Disabling SMB1 by default

Andrew Bartlett abartlet at samba.org
Wed Jun 21 03:37:31 UTC 2017


On Tue, 2017-06-20 at 09:01 -0300, Andreas Hasenack wrote:
> On Mon, Jun 19, 2017 at 8:14 PM, Jeremy Allison <jra at samba.org>
> wrote:
> > On Tue, Jun 20, 2017 at 10:20:07AM +1200, Andrew Bartlett via
> > samba-technical wrote:
> > > On Mon, 2017-06-19 at 15:39 +0200, Stefan Metzmacher via samba-
> > > technical wrote:
> > > > Hi Andreas,
> > > >
> > > > > we recently had a bug filed against Ubuntu [1] requesting
> > that we disable
> > > > > the SMB1 protocol by default. That is part of a larger
> > campaign [2] to get
> > > > > rid of SMB1 entirely.
> > > > >
> > > > > Has there been any discussion among Samba developers to
> > change the default
> > > > > client and server min protocol level to SMB2? Would you
> > consider making
> > > > > such a change?
> > > >
> > > > We've recently discussed changing 'client max protocol = SMB3'
> > so
> > > > that smbclient and other utilities work against servers
> > > > with disabled SMB1 by default.
> > > >
> > > > We hope to get this into 4.7, but there's only about 3 weeks
> > > > left to make this change (until 4.7.0rc1 is branched from
> > master),
> > > > so it's not certain whether such a change will make it into 4.7.0
> > (released
> > > > in September).
> > >
> > > I had the dates as giving us 2 weeks.  Yes, there isn't much
> > time.
> > 
> > Yeah, that's too short a time to do anything really. IMHO we
> > just need to help people on the list to turn what they can
> > off themselves for now, and work on how to do the migration
> > properly over the next year or so.
> > 
> 
> 
> What is the big issue with allowing the client to try SMB3 first?
> Won't it fallback to SMB2, then NT1, and so on?

The issue so far has been that we don't know if they wanted unix
extensions, and can't tell on the SMB3 connection if they may have been
available on SMB1.  

However, given that CAP_UNIX is listed in the SMB1 negprot, could we
try an SMB1 negprot, and only cap the negotiation to NT1 if CAP_UNIX is
returned?

That would 'fix' the connections to a lot of servers.  We would then set
a new 'client max protocol = auto' to cover this case, perhaps
enforcing some kind of session integrity via other means, like SMB
signing to make the downgrade less interesting to an attacker?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
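The negotiation rule sketched in the message above (probe with an SMB1 negprot, stay capped at NT1 only if the server returns CAP_UNIX, and in that case insist on SMB signing so a forced-SMB1 downgrade buys an attacker less) can be modelled as a small decision function. The following is an added example for this archive page, not Samba code and not something posted in the thread. It parses the NT LM 0.12 NEGOTIATE response layout (WordCount 17, Capabilities at word offset 13, CAP_UNIX = 0x00800000, signing bits in SecurityMode), and the sample replies it feeds itself are constructed in the script rather than captured from a real server. The function names, the 'auto' string and the returned dictionary shape are assumptions made for the example.

```python
"""Model 'client max protocol = auto': cap to NT1 only when CAP_UNIX is offered.

Added example, not Samba code. Wire layouts follow the SMB1 (NT LM 0.12) and
SMB2 NEGOTIATE response formats; all sample replies are constructed here.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
CAP_UNIX = 0x00800000               # server advertises the CIFS Unix extensions
CAP_EXTENDED_SECURITY = 0x80000000
SECURITY_SIGNATURES_ENABLED = 0x04  # SecurityMode bits of the SMB1 negprot reply
SECURITY_SIGNATURES_REQUIRED = 0x08
# 17 parameter words of the NT LM 0.12 reply: DialectIndex, SecurityMode,
# MaxMpxCount, MaxNumberVcs, MaxBufferSize, MaxRawSize, SessionKey,
# Capabilities, SystemTime, ServerTimeZone, ChallengeLength
NT1_PARAMS = "<HBHHIIIIqhB"


def parse_smb1_negprot(resp: bytes) -> dict:
    """Extract capabilities and signing mode from an SMB1 NEGOTIATE response."""
    if len(resp) < 32 or resp[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if resp[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    params = resp[32:]                      # parameter block follows the 32-byte header
    if params[0] != 17:                     # 0 = no dialect accepted, other = LANMAN layouts
        raise ValueError(f"WordCount {params[0]} is not the NT LM 0.12 layout")
    (_dialect, security_mode, _mpx, _vcs, _buf, _raw, _key,
     capabilities, _time, _tz, _chal_len) = struct.unpack_from(NT1_PARAMS, params, 1)
    return {
        "capabilities": capabilities,
        "unix_extensions": bool(capabilities & CAP_UNIX),
        "signing_enabled": bool(security_mode & SECURITY_SIGNATURES_ENABLED),
        "signing_required": bool(security_mode & SECURITY_SIGNATURES_REQUIRED),
    }


def choose_max_protocol(probe_reply: bytes, configured_max: str = "auto") -> dict:
    """Decide the dialect ceiling for the real negotiation.

    With the assumed 'auto' setting the client first sends an SMB1 negprot.
    Only a reply carrying CAP_UNIX justifies staying on NT1, and then signing is
    demanded as the downgrade mitigation; anything else goes on to SMB2/SMB3.
    """
    if configured_max.upper() != "AUTO":
        return {"max_protocol": configured_max.upper(), "require_signing": False,
                "reason": "explicit client max protocol setting"}
    if probe_reply[:4] == SMB2_MAGIC:
        # An SMB2-capable server may answer the SMB1 probe with an SMB2 NEGOTIATE
        # response; SMB2 has no CAP_UNIX, so there are no Unix extensions to lose.
        return {"max_protocol": "SMB3", "require_signing": False,
                "reason": "server answered the probe with SMB2"}
    info = parse_smb1_negprot(probe_reply)
    if info["unix_extensions"]:
        return {"max_protocol": "NT1", "require_signing": True,
                "reason": "server offers CAP_UNIX; stay on SMB1 but require signing"}
    return {"max_protocol": "SMB3", "require_signing": False,
            "reason": "no CAP_UNIX on SMB1; nothing is gained by capping to NT1"}


def build_smb1_negprot_response(capabilities: int, security_mode: int = 0x03) -> bytes:
    """Construct a minimal SMB1 NEGOTIATE reply (sample data, not a capture)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte header
    words = bytes([17]) + struct.pack(NT1_PARAMS, 0, security_mode, 50, 1, 16644,
                                      65536, 0, capabilities, 0, 0, 8)
    challenge = b"\x00" * 8                                            # constructed
    return header + words + struct.pack("<H", len(challenge)) + challenge


if __name__ == "__main__":
    for label, caps in (("unix-extensions server", CAP_UNIX | CAP_EXTENDED_SECURITY),
                        ("plain SMB1 server", CAP_EXTENDED_SECURITY)):
        print(label, "->", choose_max_protocol(build_smb1_negprot_response(caps)))
    print("SMB2 reply ->", choose_max_protocol(SMB2_MAGIC + b"\x00" * 60))
```

The same decision could of course be made by Samba itself inside the negotiate code rather than by a wrapper like this; the point of the example is only that CAP_UNIX is visible in the SMB1 negprot before any dialect is committed to, so the "do we need NT1?" question can be answered per server instead of by a global 'client max protocol' default.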