Linux Supported samba protocol versions?
#1
Rainbow 
So I was reading el reg and hit the article about the cyber attacks this week targeting the UK and others (lots of others). I'm not scare mongering and I'm not impacted (firewall ports closed!) but as a casual IT bod I decided to take a look at my samba server (linux) and inspect whether it is susceptible to the malware romping around. Turns out all my clients (linux and android) are negotiating to use the NT1 protocol version (SMBv1) which has this threat vector against it so I decided to go about disabling NT1/SMBv1 and forcing my clients to up-their-game.

So re-configuring my linux samba server wasn't a big deal, it now only supports server and client protocols from SMBv2 and upwards and my linux clients can successfully connect to the samba shares using v3 (cos thats what I've told them to use), bare in mind this is all OS config and I haven't touched Kodi yet.

However Kodi 17.1 on my Ubuntu 17.04 won't have it, non-debug log outs show these lines every-time I attempt to open my share...

Code:
12:46:44.922 T:140409701695680   ERROR: SMBDirectory->GetDirectory: Unable to open directory : 'smb://USERNAME:[email protected]/share'
                                            unix_err:'6e' error : 'Connection timed out'

I've searched for whether there are any advanced settings applicable to my sources.xml that I can use to force a specific client SMB version but I can't locate anything and regressing my server config gets Kodi working and using the NT1/SMBv1.

So my question is whether there is a way to ask Kodi to use a different samba client version or not?
Reply
#2
no, only smb1.

I suggest using OS native mounts instead of kodi's built-in smb support.
Reply
#3
Thank you for the confirmation @wsnipex.

Not sure native OS mounts will work for me as my Kodi install is on an Nvidia Shield and I believe this would mean Kodi only gets read only access. Either way its my problem to solve if its even a problem, thanks for your efforts.

K
Reply
#4
right, there are no native mounts on android. I assumed you run kodi on linux, since you posted in the linux sub forum Smile

Consider using NFS.
Reply
#5
+1 for NFS but know that you should limit yourself to NFSv3 since kodi needs libnfs to work and that currently does not support NFSv4.
Need help programming a Streamzap remote?
Reply
#6
Ha yes right to make that assumption my test case was using pure linux but I've a shield for the living room space which is the old ball.

Thanks both for the NFS recommendation and appreciate the early heads up @graysky on NFSv3. I have time to kill so NFS will be tomorrows victim!
Reply
#7
Try adding the following to $HOME/.smb/smb.conf (not sure where this file well be on Android):
Code:
client max protocol = SMB3
and restart Kodi. This will instruct libsmbclient to negotiate a protocol higher than NT1 (which is basically SMB1) when connecting to your server.

It seems that the default libsmbclient configuration used by Kodi will limit/restrict any negotiated connection to NT1 even when the Samba server supports more recent, secure and performant versions of the SMB protocol. And when NT1/SMB1 is disabled on the server (which is highly recommended, for obvious reasons), Kodi won't be able to connect to the server at all.

On your server you should be able to see the types of connection your Samba clients are establishing by running "sudo smbstatus -b".

Edit: "smbstatus -b" output on an Ubuntu 16.04 server:
Code:
[email protected]:~$ sudo smbstatus -b

Samba version 4.3.11-Ubuntu
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------
1801      neil          neil          192.168.0.6  (ipv4:192.168.0.6:52229) SMB2_10
2751      neil          neil          192.168.0.12 (ipv4:192.168.0.12:55642) Unknown (0x0311)
2714      neil          neil          192.168.0.12 (ipv4:192.168.0.12:55590) Unknown (0x0311)
192.16.0.6 is a Windows 7 PC, with SMB2_10 connection

192.168.0.12 is a LibreELEC 9 test build with Kodi 18a1 and "client max protocol = SMB3" - established connection is SMB3_11.

(The "Unknown (0x0311)" protocol is fixed in Samba 4.4.0)
Texture Cache Maintenance Utility: Preload your texture cache for optimal UI performance. Remotely manage media libraries. Purge unused artwork to free up space. Find missing media. Configurable QA check to highlight metadata issues. Aid in diagnosis of library and cache related problems.
Reply
#8
Thanks @Milhouse, so I've mounted my Shields internal storage on my ubuntu server and searched for a smb.conf...

