Web lists-archives.com

Re: [Samba] Can't connect after Ubuntu 18.04.1 Upgrade???




On Mon, 20 Aug 2018 18:38:53 +0000 (UTC)
Thomas Rieff via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> Thanks for the replys... 
> Just a basic samba server...being accessed by windows 7 to the gc and
> tmr shares with \\10.10.171.9\gc and \\10.10.171.9\tmr This has been
> running for a year without any issues...till the update yesterday
> afternoon :-( The file server is Ubuntu 18.04 and there was an update
> to Ubuntu 18.04.1, which I thought would be a mild step. The current
> version of samba is... Samba version 4.7.6-Ubuntu, don't know what it
> was before, thought it was up to date??? Below is the testparm and
> the dump of configurations. Also, I do see an error in the one log
> below. Hope all is well. Tom 
> 
> root@gc9:~# testparm 
> Server role: ROLE_STANDALONE 
> 
> # Global parameters 
> [global] 
> dns proxy = No 
> log file = /var/log/samba/log.%m 
> map to guest = Bad User 
> max log size = 1000 
> obey pam restrictions = Yes 
> pam password change = Yes 
> panic action = /usr/share/samba/panic-action %d 
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u server role = standalone server 
> server string = %h server (Samba, Ubuntu) 
> syslog = 0 
> unix password sync = Yes 
> usershare allow guests = Yes 
> wins support = Yes 
> workgroup = CLS 
> idmap config * : backend = tdb 
> 

If you check the Ubuntu changelog, you will find this:

samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.2) bionic-security; urgency=medium
..............
........
  * SECURITY UPDATE: Weak authentication protocol allowed
    - debian/patches/CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1
      and add tests.
    - CVE-2018-1139

The default setting for ntlm auth is ntlmv2-only, but before the
update, even though it wasn't really allowed by the default setting,
NTLMv1 worked, now it doesn't. I think it is highly likely your
clients are using NTLMv1.
You can easily test this, add 'ntlm auth = yes' to smb.conf and
restart. If this cures your problem, then you have two choices, leave
it alone and put up with a possibly insecure server, or fix your
clients to only use NTLMv2 and remove the line from smb.conf.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba