
Re: [Samba] samba behavior change with version upgrade




Rowland Penny via samba wrote:
On Thu, 7 Jun 2018 14:24:57 -0400
"David H. Durgee via samba" <samba@xxxxxxxxxxxxxxx> wrote:

Rowland Penny via samba wrote:
On Thu, 7 Jun 2018 14:57:34 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

On Thu, 7 Jun 2018 14:51:11 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

On Thu, 7 Jun 2018 15:43:07 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

David,

So only Rowland is allowed to help?? If everybody does that then I'm
feeling really sorry for him. There are lots of people here
with very good knowledge. Even if it's a long post, everything
might be relevant, I suggest you try it. It does not hurt.
Anonymize the config if needed.

I am trying to do two things at once, re-writing the time server
wikipage and reading (and shortening) the smb.conf files I was
sent, give me a few minutes and I will post them with a comment.

Rowland

OK, here are the two smb.conf files without commented lines and
obvious default lines.

This is what the OP should have posted:

MAYA:

[global]
     workgroup = AGI-NET
     server string = %h server (Samba, LinuxMint)
     dns proxy = no
     log file = /var/log/samba/log.%m
     max log size = 2048
     log level = 0
     syslog = 0
     panic action = /usr/share/samba/panic-action %d
     obey pam restrictions = yes
     unix password sync = yes
     passwd program = /usr/bin/passwd %u
     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
     pam password change = yes
     map to guest = bad user
     client lanman auth = yes
     client ntlmv2 auth = no
     lanman auth = yes
     usershare allow guests = yes

[printers]
     comment = All Printers
     browseable = no
     path = /var/spool/samba
     printable = yes
     guest ok = no
     read only = yes
     create mask = 0700

[print$]
     comment = Printer Drivers
     path = /var/lib/samba/printers
     browseable = yes
     read only = yes
     guest ok = no

[testing]
     comment = Samba test shared directory
     read only = no
     locking = no
     path = /var/tmp
     guest ok = yes

SYLVIA:

[global]
     workgroup = AGI-NET
     server string = %h server (Samba, LinuxMint)
     dns proxy = no
     log file = /var/log/samba/log.%m
     max log size = 2048
     log level = 0
     syslog = 0
     panic action = /usr/share/samba/panic-action %d
     server role = standalone server
     obey pam restrictions = yes
     unix password sync = yes
     passwd program = /usr/bin/passwd %u
     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
     pam password change = yes
     map to guest = bad user
     client lanman auth = yes
     client ntlmv2 auth = no
     lanman auth = yes
     usershare allow guests = yes

[printers]
     comment = All Printers
     browseable = no
     path = /var/spool/samba
     printable = yes
     guest ok = no
     read only = yes
     create mask = 0700

[print$]
     comment = Printer Drivers
     path = /var/lib/samba/printers
     browseable = yes
     read only = yes
     guest ok = no

[testing]
     comment = Samba test shared directory
     read only = no
     locking = no
     path = /var/tmp
     guest ok = yes

OK, remove these lines:

     client lanman auth = yes
     client ntlmv2 auth = no
     lanman auth = yes

They are the exact opposites to what you need.

Rowland

I'm not sure of that.  My LAN has two OS/2 systems on it and I mount
network shares from them.  Neither of them use network shared
resources from my linux system, but my linux system must be able to
mount those network shares.  To the best of my knowledge lanman auth
is a requirement for accessing OS/2 shares.  Perhaps given that the
sharing is all from linux to OS/2 one of those can be changed.

Why does it sometimes feel like pulling teeth, you could have said
something earlier.

You are running a very insecure network, give me half an hour and I
will give you all your passwords.

Are these entries of any consequence for another linux mint sylvia
system performing gvfs-mount via gigolo of the testing share?
Likewise they are in both smb.conf files, so why would 4.3.11-Ubuntu
have problems with them that 3.6.25 doesn't?

Probably because the code has changed so much between the two versions,
there were also releases to deal with these CVEs:

CVE-2016-2119 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118

And they were just in the 4.3 release series and they dealt with
authentication.

Try removing the lines (you could just comment them out) restart Samba
and see if it cures your present problem. If it does, you just have to
find a way around the problem of having two out of date servers in
your network.

Rowland

As requested I commented out the lines and rebooted the system. Behavior on sylvia is identical to what it is with those lines enabled.  Next?

Dave

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba