One of the routine tasks which I recently carried out on my LAN, was to retire an old computer named ‘Walnut’. A day later I discovered that I could no longer browse my LAN, by way of my SAMBA shares. BTW, all my computers are by now either Debian / Jessie or Debian / Stretch computers. So what gives with the sudden inability to browse my shares via the GUI, which is the ‘Dolphin file browser’?
(Solved as of 03/23/2018 … )
Well in my ‘/etc/samba/smb.conf’ file, I gave the option:
[global] (...) smb encrypt = desired
The purpose of this was, for the Samba Server to query the Client, whether the client supports encryption, and if affirmative, to enforce such encryption.
And, just to be sure that I haven’t made some silly mistake, I can run the following tests:
root@Phoenix:/etc/samba# cat smb.conf | grep "map to guest" map to guest = Bad User root@Phoenix:/etc/samba# cat smb.conf | grep "obey pam" obey pam restrictions = no root@Phoenix:/etc/samba#
But the disposition of the client to offer encryption, needed to be decided on the client machines, by creating a user-space file, i.e. a file in the home folder, which is named ‘~/.smb/smb.conf’, which contains the following lines:
[global] client max protocol = SMB3
This is actually required, in order for the Dolphin / GUI-client even to offer the level of security which I wanted, which is SMB3 security. Without my specifying this, Dolphin would indicate to the Server, that SMB3 is not available, and no encryption would take place. This line of code can also be put into ‘/etc/samba/smb.conf’ , but I chose to put it into my home-folder like that.
(As of 03/22/2018 : )
The problem that ensues, is actually a problem on the part of Dolphin, to be able to browse the Workgroup, or even to display one. The reason fw Dolphin was able to do so in the past, on my LAN, was the fact that ‘Walnut’ was still running – effectively – as WINS-Server, and not supporting SMB3. With ‘Walnut’ gone, so is any WINS-Server, that does not suggest encryption.
The result for me seems to be, that on my Samba Clients, I can specify a share as an ‘smb://Server’ URI, which will prompt me for my KDE Wallet password, but not in the form of an ‘smb://Workgroup’ URI. Unless I’d want to downgrade my security-levels.
In fact, I can give the following command on my client-machines:
Which will tell the client to query the server, using Encryption, and additional command-line parameters can be given, in case the user-name on the server is to differ from the current user-name on the client. And, because encryption uses the password in order to seed a shared secret, the password must next be typed in, in the console-window. And then, I get to see All the shares in text-format.
This is actually a present-day bug, in how Dolphin tries to comply with SMB3-protocol. In order to succeed, Dolphin would need to make an encrypted WINS query, which in turn would require that a user-name and password be made available, when the Workgoup is encountered. But instead, Dolphin only asks for its client-authentication credentials, when the specific Share is encountered, which cannot succeed overall, in this configuration.
In order for encryption to be effective in turn, some piece of information needs to be known to the authorized parties, which is not visible to any potential eavesdropper. That additional piece of information is the password.
(Edit 03/22/2018, 21h35 : )
I’ve just read that under up-to-date Linux versions, on the side of the server, encryption can be merely ‘enabled’ globally, but set to ‘desired’ for a specific share. However, while setting this configuration in ‘/etc/samba/smb.conf’ , I was still not able to get Dolphin to browse the LAN openly.
AFAICT, This seems to be due to the highest version of SMB that Dolphin can support, being 2, even though in my client-side configuration-file, I indicated 3.
Yet, as it stands, ‘smbtree’ now works with the ‘-N’ option again.
I can confirm this thesis instantly, by just doing the following on the client-machine:
$cd ~/.smb $mv smb.conf smb.conf.bak
And, Tada! On the client-machine, Dolphin shows me my entire network of Samba servers/shares again.
(Update 03/23/2018 : )
The only way I was able to solve this problem, was to edit each of the servers’ ‘smb.conf’ files, so that a different server became the ‘master browser’ / ‘WINS Server’ , which I don’t plan to connect to securely. And then, in its configuration file, I set:
server max protocol = NT1