Cannot connect to SMB server when min protocol = SMB2 is set

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-10, 02:01 UTC

Thank you for your answer.

I don't think it's related to the firewall.
The Samba server's version is 4.3.11 and it's on Ubuntu Server.
If I turn on "min protocol = smb2", only MS Windows's file manager can connect to the server; neither Android (Total Commander) nor Ubuntu's file managers (Dolphin, Nautilus, etc.) can.
I haven't tried the Linux smbclient tool.

I don't know what the problem is. I'll stick to smb1 for now.

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-10, 02:23 UTC

I changed the settings for the Samba server, but no luck.
This error message might help to find the cause?

smb.conf

client min protocol = SMB2_02

Total Commander's error message

Server Connect Error?(Actually it is "서버 연결 오류!" in Korean)
STATUS_ACCESS_DENIED(3221225506/322122///LAN/mySambaServer

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-10, 10:20 UTC

I have tried with a Raspberry PI 3 running the latest Raspbian Stretch. It works with both Samba 4.5.8 and now 4.5.12 after apt-get update/upgrade.

I have tried with both
min protocol = smb2
and
min protocol = smb2_02

Using just
client min protocol = SMB2_02
has no effect here, I can still connect with SMB1 when I use that.
Author of Total Commander
http://www.ghisler.com
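
An added example, not part of the thread and not code from Samba or Total Commander: a small smb.conf check for the distinction the posts above run into. `client min protocol` only constrains connections Samba itself makes as a client, while `min protocol` (a synonym of `server min protocol`) sets the lowest dialect the server accepts. The function names, the finding codes and the assumed pre-4.11 server default of `LANMAN1` are assumptions of this example.

```python
# Dialect names accepted by smb.conf, weakest first; SMB2/SMB3 are aliases.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10",
            "SMB2_22", "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
ASSUMED_DEFAULT_MIN = "LANMAN1"  # assumption: server default before Samba 4.11

# Constructed input: only the client-side option is set.
CLIENT_ONLY = """\
[global]
client min protocol = SMB2_02
"""

# Abridged from the smb.conf posted later in the thread.
THREAD_CONF = """\
[global]
map to guest = bad user
min protocol = SMB2_10
client min protocol = SMB2_10

[S_Secured]
path = /var/samba_share
valid users = abcduser
guest ok = no
"""

def rank(value):
    """Position of a dialect name in DIALECTS (raises ValueError if unknown)."""
    name = value.strip().upper()
    return DIALECTS.index(ALIASES.get(name, name))

def global_params(conf_text):
    """Return [global] parameters keyed by lower-cased, space-normalised name."""
    section, params = "global", {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(conf_text):
    """Return finding codes for the server-side protocol floor and guest mapping."""
    p = global_params(conf_text)
    server_min = p.get("server min protocol", p.get("min protocol"))
    findings = []
    if server_min is None and "client min protocol" in p:
        findings.append("client-min-only")   # server floor left at its default
    if rank(server_min or ASSUMED_DEFAULT_MIN) < rank("SMB2_02"):
        findings.append("smb1-accepted")     # NT1 and older dialects still negotiate
    if p.get("map to guest", "never").lower() == "bad user":
        findings.append("guest-fallback")    # unknown user names become guest sessions
    return findings
```

`audit(CLIENT_ONLY)` reports both `client-min-only` and `smb1-accepted`; the thread's configuration reports only `guest-fallback`.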

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-12, 14:12 UTC

It was a false alarm. It works well on Ubuntu 16.04 and Samba 4.3.11.
Making a new setting in T.C's LAN plugin is the point.

Please ignore the lines below.

I tried with several SBCs with a few distributions, then I came to this conclusion.

Ubuntu Server 16.04(Armbian/CubieTruck or VirtualBox) / Samba 4.3.11 - T.C LAN plugin not Connectable.
Ubuntu Server 17.10(VirtualBox) / Samba 4.6.7 - T.C LAN plugin Connectable.
Debian Server Stretch(Raspbian) / Samba 4.5.12 - T.C LAN plugin Connectable.
** Ubuntu Server 16.04(Armbian/OrangePi) / Samba 4.6.7 - T.C LAN plugin not Connectable.

MS Windows 10 can connect all the Samba servers above.

I am using Ubuntu Server 16.04 and Samba 4.3.11 (actually it is Armbian with OrangePi), so I could not connect to the server with the T.C LAN plugin.
I'll find a way to use Debian for my SBCs.

Anyway, thank you for your help!
Last edited by nemonein on 2017-11-15, 04:30 UTC, edited 3 times in total.

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-12, 14:35 UTC

Thanks for your tests! Did you receive any more meaningful error messages than "cannot connect"? I looked in the sshj library error tracker, but couldn't find ANY connection issues to Linux/Samba servers:
https://github.com/hierynomus/sshj/issues?page=2&q=is%3Aissue+is%3Aopen
Author of Total Commander
http://www.ghisler.com

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-13, 04:27 UTC

No more error messages for T.C. I attached samba server's error log below.

Here's my working smb.conf. (If I run it on Ubuntu 17.10 or Debian stretch)


[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = xxxyyy
security = user
map to guest = bad user
dns proxy = no

max protocol = SMB3
min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10

#============================ Share Definitions ============================== 

[S_Secured]
path = /var/samba_share
valid users = abcduser
guest ok = no
writable = yes
browsable = yes

I'm not quite sure, but only "SMB2_10" worked for me (not SMB2, SMB2_2).

This is the most important thing: if smb2 is used, authentication is a must. Anonymous shares do not work with smb2.
It means 'valid users', 'guest ok' in smb.conf, and creating a user with smbpasswd are all needed.

I run Samba with the above smb.conf on Ubuntu 16.04, and I try to connect to it from T.C.
Here's the log of the Samba server when T.C could not connect to Samba.

[2017/11/13 13:06:29.084534,  3] ../source3/smbd/oplock.c:1328(init_oplocks)
  init_oplocks: initializing messages.
[2017/11/13 13:06:29.085170,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 61 (0 toread)
[2017/11/13 13:06:29.085554,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 7802) conn 0x0
[2017/11/13 13:06:29.096660,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [SMB 2.002]
[2017/11/13 13:06:29.097125,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [SMB 2.???]
[2017/11/13 13:06:29.098155,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2017/11/13 13:06:29.098416,  5] ../source3/auth/auth.c:491(make_auth_context_subsystem)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2017/11/13 13:06:29.098651,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend trustdomain
[2017/11/13 13:06:29.098886,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'trustdomain'
[2017/11/13 13:06:29.099071,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend ntdomain
[2017/11/13 13:06:29.099250,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'ntdomain'
[2017/11/13 13:06:29.099413,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend guest
[2017/11/13 13:06:29.099576,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'guest'
[2017/11/13 13:06:29.099734,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam
[2017/11/13 13:06:29.099897,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam'
[2017/11/13 13:06:29.100055,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam_ignoredomain
[2017/11/13 13:06:29.100221,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam_ignoredomain'
[2017/11/13 13:06:29.100381,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend winbind
[2017/11/13 13:06:29.100543,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'winbind'
[2017/11/13 13:06:29.100700,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend unix
[2017/11/13 13:06:29.100904,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'unix'
[2017/11/13 13:06:29.101068,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend wbc
[2017/11/13 13:06:29.101232,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'wbc'
[2017/11/13 13:06:29.101389,  5] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2017/11/13 13:06:29.101555,  5] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2017/11/13 13:06:29.101720,  5] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2017/11/13 13:06:29.101885,  5] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2017/11/13 13:06:34.149229,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2017/11/13 13:06:34.149629,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2017/11/13 13:06:34.149824,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2017/11/13 13:06:34.150001,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'spnego' registered
[2017/11/13 13:06:34.150179,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'schannel' registered
[2017/11/13 13:06:34.150354,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2017/11/13 13:06:34.150599,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2017/11/13 13:06:34.150786,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2017/11/13 13:06:34.150965,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2017/11/13 13:06:34.151142,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'http_basic' registered
[2017/11/13 13:06:34.151323,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2017/11/13 13:06:34.151502,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'krb5' registered
[2017/11/13 13:06:34.151679,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2017/11/13 13:06:34.152628,  3] ../source3/smbd/negprot.c:744(reply_negprot)
  Selected protocol SMB 2.???
[2017/11/13 13:06:34.161236,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/11/13 13:06:34.161482,  5] ../source3/auth/auth.c:491(make_auth_context_subsystem)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2017/11/13 13:06:34.161680,  5] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2017/11/13 13:06:34.161859,  5] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2017/11/13 13:06:34.162028,  5] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2017/11/13 13:06:34.162197,  5] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2017/11/13 13:06:34.175629,  5] ../source3/auth/auth.c:491(make_auth_context_subsystem)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2017/11/13 13:06:34.175897,  5] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2017/11/13 13:06:34.176079,  5] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2017/11/13 13:06:34.176250,  5] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2017/11/13 13:06:34.176419,  5] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2017/11/13 13:06:34.177315,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe0888215
[2017/11/13 13:06:34.195094,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[] len1=0 len2=162
[2017/11/13 13:06:34.195511,  3] ../source3/param/loadparm.c:3817(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/11/13 13:06:34.196082,  3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2017/11/13 13:06:34.196902,  3] ../source3/param/loadparm.c:2746(lp_do_section)
  Processing section "[global]"
[2017/11/13 13:06:34.198029,  2] ../source3/param/loadparm.c:2763(lp_do_section)
  Processing section "[Torrent]"
[2017/11/13 13:06:34.198688,  2] ../source3/param/loadparm.c:2763(lp_do_section)
  Processing section "[S_Secured]"
[2017/11/13 13:06:34.199454,  3] ../source3/param/loadparm.c:1586(lp_add_ipc)
  adding IPC service
[2017/11/13 13:06:34.199851,  5] ../source3/auth/auth_util.c:123(make_user_info_map)
  Mapping user []\[] from workstation []
[2017/11/13 13:06:34.200057,  5] ../source3/auth/auth_util.c:144(make_user_info_map)
  Mapped domain from [] to [xxxyyy] for user [] from workstation []
[2017/11/13 13:06:34.200236,  5] ../source3/auth/user_info.c:62(make_user_info)
  attempting to make a user_info for  ()
[2017/11/13 13:06:34.200402,  5] ../source3/auth/user_info.c:70(make_user_info)
  making strings for 's user_info struct
[2017/11/13 13:06:34.200627,  5] ../source3/auth/user_info.c:108(make_user_info)
  making blobs for 's user_info struct
[2017/11/13 13:06:34.200799,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[]@[] with the new password interface
[2017/11/13 13:06:34.200966,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [xxxyyy]\[]@[]
[2017/11/13 13:06:34.201405,  5] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_
[2017/11/13 13:06:34.201669,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user '' in passdb.
[2017/11/13 13:06:34.201843,  5] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/11/13 13:06:34.202176,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/11/13 13:06:34.202364,  3] ../source3/auth/auth_util.c:1610(do_map_to_guest_server_info)
  No such user  [] - using guest account

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-13, 15:00 UTC

pdb_getsampwnam (TDB): error fetching database.
Key: USER_
[2017/11/13 13:06:34.201669, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user '' in passdb.

It looks like the server doesn't get a user name! It tries to look up the empty user, which fails.

Are you sure you filled in the "User name" field in the LAN plugin?
Author of Total Commander
http://www.ghisler.com
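
The pattern pointed out in the post above (an empty user name reaching the server, followed by the guest fallback at the end of the posted log) can be picked out of an smbd log mechanically. This is an added example, not code from the thread or from Samba; it assumes a log covering one client at a time in the level 3 to 5 format shown in the thread, and all function names are this example's own.

```python
import re

# Constructed sample. The first session reuses lines from the log posted in the
# thread; the second (a named user with a wrong password) is invented for contrast.
SAMPLE_LOG = """\
[2017/11/13 13:06:34.161236,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/11/13 13:06:34.195094,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[] len1=0 len2=162
[2017/11/13 13:06:34.202176,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/11/13 13:06:34.202364,  3] ../source3/auth/auth_util.c:1610(do_map_to_guest_server_info)
  No such user  [] - using guest account
[2017/11/13 13:09:10.000001,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/11/13 13:09:10.000002,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[abcduser] domain=[WORKGROUP] workstation=[phone] len1=24 len2=162
[2017/11/13 13:09:10.000003,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [abcduser] -> [abcduser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] \S+\((?P<func>\w+)\)\s*$")
SELECTED = re.compile(r"Selected protocol (.+)")
PREAUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
FAILED = re.compile(r"FAILED with error (NT_STATUS_\w+)")

def records(text):
    """Yield (timestamp, function, message); indented lines continue a record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["func"], ""]
        elif current and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def logon_attempts(text):
    """Tie each NTLMSSP user name to the dialect, failure status and guest fallback."""
    protocol, attempts = None, []
    for ts, func, msg in records(text):
        if m := SELECTED.search(msg):
            protocol = m[1]
        elif func == "ntlmssp_server_preauth" and (m := PREAUTH.search(msg)):
            attempts.append({"time": ts, "protocol": protocol, "user": m[1],
                             "status": None, "guest": False})
        elif attempts and (m := FAILED.search(msg)):
            attempts[-1]["status"] = m[1]
        elif attempts and func == "do_map_to_guest_server_info":
            attempts[-1]["guest"] = True
    return attempts

def empty_user_guest_fallbacks(text):
    """Attempts where the client sent no user name and smbd mapped it to guest."""
    return [a for a in logon_attempts(text) if a["user"] == "" and a["guest"]]
```

On the sample, only the first session is returned by `empty_user_guest_fallbacks`; the second shows up in `logon_attempts` as an ordinary failed logon for a named user.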

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-13, 15:20 UTC

Yes, I did fill the "User Name" field.

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-13, 16:20 UTC

Then why does your server report an empty name? It doesn't make any sense. :(
Author of Total Commander
http://www.ghisler.com

hlloyge
Member
Posts: 115
Joined: 2006-11-02, 23:14 UTC

Post by *hlloyge » 2017-11-13, 21:45 UTC

Yeah, similar problems. I am using Kodibuntu with an old version of Ubuntu underneath - Ubuntu 14.04.5 LTS. Can't connect to SMB shares there with the TCMD Android LAN plugin. Funny thing, I can connect with Android Samba Client, a new application from Google; you can find it here:
https://play.google.com/store/apps/details?id=com.google.android.sambadocumentsprovider
They have sources on GitHub. It is supposed to "create" some "folder" in Downloads visible with something called the 'Downloads' application, but I can't see that as I have a Samsung mobile phone and their file manager.
My SMB shares don't have any password, as they are local and read-only, inaccessible from anywhere but my local LAN. And I want them to stay that way. Mr. Ghisler, can you make use of this program, or at least add support for showing its mounted shares inside Total Commander on Android?

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-14, 02:47 UTC

@ghisler
I have no idea why that happens. It's weird, but it is the problem of Samba with Ubuntu 16.04.
Or could it be the problem of my Android devices (5.x)?

@hlloyge
I wish I could try the application, but it supports only android 6 and up. My android devices stay in Android 5.x.

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-14, 07:19 UTC

I think I've found what causes this.
I'll post it later.

I have to tell you this first, "Now it works fine." on Ubuntu 16.04.

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-14, 16:30 UTC

Is there anything I can do to make it work with Ubuntu 16.04 without needing your change?
Author of Total Commander
http://www.ghisler.com

nemonein
Junior Member
Posts: 15
Joined: 2013-05-11, 05:40 UTC

Post by *nemonein » 2017-11-15, 04:25 UTC

I think you need to do something.
The reason why I failed to connect to the modified (smb1 ➙ smb2) Samba server is that I used the previous settings in T.C.

To make a long story short, creating a new setting for the Samba server works well. Using the previous (also modified) setting does not work.

Here's the long story. The server I used here is Ubuntu 16.04 and Samba 4.3.11.
  1. I configured the Samba server with smb1, no authentication (no user ID, no password).
  2. In T.C, I made a setting for the Samba server (#1), named it 'Samba_1', set the server name to its IP address (192.168.x.x), and left the user ID and password fields empty.
I used the Samba server and T.C until the LAN plugin was upgraded to 3.x.
After the LAN plugin was upgraded to 3.x, I did the following.
  3. I reconfigured the smb.conf file on the Samba server by adding smb2-related lines.
  4. Because smb2 needs authentication, I created a password with 'smbpasswd'. That's all for the Samba setting.
  5. I changed the setting 'Samba_1' in T.C's LAN plugin, turned on SMB2 (check box), and added the user name and password made in #4.
After these steps, I tried to connect to Samba from T.C using the 'Samba_1' setting.
And you know the result: it failed. (No user error. "Couldn't find user '' in passdb.")

I thought it was related to Ubuntu or Samba, so I tried with a new Ubuntu (17.10), then I 'CREATED' a new setting (let's say it's Samba_2) in T.C's LAN plugin for the modified Samba server.
That was the point. Because it works fine, I thought there might be problems in Ubuntu 16.04.

I couldn't connect to the modified (smb1 -> smb2) Samba server using the previous setting in T.C.
If I make a new setting for the Samba server, it works fine.

Maybe the LAN plugin does not detect the setting's status?

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-15, 16:56 UTC

Did you perhaps have "older NAS compatibility" option checked? If this is checked, the SMB2 option will be ignored because the two are exclusive (you can't have both at the same time).

Also SMB2 is now disabled by default for older connections, it has to be checked manually. I changed this in 3.01 (in 3.0, SMB2 was on by default) so older connections don't get broken by the update when the server doesn't support SMB2.
Author of Total Commander
http://www.ghisler.com
