Samba 4.19 AD Browsable to a NT 4.0 Server

Discuss Windows 2000, NT, XP and Windows Server 2000, 2003, SBS 2003.
Shintaro1969
Posts: 85
Joined: Sat Jan 01, 2022 10:23 am

Samba 4.19 AD Browsable to a NT 4.0 Server

Post by Shintaro1969 »

Hi,

For some reason, my NT 4.0 Server SP6a (In VirtualBox 7.0) cannot see (browse) to the Samba AD.
Win XP and up can see the Samba AD, even Win 3.11 can see it but can't connect (this could be an Auth issue).

I can ping the Samba server via IP and FQDN from the NT 4 box.

I have set:
Network Neighbourhood -> Properties -> Services -> Server -> Properties "Make Browser Broadcasts to LAN Manager 2.x Clients"

Server installed as a Stand alone.
NOT the 128bit High encryption version.

Following protocols installed:
NetBEUI
NetBIOS
TCP/IP

I have set the following in the smb.conf:

server min protocol = CORE
server max protocol = SMB3

client min protocol = CORE
client max protocol = SMB3


Any ideas?

Cheers.
“Wyrd bið ful āræd. Fate is inexorable.”

Hyoenmadan86
Posts: 224
Joined: Fri Sep 07, 2012 6:45 pm

Re: Samba 4.19 AD Browsable to a NT 4.0 Server

Post by Hyoenmadan86 »

TL;DR: You are using too new a Samba server.
For older Windows SMB NTLM/LM client support, you should use Samba 3. You can use 4, but you will face unexpected issues.

You can also check https://virtuallyfun.com/2023/07/24/joi ... ontroller/
It seems your problem is similar to what is described in that blog post.

Shintaro1969
Posts: 85
Joined: Sat Jan 01, 2022 10:23 am

Re: Samba 4.19 AD Browsable to a NT 4.0 Server

Post by Shintaro1969 »

I might have to drop to just a PDC or standalone server, I know that the standalone server works.

The PDC might be nice to try.

It is interesting that the options that I set are "deprecated" but not removed.
So from my understanding, it means they are there (at the moment), but no longer supported.
“Wyrd bið ful āræd. Fate is inexorable.”

Shintaro1969
Posts: 85
Joined: Sat Jan 01, 2022 10:23 am

Re: Samba 4.19 AD Browsable to a NT 4.0 Server

Post by Shintaro1969 »

Yea, I can still connect (map a drive to a share), from Win 3.11 and NT4.0 Server, if I just use Samba 4 as a Stand Alone server.
I'll try and get a PDC running.
“Wyrd bið ful āræd. Fate is inexorable.”

Zv45Beta
Donator
Posts: 488
Joined: Wed Jun 22, 2011 10:27 am
Location: NE Croatia

Re: Samba 4.19 AD Browsable to a NT 4.0 Server

Post by Zv45Beta »

Have you enabled lanman auth and ntlm auth in smb.conf?

Here's a config I use for my retro PCs (Win3.11 can connect and access the share, latest Samba at the time of writing this on Linux Mint):

Code:

[global]

client min protocol = CORE
client lanman auth = yes
client ntlm auth = yes
server min protocol = CORE
lanman auth = yes
ntlm auth = yes
netbios name = ALP-HP800G2

[public]
   comment = Public share
   path = /data/.public
   guest ok = yes
   browseable = yes
   read only = yes

Main PC: HP EliteDesk 800 G2 DM | Core i5-6500T | 32GB DDR4-3200 | 500GB KC2500 | Linux Mint 21.2 Cinnamon
XP PC: Asus P5QPL-AM | Xeon L5420 | 4GB DDR2-800 | 1TB MX500 | ATi HD 4550 | WinXP SP4
9x PC: Matsonic MS7308ET | Pentium III-S 1266 | 640MB PC133 | ATi 7000 PCI | 20GB ST30420A | WinMe

Shintaro1969
Posts: 85
Joined: Sat Jan 01, 2022 10:23 am

Re: Samba 4.19 AD Browsable to a NT 4.0 Server

Post by Shintaro1969 »

Here is my smb.conf. I think that there is some redundancy, but it works.

Code:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = WORKGROUP

name resolve order = wins host bcast lmhosts  

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Arch)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z




# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
domain master = yes
local master = yes
preferred master = yes
os level = 64
log level = 2

#security = share
security = auto

# unix extensions = yes

#encrypt passwords = yes

case sensitive = no
default case = upper
preserve case = no
short preserve case = no
# mangle case = yes
mangled names = yes
mangling method = hash2
create mask = 0664
directory mask = 2755
force create mode = 2755

msdfs root = no


#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes

interfaces = enp3s0 
# 10.0.2.0/24

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
#   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

#	server role = domain controller


# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam


 #  obey pam restrictions = yes


	server min protocol = LANMAN1
#	server min protocol = CORE
#	server min protocol = NT1
#	server min protocol = NT1
	server max protocol = SMB3


	client min protocol = LANMAN1
#	client min protocol = COREPLUS
#	client min protocol = NT1
	client max protocol = SMB3

	lanman auth = yes
 	client lanman auth = yes
	client plaintext auth = yes
	ntlm auth = yes

#	client smb encrypt = disabled

#    CORE: Earliest version. No concept of user names.
#    COREPLUS: Slight improvements on CORE for efficiency.
#    LANMAN1: First modern version of the protocol. Long filename support.
#    LANMAN2: Updates to Lanman1 protocol.
#    NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
#    SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.
#        SMB2_02: The earliest SMB2 version.
#        SMB2_10: Windows 7 SMB2 version.
#        SMB2_22: Early Windows 8 SMB2 version.
#        SMB2_24: Windows 8 beta SMB2 version.
#    By default SMB2 selects the SMB2_10 variant.
#    SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.
#        SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
#        SMB3_02: Windows 8.1 SMB3 version.
#        SMB3_10: early Windows 10 technical preview SMB3 version.
#        SMB3_11: Windows 10 technical preview SMB3 version (maybe final).
#    By default SMB3 selects the SMB3_11 variant.




# use spnego = no


# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
#   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
  # passwd program = /usr/bin/passwd %u
   #passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
#   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad password

########## Domains ###########

#
# The following settings only take effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
domain logons = yes

# It specifies the location of the user's
# profile directory (from the client point of view). The following
# requires a [profiles] share to be set up on the Samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
   logon drive = H:
   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be stored in 'DOS' file format convention
   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
 add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
#   usershare allow guests = yes
“Wyrd bið ful āræd. Fate is inexorable.”
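
An added example, not part of any post in this thread: a small Python check that reads the [global] section of an smb.conf and lists which of the legacy-compatibility settings discussed above are switched on, so a retro-lab config like these can be reviewed before it is reused on another host. The sample config is constructed from the values posted in the thread, and the function names are this example's own.

```python
import re

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
TRUE = {"yes", "true", "on", "1"}
LEGACY_BOOLS = {  # parameter -> what enabling it permits
    "lanman auth": "smbd accepts LANMAN hash responses",
    "client lanman auth": "client tools may send LANMAN hash responses",
    "client plaintext auth": "client tools may send plaintext passwords",
}

def parse_global(text):
    # Names are stored lower-cased with whitespace removed; Samba ignores both.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    p, out = parse_global(text), []
    for side in ("server", "client"):
        v = p.get(side + "minprotocol", "").upper()
        if v in SMB1_DIALECTS:
            out.append(f"{side} min protocol = {v}: SMB1-era dialects can be negotiated")
    for name, why in LEGACY_BOOLS.items():
        if p.get(name.replace(" ", ""), "").lower() in TRUE:
            out.append(f"{name}: {why}")
    if p.get("ntlmauth", "").lower() in TRUE | {"ntlmv1-permitted"}:
        out.append("ntlm auth: NTLMv1 responses are accepted")
    if p.get("maptoguest", "").lower().split() == ["bad", "password"]:
        out.append("map to guest: a bad password for a valid user becomes a guest session")
    return out

# Constructed sample, built from the values posted in this thread.
SAMPLE = """[global]
server min protocol = LANMAN1
client min protocol = LANMAN1
lanman auth = yes
client lanman auth = yes
client plaintext auth = yes
ntlm auth = yes
map to guest = bad password
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Commented-out lines and parameters placed in share sections are ignored, so only settings that are active in [global] are reported.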
