SMB1 for tumbleweed builds??
I recently discovered that SMB1 is no longer supported for tumbleweed builds. I was trying to use my HP printer's scan to network folder option yesterday and discovered the printer can no longer talk to my Samba server. I grabbed a network trace and saw the printer is only talking SMB1. Looking through the samba change log I saw the update below.
Mon 26 Sep 2022 07:00:00 AM CDT
Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
Does anyone know if there's a community build of samba that still supports SMB1?
Bryan
No that no longer seems to work. I've also tried server min protocol and client min protocol and still fails. I'm guessing that samba is compiled without SMB1 support which is an option now in 4.17. I completely understand the reasoning behind its removal and making that the default. I would just like a samba-smb1 add on rpm or separate samba install to allow users to still add SMB1 support back in.

https://www.samba.org/samba/history/samba-4.17.0.html

Configure without the SMB1 Server
---------------------------------

It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:

--with-smb1-server
--without-smb1-server

By default (without either of these options set) Samba is configured to include SMB1 support (i.e. --with-smb1-server is the default). When Samba is configured without SMB1 support, none of the SMB1 code is included inside smbd except the minimal stub code needed to allow a client to connect as SMB1 and immediately negotiate the selected protocol into SMB2 (as a Windows server also allows).

None of the SMB1-only smb.conf parameters are removed when configured without SMB1, but these parameters are ignored by the smbd server. This allows deployment without having to change an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers.

On 11/4/22 08:50, Larry Len Rainey wrote:
It used to support SMB1 if the /etc/samba/smb.conf had the line "min protocol = NT1" - has that option been removed?
Does it work if it is added? (you can change the smb.conf files and do a "systemcfg restart smb nmb" to force samba to restart with the updated config file.)
My samba server is on 15.4 so I cannot test that.
Larry
On 11/4/22 08:38, Bryan Thoreson wrote:
I recently discovered that SMB1 is no longer supported for tumbleweed builds. I was trying to use my HP printer's scan to network folder option yesterday and discovered the printer can no longer talk to my Samba server. I grabbed a network trace and saw the printer is only talking SMB1. Looking through the samba change log I saw the update below.
Mon 26 Sep 2022 07:00:00 AM CDT
Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
Does anyone know if there's a community build of samba that still supports SMB1?
Bryan
On 04.11.2022 17:03, Bryan Thoreson wrote:
It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:
--with-smb1-server --without-smb1-server
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.

%if 0%{?suse_version} > 1500
    --without-smb1-server \
%endif
On 04. 11. 22, 15:45, Andrei Borzenkov wrote:
On 04.11.2022 17:03, Bryan Thoreson wrote:
It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:
--with-smb1-server --without-smb1-server
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
%if 0%{?suse_version} > 1500
    --without-smb1-server \
%endif
So nothing prevents you (not "you" namely, but the reporter) to link the pkg and remove the line. It's unlikely that this default will change.

For similar reasons, I linked qemu and added "server min protocol = NT1" to qemu's default samba config. To support winXP. bug 1156872, FTR.

regards,
--
js
suse labs
js,
Is there some documentation on how to do this? I've never had a need to make a custom pkg until now.
Bryan

On 11/7/22 01:19, Jiri Slaby wrote:
On 04. 11. 22, 15:45, Andrei Borzenkov wrote:
On 04.11.2022 17:03, Bryan Thoreson wrote:
It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:
--with-smb1-server --without-smb1-server
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
%if 0%{?suse_version} > 1500
    --without-smb1-server \
%endif
So nothing prevents you (not "you" namely, but the reporter) to link the pkg and remove the line. It's unlikely that this default will change.
For similar reasons, I linked qemu and added "server min protocol = NT1" to qemu's default samba config. To support winXP. bug 1156872, FTR.
regards,
On Monday, 7 November 2022, 13:18:15 CET, Bryan Thoreson wrote:
Is there some documentation on how to do this? I've never had a need to make a custom pkg until now.
https://en.opensuse.org/Portal:Packaging may be a good starting point
On 07.11.22 at 13:18, Bryan Thoreson wrote:
js,
Is there some documentation on how to do this? I've never had a need to make a custom pkg until now.
Bryan
On 11/7/22 01:19, Jiri Slaby wrote:
On 04. 11. 22, 15:45, Andrei Borzenkov wrote:
On 04.11.2022 17:03, Bryan Thoreson wrote:
It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:
--with-smb1-server --without-smb1-server
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
%if 0%{?suse_version} > 1500
    --without-smb1-server \
%endif
So nothing prevents you (not "you" namely, but the reporter) to link the pkg and remove the line. It's unlikely that this default will change.
For similar reasons, I linked qemu and added "server min protocol = NT1" to qemu's default samba config. To support winXP. bug 1156872, FTR.
regards,
you may could use this, it's written "samba with smb1"

https://build.opensuse.org/package/show/home%3Alaxity/samba

only to clarify, i do not know "alaxity" and have not checked what else is different here, so your own risk, and/or contact him.

simoN
--
www.becherer.de
On 07.11.22 at 08:19, Jiri Slaby wrote:
On 04. 11. 22, 15:45, Andrei Borzenkov wrote:
On 04.11.2022 17:03, Bryan Thoreson wrote:
It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:
--with-smb1-server --without-smb1-server
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
%if 0%{?suse_version} > 1500
    --without-smb1-server \
%endif
So nothing prevents you (not "you" namely, but the reporter) to link the pkg and remove the line. It's unlikely that this default will change.
Yes, of course. But this will proliferate package branching even further. network:samba:STABLE/samba is already branched 49 times at the moment.

If a package is branched too many times, it is probably a sign that the original package does not meet the needs of the users. Every time the samba package changes, all 49 branches need to re-compile ...

I would question the above hunk. SMB1 support needs to be explicitly activated in the smb.conf even without the above hunk. So this is a conscious decision of the user, no additional security will be gained.
For similar reasons, I linked qemu and added "server min protocol = NT1" to qemu's default samba config. To support winXP. bug 1156872, FTR.
regards,
On Monday 2022-11-07 17:34, Manfred Schwarb wrote:
But this will proliferate package branching even further. network:samba:STABLE/samba is already branched 49 times at the moment.
If a package is branched too many times, it is probably a sign that the original package does not meet the needs of the users.
On the contrary. If you look at e.g. Github, you will find that many users just fork repos for no apparent reason. Thousands of repos have the headline "This branch is 1234 commits behind thesource:master." and only a few have "This branch is up to date with thesource:master." or "This branch is 8 commits ahead, 1234 commits behind thesource:master." (the names don't matter. pick "develop" or something instead of "master", whatever is applicable to a particular repo forest)
Every time the samba package changes, all 49 branches need to re-compile ...
Seems like it's an OBS anti-feature. When issuing `osc branch`, you get a _link file that contains

<link project="origin" baserev="092e23b58e1c124cb45e8f34c30b671a">

I don't know why this is not enough for version pinning. It actually takes

<link project="origin" package="abc" rev="5">

to get the desired behavior that things don't rebuild (just like your branches on Github don't autoadvance when origin pushes).
On Nov 07 2022, Jan Engelhardt wrote:
Seems like it's an OBS anti-feature. When issuing `osc branch`, you get a _link file that contains
<link project="origin" baserev="092e23b58e1c124cb45e8f34c30b671a">
baserev is used for merging, to record the merge base (and is required for <branch> links). This is unrelated to pinning.
I don't know why this is not enough for version pinning. It actually takes
<link project="origin" package="abc" rev="5">
You get that with osc setlinkrev.

--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
I'm moving forward with two solutions. First option for now is a custom Samba build using OBS. Here's my repo for Tumbleweed x86_64 if anyone is interested.

https://build.opensuse.org/package/show/home:bgthoreson/samba-with-smb1

OBS was much easier than I expected which was awesome.

Second option is to keep the Leap vm I created and keep it static and isolated to accept SMB1 just from my printer.

On 11/8/22 02:50, Andreas Schwab wrote:
On Nov 07 2022, Jan Engelhardt wrote:
Seems like it's an OBS anti-feature. When issuing `osc branch`, you get a _link file that contains
<link project="origin" baserev="092e23b58e1c124cb45e8f34c30b671a">
baserev is used for merging, to record the merge base (and is required for <branch> links). This is unrelated to pinning.
I don't know why this is not enough for version pinning. It actually takes
<link project="origin" package="abc" rev="5">
You get that with osc setlinkrev.
On 08.11.22 at 17:53, Bryan Thoreson wrote:
I'm moving forward with two solutions. First option for now is a custom Samba build using OBS. Here's my repo for Tumbleweed x86_64 if anyone is interested. https://build.opensuse.org/package/show/home:bgthoreson/samba-with-smb1
OBS was much easier than I expected which was awesome.
Second option is to keep the Leap vm I created and keep it static and isolated to accept SMB1 just from my printer.
Hi bryan,

thanks, will use it after next update, think it will be end of this year, or beginning next year.

.... and if i will find some time in the next 10 years ;-))) i will ask you how to start with obs

simoN
--
www.becherer.de
-----------------------------------------------
- This is the provisionally final version! -
Herbert C. Maier Dipl.-Ing. (FH)
-----------------------------------------------
On 04.11.22 at 14:50, Larry Len Rainey wrote:
It used to support SMB1 if the /etc/samba/smb.conf had the line "min protocol = NT1" - has that option been removed?
Does it work if it is added? (you can change the smb.conf files and do a "systemcfg restart smb nmb" to force samba to restart with the updated config file.)
at least as client it still works.

in the /etc/samba/smb.conf of my notebook i have this NT1 setting enabled and i am able to browse/open the shares i need, which are still using SMB1 protocol.

at least, the last time i spoke with sysadmin about the shares, he told me, they are still using SMB1.

--
Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | Atenciosamente | Saludos Cordiales
*DI Rainer Klier*
DevOps, Research & Development
In my case I'm running a Samba server on my Tumbleweed desktop. Below is a copy of my smb.conf Globals and scanner-upload Share section. I have confirmed I'm able to connect to my shares via SMB2 just not SMB1

[global]
    workgroup = WORKGROUP
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    security = user
    wins support = yes
    usershare max shares = 100
    netbios name = LINUX-THOR
    client min protocol = NT1
    server min protocol = NT1
    local master = yes
    preferred master = yes

[scanner-upload]
    inherit acls = Yes
    path = /iDrive/scanner-upload
    read only = No
    follow symlinks = Yes
    browseable = yes
    guest ok = no
    create mask = 0600
    directory mask = 0700

On 11/4/22 09:14, Rainer Klier wrote:
On 04.11.22 at 14:50, Larry Len Rainey wrote:
It used to support SMB1 if the /etc/samba/smb.conf had the line "min protocol = NT1" - has that option been removed?
Does it work if it is added? (you can change the smb.conf files and do a "systemcfg restart smb nmb" to force samba to restart with the updated config file.)
at least as client it still works.
in the /etc/samba/smb.conf of my notebook i have this NT1 setting enabled and i am able to browse/open the shares i need, which are still using SMB1 protocol.
at least, the last time i spoke with sysadmin about the shares, he told me, they are still using SMB1.
On 04.11.22 at 15:34, Bryan Thoreson wrote:
In my case I'm running a Samba server on my Tumbleweed desktop. Below is a copy of my smb.conf Globals and scanner-upload Share section. I have confirmed I'm able to connect to my shares via SMB2 just not SMB1
[scanner-upload]
    inherit acls = Yes
    path = /iDrive/scanner-upload
    read only = No
    follow symlinks = Yes
    browseable = yes
    guest ok = no
    create mask = 0600
    directory mask = 0700
only a suggestion (i am on a older samba version but will hit your problem in near future)

are you sure you are using samba 1, or "only" the old authentication modes from samba 1?

in my case (opposite way than yours) accessing windows98share with tumbleweed samba only way to get it to work was to disable passwords at all.

so maybe you could try to disable password for the scanner share (if you are in a safe environment (because smb1 is insecure you could also remove passwords at all and should not lose security)

i am hard interested in your solution otherwise i am not able to update samba for recent tumbleweed, i have also samba shares where i have to get access from windows 98.

if nothing will help, maybe a virtual qemu-raspberry and: https://github.com/danmons/retronas will be the overkill, but solve the problem.

but to discuss this a support list would be the correct place.

simoN
--
www.becherer.de
-----------------------------------------------
- This is the provisionally final version! -
Herbert C. Maier Dipl.-Ing. (FH)
-----------------------------------------------
On Friday 2022-11-04 18:08, Simon Becherer wrote:
In my case I'm running a Samba server on my Tumbleweed desktop. [..] I have confirmed I'm able to connect to my shares via SMB2 just not SMB1
only a suggestion (i am on a older samba version but will hit your problem in near future)
are you sure you are using samba 1, or "only" the old authentication modes from samba 1?
SMB is a protocol. It is not to be confused with Samba (an implementation of/for/with SMB protocol functionality). Nobody should remember Samba 1.x, except maybe those people that ran SUSE Linux 5.3 in 1998 (had samba-1.9.18).
I did a quick test with a Leap 15.4 Jeos virtual machine running samba-4.15.8+git.527.8d0c05d313e-150400.3.14.1.x86_64

This samba config works but does not with the latest 4.17 that was built using the --without-smb1-server.

[global]
    workgroup = WORKGROUP
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = Yes
    security = user
    server min protocol = NT1

[scanner-upload]
    inherit acls = Yes
    path = /iDrive/scanner-upload
    read only = No
    follow symlinks = Yes
    browseable = yes
    guest ok = no
    create mask = 0600
    directory mask = 0700
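The mismatch this thread ran into, as an added example (not code from any poster or from the Samba project): a small audit that reads an smb.conf and reports whether its SMB1 settings can take effect on the server and client side. The `smbd_has_smb1` flag is an assumption supplied by the caller (False for a build configured with --without-smb1-server), and the sample config is a constructed excerpt reduced from the settings posted above.

```python
# Added example: does an smb.conf SMB1 setting actually take effect?
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # all pre-SMB2

def parse_global(conf_text):
    """Return [global] parameters; keys lowercased with whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(conf_text, smbd_has_smb1):
    """smbd_has_smb1 is supplied by the caller (assumption): False when smbd
    was configured with --without-smb1-server, as in the Tumbleweed build."""
    p = parse_global(conf_text)
    # "min protocol" is a synonym for "server min protocol" in smb.conf.
    server_min = p.get("serverminprotocol", p.get("minprotocol", "")).upper()
    client_min = p.get("clientminprotocol", "").upper()
    findings = []
    if server_min in SMB1_DIALECTS and smbd_has_smb1:
        findings.append(f"server: SMB1 enabled (min protocol {server_min})")
    elif server_min in SMB1_DIALECTS:
        findings.append(f"server: min protocol {server_min} has no effect, "
                        "smbd was built without SMB1; SMB1-only clients fail")
    if client_min in SMB1_DIALECTS:
        # Client libraries keep SMB1 support regardless of the server build.
        findings.append(f"client: SMB1 allowed (min protocol {client_min})")
    return findings

# Constructed sample, reduced from the [global] section posted in the thread.
SAMPLE = """\
[global]
    workgroup = WORKGROUP
    security = user
    client min protocol = NT1
    server min protocol = NT1
[scanner-upload]
    path = /iDrive/scanner-upload
    guest ok = no
"""

if __name__ == "__main__":
    for has_smb1 in (True, False):
        print(has_smb1, audit(SAMPLE, has_smb1))
```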
participants (10): Andreas Schwab, Andrei Borzenkov, Axel Braun, Bryan Thoreson, Jan Engelhardt, Jiri Slaby, Larry Len Rainey, Manfred Schwarb, Rainer Klier, Simon Becherer