Koozali.org formerly Contribs.org

Windows, Samba 4, SMB v3 and all that jazz

Offline ReetP

« on: August 16, 2018, 07:06:10 PM »
Ok, I know all you Windows people out there have had your issues, and clearly the good ole boys at M$ don't give a flying toss about your woes. I don't have Windows either, so it is a strange place I find myself in. But I love a challenge :-)

I've been messing with docker for a while and have rocketchat running on it, and now a hubot (well, once they fix their friggin regression they introduced in Rocket to break it!!!)

Having messed with trying to compile Samba 4 for CentOS 6 (don't bother - it's a nightmare) I wondered if there were any Samba 4 docker instances kicking about which might give you a Samba service in a docker container.

Now, as luck would have it, it seems there are more than a few :-)

However, nothing in life is simple. The instances want to run their own shares, own smb.conf files etc.

After a lot of wrangling I have finally managed to get an instance up and running and be able to connect to it from SME server.

So here is a lookup from SME (v9.2) using smbclient to a S4 docker container:

Quote
[root@test httpd.conf]# smbclient -L localhost -U smbuser
Enter smbuser's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Windows 6.1] Server=[Samba 4.8.2]

   Sharename       Type      Comment
   ---------       ----      -------
   IPC$            IPC       IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Windows 6.1] Server=[Samba 4.8.2]

   Server               Comment
   ---------            -------
   TEST                 Samba Server

   Workgroup            Master
   ---------            -------
   MYGROUP              TEST

Next was to map the real server samba directory to the container. There are a few wriggles that need modding (guests, printcap, mapped directories etc) but it basically works

Quote
[root@test ~]# smbclient -L localhost -U smbuser
Enter smbuser's password:
Anonymous login successful
Domain=[SME-SERVER] OS=[Windows 6.1] Server=[Samba 4.8.2]

   Sharename       Type      Comment
   ---------       ----      -------
   print$          Disk      Printer drivers
   Primary         Disk      Primary i-bay
   testbay         Disk      testbay
   IPC$            IPC       IPC Service (SME Server)
Anonymous login successful
Domain=[SME-SERVER] OS=[Windows 6.1] Server=[Samba 4.8.2]

   Server               Comment
   ---------            -------
   TEST                 SME Server

   Workgroup            Master
   ---------            -------
   SME-SERVER           

Next I need to somehow get the container to use the local passwd files that it wants.

And then get the damn docker image I built to run automatically.

I have no idea whether this will end up in any form of success, but it is the closest we currently have to S4 on SME v9.

If you have any docker experience, or Alpine linux (it's the core for a lot of docker services), then please speak to me cos I really need a hand :-)

If I get the image auto running I'll post links accordingly.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

« Reply #1 on: August 18, 2018, 05:03:34 PM »
Well, I have some progress.

First things first though.

Whilst working on this it suddenly dawned on me the biggest issue for Windows users.

There are NO Domain Logons available with Samba 4. None. Zip. Nada.

Samba 4 does not replicate the old PDC.

So, you have two options with Samba 4.

1. Standard Workgroups, just like the old days. This should be easily reproducible with Samba 4. If like me you run Linux desktops you can use stuff like SSSD and LDAP authent.

2. Samba 4 AD. This is 'the way forward' (apparently). It is what M$ want, and Redhat I guess. This replicates Windows AD. It isn't without its issues though, as Greg discovered when experimenting with it.

eg https://wiki.contribs.org/Samba4_Development -  Search for Samba 4 on the wiki for more info.

This has its own implementation of LDAP and lots of other stuff. It is probably the way to go, because that is what users/admins will want, but you can see from the above page the amount of work it will take.

Anyways, all that notwithstanding I have got a Proof of Concept Docker Samba 4 Non AD container running on a test server. I have even managed to write a file from my linux desktop over ipsec to the remote server using SMB.

It still has loads of things to work out, but it fundamentally works.

However, the big problem so far is that in tests with Terry the Tester he can't as yet get Windows 10 to see it.

If he can get to view a share I will post some instructions here for people with VMs and time on their hands.

If you want to have a play then mail me directly (get my email from bugzilla) and I will give you directions. However, as it is highly experimental and flakey as, I won't post it for wider consumption as yet as there will be too many questions on how to set it up, rather than actually testing it.

I'll be back when I have some more news.

Offline Daniel B.

« Reply #2 on: August 18, 2018, 05:43:40 PM »
Quote
There are NO Domain Logons available with Samba 4. None. Zip. Nada.

Samba 4 does not replicate the old PDC.

Yes it does. You can run samba4 in the old PDC way (nt4 domain controller). But in this case, it has no advantage compared to samba3.
It's the end of the world !!! :lol:

Offline ReetP

« Reply #3 on: August 18, 2018, 09:54:24 PM »
Quote
Yes it does. You can run samba4 in the old PDC way (nt4 domain controller). But in this case, it has no advantage compared to samba3

Dan, you are right and I had missed something.

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_NT4_PDC_(Quick_Start)
https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains

I have been trying to work out if it is possible to run Samba 4 to mimic the old Samba 3 style and let Windows boxes that have been hobbled connect to SME. With Samba v3 it doesn't look like new domain logons are possible whatever anyone tries? I presume that with Samba 4 if you restore SMB v1 and various bits to W10 it will connect to Samba 4?

I don't have any Windows so a bit stuffed with testing.

There are two issues at least I can see in mimicking the old style.

First is how to modify the existing smb.conf from Samba 4 to mimic the old style ?

Second is assuming I can actually do that, will it actually work?

I have Samba 4 effectively running as a service now using the existing host settings. It runs under docker and seems to stop, start, & restart OK. So it is currently a case of trying to figure how to set up the smb.conf settings correctly, and map any existing stuff such as the files in /var/lib/samba?

In the docker container I mapped /etc/samba to /etc/samba in the container so it uses the host smb.conf.

However, I know there are a load of tdb files in the host in /var/lib/samba but the container seems to be using tdb files located in various other locations.
eg

/home/e-smith/files/docker/devicemapper/mnt/461a05e611167b0ebac537939c785d4f46172f01e6dbb5294434dcc7f2a17d49/rootfs/var/cache/samba/names.tdb
(this seems to have been mapped to /var/cache/samba in the container)

/home/e-smith/files/docker/volumes/148348ac1e3bdd9367ebbb453b9495ed8b64a5a39bb51c580b04dfbf7f079aee/_data/registry.tdb

Any tips or pointers welcome....

(note to self)
https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows

Offline ReetP

« Reply #4 on: August 20, 2018, 07:12:54 PM »
Well, FWIW I can now connect a Win 7 to S4 using SMB2 in workgroup mode, but not with SMB3.

server min protocol = SMB2
domain logons = no
domain master = yes
server role = standalone

I am *just* using the existing files in /etc/samba currently.

/ # smbstatus

Samba version 4.8.2
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing             
----------------------------------------------------------------------------------------------------------------------------------------
20      john         john         192.168.10.28 (ipv4:192.168.10.28:50321)  SMB2_10           -                    - 

If I change the samba server to minimum version SMB3 it will not connect at present.


Regarding Domain logons.

Yes, you can theoretically logon to a NT style domain on Samba 4 if you use SMB1.

However.

First, this assumes you are running SMB1 and have not previously joined a domain, which is where the issues seem to lie.

I have been messing about with Win 7. It has SMB1 and 2 (at least). I can connect fine to the S4 server now when I am using 'workgroup' mode. I decided to see what happened when I tried to join a Domain, and noticed it immediately sprang up a box asking to join an Active Directory domain. I don't remember that happening before, though I could be wrong.

It set me thinking a little. What if you have SMB1 installed, but if there is a higher version installed/enabled it will default to that and want an AD login?

So I disabled SMB2 using this: Note there are settings for disabling the Server and Workstation components.

https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

A reboot later and no network browsing or ability to connect, and some errors in the Event logs.

"The computer browser service depends on the the Workstation service which failed to start because of the following error
The dependency service does not exist or has been marked for deletion"

"The workstation service depends on the following service: nis
This service might not be installed"

What I am thinking is possibly there is a circular dependency malarkey here. The SMB1 service won't start because most likely the NSI service has a dependency on SMB2, so when you do enable SMB2 the system defaults to using SMB2 and then starts hunting AD stuff for domain logons.

Could have gotten the registry settings completely wrong, so this may be a load of old rubbish, but I haven't touched Windows in years so a bit out of it. (Reminds me I won't be going back either... .!)

Unfortunately I don't have enough bits littered about here to test this properly (the test box is actually across an ipsec link !!!!)

I need to tidy my Docker S4 install a bit more and paste some instructions for use if anyone is actually interested.

Any thoughts welcomed.
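The smbstatus output in the post above shows the Win 7 client on SMB2_10 with "-" in both the Encryption and Signing columns. As an added example (not part of the original post or the poster's setup), this Python parses that session table and flags sessions below a chosen dialect or without signing or encryption; the function name, the SMB3_00 default threshold and the second sample row are assumptions made for illustration.

```python
import re

# Dialect names as smbstatus prints them, oldest first.
DIALECTS = ["NT1", "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]

# One session row: PID, user, group, machine "(transport:addr:port)",
# protocol version, encryption, signing.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<host>\S+)\s+"
    r"\((?P<peer>\S+)\)\s+(?P<proto>\S+)\s+(?P<enc>\S+)\s+(?P<sign>\S+)\s*$"
)

def audit_sessions(smbstatus_text, min_dialect="SMB3_00"):
    """Return (user, host, protocol, [findings]) for each session row."""
    floor = DIALECTS.index(min_dialect)
    report = []
    for line in smbstatus_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, header, separator or blank line
        findings = []
        proto = m["proto"]
        if proto not in DIALECTS:
            findings.append("unrecognised dialect " + proto)
        elif DIALECTS.index(proto) < floor:
            findings.append("dialect below " + min_dialect)
        if m["enc"] == "-":
            findings.append("no encryption")
        if m["sign"] == "-":
            findings.append("no signing")
        report.append((m["user"], m["host"], proto, findings))
    return report

# First row is the session shown in the post; the second row is constructed
# for contrast (user, address and cipher columns are illustrative).
SAMPLE = """\
Samba version 4.8.2
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
20      john         john         192.168.10.28 (ipv4:192.168.10.28:50321)  SMB2_10           -                    -
31      alice        alice        192.168.10.40 (ipv4:192.168.10.40:50412)  SMB3_11           AES-128-CCM          partial(AES-128-CMAC)
"""

if __name__ == "__main__":
    for user, host, proto, findings in audit_sessions(SAMPLE):
        print(user, host, proto, "; ".join(findings) or "ok")
```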