Topic: Samba4 for SME 9.x

[jarkor]

Dear all,

I'd lilke to know if it's possible to have samba4 working under any version of SME v9.x
We need SMB2/3 support for W10/1803, because it works fine at file server access enabling SMB1, but we can't run apps from the SME server (SMB1) that connects to ODBC.

Everything worked fine until update 1803 of W10, we can't rollback, so the only solution I can see is to upgrade samba from v3 to v4.

I've already checked this link: https://wiki.contribs.org/Samba4_Development under "SME Server Samba 4 Packages" but redirects to this page that doesn't exists anymore: https://www.leiengineering.com/repository/smeserver/Packages/Samba4_Alpha7/

Anyone had it working? I don't need AD support for the moment.

Thanks in advance,

[ReetP]

The short answer is no.

There are no rpms for CentOS 6.

Technically you could compile yourself (I can tell you it isn't fun) but it would probably break your SME install. The only real answer in this direction is SME v10, but that is still Alpha and not suitable for production. It also won't get much further without some assistance...... Lots of people want it, but no one wants to help.

However, what doesn't make sense is your ODBC issue.

Exactly what are you doing and where is it going wrong?

I'm just not convinced that your ODBC application sudddenly requires SMB v2/3.

So give us a bit more info please.

[jarkor]

Hi ReetP, thanks for your reply.

The short answer is no.

Great

There are no rpms for CentOS 6.

Technically you could compile yourself (I can tell you it isn't fun) but it would probably break your SME install. The only real answer in this direction is SME v10, but that is still Alpha and not suitable for production. It also won't get much further without some assistance...... Lots of people want it, but no one wants to help.

That's not good news....I've evaluated moving to SME v10 also but I don't like to use an alpha release in production...
Well I'm not a dev but I can do some testing if needed, I'm a sme server user since a lot of years.

However, what doesn't make sense is your ODBC issue.

Exactly what are you doing and where is it going wrong?

I'm just not convinced that your ODBC application sudddenly requires SMB v2/3.

So give us a bit more info please.

Basically you can find details about the issue in the following topics, there are lots in the internet.

http://woshub.com/windows-10-1803-cant-run-exe-files-shared-folders/
https://social.msdn.microsoft.com/Forums/en-US/80d86b3b-28ff-4abe-945f-a1efccb5cf8e/rs41803windows-10-1803-wont-run-odbc-sql-connected-application-from-network?forum=windowsgeneraldevelopmentissues

Anyway I will describe the issue trying to simplify:
- In the SME server we have an app (from a 3rd party provider, written in Clarion) and firebird (FirebirdSS-2.5.6.27020-0.i686) for the DB of that app
- The app runs from a mapped drive in windows (something like V:\app\app.exe, where V: is mapped to a shared resource on the SME server \\server\app)
- Until release 1803 of W10 everything worked fine
- When the workstations updated to W10 1803, the app sttoped working, in our scenario, and according to the app dev provider, in other customers with windows servers also.
The app runs, in fact, but when you try to use any function that connects to the Firebird DB, it trows an error like this: "File (SQLFILEadm) coudn't be opened. Error: Unable to complete network request to host "172.16.1.150". Failed to stablish a connection. (08004). Press OK to end this application."
- Testing the ODBC connection (for example with fenixsql) in this scenario is OK, and also we can connect to the DB without any issues.
- In the windows servers, they've enabled SMB v2 at registry level and the app started working again without any further modifications.
- In the SME server, and in the W10/1803 workstation, I've tried lots of different configurations, without success....Since I can't connect to the SME Server in any dialect higher that 1.5 (SMBv1) I don't know if there's anything else I can try.

Thanks for your comments, and have a nice week.
Best regards,

[ReetP]

So it isn't that the applications needs SMB v2/3 as they have not changed.

Have you read on the forums here about needing to make sure the SMB v1 client is added to W10 and I think there are some registry hacks too? There are a number of posts on the subject:

eg

https://forums.contribs.org/index.php/topic,53628.0.html

Re v10 you can't move to it as it is in Alpha. It is not all ready for any serious use.

However, to help development you can get a copy, install, and start testing. Look for bugs in the tracker to test/verify and see what else you can find.

It won't happen by itself.

[jarkor]

So it isn't that the applications needs SMB v2/3 as they have not changed.

Well of course it's a W10/1803 issue, but using SMB v1 is not a solution, because there's something else....I think that some policy was added related to network connections or the ODBC, not only SMB v1. Just guessing.
And that w10/1803 is not able to negotiate SMB v2 with SME server.

Having all the vulnerabilities found on older SMB protocols, I think that the best way is to move to samba4 / SMBv3..

