misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

[SOLVED] Samba on Stretch from WinXP

Wed Sep 27, 2017 7:22 pm

Hi

I'm facing a serious problem with Samba installation.
I have tried on both Stretch images - lite and full;
I'm using the exact same procedure I've used with the latest Jessie versions;
...
It doesn't matter - samba is installed, user is added and password secured - samba keeps and keeps asking for user and password every time I try to log on to the share from Windows.

The funny thing is that the root account login is accepted from the first try.

So, the question is - Is there something generally different in samba installation on Stretch, than with the same action on Jessie?

Thanks in advance!
Last edited by misho.petrov on Fri Oct 13, 2017 10:17 am, edited 1 time in total.
1. RPi B 512 MB + Sandisk 2GB c4, vesa mount;
2. RPi B 512 MB + Hama 16GB c10, heat sinks, micro fan, built-in lead-acid battery, duplicated factory plugs, 4,3" TFT, usb mini wireless keyboard, TDA2822 and speakers;
3. RPi 2 + Maxell 16GB c10.

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba on stretch

Wed Sep 27, 2017 7:51 pm

There shouldn't be much difference between Samba on jessie or stretch, can you post your smb.conf, but please remove any commented lines.

fred44nl
Posts: 162
Joined: Sat Jun 25, 2016 11:59 am
Location: Scharendijke, NL

Re: Samba on stretch

Wed Sep 27, 2017 8:02 pm

misho.petrov wrote:
Wed Sep 27, 2017 7:22 pm
samba is installed, user is added and password secured - samba keeps and keeps asking for user and password every time I try to log on to the share from Windows.
How and where did you add the user and secure the password?
headless RPi 3B running from usbhdd.

misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

Re: Samba on stretch

Wed Sep 27, 2017 8:02 pm

Code:

   workgroup = WORKGROUP
   wins support = yes
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
   read only = no
   create mask = 0775
   directory mask = 0775
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
This is my current configuration (not the actual conf, only the uncommented lines).

misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

Re: Samba on stretch

Wed Sep 27, 2017 8:05 pm

fred44nl: maybe my English is a little rusty, but I meant that I have added a user with a password using the commonly known way.

fred44nl
Posts: 162
Joined: Sat Jun 25, 2016 11:59 am
Location: Scharendijke, NL

Re: Samba on stretch

Wed Sep 27, 2017 8:07 pm

at the end, there should also be a section like:
[Toshiba usbhdd]
comment = Toshiba usbhdd
path = /shares
browseable = yes
writeable = yes
read only = no
force user = fred44nl
create mask = 0777
directory mask = 0777
delete readonly = yes

misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

Re: Samba on stretch

Wed Sep 27, 2017 8:16 pm

This looks like an external hard drive configuration.
Anyway, there is no difference even after adding this section (modified by my needs).

misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

Re: Samba on stretch

Wed Sep 27, 2017 8:19 pm

Code:

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
   read only = no
   create mask = 0775
   directory mask = 0775
   
These are the only lines I've used to add at Jessie's samba configuration file and it works flawlessly. But on Stretch it does not.

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba on stretch

Thu Sep 28, 2017 1:48 pm

Try adding 'security = user'

Also, I take it you are unaware that 'writeable = yes' and 'read only = no' mean the same thing, so you do not need both :)

misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

Re: Samba on stretch

Thu Sep 28, 2017 4:12 pm

Nope. Same deal...

thagrol
Posts: 326
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Samba on stretch

Thu Sep 28, 2017 9:05 pm

Might be an issue with linux permissions or drivers on the mounted HDD.

Is your HDD formatted as NTFS? If so, try installing ntfs-3g:

Code:

sudo apt install ntfs-3g

then reboot.

Can your linux user (fred44nl ?) read and write to the mounted HDD directly on the pi?

DarrenHill
Posts: 160
Joined: Fri Oct 03, 2014 3:03 pm

Re: Samba on stretch

Mon Oct 02, 2017 8:49 am

Your homes configuration above seems to be lacking in a path line to tell it exactly what needs to be shared?

thagrol
Posts: 326
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Samba on stretch

Mon Oct 02, 2017 1:45 pm

DarrenHill wrote:
Mon Oct 02, 2017 8:49 am
Your homes configuration above seems to be lacking in a path line to tell it exactly what needs to be shared?
[homes] doesn't need a path. It's a samba special share. The path is calculated (and different) for each user.

misho.petrov
Posts: 41
Joined: Mon Oct 21, 2013 8:52 pm

Re: Samba on stretch

Fri Oct 13, 2017 10:15 am

I forgot to tell you that the machine I'm trying to connect from is an XP-based (for a number of reasons) netbook. Recently and experimentally I've installed a Win10 Pro copy on the same PC and tried the connection again - everything worked perfectly. Today I rolled back to XP and... nothing - same deal; can't access the share and samba keeps asking for credentials.
Anyway, I assumed (wrongly by the way), that the reason was at the operating system - XP.
After some digging I've found the solution. I just needed to add the following three lines to the [global] section of smb.conf:

Code:

server max protocol = NT1
lanman auth = yes
ntlm auth = yes

and the problem was solved. Although I do not know (yet) what will be the consequences and the possible security issues from this setup.

Nevertheless - thanks for all of your replies.

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: [SOLVED] Samba on Stretch from WinXP

Fri Oct 13, 2017 4:33 pm

If you want to use stronger authentication, have a look here:
http://www.imss.caltech.edu/node/397

wally333
Posts: 77
Joined: Mon Jun 06, 2016 7:09 pm

Re: Samba on stretch

Fri Oct 13, 2017 7:44 pm

misho.petrov wrote:
Fri Oct 13, 2017 10:15 am

After some digging I've found the solution. I just needed to add the following three lines to the [global] section of smb.conf:

Code:

server max protocol = NT1
lanman auth = yes
ntlm auth = yes

and the problem was solved. Although I do not know (yet) what will be the consequences and the possible security issues from this setup.
I think the security implications are pretty severe, as if I recall correctly, it's how the WannaCry ransomware spread to multiple machines on a network if one was infected via a phishing attack.

DouglasBremer
Posts: 4
Joined: Mon Oct 30, 2017 11:17 pm

Re: [SOLVED] add "ntlm auth = yes" to smb.conf

Mon Oct 30, 2017 11:36 pm

Thanks for your post. It really helped me.
I've been using Linux and Samba for years and have systems running that have been up for almost forever.
I have a Raspberry Pi (one of the originals) that's been running continuously for over three years. It stores security video.
I have two Banana Pi's running as personal file servers with Samba. These systems are rock-solid and run 24/7/365.

YET!!!

I tried to set up a Samba server with this latest and greatest Raspbian-Stretch version and Samba user login was rejected. It was simple as pie to allow GUEST access, but a real user could not get it. I've farted around with this all day long.

One or more of the lines in your solution did the trick. Through trial and error, I'll figure out which one(s).

The downside to Raspberry Pi is that it is SO DISCOURAGING to use. I spend more time working around bugs and crazy anomalies in new versions than actually learning something new.

Thanks again!

Retired IT guy with decades of experience.

P.S. The solution is to manually add "ntlm auth = yes" to your smb.conf config file. It belongs in the [global] section.
Samba changed the default for this setting from "YES" to "NO", so you must manually set it.
Last edited by DouglasBremer on Tue Oct 31, 2017 12:17 am, edited 1 time in total.

DouglasBremer
Posts: 4
Joined: Mon Oct 30, 2017 11:17 pm

Re: [SOLVED] Samba on Stretch from WinXP

Tue Oct 31, 2017 12:10 am

Google "ntlm auth = yes" and you will find that Samba changed the default behavior of this and other settings.
Typical Linux stuff where defaults are changed and become holes that swallow up users.

Here's the solution if you can no longer connect to Samba with your Windows computers.
Add "ntlm auth = yes" to your /etc/samba/smb.conf file.

This setting no longer defaults to "yes", it defaults to "no".

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: [SOLVED] Samba on Stretch from WinXP

Tue Oct 31, 2017 8:46 am

We changed it for a very good reason, it is insecure. If you have to set this on the Samba server, then find out how to upgrade to NTLMv2 on the client.

DouglasBremer
Posts: 4
Joined: Mon Oct 30, 2017 11:17 pm

Re: [SOLVED] Samba on Stretch from WinXP

Tue Oct 31, 2017 3:06 pm

As a former network administrator it was my responsibility to keep my systems secure, not yours.
I never played the blame game; it's the hardware, no it's the software, no it's the hardware . . .
And the last thing I wanted to do was frustrate my users. Hence, I never used Linux as a solution professionally.
I use it now that I'm retired because I have the time to mess with it.

Samba should have added a comment to smb.conf informing users of the vulnerability and left the default alone.
That's just my opinion.

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: [SOLVED] Samba on Stretch from WinXP

Tue Oct 31, 2017 5:59 pm

Look at what happened when it was left up to the sysadmin, anybody remember 'WannaCry'?

NTLMv1 is insecure, it is so insecure, you very well might as well just use plain passwords.

The change was documented in the Samba release notes.

I repeat, if you have to use 'ntlm auth = yes' in your smb.conf, your clients are not secure and you should investigate how to get your clients to use NTLMv2 at least.

I (and whilst I cannot speak for the rest of the Samba developers, I am sure they will agree) will not apologise for making Samba more secure.

DouglasBremer
Posts: 4
Joined: Mon Oct 30, 2017 11:17 pm

Re: [SOLVED] Samba on Stretch from WinXP

Thu Nov 02, 2017 11:20 pm

I wouldn't expect you to; it's just not in your genes.
I'm not at the center of this, you are. Watch the complaints come in.

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: [SOLVED] Samba on Stretch from WinXP

Fri Nov 03, 2017 11:51 am

This changed 12 months ago with the release of Samba 4.5.0. I can count on the fingers of one hand the number of people who have asked about this on the Samba mailing list. All that have asked, have accepted it was a change for the better. You are the only person that will not accept that Samba should make things more secure by default. If you want to run an insecure system, you can easily do this by adding 'ntlm auth = yes' to smb.conf, but don't come crying to me if you get hacked.

Rowland Penny
Samba team member

hippy
Posts: 2344
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Samba on stretch

Fri Nov 03, 2017 3:21 pm

misho.petrov wrote:
Fri Oct 13, 2017 10:15 am
After some digging I've found the solution. I just needed to add the following three lines to the [global] section of smb.conf:

Code:

server max protocol = NT1
lanman auth = yes
ntlm auth = yes
You are a hero. I have been trying to get my XP system to connect to my Pi with the same access it had before I upgraded to Stretch for weeks now, pretty much since the day Stretch was released.

I couldn't figure it out as there was no difference to how I had configured either side before the upgrade but that finally did the job. I will now read up on implications and making it most appropriate. My Pi is on an entirely personal LAN so security is less of a concern than being able to drag and drop files again.

hortimech
Posts: 123
Joined: Wed Apr 08, 2015 5:52 pm

Re: [SOLVED] Samba on Stretch from WinXP

Fri Nov 03, 2017 5:29 pm

To make XP use NTLMv2, have a look here: https://www.imss.caltech.edu/node/396
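
Added example (not code from any poster in this thread or from the Samba project): a small Python check that reads smb.conf text and reports the three [global] settings from the thread's XP workaround that relax authentication or cap the protocol. The function names and both sample configurations are constructed for illustration; it only looks at the [global] section and matches parameter names with case and whitespace ignored, as smb.conf does.

```python
# Added example: flag the legacy-auth settings from the thread in an smb.conf.
TRUE = {"yes", "true", "1", "on"}
SMB1_OR_OLDER = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def global_params(text):
    """Return {normalised name: value} for the [global] section only."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def audit(text):
    """Return (parameter, reason) pairs for settings that relax security."""
    p = global_params(text)
    findings = []
    if p.get("ntlmauth") in TRUE | {"ntlmv1-permitted"}:
        findings.append(("ntlm auth", "server accepts NTLMv1 responses"))
    if p.get("lanmanauth") in TRUE:
        findings.append(("lanman auth", "server accepts LANMAN hashes"))
    # "max protocol" is a synonym for "server max protocol"
    max_proto = p.get("servermaxprotocol", p.get("maxprotocol"))
    if max_proto in SMB1_OR_OLDER:
        findings.append(("server max protocol", "every client is capped at SMB1 or older"))
    return findings

# Constructed samples: the XP workaround from the thread, and the same
# [global] section with those three lines removed (Samba defaults apply).
XP_WORKAROUND = """[global]
   workgroup = WORKGROUP
   server max protocol = NT1
   lanman auth = yes
   ntlm auth = yes
"""
DEFAULTS = """[global]
   workgroup = WORKGROUP
"""

if __name__ == "__main__":
    for name, reason in audit(XP_WORKAROUND):
        print(f"WEAK  {name}: {reason}")
    print("defaults:", audit(DEFAULTS) or "no legacy settings found")
```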
