[Samba] server max protocol appropriate values

[James]

Hello,

My DC smb.conf currently has the following set

server max protocol = NT1
server min protocol = CORE
client max protocol = NT1
client min protocol = CORE

Is it safe to change both the client and server max to = SMB3? What
about on member servers? Should I be concerned with anything breaking?
I'm using Windows 7 clients to authenticate against Ubuntu 4.1.17 DC's
and a Debian Wheezy as a file server.

This is what I see on
https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Normally this option should not be set as the automatic negotiation
phase in the SMB protocol takes care of choosing the appropriate protocol.

Default: //|server max protocol|/ = |SMB3| /

Example: //|server max protocol|/ = |LANMAN1| /


--
-James

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Gaiseric Vandal]

I have several Samba 3.6.24 domain controllers/file servers .


Server1 - Solaris 10, Samba 3.6.24, max protocol NT1. This is the
main file server.
Server2 - Solaris 10, Samba 3.6.24, max protocol SMB2. 2ndary file
server, not as heavily used as as server1.
Server3 - Solaris 11, Samba 3.6.24, max protocol SMB2 . This was set
up to replace Server 1.


I also have a a Citrix XenApp 6.5 server running on Windows 2008 R2 with
RDP/Terminal Services role



On do of them, I changed the server max protocol from NT1 to SMB2, with
no problem - at first. I was migrating data from server1 to
server3. As I moved data over from , people started having trouble
with being able to establish connections to the new server from the
citrix server. Windows 7 clients were fine (except for a single
problem on a single Win 7 laptop.) It really pointed to something
specific with a Citrix server environment. I think it has something to
do with SMB2 establishing separate connections for each user and
exceeding the default number of permitted sessions on Win 2008.
Rolling back to NT1 seemed to fix it the issues.

On 03/04/15 10:26, James wrote:
> Hello,
>
> My DC smb.conf currently has the following set
>
> server max protocol = NT1
> server min protocol = CORE
> client max protocol = NT1
> client min protocol = CORE
>
> Is it safe to change both the client and server max to = SMB3? What
> about on member servers? Should I be concerned with anything breaking?
> I'm using Windows 7 clients to authenticate against Ubuntu 4.1.17 DC's
> and a Debian Wheezy as a file server.
>
> This is what I see on
> https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
>
> Normally this option should not be set as the automatic negotiation
> phase in the SMB protocol takes care of choosing the appropriate protocol.
>
> Default: //|server max protocol|/ = |SMB3| /
>
> Example: //|server max protocol|/ = |LANMAN1| /
>
>

--

[Marc Muehlfeld]

Hello James,

Am 04.03.2015 um 16:26 schrieb James:
> My DC smb.conf currently has the following set
>
> server max protocol = NT1
> server min protocol = CORE
> client max protocol = NT1
> client min protocol = CORE
>
> Is it safe to change both the client and server max to = SMB3? What
> about on member servers? Should I be concerned with anything breaking?
> I'm using Windows 7 clients to authenticate against Ubuntu 4.1.17 DC's
> and a Debian Wheezy as a file server.

If the new protocol versions are instable, they wouldn't be default. ;-)

At work I have all server (4.1.17) running on their default value. But
we encountered some SMB2 caching problems. But this was client related
and can be controlled via registry/GPO settings, if appearing:
https://technet.microsoft.com/zh-tw/library/ff686200%28v=ws.10%29.aspx


Regards,
Marc

[James]

Hi Marc,

I'm a little confused. The values I provided for client and server
max protocol are default values. At least according to the command
'samba-tool testparm -v'. I have not explicitly set them in my smb.conf
file. I assume SMB3 became the default at some point with a release? I'm
worried now that I must make explicit changes to my smb.conf file when
default values are changed from a prior version. Maybe it's a bug and my
values should've been changed when I updated Samba when smb3 became the
default? I started with 4.0.0 from tar for reference. Sequential version
updates after that. Thanks.

On 3/4/2015 5:43 PM, Marc Muehlfeld wrote:
> Hello James,
>
> Am 04.03.2015 um 16:26 schrieb James:
>> My DC smb.conf currently has the following set
>>
>> server max protocol = NT1
>> server min protocol = CORE
>> client max protocol = NT1
>> client min protocol = CORE
>>
>> Is it safe to change both the client and server max to = SMB3? What
>> about on member servers? Should I be concerned with anything breaking?
>> I'm using Windows 7 clients to authenticate against Ubuntu 4.1.17 DC's
>> and a Debian Wheezy as a file server.
> If the new protocol versions are instable, they wouldn't be default. ;-)
>
> At work I have all server (4.1.17) running on their default value. But
> we encountered some SMB2 caching problems. But this was client related
> and can be controlled via registry/GPO settings, if appearing:
> https://technet.microsoft.com/zh-tw/library/ff686200%28v=ws.10%29.aspx
>
>
> Regards,
> Marc

--

-James

[James]

Hi Gaiseric,

Do you happen to run into any oplock(opportunistic locking) issues?
On my DC I have these issues with my group policy files. I'm hopeful
using smb 2.0 will fix this problem. Thanks.

