Password to SMB/LAN resources appears invalid after OSMC update

IIRC I have forced ntlvm2 support in the kernel, but it was deprecated around Linux 3.12

Hi Ken,

Your plan sounds good. Let us all know how you get on.

Gavin.

OK …

… after a long period of experimentation with OSMC Kodi 16.1 Jarvis, I have been unable to get Samba v4 client on the OSMC machine working with the Samba v3 server on my PDC Data + File server machine. I think I have tried all the suggestions discussed in April 2016 when the changes to OSMC Kodi were first made, but I’m afraid I cannot make it work.

So, for the present I shall revert to OSMC Kodi 15.1, as I need the Media Centre working. I did consider downgrading the Samba client on Kodi 16.1, but I can leave that for now. I’ll watch the forums for any news of other possible solutions, but I think that for the moment I have to accept the incompatibility between my data server and the Kodi client. Even though several of the other Kodi 16.1 implementations are compatible with Samba v3, I have to stick with OSMC Kodi because this experimentation with other Kodi implementations have proved that OSMC is about twice the speed of the others in navigation and media list retrieval.

I realise that the best option would be to update the server OS and Samba to the latest versions - that’s the preferable option but I will have probably to build that from scratch so it’s a job for the future.

Thanks Sam, and Gavin for the help and suggestions, and for your work with Kodi.

Cheers for now,

Kenneth A Spencer

Do you have a guest account enabled on your SMB server? Try adding a SMB guest account even if it doesn’t have permission share anything.

On your raspbian install try

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

sudo nano /etc/samba/smb.conf

Paste the following at the end of the file then edit as appropriate:

[Dummy_share]
 comment = Dummy share, doesn't contain any files
 path = /some/folder/that/contains/nothing
 public = yes
 only guest = yes
 browseable = yes
 read only = no
 writeable = yes
 create mask = 0644
 directory mask = 0755
 force create mask = 0644
 force directory mask = 0755
 force user = pi
 force group = pi

Then restart the raspbian install and try again. Hopefully this will work.

Hi Ken,

I’m sorry we couldn’t get it working for you. The only other options I can see for you to have a smooth upgrade would be:

  1. Check what version of Samba is installed on LibreElec and try and install the same or a previous version on your OSMC Jarvis installation.

  2. Change from SMB to NFS for video shares, but this would mean different paths and so would require rebuilding your library.

To be honest though with the release of Kodi Krypton (17) relatively close now, it may be worth pausing efforts until Krypton is released to save possible repeat effort.

I think in the long term though the only truly safe and reliable (as reliable as Samba ever gets) solution will be to upgrade your PDC and all other clients to Samba 4 and use a safer security method.

Again, sorry wr couldn’t get you up and running, but I’m sure we’ve all learned something.

Gavin.

They use Samba 3.6, which is what Kodi still builds against for other platforms. We use Samba 4 and we have patched Badlock et al; so a bit different.

Kodi has no future plans to use Samba4, as it uses WAF (Python based build system) which does not fit in well with their current build system. It is an extremely painful build system to use, and I can empathise with them.

Thanks Sam, Martin and Gavin.

Yes indeed, LibreElec works with Samba v3.6, but I found it slow, and also is more difficult to work with in a few other respects.
Martin: I’ll try your ideas and report back. I may be able to do something with it over the weekend.
Gavin: yes, an interesting, if frustrating exercise! Eventually, yes, you are right, I will accept a rebuild of the PDC but I haven’t the time to do that just yet.
Sam: Presumably when you say: [quote=“sam_nazarko, post:46, topic:20081”] Kodi has no future plans to use Samba4 …[/quote] you are still referring to LibreElec, rather than Kodi in general. But it would have to improve it’s speed and one or two other aspects before I’d consider it.

I’ll keep everyone informed!

Thanks all,

Kenneth Spencer

No – I’m referring to Team Kodi and Kodi itself. They will build against libsamba of the target distro, but their depends system still uses Samba 3.6. There are some comments about this where they are struggling with WAF, which supersedes autoconf used prior to Samba 4.

We have some patches with our version of Kodi that do treat Samba 4 better, but as you can see, there are still some problems.

I’m still slightly suspicious of the domain controller setup though.

Is there an easy way for me to replicate this kind of setup in a VM so I can wireshark or tcpdump and have a look?

Cheers

Sam

Thanks, Sam.

I don’t mind you being suspicious of the domain controller!

It does a lot, but it works happily with everything else and has done for quite a few years now, after I got rid of my Windows 2003 R2 server. Let me know what you need to know to replicate the setup, and I’d be happy to supply it.

