Get Samba4 working with wsdd2 and SMB2/SMB3

flexmcmurphy · March 1, 2021, 1:05am

Hello,

I recently switched from Windows 7 to Windows 10. Now my OpenWrt Samba share sometimes works and sometimes doesn't. What I mean is... the share appears automatically in Network Neighborhood in Windows 10 file explorer but when I click on it then it won't let me see the files.

I have tried all sort of options of Server/Client min and max protocol in smb.conf. I tried turning SMBv1 and Netbios on and off in Windows but that gives inconsistent results I don't understand.

I installed wsdd2 and turned off Netbios/SMBv1 and it was working earlier but after a reboot it's broken again.
I have set the "Function Discovery Provider Host" and "Function Discovery Resource Publication" services to Automatic (Delayed Start).

Right now it's working again after I re-enabled Netbios and SMBv1. SMB2 and SMB3 are also enabled.

Here is my smb.conf:

[global]
	netbios name = OPENWRT 
	interfaces = br-lan 
	server string = Samba on OpenWRT
	unix charset = UTF-8
	workgroup = WORKGROUP
	bind interfaces only = yes
	deadtime = 15
	enable core files = no
	security = user
	map to guest = Bad User
	passdb backend = smbpasswd
	socket options = IPTOS_LOWDELAY TCP_NODELAY
	load printers = No
	printcap name = /dev/null
	disable spoolss = yes
	printing = bsd
	mdns name = mdns
	veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
	delete veto files = yes

[root]
	path = /
	valid users = root
	create mask = 0644
	directory mask = 0755
	read only = no
	guest ok = no
	guest only = no

[usb]
	path = /mnt/usb
	valid users = root
	create mask = 0644
	directory mask = 0755
	read only = no
	guest ok = no
	guest only = no

This is my /etc/config/samba4

config samba
	option workgroup 'WORKGROUP'
	option charset 'UTF-8'
	option description 'Samba on OpenWRT'
config sambashare
	option path '/'
	option name 'root'
	option users 'root'
	option create_mask '0644'
	option dir_mask '0755'	
	option read_only 'no'
	option guest_ok 'no'
	option guest_only 'no'

config sambashare
	option path '/mnt/usb'
	option name 'usb'
	option users 'root'
	option create_mask '0644'
	option dir_mask '0755'
	option read_only 'no'
	option guest_ok 'no'
	option guest_only 'no'

/etc/config/system

config system
	option hostname 'OpenWrt'
	option timezone 'UTC'
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'

config timeserver 'ntp'
	option enabled '1'
	option enable_server '0'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'

But when I do # Get-SmbConnection from powershell I see..

ServerName ShareName UserName         Credential       Dialect NumOpens
---------- --------- --------         ----------       ------- --------
OPENWRT    root      WIN10-PRO\user WIN10-PRO\user 3.1.1   2
Osmc       4tb1      WIN10-PRO\user WIN10-PRO\user 3.1.1   2

Doesn't that mean it is using SMB3? So turning on SMBv1 should not have made any difference? But SMB2 and SMB3 are also enabled so maybe it was turning on Netbios that made the difference?

From OpenWrt Terminal I see that wsdd2 process is running:

root@OpenWrt:~# ps | grep wsdd
 1721 root       852 S    /usr/bin/wsdd2 -i br-lan -N OPENWRT -G WORKGROUP -b vendor:raspberrypi,model:Raspberry_Pi_4_Model_B_Rev_1.1,sku:4-model-b
 4335 root      1220 S    grep wsdd
root@OpenWrt:~#

I want to get this to work reliably with wsdd2 and SMB2 or SMB3 so I can turn off SMB1/Netbios again. This is working fine with wsdd on other Raspberry Pis in my LAN.

Is there anything wrong with my set up?

Cheers,

Andy2244 · March 1, 2021, 1:30pm

Not that i can see, first check if its just the discovery that's broken or actual access to the share. So if you get the fault try access the share directly via its full FQN via \\ip\sharename.

What i found is that sometimes the windows discovery needs to-be restarted, until all clients show-up. For me this is just a discovery problem, the shares always work via FQN.

I use this script to restart all my active client's. (Replace ??? with username/password)

@echo off
setlocal enabledelayedexpansion

FOR %%G IN (100,101,103) DO (
	ping -n 1 -4 -w 3 192.168.1.%%G
	IF !ERRORLEVEL! EQU 0 (
		PsService64 \\192.168.1.%%G -nobanner -u ??? -p ??? stop FDResPub
		TIMEOUT 2 /NOBREAK
		PsService64 \\192.168.1.%%G -nobanner -u ??? -p ??? stop fdPHost
		TIMEOUT 2 /NOBREAK
		PsService64 \\192.168.1.%%G -nobanner -u ??? -p ??? start FDResPub
		PsService64 \\192.168.1.%%G -nobanner -u ??? -p ??? start fdPHost
	)
)

The PsService64 comes from Systernals tools.

takimata · March 1, 2021, 4:21pm

In addition to @Andy2244's advice, and I mentioned this a few times before: When experimenting with SMB daemon configurations or switching SMB daemons, it is highly advisable to clear Windows' Kerberos cache in between. Not many are aware that Windows keeps a cache of Kerberos credential tickets, and if they mismatch, weird access issues can happen.

