencing the same. ...
> I stopped it just by adding one line in /etc/hosts: 127.0.0.1 nausicaa
> Now access to the network shares is immediate and reliable, and "client ntlmv2 auth = no" and "client use spnego = no" are no longer needed for me.
Ok, in this case your server "speaks" a newer protocol, not NT1, right?
Right, in my case the server is my Tumbleweed box itself, now running Samba 4.4.4, the client is a Windows 10 box. During the session, they exchange SMB2 packets with protocol dialect 2.02 or higher.
I don't know why "client ntlmv2 auth = no" and "client use spnego = no" were helping to some degree. Maybe the hostname resolution request is part of the ntlmv2 authentication or some other step which is skipped with those options.
Anyway, the main point here is that if you have a local samba server with a static hostname, which is a quite common setup if you want to share files in a home network, you have to set /etc/hosts accordingly. It was not clear to me.
Cheers, Giuseppe
On Mon, Jun 27, 2016 at 5:07 PM, René Krell <renda.krell@gmail.com> wrote:
> 2016-06-27 16:25 GMT+02:00 Giuseppe Gorgoglione <gorgogsp@gmail.com>:
>> Ok, I found a fix and I'm writing about it here just in case anybody is experiencing the same. ...
>> I stopped it just by adding one line in /etc/hosts: 127.0.0.1 nausicaa
>> Now access to the network shares is immediate and reliable, and "client ntlmv2 auth = no" and "client use spnego = no" are no longer needed for me.
> Ok, in this case your server "speaks" a newer protocol, not NT1, right?
On Monday, 27 June 2016 17.59:21 h CEST Giuseppe Gorgoglione wrote:
> Right, in my case the server is my Tumbleweed box itself, now running Samba 4.4.4, the client is a Windows 10 box. During the session, they exchange SMB2 packets with protocol dialect 2.02 or higher.
> I don't know why "client ntlmv2 auth = no" and "client use spnego = no" were helping to some degree. Maybe the hostname resolution request is part of the ntlmv2 authentication or some other step which is skipped with those options.
> Anyway, the main point here is that if you have a local samba server with a static hostname, which is a quite common setup if you want to share files in a home network, you have to set /etc/hosts accordingly. It was not clear to me.
> Cheers, Giuseppe
> On Mon, Jun 27, 2016 at 5:07 PM, René Krell <renda.krell@gmail.com> wrote:
>> 2016-06-27 16:25 GMT+02:00 Giuseppe Gorgoglione <gorgogsp@gmail.com>:
>>> Ok, I found a fix and I'm writing about it here just in case anybody is experiencing the same. ...
>>> I stopped it just by adding one line in /etc/hosts: 127.0.0.1 nausicaa
>>> Now access to the network shares is immediate and reliable, and "client ntlmv2 auth = no" and "client use spnego = no" are no longer needed for me.
>> Ok, in this case your server "speaks" a newer protocol, not NT1, right?
Certainly because you should always have a working dns system.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
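Since the thread ends with the workaround options no longer being needed, a client smb.conf is worth checking for leftovers of them. The following is an added example, not code from the thread or from the Samba project: a small auditor that flags the two settings discussed above when they are switched off, and any protocol bound pinned to an SMB1-era dialect such as NT1. The function names and the sample file are constructed for illustration.

```python
def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())

# Settings from the thread that switch a client-side protection off.
WEAKENING = {norm("client ntlmv2 auth"), norm("client use spnego")}
PROTOCOL = {norm(p) for p in ("client min protocol", "client max protocol",
                              "server min protocol", "server max protocol",
                              "min protocol", "max protocol")}
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
FALSE = {"no", "false", "0"}

def parse_smb_conf(text):
    """Yield (lineno, section, parameter, value) from smb.conf-format text."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield lineno, section, key.strip(), value.strip()

def audit(text):
    """Return (lineno, parameter, value, reason) for each risky setting."""
    findings = []
    for lineno, _section, key, value in parse_smb_conf(text):
        if norm(key) in WEAKENING and value.lower() in FALSE:
            findings.append((lineno, key, value, "authentication hardening disabled"))
        elif norm(key) in PROTOCOL and value.lower() in SMB1_DIALECTS:
            findings.append((lineno, key, value, "protocol bound set to an SMB1-era dialect"))
    return findings

# Constructed sample: a client smb.conf still carrying the thread's workarounds.
SAMPLE = """\
[global]
    workgroup = HOME
    ; workaround left behind after the /etc/hosts fix
    client use spnego = no
    Client NTLMv2 Auth = No
    client max protocol = NT1
    server min protocol = SMB2
"""

if __name__ == "__main__":
    for lineno, key, value, reason in audit(SAMPLE):
        print(f"line {lineno}: {key} = {value}  ({reason})")
```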