Have you read on the forums here about needing to make sure the SMB v1 client is added to W10 and I think there are some registry hacks too? There are a number of posts on the subject:

eg

https://forums.contribs.org/index.php/topic,53628.0.html

Yes, Ive checked and tested everything I saw, otherwise if we didn't enable SMB v1 we can't access the SME Server using SMB as a File Server. Thanks for noting it, anyway.

Re v10 you can't move to it as it is in Alpha. It is not all ready for any serious use.

However, to help development you can get a copy, install, and start testing. Look for bugs in the tracker to test/verify and see what else you can find.

It won't happen by itself.

Of course. I will do some testing and report if I find any issues.
Best regards,

[Jean-Philippe Pialasse]

there are some samba 4 packages available from centos but they do not allow a full installation, create conflict with samba3 packages  and are not up to date.

Recent version of samba 4 are not buildable on centos6 sme server 9 as they requires a huge amount of dependencies that are not available on centos6.


Do not move to SME 10 for a production server, this is not a matter of  "will it break?" 
This is alpha software, so this is a matter of IT WILL BREAK and mostly numerous times, and I do not speak about is it secure, we are not even at this level of verification in the development process. It will be far more secure currently to use SMB1 than using SME Server 10 in production, even with SME10 we have only confirmation of it working with W10 using SMB1 and failure with SMB2.

Why only alpha? because I have been mainly the one coding on it in the past 2 years and only on spare time. So you are more than welcome to install a SME 10 and start helping on making it workable and secured, but please do not put this in production with your data.

[ReetP]

I think I might be right in saying that the risks with SMB v1 are only really an issue if you are letting those packets off site to a remote malicious SMB server (and using Windows machines)

So a show of hands for all those people who let SMB packets get out through their firewall please?

[jarkor]

I think I might be right in saying that the risks with SMB v1 are only really an issue if you are letting those packets off site to a remote malicious SMB server (and using Windows machines)

So a show of hands for all those people who let SMB packets get out through their firewall please?

You're right ReetP about that point, not sure if the windows endpoints turns vulnerable in the LAN enabling SMB v1
Anyway, in the described scenario, our app is not running when using SMB v1, and going to a higher SMB version is the only way to follow, I think, unless someone else discover the issue or micro$oft releases a patch for this incident.

[Sparkey]

It is my understanding that the issue with SMBv1 is on the server side.  So if you do not allow connections outside of your internal network, there should not be a problem.

----------------------------------------------------------------------------
MS10-020  Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)

Critical - Remote Code Execution This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.

[ReetP]

You're right ReetP about that point, not sure if the windows endpoints turns vulnerable in the LAN enabling SMB v1
Anyway, in the described scenario, our app is not running when using SMB v1, and going to a higher SMB version is the only way to follow, I think, unless someone else discover the issue or micro$oft releases a patch for this incident.

Regrettably it would seem that this is a disaster of M$ own making (and now you know why I abandoned the M$ d$llar making machine a long time ago)

There was no need to wreck apps. There should have been clearly documented configs to show you what had changed, why, and how to change it back if required.

I still believe that this is essentially a Windows only issue and SME itself is not fundamentally broken.

You made no changes to your apps, so it is not as if they suddenly required SMB v2 or 3 overnight by themselves. It is Windows that is blocking access.

Clearly this has affected a lot if users. And it seem that some think M$ will release a fix, though who knows.

They have been informed, and said they're working on it. Let's cross fingers and buy a book about Linux

Equally, bearing in mind that CentOS 6 is supported for a few more years, RH should probably have made some inroads into making it SMB v3 capable after the SMB v1 vulnerabilities came to light.

[ReetP]

It is my understanding that the issue with SMBv1 is on the server side.  So if you do not allow connections outside of your internal network, there should not be a problem.

Yup.

HOWEVER, M$ has pulled lots of SMB v1 support out of W10 and buggered the connections, so it matters not where connections go right now

It's a M$ issue fundamentally, but frustrating that there is not a SME solution to it here and now.

[ReetP]

FYI JPP is having a look to see if Samba  can be built on SME v9.

https://bugs.contribs.org/show_bug.cgi?id=10594

It transpires that there ARE Samba 4 packages for CentOS now (Missed that fact)

But don't get your hopes too high just yet... there will need to be a lot of work done to try and make it work correctly - you can't just install and expect it to work.

Equally, DO get your self a test box, follow the bug,  and try helping him.

Particularly needs Windows 10 users for testing. And I don't have ANY Windows boxes myself

[Jean-Philippe Pialasse]

well the main issue persist : without samba 4 here only provide SMB3_00, and Windows 10 negotiate for SMB3_11.

