Bug 13676 - samba-tool SMB/sysvol connections do not work if SMBv1 is disabled
Summary: samba-tool SMB/sysvol connections do not work if SMBv1 is disabled
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.9.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-11-05 21:16 UTC by Tim Beale
Modified: 2019-02-05 14:07 UTC (History)
1 user (show)

See Also:

Backport of GPO fixes for 4.10 (25.48 KB, text/plain)
2019-01-24 20:44 UTC, Tim Beale
jra: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Beale 2018-11-05 21:16:56 UTC
Basically a continuation of Bug 13621.

The 'samba-tool domain backup online|rename' commands don't work against a server with SMBv1 disabled. Note that disabling SMBv1 on the server is recommended practice. The problem occurs backing up the sysvol files. (A temporary work-around is to use the 'offline' backup option instead).

This seems to be a more generic problem that the smb.SMB() python APIs don't support SMBv2 connections to the server. This problem may also affect some of the GPO commands.

The failure looks something like:

smbXcli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.
ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain_backup.py", line 241, in run
    smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)

On Samba v4.9.2 onwards, you should hopefully see the error message:
No compatible protocol selected by server
Comment 1 Tim Beale 2019-01-24 20:44:51 UTC
Created attachment 14799 [details]
Backport of GPO fixes for 4.10

This backports the last set of GPO changes that didn't quite make it into master before 4.10 branched.
CI pass: https://gitlab.com/catalyst-samba/samba/pipelines/44567512

Note that the fix for this bug will *not* be backported to 4.9. The changes are simply too large to justify doing this. As the 'samba-tool domain backup online' command can be run on any client, this should mean you can still backup a 4.9 DC by using a v4.10 version of samba-tool (installed on another client).
Comment 2 Tim Beale 2019-01-24 20:48:27 UTC
Comment on attachment 14799 [details]
Backport of GPO fixes for 4.10

Hi Jeremy, have you got time to review this attachment? It's the last set of GPO changes you pushed to master. Take note of the top patch, which updates the 4.10 WHATSNEW (and so isn't in master). I pre-emptively added your review tag so I didn't have to re-spin the attachment, but let me know if it needs any changes. Thanks!
Comment 3 Jeremy Allison 2019-01-25 00:54:18 UTC
Comment on attachment 14799 [details]
Backport of GPO fixes for 4.10

Comment 4 Jeremy Allison 2019-01-25 00:54:45 UTC
Re-assigning to Karolin for inclusion in 4.10.rcNext.
Comment 5 Karolin Seeger 2019-01-31 09:56:16 UTC
(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-10-test.
Comment 6 Karolin Seeger 2019-02-05 14:07:05 UTC
Pushed to v4-10-test.
Closing out bug report.