-James

[Rowland Penny]

There is something wrong here with either what the default is in
smb.conf on an AD DC or the manpage for smb.conf

From 'samba-tool testparm -v' :

server max protocol = NT1

BUT 'man smb.conf' says this :

Default: server max protocol = SMB3

OK, one of these is wrong, but which ???

Rowland

[James]

Using Wireshark I see the protocol used as SMB2. Using a Windows
workstation I tested by navigating to files and folders on my member
server or to my sysvol folder on a DC.

-James

[Gaiseric Vandal]

I have not had problems. As this is Samba 3.x, group policy files do
not come into play.

[Marc Muehlfeld]

Am 06.03.2015 um 14:56 schrieb Rowland Penny:
>> From 'samba-tool testparm -v' :
>>
>> server max protocol = NT1
>>
>> BUT 'man smb.conf' says this :
>>
>> Default: server max protocol = SMB3
>>
>> OK, one of these is wrong, but which ???

If you run 4.1 or later, then SMB3 is the default.

Am 06.03.2015 um 16:30 schrieb James:
> Using Wireshark I see the protocol used as SMB2. Using a Windows
> workstation I tested by navigating to files and folders on my member
> server or to my sysvol folder on a DC.

Win7 doesn't speak SMB3.

SMB 2.0 was introduced by Vista/2008
SMB 2.1 by Win7/2008R2
SMB 2.2 aka 3.0 by Win8/2012
SMB 3.02 by 8.1/2012R2


Regards,
Marc

[Rowland Penny]

On 06/03/15 17:05, Marc Muehlfeld wrote:
> Am 06.03.2015 um 14:56 schrieb Rowland Penny:
>>> From 'samba-tool testparm -v' :
>>>
>>> server max protocol = NT1
>>>
>>> BUT 'man smb.conf' says this :
>>>
>>> Default: server max protocol = SMB3
>>>
>>> OK, one of these is wrong, but which ???
> If you run 4.1 or later, then SMB3 is the default.
>
>
>
> Am 06.03.2015 um 16:30 schrieb James:
>> Using Wireshark I see the protocol used as SMB2. Using a Windows
>> workstation I tested by navigating to files and folders on my member
>> server or to my sysvol folder on a DC.
> Win7 doesn't speak SMB3.
>
> SMB 2.0 was introduced by Vista/2008
> SMB 2.1 by Win7/2008R2
> SMB 2.2 aka 3.0 by Win8/2012
> SMB 3.02 by 8.1/2012R2
>
>
> Regards,
> Marc

OK, so I sorted my problem, it was the old 'testparm -v' and 'samba-tool
testparm -v' giving different results problem, the man page is correct.

Sorry for the noise :-)

Rowland

[James]

OK. Now I'm really confused. I was not aware of two 'testparm' commands.
Running 'testparm -v' shows correct default values. So whats the
difference?

-James

[Tim]

I will check testparm -v, but samba-tool testparm -v gives the result you wrote.

With max = SMB3 and min = SMB2 for both, server and client, samba-tool time doesn't work anymore (see related thread).

Am 6. März 2015 19:01:05 MEZ, schrieb Rowland Penny <rowlan...@googlemail.com>:
>On 06/03/15 17:35, Tim wrote:
>> I have to add noise: Provisioning a DC with sernet 4.1.x called NT1
>as max default with me.

>No, as Marc says 'SMB3' is the default, if you run 'samba-tool testparm
>
>-v' you will find this: 'server max protocol = NT1', but if you run
>'testparm -v' you will find this: 'server max protocol = SMB3'
>
>I understand that from 4.2, the two commands should return the same
>results.
>
>Rowland

[Rowland Penny]

On 06/03/15 17:35, Tim wrote:
> I have to add noise: Provisioning a DC with sernet 4.1.x called NT1 as max default with me.
>
>
>
> Am 6. März 2015 18:28:55 MEZ, schrieb James <lingpa...@gmail.com>:

No, as Marc says 'SMB3' is the default, if you run 'samba-tool testparm

-v' you will find this: 'server max protocol = NT1', but if you run
'testparm -v' you will find this: 'server max protocol = SMB3'

I understand that from 4.2, the two commands should return the same results.

Rowland

--

[Tim]

I have to add noise: Provisioning a DC with sernet 4.1.x called NT1 as max default with me.

Am 6. März 2015 18:28:55 MEZ, schrieb James <lingpa...@gmail.com>:

[Helmut Hullen]

Hallo, James,

Du meintest am 06.03.15:

> OK. Now I'm really confused. I was not aware of two 'testparm'
> commands. Running 'testparm -v' shows correct default values. So
> whats the difference?

testparm -s

shows what is defined in "smb.conf"


testparm -sv

shows what ist actually used (including the default values).

Viele Gruesse!
Helmut