Hello,
for years I have been mounting Samba shares on another Linux machine with command:
sudo mount.cifs //other.host/share1 /mnt/share1 -o username=john
After today's system upgrade files on all shares suddenly became unwritable. After checking it was discovered that all files are now mounted with root:root owner/group.
I changed the command to
sudo mount.cifs //other.host/share1 /mnt/share1 -o username=john,uid=john
After this files became writable. But soon it was discovered that soft links on shares are not handled properly anymore. E.g. a share contains a link to an executable: "/mnt/share1/script.py" which points to "/mnt/share2/script.py". Both shares are mounted. Before upgrade the script could be successfully run by calling "/mnt/share1/script.py". After upgrade - "/mnt/share1/script.py" returns "Command not found". Moreover,
ls -l /mnt/share1/script.py
returns "Permission denied."
After downgrading to kernel 4.10 - all returned to normal. What can this breakage mean?
Last edited by nbd (2018-11-17 13:32:09)
bing different
Offline
Failure to negotiate CIFS Unix extensions might explain the issue; see mount.cifs.
Last edited by loqs (2018-11-16 22:19:57)
Offline
@loqs
Thanks for the pointer. I've read the manual but didn't find what factors can cause the failure to negotiate Unix extensions between two Linux machines, one of which runs recently updated Raspbian Stretch, the other the latest Arch Linux. Especially when from Windows (or with 4.10 kernel) those shares continue to be accessed without any problems or changes. Should I begin searching and trying for another working combination of mounting parameters or wait until the next kernel?
Offline
If by next kernel you mean 4.20, you could try 4.20-rc2 from AUR, or miffe's unofficial repo contains a built linux-mainline.
I can not see anything cifs/samba related in https://git.kernel.org/pub/scm/linux/ke … queue-4.19 for 4.19.3
Offline
Try passing ",vers=1.0", this is the wannacry situation that redefaulted the SMB protocol version. v1 is *highly* insecure but afaics currently the only way to make use of the posix extensions :-(
If you can, rather use NFS.
Also update more often, the issue was all over the place at the time.
Online
@seth
Thanks for clarifying. I did a search and see that this situation began with 4.13 kernel and I was using 4.10 until yesterday (and reverted back to it again).
If new defaults have been set intentionally as more modern and secure, how can it be that one must use version 1.0 between two up-to-date Linuxes? AFAIU new default is version 3. Why not configure to version 3 instead of 1?
Offline
UNIX extensions for SMB3 are under development. https://wiki.samba.org/index.php/SMB3-Linux
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
Offline
how can it be that one must use version 1.0 between two up-to-date Linuxes?
Because it's not. You must use SMBv1 to get the unix extensions (for now, as pointed out by progandy).
Online
Thank you progandy and seth. Am I correct in understanding the situation as follows: a year ago Samba shares were broken by a change in the kernel, and since then all Samba users were divided into three groups:
1. Those who began using insecure version 1.0 of SMB protocol;
2. Those who stopped using Samba shares altogether;
3. Those who don't use kernel > 4.13
Is this correct, or is there some fourth group?
Offline
There are also those who could work without the UNIX extensions and did not need server-interpreted symlinks in their samba shares. There is an mfsymlinks extension in the cifs driver that the server sees as a simple text file, while the client follows it like a symlink.
https://www.kernel.org/doc/readme/Docum … ifs-README
Recommendations
===============
To improve security the SMB2.1 dialect or later (usually will get SMB3) is now
the new default. To use old dialects (e.g. to mount Windows XP) use "vers=1.0"
on mount (or vers=2.0 for Windows Vista). Note that the CIFS (vers=1.0) is
much older and less secure than the default dialect SMB3 which includes
many advanced security features such as downgrade attack detection
and encrypted shares and stronger signing and authentication algorithms.
There are additional mount options that may be helpful for SMB3 to get
improved POSIX behavior (NB: can use vers=3.0 to force only SMB3, never 2.1):
"mfsymlinks" and "cifsacl" and "idsfromsid"
Last edited by progandy (2018-11-17 13:16:26)
Offline
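Added example, not part of the original thread: a small audit of CIFS mounts that separates the two cases discussed above, SMBv1 mounts (vers=1.0, needed for the UNIX extensions) and SMB2.1+/SMB3 mounts with or without the mfsymlinks client-side symlink emulation. The sample mount table, including /mnt/share3 and uid=1000, is constructed for illustration; on a real system feed it /proc/mounts.

```shell
#!/bin/sh
# Added example: classify CIFS mounts by SMB dialect and symlink handling.
# Reads a mount table in /proc/mounts format on stdin:
#   audit_cifs_mounts < /proc/mounts
audit_cifs_mounts() {
    awk '
    $3 == "cifs" || $3 == "smb3" {
        n = split($4, opts, ",")
        vers = "unknown"; mf = "no"
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^vers=/) vers = substr(opts[i], 6)
            if (opts[i] == "mfsymlinks") mf = "yes"
        }
        if (vers == "1.0")
            verdict = "INSECURE-SMB1"            # old CIFS dialect in use
        else if (mf == "no")
            verdict = "OK-NO-SYMLINK-EMULATION"  # symlinks on the share will not resolve
        else
            verdict = "OK"
        printf "%s vers=%s mfsymlinks=%s %s\n", $2, vers, mf, verdict
    }'
}

# Constructed sample input (not taken from a real machine).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
//other.host/share1 /mnt/share1 cifs rw,relatime,vers=1.0,cache=strict,username=john,uid=1000,unix,posixpaths 0 0
//other.host/share2 /mnt/share2 cifs rw,relatime,vers=3.0,cache=strict,username=john,uid=1000,nounix,mfsymlinks 0 0
//other.host/share3 /mnt/share3 cifs rw,relatime,vers=3.0,cache=strict,username=john,uid=1000,nounix 0 0
EOF
}

sample_mounts | audit_cifs_mounts
```

Symlinks created on the server side (as in the original question) are not converted by mfsymlinks; they have to be recreated from a client mounted with that option.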
No. A year ago SMBv1 was the default protocol you were simply using it.
Then a bunch of stupid windows users clicked one penis enlargement promise too much and the world went nuts.
SMBv1 was "discovered" (what a surprise) to be an insecure mess and the default was turned into SMBv2(.1?) - which however doesn't provide POSIX extensions to the protocol.
Because the current version is SMBv3 anyway, efforts are being made to add POSIX extensions to SMBv3.
Despite the common name, SMBv1 and v2/v3 do not have very much in common, SMBv1 differs *a lot*.
By enforcing the use of SMBv1, you're back to the status quo ante, except we now *know* that it's an uncontrollable and inherently insecure PoS.
If you can, use NFS - which is a network file system and - unlike SMBv1 - not a kitchen sink where MS simply dumped anything remotely network related and that nobody should have been using itfp. /rant
Online
Thank you, progandy! I'm marking thread as solved, then.
Offline
If you can, use NFS - which is a network file system and - unlike SMBv1 - not a kitchen sink where MS simply dumped anything remotely network related and that nobody should have been using itfp. /rant
Compared to SMBv1, it is better. In comparison to smb3, NFS is missing a simple security and encryption layer, though. Kerberos is a bit unwieldy for a small network.
Last edited by progandy (2018-11-17 14:36:25)
Offline