activate smb1

codin

Cadet
Hello guys, I have a problem accessing the shares from an old Linux, and I searched the forum and the guide for how to activate SMB1. After a lot of digging I found this option, which is not posted in any thread, and even in the Guide I didn't find it! (But I did find advice that it is deprecated and that it is recommended not to activate it!)
For old systems like old Ubuntu to work, after you activate the Windows Share (SMB), go to Services, SMB (edit), and there you have "Enable SMB1 support".
I decided to write this after spending a long time finding out why I can't access the share from old Ubuntu, but can access it from Windows without any problem.
 

jgreco

Resident Grinch
codin said:
> I decided to write this after spending a long time finding out why I can't access the share from old Ubuntu,

Because you're supposed to keep your Ubuntu system up to date, just like Windows is doing automatically.
 

codin

Cadet
On a LAN without internet and with no external connection (closed circuit), there is no chance for internet! In my case internet is forbidden in SCADA or essential services in the airport!
 

jgreco

Resident Grinch
codin said:
> no chance for internet!

Easily resolved. There's this thing we used to call sneakernet. You burn a DVD somewhere where there is Internet access, then put the DVD into the airgapped system.

There's a problem with airgap strategies, in that failing to address security issues by pretending that the lack of Internet access makes you safe is very dangerous; all it takes is some lummox hooking up an infected laptop to your network. As exploits have gotten more sophisticated, actively scanning for vulnerabilities, this becomes similar to leaving your user/root accounts with an empty password. Sure, maybe you think that it is impossible that someone will errantly try hooking up to get Internet from your network, and hopefully you're even correct, but it is still a risk.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
If I can put on my "Enterprise Hat" for a moment.

Updating using offline repositories burned to DVD (preferably the official installation media or repository bundle, if this is a controlled-access airgap) is the likely answer here as proposed by @jgreco - but as this environment likely has very tight controls regarding updates to its systems be absolutely sure that you've gone through any necessary change-control measures in place at your organization first, before bringing in your own USB DVD drive and forging ahead.
 

jgreco

Resident Grinch
HoneyBadger said:
> but as this environment likely has very tight controls regarding updates to its systems be absolutely sure that you've gone through any necessary change-control measures in place at your organization first, before bringing in your own USB DVD drive and forging ahead.

The same thing could be said for enabling SMB1 support.

Microsoft has advised customers to stop using SMBv1 because it is extremely vulnerable and full of known exploits.
 

codin

Cadet
Guys, some automation systems are using Windows 95 and the app doesn't work on any other OS. What update, and what else, if the circuits are physically separated from the internet, and also in the equipment room and in the patch cables it is forbidden to cross other UTP/FTP/etc. lines with internet on them! I know that for some of you this is crazy, but everything has been working nicely for a long time... uptime on some systems is more than 10 years without any error... I just need to stop the systems because at a visual inspection I saw some capacitors that are a little inflated and I need to completely replace the mainboard with one of the same characteristics, Pentium 3....
 

jgreco

Resident Grinch
(as the Church Lady:) Well isn't that fragile.

What's going to happen when something catastrophic happens here? You're not going to be able to replace hardware, you're not going to be able to activate Windows, and when something Stux-like stampedes through your systems and destroys everything, you're going to be in trouble. Windows 95 has been deprecated by Windows 98 has been deprecated by Windows XP has been deprecated by Windows Vista has been deprecated by Windows 7 has been deprecated by Windows 8 has been deprecated by Windows 10, which is now being replaced by Windows 11. That sounds like a nightmare.
 

somethingweird

Contributor
my thoughts -

Instead of running SMB1 directly from TrueNAS - with a little work run it on a separate JAIL/container for SMB1 - limit the access via IP/username (add firewall rules for outbound/inbound also, and whatever else you can think of or have) and limit the shared folders - keep it less exposed.
 

codin

Cadet
jgreco said:
> (as the Church Lady:) Well isn't that fragile.
>
> What's going to happen when something catastrophic happens here? You're not going to be able to replace hardware, you're not going to be able to activate Windows, and when something Stux-like stampedes through your systems and destroys everything, you're going to be in trouble. Windows 95 has been deprecated by Windows 98 has been deprecated by Windows XP has been deprecated by Windows Vista has been deprecated by Windows 7 has been deprecated by Windows 8 has been deprecated by Windows 10, which is now being replaced by Windows 11. That sounds like a nightmare.

:)) I see you haven't worked in automation. Even these days the manufacturers use Pentium 1 or Pentium 2, or very rarely a Raspberry, in new systems. For example, just google "kaba gates" or "vanderlande Conveyors" ... you will understand why they are using P1 or P2 instead of very high-speed systems. (The data processed in a full day is less than 20mb for a single finger, or a gate.)
 

anodos

Sambassador
iXsystems
somethingweird said:
> my thoughts -
>
> Instead of running SMB1 directly from TrueNAS - with a little work run it on a separate JAIL/container for SMB1 - limit the access via IP/username (add firewall rules for outbound/inbound also, and whatever else you can think of or have) and limit the shared folders - keep it less exposed.

The second Samba instance wouldn't have same state files (for implementing oplocks, leases, file change notification, and other SMB features). This may be problematic, or at least would require some careful testing on the sysadmin's side.
 

somethingweird

Contributor
anodos said:
> The second Samba instance wouldn't have same state files (for implementing oplocks, leases, file change notification, and other SMB features). This may be problematic, or at least would require some careful testing on the sysadmin's side.

Oh! didn't think of that. I was thinking of isolating the shared files/folders from the SMB service of truenas - and running from the jail/container only for those SMB1 clients.
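
Added example (not written by anyone in the thread): a small audit of an `smb.conf` for the restrictions somethingweird suggests, reporting which shares are left open when SMB1 is enabled. It assumes SMB1 is switched on through Samba's `server min protocol`; the share name, path, address and account in the two sample configs are constructed.

```python
import configparser

# Values of "server min protocol" that leave SMB1 (or older dialects) enabled.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def audit_smb_conf(text):
    """Return findings for an smb.conf that offers SMB1; [] if SMB1 is off."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    # smb.conf keys are usually indented; strip so they are not parsed as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = cp["global"] if cp.has_section("global") else {}
    # Assumption: an unset value means the Samba 4.11+ default, SMB2_02.
    min_proto = glob.get("server min protocol", "SMB2_02").upper()
    if min_proto not in SMB1_DIALECTS:
        return []
    findings = [f"global: SMB1 enabled (server min protocol = {min_proto})"]
    for share in cp.sections():
        if share == "global":
            continue
        # Share settings fall back to [global], as in Samba.
        get = lambda key, s=cp[share]: s.get(key) or glob.get(key)
        if not get("hosts allow"):
            findings.append(f"{share}: no 'hosts allow', reachable from any address")
        if not get("valid users"):
            findings.append(f"{share}: no 'valid users', any authenticated account may connect")
        if (get("guest ok") or "no").lower() in ("yes", "true", "1"):
            findings.append(f"{share}: guest access allowed")
    return findings

# Constructed sample: SMB1 on, share left wide open.
EXPOSED = """
[global]
    server min protocol = NT1
[legacy]
    path = /mnt/tank/legacy
    guest ok = yes
"""

# Constructed sample: SMB1 on, but limited by client IP, username and share.
RESTRICTED = """
[global]
    server min protocol = NT1
[legacy]
    path = /mnt/tank/legacy
    hosts allow = 10.20.0.15
    valid users = scada_ro
    guest ok = no
"""

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("RESTRICTED", RESTRICTED)):
        print(name, *audit_smb_conf(conf), sep="\n  ")
```

The restricted config still reports the global SMB1 finding: the limits narrow who can reach the SMB1 listener, they do not remove the protocol's weaknesses.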
 