I am not saying this is the cause of your problems, but you should definitely rule it out.

On an elevated command prompt on the Windows machine (i.e., open command prompt as administrator), first remove all your currently connected shares
net use * /d
and then remove all cached Kerberos tickets
klist purge
This will force Windows to request new Kerberos tickets when a network share is connected.

flexmcmurphy · March 1, 2021, 11:28pm

Thanks @Andy2244 and @takimata

@Andy2244 I downloaded the SysInternals tools and put PsService64.exe in the same folder as that script running in a batch file. I had to adapt the script to run against one ip at a time because my Samba shares don't all have the same username and passwords.

@echo off
setlocal enabledelayedexpansion

FOR %%G IN (3) DO (
	ping -n 1 -4 -w 3 192.168.1.%%G
	IF !ERRORLEVEL! EQU 0 (
		C:\Users\me\Documents\PsService64.exe \\192.168.1.%%G -nobanner -u osmc -p pwd stop FDResPub
		TIMEOUT 2 /NOBREAK
		C:\Users\me\Documents\PsService64.exe \\192.168.1.%%G -nobanner -u osmc -p pwd stop fdPHost
		TIMEOUT 2 /NOBREAK
		C:\Users\me\Documents\PsService64.exe \\192.168.1.%%G -nobanner -u osmc -p pwd start FDResPub
		C:\Users\me\Documents\PsService64.exe \\192.168.1.%%G -nobanner -u osmc -p pwd start fdPHost
	)
)
cmd /k

When I run it I get this..

Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=17ms TTL=64

Ping statistics for 192.168.1.3:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms
Error querying services on \\192.168.1.3:
This function is not supported on this system.
Error opening FDResPub on \\192.168.1.3:
The specified service does not exist as an installed service.

Waiting for 0 seconds, press CTRL+C to quit ...
Error querying services on \\192.168.1.3:
This function is not supported on this system.
Error opening fdPHost on \\192.168.1.3:
The specified service does not exist as an installed service.

Waiting for 0 seconds, press CTRL+C to quit ...
Error querying services on \\192.168.1.3:
This function is not supported on this system.
Error opening FDResPub on \\192.168.1.3:
The specified service does not exist as an installed service.
Error querying services on \\192.168.1.3:
This function is not supported on this system.
Error opening fdPHost on \\192.168.1.3:
The specified service does not exist as an installed service.
C:\Windows\system32>

Do the SysInternal tools needs to be installed in some special way? Are the Samba shares meant to be on the same machine running this script maybe? I have several Raspberry Pis in my LAN and each is running Samba Server so the shares exist on those machines and I use my Win 10 Laptop to browse those shares.

If I just go in to Win 10 Services and restart the function discovery services from there is that the same thing as your script or does it do something else/better?

Tonight I again tried turning off SMBv1 from Powershell as explained here and disabled Netbios in my Laptops Network adapter.

I'm please to say, thanks to wsdd2 and WS-Discovery my shares are still auto populating in the Network "Neighbourhood" and when I click on them they reveal their files. So far so good! My problem was never that the client shares weren't showing up but that clicking on them would not show the files and it was only a problem for my OpenWrt share.

I also tried net use * /d (said there was nothing to remove) and klist purge which it did. But not sure if I needed those commands. Good for future reference I think.

Cheers,

Andy2244 · March 2, 2021, 9:46am

Yes its the same, just more convenient over network. You also need to enable admin network access on the clients so you are able to issue remote admin commands via:
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

flexmcmurphy · March 2, 2021, 5:56pm

Good stuff. Well, in my case I don't have any other windows machines on my Lan only Raspberry Pis.

Are there any other commands that would achieve the same concept as restarting Function discovery services in machines that are not Windows?

Like @takimata said:

Remove all currently connected shares
net use * /d
Remove all cached Kerberos tickets
klist purge

Anything else that would be useful in debugging connection issues with wsdd2 and other clients? Restarting the wsdd2 program?
ipconfig/flushdns?

Lastly, is there a Wiki for wsdd2? I'm surprised if no as it's such a useful and important piece of software now that Netbios/SMB1 is on the way out.

Cheers,