Have you ever been in the situation of having a very old machine that you wanted to talk to your modern-day fileserver in a secure manner? I know the solution presented below is not ideal, but it is better than nothing. Remember that we’re dealing with legacy hardware here that some cheapskate machine shop owner is too thrifty to replace, or with our own personal part-time joy of dealing with retro hardware, so this is by far not a secure solution. It is about to come one step closer to “as good as it gets”.
In case you find almost the same text on GitHub: I posted it there too 🙂
Lets go for it! Meet the concept of SMB-Proxy 🙂
Having several Windows for Workgroups 3.11 computers in the basement, and also several customers running old CNC routers/mills/lathes and what have you with old-style operating systems, I figured it was time for a somewhat safer solution than just enabling SMBv1 on the Windows fileservers directly.
The idea is very simple: we put something in between the old clients and the modern fileserver and make sure there is no other way for anything in the network with the old clients to leave that network. The only thing possible to do in that network will be to connect to that SMB proxy.
Step 1: Get managed switches and replace unmanaged switches.
Step 2: Create a new VLAN for the old clients and make a new subnet for them on your firewall, in case you want to route some traffic somewhere else, which I definitely do not recommend for production machines, other than the case that you might want to have some fun with an Internet Archive proxy or visit some BBS.
Step 3: Create a new virtual machine with your favorite flavour of Linux (in my case Debian) on your server, with one network interface in the subnet of your fileserver and one network interface in the subnet of your old clients.
Step 4: Install Samba 🙂
Step 5: Create a new folder in your filesystem where you want to mount the SMB share that you want to be proxied, let’s say it is called “Software”.
Step 6: Create a file in the /root directory, maybe call it software-share-credentials, that has the credentials to your modern-day share in it. They should be in the format mount.cifs expects, one key per line:
username=
password=
domain=
whereas after the = you obviously put your real credentials (the domain= line is optional).
Step 7: Mount the share from your modern fileserver onto that folder via fstab, like so (the mount point and the credentials path must match what you created in steps 5 and 6):
//fileserver.nerdsh.org/Documents/Software /mnt/FileserverProxy cifs user,uid=1000,gid=1000,vers=3.11,credentials=/root/FileserverCredentials,auto 0 0
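An added check for the credentials file from step 6 (example code, not part of the original post): it verifies that the file is owned by root with mode 0600, because that file holds the password for the modern share, and that it contains only the keys mount.cifs understands. The sample that demo() writes uses placeholder credentials.

```python
import os
import stat
import tempfile

ALLOWED_KEYS = ("username", "password", "domain")  # keys documented in mount.cifs(8)

def check_credentials_text(text):
    """Return problems found in credentials-file content; [] means it is fine."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or key not in ALLOWED_KEYS:
            problems.append("line %d: expected username=, password= or domain=" % lineno)
        elif not value:
            problems.append("line %d: %s= has no value" % (lineno, key))
        else:
            seen.add(key)
    for required in ("username", "password"):
        if required not in seen:
            problems.append("missing %s=" % required)
    return problems

def check_credentials_file(path, expected_uid=0):
    """Owner/mode check plus content check; any group/other bit would hand the fileserver password to the Linux user the legacy clients are mapped to."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is group/world accessible, expected 0600" % stat.S_IMODE(st.st_mode))
    with open(path) as fh:
        problems.extend(check_credentials_text(fh.read()))
    return problems

def demo():
    """Constructed sample with placeholder credentials, written once with mode 0600 and once with 0644; returns the findings per mode."""
    sample = "username=proxyuser\npassword=PLACEHOLDER\ndomain=WORKGROUP\n"
    results = {}
    for mode in (0o600, 0o644):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
        results[mode] = check_credentials_file(path, expected_uid=os.getuid())
        os.unlink(path)
    return results
```

Run check_credentials_file("/root/software-share-credentials") as root on the proxy after step 6; an empty list means the file is usable by the fstab entry and not readable by anyone else.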
Step 8: Create a user on your Linux machine that matches the user on your old client. It is important that this user has a password no longer than 8 letters; best compatibility is given with an all-lowercase username and an all-lowercase 8-letter password.
Step 9: Make your Samba config! I suggest something like this for your smb.conf:
[global]
bind interfaces only = yes
# this is the interface in the vlan of the old clients! do not bind this SMB daemon to any other network!!! It is dangerous and very insecure!
interfaces = enp0s5
min protocol = CORE
netbios name = smbproxy
lanman auth = yes
client plaintext auth = yes
client lanman auth = yes
ntlm auth = yes
map to guest = bad user
workgroup = WORKGROUP
unix extensions = no
allow insecure wide links = yes
include = /etc/samba/share1.conf
include = /etc/samba/share2.conf
And in the config files for the shares you want to create, which would for example be share1.conf (each file needs its own section header, otherwise its parameters end up in [global] when the file is included):
[Share1]
comment = Share1
path = ThisIsThePathToTheMountPointYouCreatedEarlier!
guest ok = yes
public = yes
browseable = yes
writeable = yes
# YourLinuxUserThatHasPermissionsOnTheMountFolder!!! (Samba has no inline comments, so keep notes on their own line)
force user = audiocrush
force group = audiocrush
create mask = 0775
directory mask = 0775
follow symlinks = yes
# wide links lets clients follow symlinks to paths outside the share; keep it only if the mounted share really needs it
wide links = yes
case sensitive = no
default case = upper
preserve case = no
short preserve case = no
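An added lint for the proxy’s smb.conf (example code, not from the original post or from Samba): it catches the mistakes that would silently undo the isolation described in step 9, namely the fileserver-side interface ending up in “interfaces”, a share file included without its [Name] header, and an inline comment becoming part of a value. The interface names passed in are assumptions; use your own.

```python
import re

# Samba has no inline comments: "force user = bob #(note)" makes the value
# "bob #(note)". Flag any value that still carries one.
INLINE_COMMENT = re.compile(r"\s[#;]")
# Parameters that only make sense inside a [share] section.
SHARE_ONLY = {"path", "guest ok", "public", "writeable", "force user", "force group"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased and
    whitespace-normalised. Section None collects parameters that appear before
    any [section] header, which is what an include file without one produces."""
    sections, current = {None: {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def lint_proxy_conf(text, upstream_ifaces=()):
    """Return findings that would break the proxy's isolation; [] means clean.
    upstream_ifaces: names of the interface(s) facing the modern fileserver."""
    conf = parse_smb_conf(text)
    g = dict(conf[None], **conf.get("global", {}))  # smbd treats pre-section params as global
    findings = []
    if g.get("bind interfaces only", "").lower() != "yes":
        findings.append("global: 'bind interfaces only = yes' is missing, smbd would listen on every interface")
    ifaces = set(g.get("interfaces", "").split())
    if not ifaces:
        findings.append("global: 'interfaces' is empty")
    for bad in sorted(ifaces & set(upstream_ifaces)):
        findings.append("global: %s faces the fileserver and must not serve SMB1" % bad)
    for sec, params in conf.items():
        name = sec or "(before any [section])"
        if sec in (None, "global") and SHARE_ONLY & set(params):
            findings.append("%s: share parameters outside a [share] section; the include file needs a [Name] header" % name)
        for key, value in params.items():
            if INLINE_COMMENT.search(value):
                findings.append("%s: '%s' keeps an inline comment as part of its value: %r" % (name, key, value))
    return findings
```

Feed it the concatenation of smb.conf and the included share files (or the output of testparm -s) and pass the name of the fileserver-side interface as upstream_ifaces.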
Step 10: Reboot the whole thing and enjoy!
The “Oh I forgot” section:
Some WfW 3.11 machines still gave me some problems.
I was able to overcome them by installing admincfg from WfW 3.11 setup disk No. 8 like so:
expand A:\admincfg.ex_ C:\windows\admincfg.exe
Open File Explorer
Find admincfg.exe and start it.
Click on Passwords
Disable Password Caching (this is apparently needed when accessing shares with user-level security, and Samba has already dropped share-level security support, if I got that correctly)
Reboot the machine.
I looked for ages for that information and I never want to forget it:
smb.conf possible values for “min protocol” and “max protocol”:
Possible values are:
- CORE: Earliest version. No concept of user names.
- COREPLUS: Slight improvements on CORE for efficiency.
- LANMAN1: First modern version of the protocol. Long filename support.
- LANMAN2: Updates to Lanman1 protocol.
- NT1: Current up-to-date version of the protocol. Used by Windows NT. Known as CIFS.
- SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available:
  - SMB2_02: The earliest SMB2 version.
  - SMB2_10: Windows 7 SMB2 version.
  - SMB2_22: Early Windows 8 SMB2 version.
  - SMB2_24: Windows 8 beta SMB2 version.
  By default SMB2 selects the SMB2_10 variant.
- SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available:
  - SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
  - SMB3_02: Windows 8.1 SMB3 version.
  - SMB3_10: Early Windows 10 technical preview SMB3 version.
  - SMB3_11: Windows 10 technical preview SMB3 version (maybe final).
  By default SMB3 selects the SMB3_11 variant.
(Thank you Jeff Schaller on Reddit)