Disabling SMB1 by default
ttalpey at microsoft.com
Wed Jun 21 15:28:14 UTC 2017
> -----Original Message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On
> Behalf Of Moritz Bechler via samba-technical
> Sent: Wednesday, June 21, 2017 12:35 AM
> To: David Mulder <dmulder at suse.com>
> Cc: samba-technical at lists.samba.org
> Subject: Re: Disabling SMB1 by default
> > Can we do a multi-protocol negotiate and just specify supported dialects
> > of "2.002" and "2.???"? Then we wouldn't get a reset from servers that
> > don't support SMB2, while still enforcing SMB2+.
> According to the specs that should be perfectly legal and fully covered
> by mandatory behaviors
Legal, I guess, but nobody else does this and therefore it's basically untested.
It seems a fragile approach to me. At a minimum you should test with any and
all SMB servers out there.
> - An SMB2+ capable server must check for a SMB_COM_NEGOTIATE, 2.02
> servers must use SMB2 if the 2.002 dialect is present, 2.1+ servers must
> use SMB2 if the 2.??? dialect is present -> every SMB2 capable server
> must pick SMB2.
> - An non-SMB2 capable server must check the list of dialects, if none
> matches must set DialectIndex to 0xFFFF and use core protocol -> even if
> this is not properly implemented we should get a SMB1 negotiate response.
You'll get a response but it will be immediately followed by an abortive close
of the connection. As such, it's not guaranteed you'll see the reply.
I've suggested this before, but I think it's time for the Samba client to split into
an SMB1-only flavor (cifs.ko) and create a new smb3.ko to navigate the future.
More information about the samba-technical