Password to SMB/LAN resources appears invalid after OSMC update

Are you running a domain controller?

I have always found Linux problematic with this. I use PBIS (used to be Likewise Open) to join clients to the domain.

Sam

Yes, Sam, I am indeed running the server RPi as a domain controller. LDAP Account Manager is the software I use, but that doesn’t prevent OSMC 15 from working, and has worked with the previous RaspBMC versions as well.

Incidentally, as an addendum to my immediately previous post, I tried smbclient to get a list of shares:
smbclient -L node2
And got the following answer:
session setup failed: NT_STATUS_LOGON_FAILURE
This matches the error message in the smb.log on the server, so I am thinking I have an incorrect security protocol specified, possibly in /home/osmc/.smb/smb.conf ?
Or, alternatively, is this conf file overridden by the /etc/samba/smb.conf settings (maybe these are for an smb server, which I haven’t configured in the OSMC machine.)

Perhaps I’ll have a look on the actual server smb.conf file for clues regarding the security protocol.

Thanks again,

Kenneth Spencer

Hello Gavin … may I be so bold as to ask whether you have any hints as to downgrading the samba on the OSMC 16.1 installation?

Thanks a lot!

Kenneth Spencer

Use strace to find out what configuration file is being used.

Sam

It seems from the strace output that the /etc/samba/smb.conf file is being used.
Therefore I copied the contents of the /home/osmc/.smb/smb.conf file (it has global params only), into it, but that action hasn’t altered anything.
One thing I did note however, was that smbclient went looking for a collection of directories which seemed to be related to the several sec protocols. But it found none of them. I suppose that when smbclient was run, no sec protocol was supplied. But at the end of the trace, the error message was NT_STATUS_INVALID_PARAMETER. That leads me to think that something is indeed wrong with the security protocol.

I shan’t be online much for the next two days, not over the weekend, so there’s no hurry!

Best wishes,

Kenneth Spencer

Hi Ken,

I think you’re right. What’s happening is that the newer version of Samba on the newest OSMC install is no longer able to use the lower security access method required by the older version of Samba on your PDC.

In the long run the best solution will be to upgrade the PDC to a newer version of Samba, but that has possible impacts on everything else as discussed above.

In the short term I think you have two choices:

  1. Identify which protocol is causing the problem and see whether your existing PDC is capable of handling the higher security protocol and if so add that to the configuration. This post may give you an insight into which protocol you’d need to change.

  2. Downgrade the version of Samba on your OSMC box to that which was used in the last known working version. To do this run dpkg -l | grep -i samba (that’s a lowercase L at the switch) on your current version and also on the last known good version (the version is the string of numbers in the 3rd column). You’ll see a lower version on the 2015 setup and a higher one on the newest one. To perform the downgrade take note of the lower version number(s) and for each package which has a different version run sudo apt-get install <package_name>=<version_number>.

Hope this helps you get back up and running.

Gavin.
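
The comparison described in option 2, as an added example that is not part of the original post: it reads two saved `dpkg -l` listings and prints one `apt-get install <package_name>=<version_number>` command per package whose version differs. The function names and sample listings are constructed for illustration, and the filter is widened to also match `smb` so that libsmbclient, named later in the thread, is covered.

```shell
#!/bin/sh
# Added example (not from the thread): derive downgrade commands from two
# saved `dpkg -l` listings. All versions in the sample are constructed.

# Print "package version" for installed (ii) packages whose line mentions
# samba or smb, sorted by name for join(1).
samba_versions() {
    grep -iE 'samba|smb' "$1" | awk '$1 == "ii" { print $2, $3 }' |
        LC_ALL=C sort -k1,1
}

# $1 = listing from the last known good install, $2 = current listing.
# Emits one command per package present in both with differing versions.
downgrade_commands() {
    good=$(mktemp); cur=$(mktemp)
    samba_versions "$1" > "$good"
    samba_versions "$2" > "$cur"
    LC_ALL=C join "$good" "$cur" |
        awk '$2 != $3 { printf "sudo apt-get install %s=%s\n", $1, $2 }'
    rm -f "$good" "$cur"
}

# Constructed sample listings standing in for the two installs.
demo() {
    old=$(mktemp); new=$(mktemp)
    cat > "$old" <<'EOF'
ii  libsmbclient:armhf  2:1.0.0-constructed  armhf  client library
ii  samba-common        2:1.0.0-constructed  all    common Samba files
ii  samba-libs:armhf    2:1.0.0-constructed  armhf  Samba core libraries
ii  openssh-server      1:1.0.0-constructed  armhf  secure shell server
EOF
    cat > "$new" <<'EOF'
ii  libsmbclient:armhf  2:2.0.0-constructed  armhf  client library
ii  samba-common        2:2.0.0-constructed  all    common Samba files
ii  samba-libs:armhf    2:1.0.0-constructed  armhf  Samba core libraries
ii  openssh-server      1:2.0.0-constructed  armhf  secure shell server
EOF
    downgrade_commands "$old" "$new"
    rm -f "$old" "$new"
}

demo
```

The printed commands only succeed if the older version is still available from a configured repository, and a package downgraded this way is upgraded again on the next upgrade unless it is held in apt, as a later post suggests. That later discussion also notes that a Samba client kept at a March version remains vulnerable to Badlock.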

AFAIK that would only have an impact if he uses fstab based mounts.

Thanks Gavin (and fz).

I will look at the downgrade option on the OSMC machine, because I cannot really mess about with the Samba on the PDC machine - although I might try Samba v4 experimentally at some point. I had discounted Samba v4 on the PDC because it was only available in Beta when I was building the PDC originally, but I note that now the LDAP Account Manager may be happy with it.

I did try changing the security protocol on Samba v3 on the PDC to ntlmv2, but it appears that Samba v3.6.x does not support the “sec” parameter and I couldn’t easily see an alternative for changing it.

I will do the dpkg thing and get the appropriate version installed over the next few days and let you know what happens. And yes, fz., I will try adding the shares to fstab, which has, of course, thus far failed.

Thanks

Kenneth Spencer

IIRC I have forced ntlmv2 support in the kernel, but it was deprecated around Linux 3.12

Hi Ken,

Your plan sounds good. Let us all know how you get on.

Gavin.

OK …

… after a long period of experimentation with OSMC Kodi 16.1 Jarvis, I have been unable to get Samba v4 client on the OSMC machine working with the Samba v3 server on my PDC Data + File server machine. I think I have tried all the suggestions discussed in April 2016 when the changes to OSMC Kodi were first made, but I’m afraid I cannot make it work.

So, for the present I shall revert to OSMC Kodi 15.1, as I need the Media Centre working. I did consider downgrading the Samba client on Kodi 16.1, but I can leave that for now. I’ll watch the forums for any news of other possible solutions, but I think that for the moment I have to accept the incompatibility between my data server and the Kodi client. Even though several of the other Kodi 16.1 implementations are compatible with Samba v3, I have to stick with OSMC Kodi because this experimentation with other Kodi implementations has proved that OSMC is about twice the speed of the others in navigation and media list retrieval.

I realise that the best option would be to update the server OS and Samba to the latest versions - that’s the preferable option but I will have probably to build that from scratch so it’s a job for the future.

Thanks Sam, and Gavin for the help and suggestions, and for your work with Kodi.

Cheers for now,

Kenneth A Spencer

Do you have a guest account enabled on your SMB server? Try adding an SMB guest account even if it doesn’t have permission to share anything.

On your raspbian install try

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

sudo nano /etc/samba/smb.conf

Paste the following at the end of the file then edit as appropriate:

[Dummy_share]
 comment = Dummy share, doesn't contain any files
 path = /some/folder/that/contains/nothing
 public = yes
 only guest = yes
 browseable = yes
 read only = no
 writeable = yes
 create mask = 0644
 directory mask = 0755
 force create mode = 0644
 force directory mode = 0755
 force user = pi
 force group = pi

Then restart the raspbian install and try again. Hopefully this will work.

Hi Ken,

I’m sorry we couldn’t get it working for you. The only other options I can see for you to have a smooth upgrade would be:

  1. Check what version of Samba is installed on LibreElec and try and install the same or a previous version on your OSMC Jarvis installation.

  2. Change from SMB to NFS for video shares, but this would mean different paths and so would require rebuilding your library.

To be honest though with the release of Kodi Krypton (17) relatively close now, it may be worth pausing efforts until Krypton is released to save possible repeat effort.

I think in the long term though the only truly safe and reliable (as reliable as Samba ever gets) solution will be to upgrade your PDC and all other clients to Samba 4 and use a safer security method.

Again, sorry we couldn’t get you up and running, but I’m sure we’ve all learned something.

Gavin.

They use Samba 3.6, which is what Kodi still builds against for other platforms. We use Samba 4 and we have patched Badlock et al; so a bit different.

Kodi has no future plans to use Samba4, as it uses WAF (Python based build system) which does not fit in well with their current build system. It is an extremely painful build system to use, and I can empathise with them.

Thanks Sam, Martin and Gavin.

Yes indeed, LibreElec works with Samba v3.6, but I found it slow, and also is more difficult to work with in a few other respects.
Martin: I’ll try your ideas and report back. I may be able to do something with it over the weekend.
Gavin: yes, an interesting, if frustrating exercise! Eventually, yes, you are right, I will accept a rebuild of the PDC but I haven’t the time to do that just yet.
Sam: Presumably when you say: [quote=“sam_nazarko, post:46, topic:20081”] Kodi has no future plans to use Samba4 …[/quote] you are still referring to LibreElec, rather than Kodi in general. But it would have to improve its speed and one or two other aspects before I’d consider it.

I’ll keep everyone informed!

Thanks all,

Kenneth Spencer

No – I’m referring to Team Kodi and Kodi itself. They will build against libsamba of the target distro, but their depends system still uses Samba 3.6. There are some comments about this where they are struggling with WAF, which supersedes autoconf used prior to Samba 4.

We have some patches with our version of Kodi that do treat Samba 4 better, but as you can see, there are still some problems.

I’m still slightly suspicious of the domain controller setup though.

Is there an easy way for me to replicate this kind of setup in a VM so I can wireshark or tcpdump and have a look?

Cheers

Sam

Thanks, Sam.

I don’t mind you being suspicious of the domain controller!

It does a lot, but it works happily with everything else and has done for quite a few years now, after I got rid of my Windows 2003 R2 server. Let me know what you need to know to replicate the setup, and I’d be happy to supply it.

In the meantime here is more background info:

  • provides data via MySQL for 3 websites hosted locally on another RPi under Apache2;
  • provides nightly webstat collection from 3 above websites hosted locally on another RPi;
  • provides nightly webstat collection from 4 (soon only 3) remotely hosted domains (in the LINX);
  • provides nightly backups of daily changing data (accounts/SW_Dev/documents etc etc);
  • provides Windows (XP/Vista/7/10) PCs access to shares, users by groups and individually;
  • hosts 5,722 music files (51.5GB), 1708 video files (475GB own videos + Movies etc) and numerous photographs, for OSMC/Kodi;
  • provides DNS Bind9 v9.8.4, DHCP ISC DHCPd v4.2.2, SSH Open SSH v6 & FTP ProFTPd v1.34
    Machine is a Raspberry Pi model 2B. OS is Debian Linux 7.11. Samba is v3.6.6 - all have current latest updates installed.
    Nightly Backups of daily changing data are to a 128 GB USB stick on the PDC.
    All Shared Data is in a 4TB USB fixed disc on the PDC.
    Machine Management is via Webmin 1.8.20.
    Account Management is via LDAP AM OpenLDAP 58397 which controls access to shares via Hosts, Groups & Users. And of course, until the Jarvis update of OSMC/Kodi, Media storage & access worked extremely well.

As I have run online services from my office since 1995, I have tested the security of all my systems from inside & outside the LAN and within the limits of my security knowledge it seems secure. I regularly detect attempts to hack the sites and the servers and to use various techniques to use vulnerabilities of files & systems to gain access and block every such IP address used. One of my forums for local village use was hacked on an externally hosted site owing to a vulnerability in PhpBB, but I no longer run any forums now.

If you would like any of the configuration files I could send them but might prefer not to do so over the forum.

Thanks again for your interest and help.

Best wishes,

Kenneth Spencer

I wonder if you could do the following?

From your 2015 OSMC hold the following packages in apt:

samba-common
samba-libs
libsmbclient
rbp2-mediacenter-osmc

and then run apt-get dist-upgrade

That should allow you to benefit from all the security upgrades etc in the last year but without compromising your samba setup and without upgrading kodi to Jarvis.

I’m not 100% sure it would work, @sam_nazarko would be able to confirm that.

You could just hold libsmbclient and samba packages with a March version. Media center does not need to be held. Your device would be vulnerable to Badlock CVE though.

[quote=“sam_nazarko, post:51, topic:20081”]Your device would be vulnerable to Badlock CVE though.
[/quote]

As his PDC is vulnerable this would be a moot point really, no?