# Samba v3.x availability



## vometia (Feb 10, 2019)

I'm probably on to a bit of a loser here, but I figured I'd ask anyway.  Is there still any sensible means of getting Samba v3.x for FreeBSD?  I know it's ancient but I've periodically tried to get Samba v4.x working over the past couple of years or so and never succeeded.  Now I'm in the process of a server upgrade I'm a bit, erm, disadvantaged in that Samba v3 has been retired.

V4.x is a non-starter: it doesn't really work with ZFS; it doesn't really work with LDAP; it doesn't sit well with my two-level myhost.mydomain DNS; it wants Kerberos which is one of those things I don't "do" because I could never get my head around that either; and it crashes constantly, but in such an undignified manner that I don't even get a core dump out of it (not that I'm in a mood to start wading through all that stuff though).  And I've spent yet more time fighting with something that possibly still won't work unless I ditch ZFS and LDAP and reconfigure my internal DNS and it's not really worth it just for my Windows 10 games machine to be able to access stuff!  And copying my old v3 config and secrets over worked as well as might be expected i.e. no authentication, reams of rather opaque error messages and a crash.

If Samba v3 really is unavailable from any reliable sources, is there an alternative SMB/CIFS server I can use, or a recommended "some other sort of client that doesn't cost actual money" for my W10 box?  The latter may be even more gnarly as I understand that commercial or otherwise, Windows NFS clients are generally not awesome.


----------



## leebrown66 (Feb 10, 2019)

Official Samba sources are available here.  I'm not aware of any alternatives.


----------



## vometia (Feb 10, 2019)

Oh, awesome, thank you!  I've now had a bit of a case of "why didn't I think of that?" but, well, I didn't and evidently needed somebody more in possession of a clue to point it out to me.  I think that should sort out my conundrum and I am most grateful.

Part of me still thinks I should find a way to get v4 working (even if it won't) but that's a project for tomorrow.  For values of "tomorrow".  Right now this rescues me from my "argh, no Windows shares" problem.


----------



## VladiBG (Feb 10, 2019)

This is the absolute minimum howto install samba 48 to work with Windows 10 SMBv3 and AES-128-CMAC on FreeBSD 12.0

`uname -a`
FreeBSD fileserver 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 GENERIC  amd64
`pkg install samba48`
`ee /usr/local/etc/smb4.conf`

```
[public]
        path = /share/public
        read only = no
        guest ok = no
```
`^[aa` (escape + aa) to save
`mkdir -p /share/public`
`chmod 770 /share/public/`
Note that the default passdb backends require the user to already exist in the system password file (usually /etc/passwd), and the user needs to be a member of the group that has write access to /share/public.
`smbpasswd  -a username`
`sysrc samba_server_enable="YES"`
`service samba_server start`

From your Windows 10 File Explorer type `\\ip_address` or `\\FreeBSD_hostname`

Edit:
the default value of _guest ok is no_ so it can be omitted


----------
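An added example, not part of VladiBG's post: the same minimal share with the SMB 3.x dialect and signing required by the server instead of left to negotiation. `server min protocol` and `server signing` are standard smb.conf parameters; the values chosen here assume every client is Windows 10 or otherwise speaks SMB 3.x.

```ini
# /usr/local/etc/smb4.conf (added example; values are assumptions)
[global]
        # Refuse SMB1 and SMB2 dialects. Clients that cannot speak
        # SMB 3.0 or newer will fail to connect.
        server min protocol = SMB3_00
        # Reject sessions that do not sign their traffic. Under SMB 3.x
        # the signing algorithm is AES-128-CMAC.
        server signing = mandatory

[public]
        path = /share/public
        read only = no
        # "no" is already the default; stated so that anonymous access
        # stays off even if a global default is changed later.
        guest ok = no
```

`testparm -s` checks that the file parses, and with a Windows 10 client connected `smbstatus` lists the negotiated protocol version and signing algorithm for the session.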



## Datapanic (Feb 10, 2019)

I have a couple servers on FreeBSD_12.0-RELEASE running BIND912 OpenLDAP 2.4.47 with rfc2307bis and Samba 4.8.9 with root on ZFS and many Samba Shares on the ZFS partitions.  I don't think I did anything to the LDAP smb4.conf entries when I upgraded from Samba 3 to 4.    Here's my section for LDAP in smb4.conf:


```
passdb backend = ldapsam:"ldap://ldap01.example.com"
ldap admin dn = cn=Manager,dc=example,dc=com
ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = no
ldap deref = auto
ldap follow referral = auto
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap page size = 1024
ldap passwd sync = no
ldap replication sleep = 1000
ldapsam:editposix = no
ldapsam:trusted = no
ldap ssl = start tls
ldap suffix = dc=example,dc=com
ldap timeout = 15
ldap user suffix = ou=People
```

It all works together.

I'm not using Kerberos but I do build my own ports and Samba and OpenLDAP do not have default configuration options.


----------



## vometia (Feb 11, 2019)

Thank you all!  Turns out I really just needed to make a fool of myself in public before suddenly finding the answer.   But I really do appreciate all the suggestions anyway and may go back to them when I decide I should "do it properly"; having said that, if it's working I'll probably just leave it well alone from now on...

The answer was mostly pretty straightforward and based on the suggestion to basically just leave the configuration well alone: simply copying smb.conf to smb4.conf, emptying /var/db/samba4 and copying secrets.tdb to /var/db/samba4/private was nearly all that was needed.  I'm not even sure about that last step, it's possible smbpasswd -W would've done the job anyway.

The only slight confusion was a bout of NT_STATUS_INVALID_SID errors but engaging my brain and checking the logs properly quickly revealed that was due to a different SID registered on the LDAP server since I'm testing Samba v4 on a different box.  Two solutions, either set the netbios name to the same as the Samba 3 server (bad idea as some clients assume it's a valid DNS name too) or duplicate the LDAP entry for the original server under the new server's name, so in my case sambaDomainName=AGA,o=CBHnet,c=GB is a duplicate of sambaDomainName=TEAPOT,o=CBHnet,c=GB just with a different UID number, but with the same SID.

Something tells me that using the same SID is potentially not awesome but given that I can't have two master servers for my domain online at the same time anyway it hopefully doesn't make a lot of difference.

And yeah, also LDAP naming misadventure.  I don't mean using kitchen appliances as inspiration for my computer names but the o=,c= thing which dates back to my original "hurrr, I dunno what I'm doing" years back.  Plus my two-level internal DNS I mentioned, which should probably actually be a branch of one of the public domains I actually own, and also my former initials which I'd love to get rid of but I suspect that is going to guarantee an endless string of problems so I should just leave it alone.

Anyway.  It's now working.  Apparently.  So a tentative "yay".


----------