In the meantime here is more background info:

  • provides data via MySQL for 3 websites hosted locally on another RPi under Apache2;
  • provides nightly webstat collection from 3 above websites hosted locally on another RPi;
  • provides nightly webstat collection from 4 (soon only 3) remotely hosted domains (in the LINX);
  • provides nightly backups of daily changing data (accounts/SW_Dev/documents etc etc);
  • provides Windows (XP/Vista/7/10) PCs access to shares, users by groups and individually;
  • hosts 5,722 music files (51.5GB), 1708 video files (475GB own videos + Movies etc) and numerous photographs, for OSMC/Kodi;
  • provides DNS Bind9 v9.8.4, DHCP ISC DHCPd v4.2.2, SSH Open SSH v6 & FTP ProFTPd v1.34
    Machine is a Raspberry Pi model 2B. OS is Debian Linux 7.11. Samba is v3.6.6 - all have current latest updates installed.
    Nightly Backups of daily changing data are to a 128 GB USB stick on the PDC.
    All Shared Data is in a 4TB USB fixed disc on the PDC.
    Machine Management is via Webmin 1.8.20.
    Account Management is via LDAP AM OpenLDAP 58397 which controls access to shares via Hosts, Groups & Users. And of course, until the Jarvis update of OSMC/Kodi, Media storage & access worked extremely well.

As I have run online services from my office since 1995, I have tested the security of all my systems from inside & outside the LAN and within the limits of my security knowledge it seems secure. I regularly detect attempts to hack the sites and the servers and to use various techniques to use vulnerabilities of files & systems to gain access and block every such IP address used. One of my forums for local village use was hacked on an externally hosted site owing to a vulnerability in PhpBB, but I no longer run any forums now.

If you would like any of the configuration files I could send them but might prefer not to do so over the forum.

Thanks again for your interest and help.

Best wishes,

Kenneth Spencer

I wonder if you could do the following?

From your 2015 OSMC hold the following packages in apt:

samba-common
samba-libs
libsmbclient
rbp2-mediacenter-osmc

and then run apt-get dist-upgrade

That should allow you to benefit from all the security upgrades etc in the last year but without compromising your samba setup and without upgrading kodi to Jarvis.

I’m not 100% sure it would work, @sam_nazarko would be able to confirm that.

You could just hold libsmbclient and samba packages with a March version. Media center does not need to be held. Your device would be vulnerable to Badlock CVE though.

[quote=“sam_nazarko, post:51, topic:20081”]Your device would be vulnerable to Badlock CVE though.
[/quote]

As his PDC is vulnerable this would be a moot point really, no?

It’s not something I’d really worry about, no.

For the benefit of the OP then, if all else fails this should get you working with newest OSMC and the newest Kodi.

Working from non-updated image:

sudo apt-mark hold samba-common
sudo apt-mark hold samba-libs
sudo apt-mark hold libsmbclient
sudo apt-get dist-upgrade

Hope this helps.

Now chaps, that looks helpful. I’ll give it a try and let you know.

Badlock CVE is new to me! But ignorance is (was) bliss. I’m reading about it now.

Thanks again!

Kenneth Spencer

OK, I have carried out the procedure Gavin suggested for holding the Samba components. I have also gone ahead with upgrade of OSMC Kodi from the 2015 release to the November 2016 release.

At first, I had the same symptoms as before: refusal of the Username/Password Lock dialogue to accept a valid user & password. But then I had a thought … maybe some of the files from the working Kodi 2015 release had been overwritten by the upgrade. So I wrote back:

  • /home/osmc/.smb/smb.conf
    and
  • /home/osmc/.kodi/userdata/passwords.xml
    with the versions that worked in the 2015 release, as these two files had been overwritten in the upgrade.
    Then Hey Presto - it works!

All this has given me one new idea which I may well mess about with at some point, but in the meantime, thanks alot. It is now resolved until I have the considerable amount of time I’d require to do a complete update of the PDC software.

So, if you, Sam, or Gavin, are likely to be anywhere near West Wiltshire let me know - I owe you a pint! (Well I suppose we owe Sam rather more then one!)

Best wishes,

Kenneth Spencer

Hi Ken,

I’m so glad we managed to get you working!

It’s definitely worth looking at the upgrade in the long run, but at least you can benefit from the latest OSMC in the meantime.

As for the pint, if I’m ever those few miles further southwest I’ll drop you a message :slight_smile:

Gavin.

PS. I’d keep backups of those files you had to replace in case future upgrades overwrite them also.