Why is SMB2 still disabled in our client by default?

Andrew Bartlett abartlet at samba.org
Fri Mar 28 14:46:29 MDT 2014

On Fri, 2014-03-28 at 10:27 -0700, Jeremy Allison wrote:
> On Fri, Mar 28, 2014 at 01:36:11PM +0100, Stefan (metze) Metzmacher wrote:
> > Am 04.03.2014 23:59, schrieb Andrew Bartlett:
> > > Just wondering, as it came up during the docs/param work:
> > > 
> > > Why do we only set 'client max protocol = NT1' by default?
> > > 
> > > What is required to move this up to SMB2/3?
> > > 
> > > The reason for my interest is that I still want to find a way to force
> > > winbindd to require SMB signing for all authenticated connections, to
> > > reduce our attack surface for future DCE/RPC bugs, and to validate that
> > > the DC is really the one feeding us users and groups.
> > 
> > Jeremy, are we sure each smbclient command and every libsmbclient
> > function call
> > work with SMB2? If so we could change the default for 4.2 to "SMB3".
> SMB2 doesn't have the UNIX extensions, so several
> smbclient commands will fail without -mSMB1 if we change
> the default. That's not obviously a reason not to do
> this of course.
> I don't think libsmbclient depends on UNIX extensions,
> but it does use them if available to give a better
> UNIX -> UNIX experience.

The lack of UNIX extensions is going to be a tricky thing here, and is
going to either hinder the adoption of SMB2/3 or the unix extensions.
In the meantime, it would be good if we had a way to negotiate SMB2/3
for the RPC client use case, without the other impacts of raising the
global 'client max protocol'. 

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list