Backup-data fails with CIFS SMB2/SMB3

backup

(Davide Del Grande) #1

Hello,

I’m on latest NS version, trying to use the backup-data package with a Windows 2016 server as a CIFS repository (actually, it’s a Microsoft free Hyper-V 2016 server).

The backup-data.log says:
2018-02-17 01:00:10 - ERROR - Error while mounting 192.168.168.5:Backup : mount error(112): Host is down Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) 2018-02-17 01:00:10 - ERROR - Event pre-backup-data failed - 1

Searching the “Host is down” error, I found this thread

Indeed the missing option seems to be “-o vers=2.0”, since SMB1 has been disabled on this server due its to recent vulnerabilities.

Is there an option to enable it in the server manager or on command line ?
Thank you!
Davide.


Backup data on Smb share now doesn't work
(Davide Del Grande) #2

Ok, digging more, I found /etc/e-smith/events/actions/mount-cifs
and changed line:

$err = qx(/bin/mount -t cifs “//$smbhost/$smbshare” $mntdir -o vers=2.0,credentials=$tmp,nounix 2>&1);

It works!
But I’m a bit afraid that my change will be overwritten by next packages updates.
Would be nice to be able to set CIFS compatibility level in the web gui.

Bye!


(Giacomo Sanchietti) #3

Thank you for the report.

We should probably add a new prop named something like SMBProtocolVersion.
The default should be v1 but the user must be able to choose v2 directly from the web interface.

What do you think?


(Filippo Carletti) #4

I don’t like it.
Even if I fear some regressions, I think that we should try to mount using the best protocol and try to fall back to earlier versions if the mount fails.

From mount.cifs manual we can try in order: 3.0 2.1 2.0 1.0


(Michael Kicks) #5

And if an SMB server locks out after 3 login attempts? I suggest that interface can let the admin choose which version use.


(Filippo Carletti) #6

Protocol version is not only about login.
We should always try to hide complexity.
And a future update from upstream will do what I’m suggesting.


(Michael Kicks) #7

Hide complexity is useful for not-skilled people. There’s already a specific distro which is called for human beings.
Or there’s another software for servers, homebased at Redmon.
Therefore, IMO, a toggle is preferrable.


(Davide Del Grande) #8

I second the “best version first” approach, expecially given the recent commitment from Microsoft to try retiring the INSECURE SMB1: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

NS users are sysadmins, so I would expect that anyone at least knows that there are different SMB/CIFS protocol versions.

My preference would go to a GUI-toggle, with latest or at least 2.0 being the default - and maybe an “insecure” warning next to the SMBv1 choice (helps spreading the awareness).


(Michael Träumner) #9

Of course we all can choose a protocol version 1 or 2, but I think @filippo_carletti is at the right way, because the target of Nethserver is:

Making sysadmin’s life easier

It is one thing less you have to look for.


(Giacomo Sanchietti) #10

In my Fedora, the man states:

vers=arg
The default since v4.13.5 is for the client and server to negotiate the highest possible version greater than or equal to 2.1. In kernels prior to v4.13, the default was 1.0. For kernels
between v4.13 and v4.13.5 the default is 3.0.

Probably we will have this patch in the upcoming kernel for RHEL 7.5 (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7-beta/html/7.5_release_notes/new_features_kernel).

But if we are not getting this improvements, @Davide_Del_Grande would you like to open a PR to the code which tries all samba protocol version?

This is the relevant code: https://github.com/NethServer/nethserver-backup-data/blob/master/root/etc/e-smith/events/actions/mount-cifs#L66

IMHO I would like to also have a prop to force a specific protocol, even if the prop could not been exposed inside the web interface.