Is SMBv1 Required to join Freenas to AD?


fullspeed

Contributor
I'm currently on: FreeNAS-9.3-STABLE-201605170422 / Fresh Install

I have eight FreeNAS boxes set up which have been running for a long while without reboots and they can query the domain happily, but my new box I cannot get to join AD for the life of me.

It didn't take me long to figure out that someone disabled SMBv1 on the DCs because of a major security bug. OK, fair enough. Is it simply not possible to join without SMBv1? If not, should I just use LDAP, or will that be broken as well?

I've searched many threads but everyone just ends up enabling SMBv1, that's not an option in my case.

Thanks!
 

Ericloewe

Server Wrangler
Moderator
That sounds very weird. My guess is "no", but I don't know where to begin looking into this.
 

anodos

Sambassador
iXsystems
SMB1 is not required. You might want to review logs under /var/log/samba4/log.wb-* and on your DC to figure out why the join is failing.
 

fullspeed

Contributor
I can take a look, but I confirmed that once I turned SMBv1 back on, all my FreeNAS boxes were able to authenticate (Set-SmbServerConfiguration -EnableSMB1Protocol $true).

I tried everything to get it working, and the only thing that fixed it was re-enabling SMBv1 on my DCs.

Vulnerability notes here:
https://community.tenable.com/thread/11156
 

anodos

Sambassador
iXsystems
I'll take a look at it, but I probably won't have free time until Monday.
 

fullspeed

Contributor
No problem. In the meantime I'll just enable/disable it with PowerShell if I need to reboot these boxes.
 

anodos

Sambassador
iXsystems
Per the Tenable thread, I removed SMB1 from the DCs on my network via the PowerShell command Remove-WindowsFeature FS-SMB1. This broke the AD connection for my CentOS 6.8 server, so it definitely knocked out SMB1.

Rebooted FreeNAS-9.10.2-U1. wbinfo -u and wbinfo -t returned expected results. Server stayed joined to the domain.

Rebooted FreeNAS-9.3. wbinfo -u and wbinfo -t failed. Server no longer on the domain. I didn't have much time to troubleshoot the reasons why it wasn't working (FreeNAS 9.10 seems to be less capricious in this regard).

Conclusion: SMB1 on DC is required for legacy samba installs, and possibly for FreeNAS 9.3.

Best course of action - test upgrading to 9.10.
 

anodos

Sambassador
iXsystems
I'm still not very happy with this conclusion. I ran out of time for testing and will test again in a week or so when I have some free time.
 

SweetAndLow

Sweet'NASty
Seems like a pretty darn good reason. Especially since no one should be using 9.3 anymore. It's end of life, so it probably has worse security issues than that AD problem.
 

anodos

Sambassador
iXsystems
Some samba security fixes were backported to 9.3, but it's a good idea to upgrade. The winbind component of samba creates an IPC$ connection to the AD DC to handle domain joins. In samba 4.3.13, client ipc max protocol defaults to SMB3_11, and the servers should automatically negotiate the proper protocol. There were various fixes in samba between 4.3.6 -> 4.4.5 related to IPC$ connections. I guess it's possible that they're for some reason being downgraded to SMB1. The OP can try forcing SMB2 or higher for IPC$ connections using the global auxiliary parameter client ipc min protocol = SMB2

The parameter client ipc min/max protocol was introduced to address CVE-2016-2115. I'm not sure if the samba build in 9.3 includes this fix. If not, then the proper parameters to control IPC$ connection protocols will be client min protocol and client max protocol.
 
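As an added example for the last point above (this is not code from the thread, from FreeNAS or from Samba), a small POSIX shell helper that picks the right auxiliary parameter for the local Samba build and checks whether an smb.conf already pins a floor for the IPC$ connection. It assumes that `testparm -sv` lists every global parameter the build knows (including ones left at their default), so a Samba predating the CVE-2016-2115 fix simply will not list client ipc min protocol and has to fall back to the generic client min protocol. The sample parameter dump embedded below is constructed, not captured from a real FreeNAS box.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Decide which smb.conf parameter keeps winbind's IPC$ connection to the
# AD DC off SMB1, based on the parameter names this Samba build knows.

# Read a `testparm -sv` dump on stdin and print the [global] line to add.
# Assumption: a build that has the CVE-2016-2115 fix lists
# "client ipc min protocol" in the verbose dump; an older build does not.
ipc_min_protocol_params() {
    if grep -qi '^[[:space:]]*client ipc min protocol' ; then
        printf 'client ipc min protocol = SMB2\n'
    else
        # Legacy build: no IPC$-specific knob exists, so the generic client
        # floor is the only option. Note this also affects every other
        # outbound connection smbclient/winbind makes, not just IPC$.
        printf 'client min protocol = SMB2\n'
    fi
}

# Read an smb.conf on stdin and print "set" if it already pins a minimum
# protocol for IPC$, else "unset". Parameter names are case-insensitive and
# whitespace around them is ignored by Samba, so normalise before matching;
# commented lines (# or ;) start with the comment character after the
# normalisation and therefore do not match.
ipc_floor_state() {
    if tr -d ' \t' | grep -qi '^clientipcminprotocol=' ; then
        echo set
    else
        echo unset
    fi
}

# Constructed sample of the relevant `testparm -sv` lines on a patched build
# (not real output). On a live box run instead:
#   testparm -sv 2>/dev/null | ipc_min_protocol_params
SAMPLE_DUMP='	client ipc max protocol = default
	client ipc min protocol = default
	client min protocol = CORE'

printf '%s\n' "$SAMPLE_DUMP" | ipc_min_protocol_params
```

The line the first function prints goes into the FreeNAS "Auxiliary parameters" field for the SMB service (which lands in [global]); after restarting the service, `wbinfo -t` is the quickest check that the trust-account connection to the DC still works without SMB1.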