Code:
sudo find /mnt/shield/ -name smb.conf
/mnt/shield/Android/data/org.xbmc.kodi/files/.kodi/.smb/smb.conf
/mnt/shield/Android/data/org.xbmc.kodi/files/.smb/smb.conf

I've modified both files but still Kodi on my Shield connects using NT1/SMBv1. Being honest I was sceptical as aren't these files for configuring Kodi's inbuilt samba server rather than how Kodi connects as a samba client?

For completeness my ubuntu samba server configuration now has the following lines included as well as the modifications to the shields smb.conf files.

Code:
server min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3

I'm currently building a newly cloned master branch of LibreElec to replicate your test but is it possible your scenario was more akin to native OS mounts with LE's underlying linux kernel?

Happy to try any further recommendations?
Reply
#9
Had to ditch building LE master as they still don't carry drivers for virtual graphics adaptors as I would need to run it in KVM/qemu to test so switched to just running a kodi nightly on my ubuntu server. Still no luck, even Kodi 18-Alpha1 doesn't seem to want to connect with anything other than NT1. So I'm surmising that @wsnipex's first response is my answer i.e. Kodi's inbuilt samba client can't support anything other than NT1/SMBv1 and so to improve this it needs the native OS to take on managing mounts.

https://s29.postimg.org/vglja25zb/Selection_003.png

EDIT:

Ignore that guff above and see the next post.
Reply
#10
Okay so I'm talking crap, just realised Kodi shares via UPNP not samba which made me re-evaluate.

Running kodi 17.1 in ubuntu, edited the /home/$USER/.smb/smb.conf and added in the line advised by @Milhouse and sure enough there's a SMBv3.11 connection woop woop!

Cannot get the same working from the Shield however...still working this through via debug logs but nothing obvious just yet.
Reply
#11
Can't get Kodi on my android (shield) to budge off NT1 but linux builds work a charm.

My assumptions are that libsmbclient is being used same as linux builds and the envhome variable maps to the shields external storage location which is /Android/data/org.xbmc.kodi/files/ and so modifying the .smb/smb.conf file here does make changes to kodi's access of my samba shares e.g. adding 'client ntlmv2 auth = no' will stop kodi being able to access my shares, however every other attempt I've made to request SMBv2 or SMBv3 has failed.

I realise NFS is a clear solution I'd just prefer to rule out user error first in my attempts to get samba talking to Kodi on SMBv2/3.
Reply
#12
kodi on linux uses a much newer samba version, which is why you get SMB3 support. The version we use for android doesn't support it.
And before you ask: samba >= 4.1 which first introduced smb2/3 client support also changed to a new build system, which makes it almost impossible to cross compile for all our platforms.

We are looking into some hacks to maybe get it working or switching to another library.
Reply
#13
(2017-05-15, 15:18)KillerKelvUK Wrote: Had to ditch building LE master as they still don't carry drivers for virtual graphics adaptors as I would need to run it in KVM/qemu to test so switched to just running a kodi nightly on my ubuntu server.

OT, but the LE 8.0.1 Generic (x86_64) release includes vmware/qemu support. Try a build from my test builds thread and if you have a problem post details in my thread.

Note that LE8.0.1 is built with Samba 3.6.25 so doesn't include client support for SMB2/SMB3 - you'll need a recent LE9 test build for that (currently Samba 4.6.3).
Texture Cache Maintenance Utility: Preload your texture cache for optimal UI performance. Remotely manage media libraries. Purge unused artwork to free up space. Find missing media. Configurable QA check to highlight metadata issues. Aid in diagnosis of library and cache related problems.
Reply
#14
Thanks again @wsnipex.

@Milhouse, can LE in KVM/qemu render the GUI? The threads I was reading said that virtual support was only for command line and in my testing the guest boot output shows it failed to start xorg and asked if I was using a supported GPU?
Reply
#15
(2017-05-16, 10:58)KillerKelvUK Wrote: @Milhouse, can LE in KVM/qemu render the GUI? The threads I was reading said that virtual support was only for command line and in my testing the guest boot output shows it failed to start xorg and asked if I was using a supported GPU?

I thought it did, I've pinged the LE team in the hope someone more familiar with that aspect can respond (or ask on the LE forum, or in the test thread, as it's OT for this thread which is quite important IMHO).
Texture Cache Maintenance Utility: Preload your texture cache for optimal UI performance. Remotely manage media libraries. Purge unused artwork to free up space. Find missing media. Configurable QA check to highlight metadata issues. Aid in diagnosis of library and cache related problems.
Reply
 
Thread Rating:
  • 0 Vote(s) - 0 Average



Logout Mark Read Team Forum Stats Members Help
Supported samba protocol versions?00