Samba 4.x package support thread

I have to add this line to disable io_uring or file copy to samba fails.

config samba
	option disable_async_io 'yes'

Add AD-DC and Windows ACL support please. smbd -b | grep HAVE_LIBACL returns nothing.

While we're making requests, Samba 4.14.x is still the package version, we missed 4.15.x, and now 4.16.1 is out. Could it be upgraded to that for the upcoming 22.03 release?

OpenWrt SNAPSHOT r19482 built by me, smbd v4.14.12. Client is Windows 7.

[global]
security = user
passdb backend = smbpasswd

null passwords = yes
# map to guest = Bad Password
# map to guest = never
# guest account = nobody
# guest ok = yes

ntlm auth = ntlmv2-only
invalid users = root

netbios name = GRAPHRT
interfaces = br-lan lan4
bind interfaces only = yes
server string = Samba
unix charset = UTF-8
workgroup = WORKGROUP

######### Dynamic written config options #########

[temp]
        path = /mnt/temp
        create mask = 0666
        directory mask = 0777
        read only = no
        guest ok = yes

[Work]
        path = /mnt/work
        valid users = SambaUser
        create mask = 0666
        directory mask = 0777
        read only = no
        guest ok = no

I have a weird problem with user accounts. Passwords don't work. I always get 0xc000006d STATUS_LOGON_FAILURE when I try to connect. I can see this in Wireshark / tcpdump.
I tried:

  • deleting and re-adding user in smbpasswd and /etc/passwd
    Didn't work.

  • add a new user with a very simple password "1234" and add the new logon credentials in Windows - Control Panel - Credential Manager
    Didn't work. I can see the new user trying to logon in Wireshark, but gets STATUS_LOGON_FAILURE as response.

  • enabling guest account and "map to guest = Bad Password"
    Works! I can connect, browse dirs, read/write files, according to guest permissions.

  • set "null passwords = yes" and using empty password for the account in smbpasswd and Windows
    Works! I can connect, browse dirs, read/write files, according to user's permissions.

I don't know what else to try. Is there any method to check if smbpasswd generates the correct password hash?
Thank you!

I did more tests.
samba logs show this:

[2022/05/12 18:30:16.283474,  2]   check_ntlm_password:  Authentication for user [SambaUser] -> [SambaUser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1

I can connect using the same account and password from a Gentoo linux client (mount.cifs, kernel v5.15) and also from a Windows XP client. Windows 7 still doesn't work. I'm sure that the password is correct.

Is there somebody who can replace @Andy2244 in maintaining this package? Version 4.14.14 has been released with security patches a few weeks ago. The openwrt-package is at 4.14.12.

Would do it myself, but I think I am just at the beginning of understanding how the development process for openwrt/packages works at GitHub.

1 Like

While we're at it, if someone is a bit more ambitious, there have been 3 major version releases since 4.14... 4.17 is out :)

Love having Samba in OpenWrt, share 2TB drive on my network for Kodi etc. Get 100 MB/s read-write on my WRT32X, hope support will continue.

Just made a pull request on master to update samba to v4.14.14

https://github.com/openwrt/packages/pull/19499

1 Like

Thanks!

Is it difficult to update the package to 4.15 or higher as @phinn mentioned? 4.14 is EOL since last month, so no further security updates for this version.

1 Like

No idea, I haven't tried.

Might look into it when I get some time.

1 Like

Had a look at upgrading samba to v4.15.10 but there is a gnutls dependency not found error while building that I don't know how to solve unfortunately, had a crack but no luck.

Maybe someone else with more experience could chime in as I'm a noob when it comes to OpenWRT packages.

This page has a dependency list, not sure if it's complete though:
https://www.linuxfromscratch.org/blfs/view/svn/basicnet/samba.html

https://wiki.samba.org/index.php/Samba_Features_added/changed

Managed to compile Samba 5.15.10 for arm_cortex-a15+neon-vfpv4_musl OpenWrt package available here.

Compile-tested on x86_64 for arm_cortex-a15+neon-vfpv4_musl. I haven't tested or run-tested the functionality; feel free to open a pull request based on mine.

Ping @Gingernut.

1 Like

What was needed to fix the gnutls error?

@Gingernut
There is a new variable named "gnutls_version_str" in the "wscript_configure_system_gnutls" file. It invokes pkgconfig on hostpkg to look for gnutls, which is of course not available. I have just replaced the variable with the current gnutls snapshot version, which is version 3.7.7. Some modifications that I have made to the Makefile:

	$(SED) 's/gnutls_version_str.*/gnutls_version_str = "3.7.7"/g' $(HOST_BUILD_DIR)/wscript_configure_system_gnutls
	$(SED) 's/(gnutls_version > .*/(parse_version(gnutls_version) > parse_version("3.6.10")):/g' $(HOST_BUILD_DIR)/wscript_configure_system_gnutls
	$(SED) 's/(gnutls_version < .*/(parse_version(gnutls_version) < parse_version("3.5.2")):/g' $(HOST_BUILD_DIR)/wscript_configure_system_gnutls

Note:
In the "wscript_configure_system_gnutls" file, this line is automatically replaced by the sed rule 's/(gnutls_version > .*/(parse_version(gnutls_version) > parse_version("3.6.10")):/g'

if (gnutls_version > parse_version('3.6.14')):

by

if (parse_version(gnutls_version) > parse_version("3.6.10")):

Since I am not well versed in sed, I think we need to have 2 sed rules for that. I was trying to find the correct one but could not find it. For now at least everything compiles; not sure if it's proper or functional yet.

In case you didn't know, you can use comparison software like Beyond Compare to diff 2 folders/files.

1 Like
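The threshold problem described in the post above, as an added example that is not part of the original post or the OpenWrt Makefile: the posted rule's `.*` overwrites each line's own version threshold (which gates the AES-CCM define), while a rule that matches only the left-hand side and restores the operator through a capture group leaves '3.6.10', '3.6.14' and '3.5.2' intact. The sample file content is constructed from the lines quoted in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the three version checks quoted in this thread.
sample_wscript() {
cat <<'EOF'
if (gnutls_version > parse_version('3.6.10')):
    if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'):
        conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1)
        if (gnutls_version > parse_version('3.6.14')):
            conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)

if (gnutls_version < parse_version('3.5.2')):
    conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
EOF
}

# Rule as posted: ".*" swallows the rest of the line, so every
# "gnutls_version > ..." check ends up with the same threshold.
rewrite_greedy() {
    sed 's/(gnutls_version > .*/(parse_version(gnutls_version) > parse_version("3.6.10")):/'
}

# Alternative (assumption, not the project's rule): match only
# "(gnutls_version <op> " and put the operator back via \1, so the
# right-hand side of each line is never touched. Running it twice is a
# no-op because the rewritten text no longer matches the pattern.
rewrite_keep_threshold() {
    sed -E 's/\(gnutls_version ([<>]) /(parse_version(gnutls_version) \1 /'
}

# Helper: list the thresholds left on the lines that compare gnutls_version.
thresholds() {
    grep 'gnutls_version' \
        | sed -E "s/.*parse_version\(['\"]([0-9.]+)['\"]\).*/\1/" \
        | paste -sd ' ' -
}

# Show the rewritten sample when the script is run directly.
sample_wscript | rewrite_keep_threshold
```
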

@echelon @Gingernut
For some help I always checked the gentoo/alpine packages for changes and extra patches:

Otherwise check the Samba build docs here:
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba
https://wiki.samba.org/index.php/Waf#Using_the_configure_wrappers

One of the many hurdles building samba4 is waf and that it either expects a full and correctly configured target arch VM (QEMU) to run some WAF test calls during compile or you need to supply a waf answer file per target arch, but then you still need to somehow "guess" the answers per arch or need to run the qemu based waf variant at least once.

My old personal repo has the waf-qemu based changes here: https://github.com/Andy2244/openwrt-extra/blob/master/samba4/Makefile

So config samba4 with the special CONFIG_SAMBA4_WAF_CROSS_EXECUTE and it will run waf with qemu and generate the answer files, then you can copy those from the build out dir.
$(CP) $(PKG_BUILD_DIR)/cross-answers-$(CROSS-ANSWER-OUT).txt $(1)/etc/samba

Of course you need to run this for every target arch at least once, which I did via my docker based script: https://github.com/Andy2244/openwrt-package-builder

Unfortunately the package-builder is probably broken now, since I never updated it for the new Windows WSL stuff.

Good luck!

3 Likes

I made a patch based on the changes you suggested but it still errors out for me.

--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -11,10 +11,10 @@ gnutls_required_version = gnutls_min_req
 conf.CHECK_CFG(package='gnutls',
                args=('"gnutls >= %s" --cflags --libs' % gnutls_required_version),
                      msg='Checking for GnuTLS >= %s' % gnutls_required_version,
-                     mandatory=True)
+                     mandatory=False)
 
-gnutls_version_str = conf.cmd_and_log(conf.env.PKGCONFIG + ['--modversion', 'gnutls']).strip()
-gnutls_version = parse_version(gnutls_version_str)
+gnutls_version_str = "3.7.7"
+gnutls_version = gnutls_min_required_version
 
 # Define gnutls as a system library
 conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
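Review bot: The new `gnutls_version = gnutls_min_required_version` line leaves the hardcoded `gnutls_version_str = "3.7.7"` above it unused, so every later comparison runs against the minimum required version instead of 3.7.7, and the value is no longer passed through `parse_version()` as the removed line did. Keeping `gnutls_version = parse_version(gnutls_version_str)` would preserve what the unchanged `if (gnutls_version > parse_version('3.6.10')):` check expects. Separately, switching `mandatory=True` to `mandatory=False` lets configure continue when the GnuTLS check fails, so a missing library would surface later rather than here; a comment saying why that is acceptable for this build would help.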
@@ -37,10 +37,10 @@ conf.CHECK_FUNCS_IN('gnutls_set_default_
 if (gnutls_version > parse_version('3.6.10')):
     if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'):
         conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1)
-        if (gnutls_version > parse_version('3.6.14')):
+        if (parse_version(gnutls_version) > parse_version("3.6.10")):
             conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
 
-if (gnutls_version < parse_version('3.5.2')):
+if (parse_version(gnutls_version) < parse_version("3.5.2")):
     conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
 
 # Check if gnutls has fips mode support
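Review bot: The inner check's threshold changes from '3.6.14' to "3.6.10", which makes it identical to the enclosing `> 3.6.10` test, so `ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM` is now defined whenever the AES_GCM define is; keep `parse_version("3.6.14")` if only the left-hand side was meant to change. The enclosing `if (gnutls_version > parse_version('3.6.10')):` is also left unwrapped while the two changed lines call `parse_version(gnutls_version)`, so the three comparisons no longer treat `gnutls_version` as the same type.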

Maybe I've done something wrong.

It should be something like this:

- if (gnutls_version > parse_version('3.6.10')):
+ if (parse_version(gnutls_version)  > parse_version('3.6.10')):
     if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'):
         conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1)
-        if (gnutls_version > parse_version('3.6.14')):
+        if (parse_version(gnutls_version) > parse_version("3.6.14")):

In general, replace "gnutls_version" with "parse_version(gnutls_version)". In the original Makefile this replacement only happens for HOST_BUILD; that's why the Makefile currently uses sed rather than a patch file, which would be applied globally, including for PKG_BUILD. In PKG_BUILD we will have gnutls available, so we cannot use a patch file for "gnutls_version" & "gnutls_version_str".

2 Likes

Thanks for the explanation.

Maybe you could make a PR request to update to 4.15.10?

I'm not well versed in git or GitHub either, hehe. Hmm, have you tested the build? Is it working correctly? Need to make sure first.