However, during the negotiation they should find a protocol between SMB2 and SMB3_00 but this seems to fail...

I believe there are more modification to do either on windows registry or samba configuration...

[jarkor]

FYI JPP is having a look to see if Samba  can be built on SME v9.

https://bugs.contribs.org/show_bug.cgi?id=10594

It transpires that there ARE Samba 4 packages for CentOS now (Missed that fact)

But don't get your hopes too high just yet... there will need to be a lot of work done to try and make it work correctly - you can't just install and expect it to work.

Equally, DO get your self a test box, follow the bug,  and try helping him.

Particularly needs Windows 10 users for testing. And I don't have ANY Windows boxes myself

Good news, installing and testing....
I have a w10 vm to do the testing....

Thanks!

[jarkor]

well the main issue persist : without samba 4 here only provide SMB3_00, and Windows 10 negotiate for SMB3_11.

However, during the negotiation they should find a protocol between SMB2 and SMB3_00 but this seems to fail...

I believe there are more modification to do either on windows registry or samba configuration...

I agree.
I've just installed, now the SMB server looks fine:

server max protocol = SMB3
server min protocol = LANMAN1

But W10 is unable to negotiate, I can't access shared resources. From a W7 workstation, everything is OK.
I'll try to check some settings later.

Best,

[ReetP]

Jarkor,

If you are testing please put your notes on the bug so we can track progress.

Devs don't necessarily check the forums regularly, but we all get a mail every time you comment on a bug so you are going to get a faster reaction there than here.

[Stefano]

According to many sites, the min protocol must be smb2

[jarkor]

Jarkor,

If you are testing please put your notes on the bug so we can track progress.

Devs don't necessarily check the forums regularly, but we all get a mail every time you comment on a bug so you are going to get a faster reaction there than here.

Thanks ReetP, noted.

regards,

[jarkor]

According to many sites, the min protocol must be smb2

Setting:
server min protocol = SMB2

we got the same issue.
Thanks

[Jean-Philippe Pialasse]

According to many sites, the min protocol must be smb2

Stefano can you point some ?

[TerryF]

Looks interesting:

https://www.riedmann.it/blog/?p=303

[jarkor]

Looks interesting:

https://www.riedmann.it/blog/?p=303

Yes, it's exactly the same issue we're having, anyway, for us under SME 9.x with samba3 or samba4, setting the option:

Code: [Select]

max protocol = SMB2
dind't help at all

[Jean-Philippe Pialasse]

https://blogs.technet.microsoft.com/josebda/2015/05/05/whats-new-in-smb-3-1-1-in-the-windows-server-2016-technical-preview-2/

https://social.technet.microsoft.com/Forums/windows/en-US/58ca8cfa-a013-4b65-80de-622943127cc4/1703-update-smbcifs-shares-inaccessible?forum=win10itpronetworking

https://serverfault.com/questions/895570/how-to-configure-samba-to-work-with-windows-10-1709

https://forum.nas-central.org/viewtopic.php?f=249&t=21821

For the obdc issue https://social.technet.microsoft.com/Forums/windows/en-US/4c2a029b-327a-4ad7-a2ce-7bd4fcc25226/windows-10-after-update-1803-odbc-sql-server-connect-problem?forum=win10itprogeneral

[Jean-Philippe Pialasse]

https://lists.samba.org/archive/samba/2015-September/193886.html

Samba 4.3 minimum for windows 10

[ReetP]

Some KB aeticles here

https://www.theregister.co.uk/2018/06/08/windows_10_smb1/

[TerryF]

One can but be eternally hopeful, see not at end of article:

https://support.microsoft.com/en-nz/help/4284835/windows-10-update-kb4284835

[TerryF]

More reading, but getting closer..

https://social.msdn.microsoft.com/Forums/ie/en-US/80d86b3b-28ff-4abe-945f-a1efccb5cf8e/rs41803windows-10-1803-wont-run-odbc-sql-connected-application-from-network?forum=windowsgeneraldevelopmentissues

This relates to another post/bug that had this exact problem

[TerryF]

Latest update for Win 10 2018-06 Cumulative Update for Windows Server 2016 (1803) for x64-based Systems (KB4284848)

Reported as fixing issues raised with r1803

Added: see comments at end re this update : https://social.msdn.microsoft.com/Forums/ie/en-US/80d86b3b-28ff-4abe-945f-a1efccb5cf8e/rs41803windows-10-1803-wont-run-odbc-sql-connected-application-from-network?forum=windowsgeneraldevelopmentissues