Cannot access shares after upgrading to 1.0

[Chris Archer]

Upgraded from 0.1RC6 to 1.0 on my DNS-323 A1 with working Samba shares.
After upgrade established shares still seemed to be fine.

I noticed that both SMB1 and SMB2 were enabled, so I disabled SMB1, and had to reboot my machine because of some updates.
Since then I can no longer access the shares on either the restarted machine nor another that had not been restarted. Re-enabling SMB1 and restarting the NAS does not help.

Attempts to connect to the Samba shares on the DNS-323 A1 from my machine return the following error:

"Unhandled error message. Failed to retrieve share list from server: Connection timed out"


On the NAS, log.smbd shows:

[2017/06/29 09:32:23,  0] smbd/server.c:1072(smbd_main)
  smbd version 3.6.25 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2017/06/29 09:32:23.148487,  1] ../lib/util/charset/codepoints.c:60(load_case_tables_library)
  Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
[2017/06/29 09:32:23.149427,  1] ../lib/util/charset/codepoints.c:64(load_case_tables_library)
  Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
[2017/06/29 09:33:50.823938,  0] smbd/negprot.c:706(reply_negprot)
  No protocol supported !


log.nmbd shows:

[2017/06/29 09:32:22,  0] nmbd/nmbd.c:861(nmbd_main)
  nmbd version 3.6.25 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2017/06/29 09:32:23,  1] ../lib/util/charset/codepoints.c:60(load_case_tables_library)
  Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
[2017/06/29 09:32:23,  1] ../lib/util/charset/codepoints.c:64(load_case_tables_library)
  Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules

[Chris Archer]

I also can no longer get to the SWAT utility, e.g. press Services -> Network -> smb -> Configure -> Advanced

Firefox throws an error about invalid certificate (unknown issuer) and refuses to add an exception.

Chris.

[Chris Archer]

RESOLVED by sheer persistence :-)

1. Based on Paulo's problem with not seeing the SMB1 and SMB2 check-boxes because of an older version of Samba, i decided to see what samba packages I had installed and their versions.
Uninstalled samba-modules 3.5.22 and samba-doc 3.5.22 (first had to uninstall nuts, which I had installed a LONG time ago to try to monitor UPS and seems to have some sort of dependency relationship)

2. Checked error

[2017/06/29 09:33:50.823938,  0] smbd/negprot.c:706(reply_negprot)
  No protocol supported !

and found
https://forums.freenas.org/index.php?threads/smbd-no-protocol-supported.22349/
which suggested the error could be resolved by ensuring SMB1 was enabled. Sure enough, enabling SMB1 resolved the problem and I can now access shares.
but, I can see from smb.conf that

    #min protocol = SMB2
   
    server signing = auto
    client signing = auto
    client ipc signing = auto
    max protocol = SMB2

I'm not sure if enabling SMB1 is safe given the recent Samba issues (WannaCry?) that suggest it should be disabled, but for now it seems necessary.

The following also still show in the smbd and nmbd logs

[2017/06/30 01:27:33.923856,  1] ../lib/util/charset/codepoints.c:60(load_case_tables_library)
  Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
[2017/06/30 01:27:33.924809,  1] ../lib/util/charset/codepoints.c:64(load_case_tables_library)
  Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules

Waiting for Joao's input (when he's done vacation) to ease my mind.

Chris.

[Paulo Elifaz Andrielli]

I didnt have time to check the performance for both....

Currently, I left mine with SMB1 and SMB2 activated. So, based on your experience, should I keep this way then?

[]'s
Paulo
sent from Android

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.
To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

[Chris Archer]

I'd say yes, at least until Joao responds.

Chris.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.

[João Cardoso]

On Friday, 30 June 2017 06:45:21 UTC+1, Chris Archer wrote:

RESOLVED by sheer persistence :-)

1. Based on Paulo's problem with not seeing the SMB1 and SMB2 check-boxes because of an older version of Samba, i decided to see what samba packages I had installed and their versions.
Uninstalled samba-modules 3.5.22 and samba-doc 3.5.22 (first had to uninstall nuts, which I had installed a LONG time ago to try to monitor UPS and seems to have some sort of dependency relationship)

2. Checked error

[2017/06/29 09:33:50.823938,  0] smbd/negprot.c:706(reply_negprot)
  No protocol supported !

That means that both SMB1 and SMB2 was disabled. I remember seeing that during my tests, but can't remember under what conditions

 

and found
https://forums.freenas.org/index.php?threads/smbd-no-protocol-supported.22349/
which suggested the error could be resolved by ensuring SMB1 was enabled. Sure enough, enabling SMB1 resolved the problem and I can now access shares.

