Negotiate SMB2/3 with a Windows client


Solution 1

The smbd version 3.6.x doesn't support SMB3, so it won't recognize it. Using max protocol = SMB2 should enable the SMB2 support, so start with it. If you then add min protocol = SMB2 the list gets quite narrow...

The LTS support for Debian 7 "Wheezy" ends on May 31, 2018. That's in less than a week. Upgraded Debian 9 comes with smbd 4.5.x, and SMB 3.0 is supported since smbd 4.2. It will support your max protocol = SMB3.

Solution 2

@Esa Jokinen already answered you, and I think his answer will solve your issue.

Let me give some more details. Here is a link explaining how and what you should do to enable SMB2 on your Samba (3.6.x) (look for "SMB2 support").

In general, just do the following:

  1. In the smb.conf [global] section add max protocol = SMB2
  2. Restart your Samba.
Author by

CShark

Just your average student studying informatics at the KIT in Germany. In my free time I'm working on a DMX lighting console both in hardware and software.

Updated on September 18, 2022

Comments

  • CShark
    CShark almost 2 years

    After installing Win10 1803 recently I noticed I was no longer able to reach my Samba shares on my Linux machine. After some digging it turned out that SMB1 is now disabled by default and my Linux machine is apparently using that one as default.

    Now I want to fix that so that my smb-server properly negotiates the highest supported protocol version available. As far as docs go, smb should support SMB2 and SMB3 without any problems. But if I disable SMB1 in Windows the server disappears completely.

    I started to play around with min protocol = SMB2, max protocol = SMB3 and protocol=SMB2 but to no avail. At this point I threw Wireshark into the mix and noted some interesting details.

    No matter whether I disable SMB1 or have it enabled on my Windows machine, it always sends an SMB negotiate protocol request with three supported dialects (encapsulated in an SMB packet):

    • NT LM 0.12 (SMB1/CIFS)
    • SMB 2.002
    • SMB 2.???

    SMB1 is always part of that list, no matter what. Don't know why, but it shouldn't be a problem if smb picks the highest supported dialect. Sadly the response suggests that SMB2.002 and SMB2.??? are unrecognized.

    With the config attached at the bottom I get a negotiate protocol response which picks NT LM 0.12. If I add min protocol = SMB2 to the config the protocol response returns -1 (PC NETWORK PROGRAM 1.0) which results in the oldest protocol variant possible. If I set protocol = SMB2 to circumvent the negotiations completely the server properly sends an SMB2 packet instead of an SMB one and sets the dialect to 0x0202 (SMB2_02) correctly, but Windows still refuses to work with that version.

    At this point I'm out of ideas on how to enable support for an SMB protocol version that is not SMB1 between a Linux server and a Windows client... If anyone has ideas on how to get it working properly, feel free to share them.

    Ideally I only want to adjust my server, not the client machines if possible.

    Notes

    Server:

    • Openmediavault (Debian 7)
    • smbd & nmbd v3.6.6

    Client:

    • Win10 1803 (build 17134.48)
    • Feature "Support for SMB1.0/CIFS" deactivated

    Disabling the service mrxsmb10 may have the same effect as uninstalling the feature.

    smb.conf

    [global]
    workgroup = WORKGROUP
    server string = %h server
    dns proxy = no
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = yes
    panic action = /usr/share/samba/panic-action %d
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    guest account = nobody
    load printers = no
    disable spoolss = yes
    printing = bsd
    printcap name = /dev/null
    unix extensions = yes
    wide links = no
    create mask = 0777
    directory mask = 0777
    use sendfile = yes
    aio read size = 16384
    aio write size = 16384
    null passwords = no
    local master = yes
    time server = yes
    wins support = yes
    wins server = NAS
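
The dialect list and the server responses described in the question above, as an added example that is not part of the original post and not Samba's code: it parses an SMB1 Negotiate request and applies a simplified dialect-selection model. The dialect table, the NT1 defaults for the protocol bounds and all function names are assumptions made for illustration.

```python
import struct

# Protocol levels, ascending, named as in smb.conf "min protocol"/"max protocol".
LEVELS = {"NT1": 1, "SMB2": 2, "SMB3": 3}
# Assumed dialect table of the modelled server; strings not listed here
# (such as "SMB 2.???") count as unrecognized.
KNOWN_DIALECTS = {"NT LM 0.12": "NT1", "SMB 2.002": "SMB2"}
NO_DIALECT = 0xFFFF  # DialectIndex for "none accepted"; -1 as a signed 16-bit value

def build_negotiate(dialects):
    """Build an SMB1 Negotiate request (command 0x72), transport header omitted."""
    header = b"\xffSMB" + b"\x72" + bytes(27)  # 32-byte SMB1 header, fields zeroed
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + b"\x00" + struct.pack("<H", len(body)) + body

def parse_dialects(msg):
    """Return the dialect strings offered in an SMB1 Negotiate request."""
    if len(msg) < 35 or msg[:4] != b"\xffSMB" or msg[4] != 0x72:
        raise ValueError("not an SMB1 Negotiate request")
    off = 33 + 2 * msg[32]  # skip WordCount and the parameter words
    if len(msg) < off + 2:
        raise ValueError("truncated request")
    (byte_count,) = struct.unpack_from("<H", msg, off)
    data = msg[off + 2:off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated dialect list")
    dialects, pos = [], 0
    while pos < len(data):
        end = data.find(b"\x00", pos)
        if data[pos] != 0x02 or end == -1:  # 0x02 = BufferFormat "dialect"
            raise ValueError("malformed dialect entry")
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects

def select_dialect(offered, min_protocol="NT1", max_protocol="NT1"):
    """Return (index, name) of the highest recognized dialect within [min, max]."""
    lo, hi = LEVELS[min_protocol], LEVELS[max_protocol]
    best = (NO_DIALECT, None, 0)
    for index, name in enumerate(offered):
        level = LEVELS.get(KNOWN_DIALECTS.get(name, ""), 0)
        if lo <= level <= hi and level > best[2]:
            best = (index, name, level)
    return best[:2]

# Constructed sample carrying the three dialects listed in the question.
SAMPLE = build_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
```

In this model `select_dialect(parse_dialects(SAMPLE))` picks NT LM 0.12, adding only `min_protocol="SMB2"` leaves an empty range and yields 0xFFFF, and `max_protocol="SMB2"` picks SMB 2.002.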
    
  • CShark
    CShark about 6 years
    Well, my first try suggested that this setting will work. But then I tried to do an in-place upgrade of OMV and it did not go too well. So I'll have to reinstall the whole system before I can confirm anything...
  • CShark
    CShark about 6 years
    One question for smbd 4.2 and SMB3: does this require kernel support? Because I have currently 3.2.0.4 (3.16. does not boot yet) and smbd 4.2.14 but setting max protocol to SMB3 breaks samba again and I suspect the kernel but I'm not quite sure...
  • Esa Jokinen
    Esa Jokinen about 6 years
    I wouldn't spend much time debugging the compatibility with the current setup, as the (EOL) clock is ticking. I'd use these four days upgrading to Debian 9 and getting SMB3 to work with it.
  • CShark
    CShark about 6 years
    Jup, I've already upgraded to Debian 8, that's also why I have a newer smbd version. Let's see whether the next upgrade will fix this issue...