Nethserver-dc-1.9.2-1.ns7.x86_64 breaking samba shares and client connections

NethServer Version: NethServer 7.9.2009
Module: nethserver-dc/samba

Workstations
Windows 10 Pro
22H2
19045.2846
Windows Feature Experience Pack 120.2212.4190.0

Nethserver is up-to-date. Nethserver is PDC with AD. Applying the latest nethserver-dc (nethserver-dc-1.9.2-1.ns7.x86_64) is breaking samba shares and net connections from workstations to the server. Downgrading to nethserver-dc-1.9.1-1.ns7.x86_64 fixed this issue.

Maybe it helps someone.

regards,
stefan

Any more info from logs or error messages on Windows clients?
Aren’t these updates installed on Windows?

Please also take a look at Samba AD: Windows 10/11 lost trust relationship · Issue #6755 · NethServer/dev · GitHub

No. Not installed.

I read this: 15418 – secure channel faulty since Windows 10/11 update 07/2023

We also still have winxp clients - I confirm, that with the new version of nethserver-dc the clients are not able to connect to any share of the domain. Rolling back solved the issue for the xp clients too.

Hi @giacomo

I’d also like to confirm that on my up to date NethServer at home, I can’t access any Samba shares using my Macbook or Nextcloud (Also on NethServer)… :frowning:

My 2 cents
Andy


Reading upstream issues and ML, it seems the problem reported is not strictly related.

You can take a look at this mitigation: cve-details

Regarding the faulty clients:

  • Windows XP is EOL since 2014
  • I do not know about MacOS, it really depends on the supported SMB protocol
  • NethServer 7 should be able to use newer protocols, but we need more details to help workaround the issue

In our company WinXP OS is (and will be) still in use for some of our drilling machines. It’ll never happen, that we’ll replace a machine because EOL of the PC OS. That would never ever make any sense.

BTW we do also have machines with (different) MacOS. As I already said - the costs of replacing machines because of software updates or EOL of an OS, will never be a discussion.

What details are needed? If I am guided I can provide information.

regards,
stefan

I can understand it, but the Samba team can’t support discontinued OS.

Nothing for this kind of machine. The only thing you can do is try the workaround posted in my previous message. Or, as you already did, keep the old nethserver-dc version, but keep in mind that it won’t work with newer clients.

If you have a NS7 as samba client, we’d appreciate to have the version of involved packages (at least samba and nethserver-samba). Also the log of both client and server are very important to track down the issue.
If you have troubles with Nextcloud, post also relevant part of Nextcloud log.

In the meantime, we have conducted the following tests (thanks to @nrauso!):

NS7, updated, on which we have installed nethserver-dc-1.9.2-1.ns7.x86_64, ibay, and nethserver-nextcloud-1.22.0-1.ns7.noarch:

  • We accessed the ibay using smbclient: :white_check_mark:
  • We accessed the ibay from a Windows 11 client not joined to the domain: :white_check_mark:
  • We accessed the ibay from a Windows 11 client joined to the domain: :white_check_mark:
  • We configured the ibay as an external storage on Nextcloud: :white_check_mark:

Another NS7, updated, joined to the NS7 acting as a DC, with nethserver-nextcloud-1.22.0-1.ns7.noarch:

  • We accessed the remote ibay using smbclient: :white_check_mark:
  • We configured the remote ibay as an external storage on Nextcloud: :white_check_mark:

In all cases, if there are ACLs configured on the ibay, we confirmed that they are respected.

We cannot replicate the issues reported.


I corrected for you :slight_smile:

@giacomo

Is this OS also already discontinued? As I posted, nethserver-dc-1.9.2-1.ns7.x86_64 did not work.

We don’t use nextcloud - the different clients need to have access to files on shares (ibays), that’s all.

IMVHO that’s exactly what SME (Small and Medium-sized Enterprises) server should cover. Regardless if an OS is still supported from M$ or not. And regardless if the shares are providing files for machines, or i.e. if the business is a lawyer or consultant office. In any other case I feel like walking to the dead end M$. Means everybody should immediately update to WIN11. Seriously?

This is nothing personal against anybody in here - it’s just my very personal opinion.


For those who installed the above mentioned updates - try to uninstall. Yes, this can be a pain. Then tell windows not to update. There are a few ways to do this. Additionally/optionally downgrade to nethserver-dc-1.9.1-1.ns7.x86_64. Lock this version with yum versionlock at least, as the smoke is gone. If you are dealing with DNS-blacklists you may want to block wsus servers in your router/firewall/pi-hole. This one may be of help: GitHub - schrebra/Windows.10.DNS.Block.List: Windows DNS Block List. READ THE BLOCKLIST CAREFULLY. Adjust where needed.

This is a workaround - not a fix. But at least your clients are able to access the server resources.

regards, stefan

It’s not: reading Windows doc, it is supported until October 2025.
Please share your logs and we will try our best to help.

Better, report the issue to the upstream Samba project:

You can try downgrade it. The support team gave me these commands (it will take some time):

yum downgrade --noplugins nethserver-dc
systemctl stop nsdc
cd /var/lib/machines/ ; mv nsdc nsdc.old
restore-config

Thank you for sharing the workaround.
