Web lists-archives.com

Re: [Samba] Can't connect after Ubuntu 18.04.1 Upgrade???

On Mon, 20 Aug 2018 18:38:53 +0000 (UTC)
Thomas Rieff via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thanks for the replys... 
> Just a basic samba server...being accessed by windows 7 to the gc and
> tmr shares with \\\gc and \\\tmr This has been
> running for a year without any issues...till the update yesterday
> afternoon :-( The file server is Ubuntu 18.04 and there was an update
> to Ubuntu 18.04.1, which I thought would be a mild step. The current
> version of samba is... Samba version 4.7.6-Ubuntu, don't know what it
> was before, thought it was up to date??? Below is the testparm and
> the dump of configurations. Also, I do see an error in the one log
> below. Hope all is well. Tom 
> root@gc9:~# testparm 
> Server role: ROLE_STANDALONE 
> # Global parameters 
> [global] 
> dns proxy = No 
> log file = /var/log/samba/log.%m 
> map to guest = Bad User 
> max log size = 1000 
> obey pam restrictions = Yes 
> pam password change = Yes 
> panic action = /usr/share/samba/panic-action %d 
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u server role = standalone server 
> server string = %h server (Samba, Ubuntu) 
> syslog = 0 
> unix password sync = Yes 
> usershare allow guests = Yes 
> wins support = Yes 
> workgroup = CLS 
> idmap config * : backend = tdb 

If you check the Ubuntu changelog, you will find this:

samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.2) bionic-security; urgency=medium
  * SECURITY UPDATE: Weak authentication protocol allowed
    - debian/patches/CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1
      and add tests.
    - CVE-2018-1139

The default setting for ntlm auth is ntlmv2-only, but before the
update, even though it wasn't really allowed by the default setting,
NTLMv1 worked, now it doesn't. I think it is highly likely your
clients are using NTLMv1.
You can easily test this, add 'ntlm auth = yes' to smb.conf and
restart. If this cures your problem, then you have two choices, leave
it alone and put up with a possibly insecure server, or fix your
clients to only use NTLMv2 and remove the line from smb.conf.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba