Disabling SMB1 by default

Tom Talpey ttalpey at microsoft.com
Tue Jun 20 22:24:24 UTC 2017


> -----Original Message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On
> Behalf Of Tom Talpey via samba-technical
> Sent: Tuesday, June 20, 2017 1:04 PM
> To: David Mulder <dmulder at suse.com>
> Cc: samba-technical at lists.samba.org
> Subject: RE: Disabling SMB1 by default
> 
> > -----Original Message-----
> > From: David Mulder [mailto:dmulder at suse.com]
> > Sent: Tuesday, June 20, 2017 11:40 AM
> > To: Tom Talpey <ttalpey at microsoft.com>
> > Subject: Re: Disabling SMB1 by default
> >
> >
> > > Correct, but I strongly suggest addressing shortcomings in the clients you mention.
> > > "Most"? Can you elaborate?
> > >
> > > Tom.
> > >
> > I believe that's from comments from the SMB team at Microsoft. I don't
> 
> Well, that would include me! But I am sure Ned Pyle has more data on this. We
> are all meeting here in Redmond this week at the interop event, Jeremy and Steve
> are here. Let's try to bring this up for discussion.
> 
> > remember exactly who I spoke with, but it was about a year ago when I
> > was implementing an SMB2 client for Dell. They mentioned one reason for
> > pre-auth integrity checks was because secure negotiate was implemented
> > wrong by many vendors. I wasn't given any examples.
> 
> There are less than a handful of SMB3 clients, and while there are many SMB3
> servers, I'm not aware of any with deficient secure negotiate capability. I'd suggest
> if this is important to folks, that fresh data be gathered.

I spoke to some folks here. There are no known incorrect client implementations
of FSCTL_VALIDATE_NEGOTIATE_INFO. However, it is possible for a *client* to
construct an FSCTL_VALIDATE_NEGOTIATE_INFO which might succeed when it
should fail, or vice-versa. Emphasis on the word *client*. A correct client, including
a Samba client, can and should expect it to work.

That said, the preauth integrity in SMB 3.1.1 has additional protections, and
two systems that both support 3.1.1 should definitely negotiate and use it
preferentially.

Tom.
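
The SMB 3.1.1 preauth integrity mentioned at the end of the message above, as an added sketch that is not part of the original thread and is not Samba or Microsoft code: both sides chain SHA-512 over the handshake messages they saw and feed the result into the signing-key derivation, so a negotiate message altered in transit leaves the two ends with different keys. The function names, session key and message bytes are constructed placeholders, not real SMB2 packets.

```python
import hashlib
import hmac
import struct


def preauth_integrity_hash(messages):
    """Chain SHA-512 over the raw handshake messages, starting from 64 zero bytes."""
    value = bytes(64)
    for msg in messages:
        value = hashlib.sha512(value + msg).digest()
    return value


def derive_signing_key(session_key, preauth_hash):
    """SP 800-108 counter-mode KDF with HMAC-SHA256, one block, 128-bit output.

    For dialect 3.1.1 the label is "SMBSigningKey" plus its terminating NUL,
    and the context is the preauth integrity hash.
    """
    label = b"SMBSigningKey\x00"
    data = struct.pack(">I", 1) + label + b"\x00" + preauth_hash + struct.pack(">I", 128)
    return hmac.new(session_key, data, hashlib.sha256).digest()[:16]


def handshake_keys_match(client_view, server_view, session_key):
    """True only if both ends hashed byte-identical handshake messages."""
    client_key = derive_signing_key(session_key, preauth_integrity_hash(client_view))
    server_key = derive_signing_key(session_key, preauth_integrity_hash(server_view))
    return hmac.compare_digest(client_key, server_key)


# Constructed sample data (placeholders standing in for wire messages).
SESSION_KEY = bytes(range(16))
NEG_REQ = b"NEGOTIATE-REQ dialects=0202,0210,0300,0302,0311 caps=0x7f"
NEG_REQ_ALTERED = b"NEGOTIATE-REQ dialects=0202,0210,0300,0302,0311 caps=0x3f"
NEG_RSP = b"NEGOTIATE-RSP dialect=0311"
SETUP_REQ = b"SESSION-SETUP-REQ"

if __name__ == "__main__":
    clean = [NEG_REQ, NEG_RSP, SETUP_REQ]
    altered = [NEG_REQ_ALTERED, NEG_RSP, SETUP_REQ]
    print("untouched handshake, keys match:", handshake_keys_match(clean, clean, SESSION_KEY))
    print("altered negotiate, keys match:  ", handshake_keys_match(clean, altered, SESSION_KEY))
```

With mismatched keys the signed session setup response fails verification on the client, which is how the alteration is detected.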

