Running a Samba server, I guess it is a good idea to require encryption and SMB3. So I tried setting these two options in /etc/samba/smb.conf (see documentation) in the [global] section:

smb encrypt = mandatory
min protocol = SMB3

After a sudo systemctl restart smbd.service, the shares could no longer be listed in Thunar and I got the following error on the command line:

$ smbclient -U myuser -L //myserver
Unable to initialize messaging context
Enter WORKGROUP\myuser's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    myshare1        Disk      my comment1
    myshare2        Disk      my comment2
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Without the additional lines in smb.conf there is also the "Unable to initialize messaging context" message (whatever that means...) but the SMB1 warning is not there:

$ smbclient -U myuser -L //myserver
Unable to initialize messaging context
Enter WORKGROUP\myuser's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    myshare1        Disk      my comment1
    myshare2        Disk      my comment2
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            MYCLIENTHOSTNAME

After experimenting for a very long time, I noticed that SMB3_11 is actually chosen automatically as it should:

$ smbclient -d10  -U myuser -L //myserver 2>&1 | grep SMB      
 negotiated dialect[SMB3_11] against server[myserver]
signed SMB2 message
Reconnecting with SMB1 for workgroup listing.

But it seems as if there is some SMB1 and SMB2 thing being used later on. I assume this is only used for listing or so, because Thunar can connect without problem by entering the URL smb://myserver/myshare1 directly. Only smb://myserver/ is empty with the restricted smb.conf.

Is it a good idea to put these two lines into smb.conf to avoid unencrypted connections in our large LAN (external users are also allowed to connect)? Any solution for the broken listing for Linux users? Will this work on >= Windows 8?

Update: I think I slightly misunderstood the symptoms. Actually the additional lines work fine. smbclient can also list the shares, but Thunar cannot for some reason.

Update 2: It seems as if Thunar is not able to list shares without SMB1, but I don't understand why.

lumbric
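
The two smbclient outcomes quoted in the question can be told apart mechanically. The following is an added example, not part of the original post: it reads smbclient -d10 output and reports the negotiated dialect and whether the SMB1 reconnect for workgroup listing was refused or accepted. The function names and the sample text are constructed for illustration from the messages shown above.

```shell
#!/bin/sh
# Added example (not from the original post). The sample text below is
# constructed from the smbclient messages quoted in the question.

sample_restricted() {    # server with "min protocol = SMB3"
cat <<'EOF'
 negotiated dialect[SMB3_11] against server[myserver]
signed SMB2 message
    myshare1        Disk      my comment1
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
EOF
}

sample_unrestricted() {  # same server without the two extra lines
cat <<'EOF'
 negotiated dialect[SMB3_11] against server[myserver]
    myshare1        Disk      my comment1
Reconnecting with SMB1 for workgroup listing.
    WORKGROUP            MYCLIENTHOSTNAME
EOF
}

# Reads smbclient output on stdin and prints one summary line:
#   dialect=<name|unknown> smb1_browse=<not_attempted|refused|accepted>
classify_smbclient() {
  awk '
    /negotiated dialect\[/ {
      d = $0
      sub(/.*negotiated dialect\[/, "", d)   # drop everything up to "["
      sub(/\].*/, "", d)                     # drop "]" and the rest
      dialect = d
    }
    /Reconnecting with SMB1/                    { attempted = 1 }
    /No compatible protocol selected by server/ { refused = 1 }
    /Unable to connect with SMB1/               { refused = 1 }
    END {
      if (dialect == "") dialect = "unknown"
      state = "not_attempted"
      if (attempted) state = refused ? "refused" : "accepted"
      printf "dialect=%s smb1_browse=%s\n", dialect, state
    }'
}

sample_restricted   | classify_smbclient
sample_unrestricted | classify_smbclient
```

Against a live server the function can be fed with smbclient -d10 -U myuser -L //myserver 2>&1. A result of smb1_browse=refused next to an SMB3 dialect means the share listing ran over SMB3 and only the SMB1 reconnect was rejected, while smb1_browse=accepted means the server still answers SMB1.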