I'm pretty sure that I tested all options, SMB1 only, SMB2 only, and SMB1 and SMB2. Notice that these are the options the server advertises as available, the client has to select which one he wants.

For the tests I used 'smbclient -m NT1|SMB2' from a linux machine. I only have access to a Vista machine, no 7/8/8.1/10 testing was done.

 

but, I can see from smb.conf that

    #min protocol = SMB2
   
    server signing = auto

That is a RC6 leftover. From users reports on Win-8/8.1 'server signing' should be set to 'disabled'

 

    client signing = auto
    client ipc signing = auto
    max protocol = SMB2

 

I'm not sure if enabling SMB1 is safe given the recent Samba issues (WannaCry?)  that suggest it should be disabled, but for now it seems necessary.

 

Nobody can tell if it is safe or not, I expressed my non-expert views on the RC6 thread. In short, SMB1 will not be world-wide disabled because there are too much embedded devices that rely on it (MS even released a patch to already unsupported MS versions), and most SMB1 issues are specific to MS-Win SMB implementation, not necessarily to the samba implementation. See the newer Petya attack.

If by "recent Samba Issues" you mean CVE-2017-7494, the patch is applied.

You can try to debug your SMB1/SMB2 issue, the relevant directives are (test with 'server signing' disabled)

max protocol = SMB2

min protocol = SMB2

being commented or not.

-both commented, means that only SMB1 (actualy NT1) is advertised

-if only 'min protocol = SMB2' is uncommented, then only SMB2 is advertised

-if only 'max protocol = SMB2' is uncommented, both SMB1 and SMB2 are offered

As SMB might take some minutes to settle, and data is cached in both the server and the client, you can't be in a hurry to test changes.

It is easy to restart samba on the server without caching:

rcsmb stop # stop samba

rm -rf /var/cache/samba # remove cached info

rm -rf /var/log/samba # clean logs

rcsmb start # start samba

After clearing cache and restarting samba, the log will show a lot of warnings regarding tdb files missing etc, the final log entry will be similar to "waiting for connections". The log is rotated when it reaches 32KB.

The following also still show in the smbd and nmbd logs

[2017/06/30 01:27:33.923856,  1] ../lib/util/charset/codepoints.c:60(load_case_tables_library)
  Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
[2017/06/30 01:27:33.924809,  1] ../lib/util/charset/codepoints.c:64(load_case_tables_library)
  Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules

Harmless

Regarding the https certificate, there has been a change, mainly because of chrome requirements; creating a new certificate under System->Utilities generates less scaring (if possible) messages under chrome. Self-signed certificates as used by Alt-F always generate those kind of messages (unknow certification autority or similar)

I tested that under firefox using the Alt-F simulator and found that you have to remove the existing box certificate from firefox in order for it to add an exception.

Regarding swat, I can't comment

 

Waiting for Joao's input (when he's done vacation) to ease my mind.

Don't expect too much, but I'm not unreachable.

[Chris Archer]

Hi Joao:

Thank you as always for making the time to respond.

I've just confirmed that turning off SMB1  (either via the GUI or setting min protocol = SMB2) causes the error

[2017/06/29 09:33:50.823938,  0] smbd/negprot.c:706(reply_negprot)
  No protocol supported !

on 1.0

I checked my existing RC6 and found the following in smb.conf
    # min protocol = SMB2

   
    client signing = auto
    client ipc signing = auto
    max protocol = SMB2

which according to what you said means that SMB1 is likely enabled. This is the only setting that allows Samba to work properly for me, on both RC6 and 1.0

As I mentioned before
https://forums.freenas.org/index.php?threads/smbd-no-protocol-supported.22349/
seems to suggest SMB1 must be enabled.

FYI, all my client machines are all Linux (Fedora) machines.
Based on the fact that this is a patched version of Samba with no Windows machines involved, I'm satisfied everything is okay.

However, my observation is that on both RC6 and 1.0 disabling SMB1 breaks Samba for me.

Chris.

[Paulo Elifaz Andrielli]

Just made some tests this weekend....

Win10 and MacOS can see SMB2 shares.

However, Android devices (my phone and my AndroidTV) cannot access the files.

So, I need to keep SMB1 enabled to make them to see the files. Is this somehow expected?

And when only SMB2 enabled, I didnt see any improvements on the transfer rate. Still 5Mb/s.... :-(

[]'s
Paulo
sent from Android

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.