[CIFS] Upgrade default dialect to SMB3 from cifs (SMB1) for improved security

Steve French smfrench at gmail.com
Sun Jul 9 00:01:52 UTC 2017

I had missed a review comment from Pavel - now included, and the first
patch updated to include that minor change.




On Sat, Jul 8, 2017 at 5:47 PM, Steve French <smfrench at gmail.com> wrote:
> Due to recent publicity about security vulnerabilities in the
> much older CIFS dialect, these patches move the default dialect to the
> widely accepted (and quite secure) SMB3.0 dialect from the
> old default of the CIFS dialect.
> We do not want to be encouraging use of less secure dialects,
> and both Microsoft and CERT now strongly recommend not using the
> older CIFS dialect (SMB Security Best Practices
> "recommends disabling SMBv1").
> SMB3 is both secure and widely available: in Windows 8 and later,
> Samba and Macs.
> Users can still choose to explicitly mount with the less secure
> dialect (for old servers) by choosing "vers=1.0" on the cifs
> mount e.g. to take advantage of Samba's "CIFS POSIX Extensions"
> The two patches for this are attached and also at:
> https://git.samba.org/?p=sfrench/cifs-2.6.git;a=commit;h=abc018498883b395e34e2ee976bca7cb944f8ecd
> and
> https://git.samba.org/?p=sfrench/cifs-2.6.git;a=commit;h=c9db9d35a8c85a571d1fa8987703aa0f21de5e32--
> Thanks,
> Steve


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-SMB3-Improve-security-move-default-dialect-to-SMB3-f.patch
Type: text/x-patch
Size: 1680 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170708/2bad24ae/0002-SMB3-Improve-security-move-default-dialect-to-SMB3-f.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-SMB3-Remove-ifdef-since-SMB3-and-later-now-STRONGLY-.patch
Type: text/x-patch
Size: 23667 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170708/2bad24ae/0001-SMB3-Remove-ifdef-since-SMB3-and-later-now-STRONGLY-.bin>

More information about the samba-technical mailing list