Environment:
Linux X86 Server with Debian 9.3
kernel: Debian 4.9.65-3+deb9u1
smbclient: Version 4.5.12-Debian
cifs-utils: 2:6.7-1
Situation:
Backupserver (backuppc) has to backup a Windows 10 Home client.
No domain
Alternative:
Cygwin/Rsync used for other Win7 Clients rejected because of manual work involved.
Prerequisites known already:
DNS entry for Win10Client: done, tested and working
DHCP entry for Win10Client: done, tested and working
SMB1 is unsecure so do not go the "easy way".
The smbclient supports SMB2/3 protocol so i should not have to set the smb1 registry hack to enable SMB1 from e.g.
How to check which SMB Version is enabled on Windows Server 2008 R2
Problems: I cannot mount the administrative or any other share, nor do I see them with smbtree -b -N
What I have tried:
I tried to use the non-administrative share (no
$at the end)I renamed the administrative share from
C$tomC$ormC.Added a test share in documents.
Added a test share in
C:\test
None of those are visible via smbtree.
Directly connecting to the shares (or get a list of shares):
tested:
smbclient -U WIN10Username -L //CLIENT/
protocol negotiation failed: NT_STATUS_CONNECTION_RESET
smbclient -L //CLIENT/
protocol negotiation failed: NT_STATUS_CONNECTION_RESET
How do i get this working with either SMB2 or SMB3 protocol?
The Answer to howto includes multiple parts as the situation might be a bit different depending what you need.
I included everything i found (or believe to have found) via the various searches which helped me fix my direct problem.
The default Debian 9 Stretch Kernel does not support SMB3
Turns out my kernel seems to not support SMB3 directly
https://unix.stackexchange.com/questions/202961/mounting-smb3-share-with-encryption-fails-mount-error13-permission-denied-s/376166
Based on https://lists.debian.org/debian-kernel/2017/04/msg00266.html
qoute:
From my research it is not in the stretch backports either (cifs-utils to support the kernel change from 4.11?)
However i am unsure on the backport part as there are newer kernels but for my case i will not upgrade to the backport kernel for this feature so i stopped here.
smbtree needs more parameter to work with SMB3
It was not immediatly clear to me how to get smbtree working with SMB3, and with the issue i though to found out above i dropped the idea for SMB3 altogether.
https://www.samba.org/samba/docs/current/man-html/smbtree.1.html
smbclient does not use SMB2 or SMB3 per default.
The default version for the smb protocol for smbclient is
SMB1
This is not supported per default in Windows 10.
If you need this for your use case you have to add the corresponding registry key:
HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 (Type DWORD32, value 1 for on, 0 for off)
Powershell Command(s):
Detect:
Enable:
Disable:
This was taken from https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
You might have to change the file-sharing encryption-level in Windows 10 to get SMB1 working as well:
as i did not test this directly i do not know if it is actually needed :
see for example how to do this from here:
https://www.tenforums.com/tutorials/51024-change-file-sharing-encryption-level-windows-10-a.html
Qoute:
To Change File Sharing Encryption Level in Network and Sharing Center
Open the Control Panel , and click/tap on the Network and Sharing Center icon.
Click/tap on the Change advanced sharing settings link on the left side. (see screenshot below)
Expand the All Networks network profile.
Under File sharing connections, select "Enable file sharing for devices that use 40- or 56-bit encryption"
Working commands
Now to get actualy things working
Non-administrative share:
changing the smbclient command
to
lets you view the shares of that client.
As mountparam for console to actually access it:
or as /etc/fstab entry (no automount on boot!)
Administrative Share
For the administrative share you have to do one additional registry change (if you are not in a domain):
Powershell command:
taken from here :
Unable to mount windows share in ubuntu
basically what it does is disable the UAC for remote share access and maintenance, so be careful about it.
This might help understand the implications better, so be certain if you actually want to do this:
https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
backuppc Issues:
You will want another account specific for backuppc which has to have read permissions for the share.
backuppcs smbclient default options do not include -m SMB2
The command backuppc uses is:
change that to include -m SMB2
After that i still got NT_STATUS_ACCESS_DENIED:
doing it manually with password added after the -U
works
removing the -N promts me the password with which it works as well.
As i did not want to store it within a configuration file from backuppc i will in the final version use the credential method.
After trying to figure out what the difference between the backuppc command and smbclient command manually was i figured out that the
-Nresults in different behaviour during connection.working solution without -N (with username password or credential file, did not matter. Non-administrativ or administrative share did not change anything either)
Domain=[CLIENTNAME] OS=[] Server=[] ... cut
Non-working Version with
-N:Backuppc Win10 Client working solution
Given all above information i am able to backup the Win10 adminstrative share with following backuppc options:
SmbClientFullCmd:
Hardcoded:
Credfile: