Problem accessing samba share
Hi all,
I have samba 4.6.2 on RHEL 7.
We have a production server still on Windows 2003 R2.
I need the Windows server to access one of the Samba shares, but I'm having problems. It was previously connected to a Samba share on a RHEL6 platform with older Samba.
I have tried the share credentials from a Windows 10 box with success, so I suspect I either need to increase Samba 4's compatibility level (if possible via the config) or change something in the Windows server's registry/policy.
Does anyone have any experience with this, and/or any advice?
My smb.conf:
"
[global]
security = user
passdb backend = tdbsam
case sensitive = yes
dns proxy = No
domain master = No
#encrypt passwords = yes
map to guest = Bad User
load printers = no
local master = No
log file = /var/log/samba/%m.log
log level = 1
max log size = 50
preferred master = No
server string = DB3 Samba Server
smb ports = 139 445
unix extensions = no
workgroup = xxxxx
[edi]
browseable = no
create mode = 0700
directory mask = 0700
follow symlinks = yes
path = /sambashares/edi
read only = No
guest ok = No
valid users = jbloggs, ediuser
wide links = yes
"
Thank you
Elliot
Responses
I think Windows 2003 is the last SMBv1-only version of server-oriented Windows, and since the WannaCry ransomware attacks, most modern SMB clients and servers by now should have SMBv1 disabled by default.
To enable server-side SMBv1 in Samba, the parameter you might need is
server min protocol = NT1
Update: also, Windows 2003 does not use NTLMv2 by default, and the default settings of modern Samba versions disable NTLMv1 as it is no longer secure. So, you'll need to either enable NTLMv2 on Windows 2003 by doing something similar to this or allow the use of NTLMv1 in Samba 4.5 or above by smb.conf setting:
ntlm auth = yes
If your set-up involves Kerberos (e.g. the Samba server is joined to a Windows Active Directory domain), then you'll also need to check that the Kerberos on the RHEL 7 host is configured to allow the legacy Kerberos encryption types: DES-CBC-CRC, DES-CBC-MD5 and/or RC4-HMAC. Windows 2003 won't support Kerberos enctypes newer than that, and these types are considered as no longer secure by modern Kerberos implementations.
To view the current state of all Samba options, including those that are not specified in the configuration file and thus are using built-in defaults, use testparm -sv | less.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
