Correct SMB level for Legacy and Modern Wintel OS's

Status
Not open for further replies.

CRUNCHIE_77

Cadet
Joined
Nov 26, 2018
Messages
3
Hi

I am having one of those bang-your-head moments. I have just built a new FreeNAS 11.1 U6 appliance which is connected to Active Directory.

So far all good!

However I am having an issue with SAMBA levels. I require legacy (Windows 2003 / XP devices) to connect to the shares to write data. Setting minimum version to NT1 and Maximum to SMB3 resolves this issue. Until I set this I could not even browse to the shares from legacy machines. On these devices I have also set NTLMv2 in security policy as "Send NTLMv2 responses only. Refuse LM & NTLM"

However then the corporate domain connected Windows 8 devices (which have SMBv1 disabled) do not connect.

I have other W12r2 servers that are part of the domain but not centrally controlled (so different GPO) and they cannot connect either, nor can a standalone Windows 10 device.

If I set minimum to SMBv2 the Windows 8 devices etc are OK but then the Legacy devices of course cannot connect.

I need to have the best of both worlds as the Legacy devices will be backing up to it.

I have tried setting the maximum to say SMB2_10 but still no good, the corporate devices are refusing to connect. I would have thought that a client device would start with the highest then work its way down. Odd why the W12r2 boxes are OK.

Note I have no bearing of changing any of the GPO's for the Windows 8 devices as they are centrally controlled. I can change anything else.

I am happy to have say a SAMBA share for legacy and a SAMBA share for SMBv2 upwards if that is possible (I don't think it is but I know nothing!)

Any ideas? Attached is the SMB4.conf file
 

Attachments

  • smb4.txt
    3 KB · Views: 369
Joined
Jul 3, 2015
Messages
926
Try changing 'ntlm auth = no' to 'ntlm auth = yes'

PS: Get it so your more modern devices can connect and then add the above line to allow older devices in.
 

CRUNCHIE_77

Cadet
Joined
Nov 26, 2018
Messages
3
Thanks for the responses

Hi Johnny, sorry no difference in setting NTLM to yes (all my clients if you recall are set to use NTLMv2 only anyway).

m0nkey, my issue is that when I set NT1 as minimum my legacy devices connect but my modern devices do not. Unfortunately as I am running NT1 already that has made no difference.

upload_2018-11-26_15-1-25.png
 
Joined
Jul 3, 2015
Messages
926
I'm not sure if 11-1 U6 or even earlier 11-1 versions makes this redundant but it had been the case that if you wanted old Linux and XP machines to connect that can't do SMB2 or higher then adding 'ntlm auth = yes' to your samba config fixes this.

https://redmine.ixsystems.com/issues/21946

Well it does for me anyhow. If you have told your clients NTLMv2 only then I guess it won't work. Any chance you could try not telling them that?

PS: Looks like this is a checkbox in 11/11-1 versions.
 

CRUNCHIE_77

Cadet
Joined
Nov 26, 2018
Messages
3
Good call as I can modify that. I set the legacy machine back to NTLM but unfortunately no cigar.

:-(
 
Joined
Jul 3, 2015
Messages
926
Have you tried restarting samba after you have set the checkbox for NTLMv1 auth?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
In my experience W98SE2 clients use SMB1. So anything newer than that should not require a protocol lower than that.
W98 -> XP / 2003 = NT1
Vista / 2008 = SMB2_02
W7 = SMB2_10

Dropping the max protocol is usually a bad idea. Windows SMB clients don't like it when you drop the max supported protocol on them.
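
Added example, not part of any post in this thread: a small audit of a Samba `[global]` section that reports which client generations from the table above fall inside the configured protocol range, and flags the settings discussed here that weaken the server (SMB1 offered, NTLMv1 accepted, max protocol capped). The sample config is constructed, and the defaults used when a parameter is unset are assumptions to adjust for your Samba version.

```python
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # Samba shorthand names
# Client generation -> dialect, copied from the table in the thread
CLIENTS = {"W98 -> XP / 2003": "NT1", "Vista / 2008": "SMB2_02", "W7": "SMB2_10"}

# Constructed sample, not the smb4.txt attached to the thread
SAMPLE_CONF = """\
[global]
    server min protocol = NT1
    server max protocol = SMB3
    ntlm auth = no
[backup]
    path = /mnt/tank/backup
"""

def parse_global(text):
    """Return [global] parameters with lower-cased, space-normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def rank(name):
    name = name.upper()
    return DIALECTS.index(ALIASES.get(name, name))

def audit(text):
    """Return (client generations inside the range, list of findings)."""
    p = parse_global(text)
    # Fallback values below are assumed defaults, not taken from the thread
    lo = rank(p.get("server min protocol", p.get("min protocol", "CORE")))
    hi = rank(p.get("server max protocol", p.get("max protocol", "SMB3")))
    reachable = [c for c, d in CLIENTS.items() if lo <= rank(d) <= hi]
    findings = []
    if lo <= rank("NT1"):
        findings.append("SMB1 (NT1) is offered to every client, not only legacy ones")
    if p.get("ntlm auth", "no").lower() in ("yes", "ntlmv1-permitted"):
        findings.append("NTLMv1 authentication is accepted")
    if hi < rank("SMB3_00"):
        findings.append("max protocol is capped below SMB3")
    return reachable, findings
```

Run `audit()` on the text of your own smb4.conf; an empty findings list means none of the three weakened settings is present.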
 