Enable SMB2 Protocol on Samba 3.6x running on Oracle Linux 6 for Windows 10 Clients

To prevent the WannaCry malware from infecting our Windows 10 clients, we removed support for the SMB1 protocol via “Turn Windows features on or off”. But that prevented them from accessing the Samba share running on Oracle Linux 6. Instead, they get this message:



You can't connect to the file share because it's not secure.
This share requires the obsolete SMB1 protocol, which is
unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on
resolving this issue, see:
https://go.microsoft.com/fwlink/?linkid=852747


Solution:

The version of Samba on Oracle Linux 6 (OEL 6) and RHEL 6 is 3.6x, which does support SMB2. The problem is that the cifs.ko kernel module that comes with older OEL 6.x (and RHEL 6) only supports SMB1. The cifs.ko module in Linux kernel 3.8.13 or higher does support SMB2, and that is what we have on our OEL 6.7 Linux box. If you do not have at least 3.8.13, you would need to upgrade your kernel to Oracle’s UEK R3 for OEL 6 before you can access the share with the SMB2 protocol from a Windows 10 client.


[root@oralinux001 ~]# uname -a
Linux oralinux001 3.8.13-118.19.2.el6uek.x86_64 #2 SMP Fri Jun 30 10:43:34 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@oralinux001 ~]# cat /etc/oracle-release
Oracle Linux Server release 6.7

[root@oralinux001 ~]# rpm -qa|grep samba
samba-winbind-clients-3.6.23-20.0.1.el6.x86_64
samba-3.6.23-20.0.1.el6.x86_64
samba4-libs-4.0.0-66.el6_6.rc4.x86_64
samba-winbind-3.6.23-20.0.1.el6.x86_64
samba-common-3.6.23-20.0.1.el6.x86_64


Assuming we have at least Linux kernel version 3.8.13 and Samba 3.6, we can enable SMB2 on the Samba server by adding the following lines to /etc/samba/smb.conf under the [global] section:


[global]
       client max protocol = smb2
       max protocol = smb2


And make the following changes under the “Standalone Server Options” section in /etc/samba/smb.conf.

Note: If there is a “security = SHARE” line, change the word SHARE to user. If the line isn’t there, then just add the entire line below. The “SHARE” option is deprecated and will prevent Windows 10 clients from accessing the share via the SMB2 protocol.


        security = user


Restart the smb service for the changes to take effect.


# service smb restart
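
To confirm that smb.conf really carries both settings in the [global] section (and not in a share section, where they have no effect on this problem), the check below can be run against the file. It is an added example, not part of the original post; the function names get_global and check_smb_conf and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit smb.conf for the two
# [global] settings the post changes. Function names are hypothetical.

# get_global FILE KEY: print the last value of KEY inside [global], lowercased.
# Samba ignores whitespace inside parameter names, so it is stripped here.
get_global() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key) }
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_smb_conf FILE: return 0 only if the file matches the post's settings.
check_smb_conf() {
    rc=0
    proto=$(get_global "$1" "max protocol")
    sec=$(get_global "$1" "security")
    if [ "$proto" = "smb2" ]; then echo "OK:   max protocol = smb2"
    else echo "FAIL: max protocol = ${proto:-unset}, post sets smb2"; rc=1; fi
    case "$sec" in
        user)  echo "OK:   security = user" ;;
        share) echo "FAIL: security = share blocks Windows 10 over SMB2"; rc=1 ;;
        *)     echo "NOTE: security = ${sec:-unset}, post sets user" ;;
    esac
    return $rc
}

# Constructed sample: a pre-change config with the deprecated SHARE mode.
demo=$(mktemp)
printf '%s\n' '[global]' '  workgroup = MYGROUP' '  security = SHARE' \
    '[public]' '  path = /srv/share' '  max protocol = smb2' > "$demo"
check_smb_conf "$demo" || echo "=> $demo needs the changes above"
rm -f "$demo"
```

On the server itself, call check_smb_conf /etc/samba/smb.conf instead of the sample file.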


You should now be able to map the Samba share from a Windows 10 client. Here are things to check if you still can’t access the share after enabling SMB2.


i. Open up "Turn Windows features on or off", verify that "SMB Direct" is enabled. If not, enable it.
ii. Verify your firewall is not preventing access to the Samba share.
iii. Make sure the Windows 10 client is rebooted any time you enable or disable a Windows feature for Samba.
