3 Replies Latest reply on May 1, 2018 11:17 AM by ijnorm

    LEM Backup fails - SMBv1


      We recently tried configuring the backup functionality in a newly installed instance of LEM but couldn't get it to connect to the target network share. If you're having a similar problem, perhaps after disabling SMBv1 in the wake of WannaCry, this is for you.


      The following messages were displayed when we tried to run the backup:


      protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

      Share credentials validated.


      Backup configured to run daily.


      Would you like to run the backup now? <y/N> y

      Running backup, please wait...

      20170718: Checking for other running processes


      2017/07/18 14:52:34: Checking archive schedule with daily...


      2017/07/18 14:52:34: Not checking schedule, assuming on-demand archive.


      2017/07/18 14:52:34: unmounting old shares, in case any stale shares exist.

      umount: /tmp/smb: not mounted


      2017/07/18 14:52:34: mounting share //share/share with user USER on domain DOMAIN to mount point /tmp/smb

      Trying ntlmsspi

      Mount failed for //share/share as user USER ntlmsspi

      Trying ntlmssp

      Mount failed for //share/share as user USER ntlmssp

      Trying ntlmv2

      Mount failed for //share/share as user USER ntlmv2

      Trying ntlm2

      Mount failed for //share/share as user USER ntlm2

      Trying ntlm

      Mount failed for //share/share as user USER ntlm

      Trying insecure communication

      Mount failed for //share/share as user USER insecure communication

      2017/07/18 14:52:35: Beginning dump of alertdb to /tmp/smb/SolarWindsLEMAlertDBArchive

      2017/07/18 14:52:35: First I will do a touch test of SolarWindsLEMAlertDBArchive.test to see if I can create a file

      2017/07/18 14:52:35: Starting archive to SolarWindsLEMAlertDBArchive


      2017/07/18 14:52:46: done with archive. Result (if any): Success


      2017/07/18 14:52:46: Cleaning Up.

      umount: /tmp/smb: not mounted


      2017/07/18 14:52:46: done!


      We raised a case with SolarWinds support and the cause of the failure is that LEM can only use SMBv1 for backup; it doesn't support SMBv2 or 3. As we've disabled SMBv1 due to its known security vulnerabilities, we can't back up our LEM. SW support advise that a fix will be included in the next major release (possibly 6.4) but cannot give even an estimate as to timescales for a release date, so we are unable to back up our LEM for the time being unless we choose to compromise security on our file storage system, and the word on that is "no".


      Given that SMBv1 has been known to be vulnerable for several years you might have thought LEM would by now support something more secure. Apparently not.
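Added example (not part of the original post, and not SolarWinds code): the output quoted above ends with "Result (if any): Success" although every mount attempt failed, so a check on the final status line alone would miss the failure. This Python check parses that output and flags the mismatch; the function name, the returned field names and the rule that a working mount logs no "Mount failed" line are assumptions.

```python
import re

# Constructed input: lines copied from the backup output quoted in the post.
SAMPLE_LOG = """\
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
2017/07/18 14:52:34: mounting share //share/share with user USER on domain DOMAIN to mount point /tmp/smb
Trying ntlmsspi
Mount failed for //share/share as user USER ntlmsspi
Trying ntlmssp
Mount failed for //share/share as user USER ntlmssp
Trying ntlmv2
Mount failed for //share/share as user USER ntlmv2
Trying ntlm2
Mount failed for //share/share as user USER ntlm2
Trying ntlm
Mount failed for //share/share as user USER ntlm
Trying insecure communication
Mount failed for //share/share as user USER insecure communication
2017/07/18 14:52:35: Beginning dump of alertdb to /tmp/smb/SolarWindsLEMAlertDBArchive
2017/07/18 14:52:46: done with archive. Result (if any): Success
"""

TRY_RE = re.compile(r"^Trying (.+)$")
FAIL_RE = re.compile(r"^Mount failed for \S+ as user \S+ (.+)$")
RESULT_RE = re.compile(r"done with archive\. Result \(if any\): (\S+)")

def audit_backup_log(text):
    """Compare the mount attempts in a backup log with the result it reports."""
    tried, failed, result, negotiation_failed = [], set(), None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if "protocol negotiation failed" in line:
            negotiation_failed = True
        elif m := TRY_RE.match(line):
            tried.append(m.group(1))
        elif m := FAIL_RE.match(line):
            failed.add(m.group(1))
        elif m := RESULT_RE.search(line):
            result = m.group(1)
    # Assumption: a mount that worked logs no "Mount failed" line for its method.
    mounted_with = [method for method in tried if method not in failed]
    return {
        "negotiation_failed": negotiation_failed,
        "methods_tried": tried,
        "mounted_with": mounted_with,
        "reported_result": result,
        # "Success" while no mount succeeded: do not count this run as a backup on the share.
        "false_success": result == "Success" and bool(tried) and not mounted_with,
    }
```

Running `audit_backup_log` over captured backup output gives a single `false_success` flag that a scheduled job can alert on instead of trusting the "Success" line.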

        • Re: LEM Backup fails - SMBv1

          Any updates from SolarWinds on this? I'm running into the same issues. Seeing as how there is no 6.4 yet, I'm assuming this is still an issue, which does surprise me seeing as how this is an SIEM product and SMBv1 is a huge security vulnerability.

            • Re: LEM Backup fails - SMBv1

              We are actively working on improved SMB support which includes SMB versions 2, 3 and 3.02. Unfortunately I can't provide an updated timeline at present, but I'll be sure to keep this forum updated as soon as I can. Apologies for the inconvenience caused by this issue - I understand it's frustrating.  

            • Re: LEM Backup fails - SMBv1

              We've encountered this problem too. We had to configure a GPO delta for our File Server allowing SMB v1 only on that server and have locked down access to the LEM share via share permissions. The rest of the domain remains SMBv2 only. I guess we could write some firewall rules to lock down the SMBv1 access to only our LEM appliances but haven't done so yet. On the jobs to do list.