smbclient --max-protocol=NT1: why it requres setting MIN protocol too?

Rowland Penny rpenny at
Tue Oct 25 18:07:36 UTC 2022

On 25/10/2022 19:00, Michael Tokarev wrote:
> 25.10.2022 20:57, Rowland Penny via samba-technical wrote
> ..
>> I am just trying to understand this, from what I thought I knew. SMB 
>> is a negotiating protocol, so shouldn't smbclient negotiate the best 
>> version of SMB to use ? i.e. You shouldn't have to tell it what 
>> version to use.
> Well, it does the right thing. NT1 or CORE are insecure protocols,
> this is why they've been disabled. A bad m-i-m can force a negotiation
> to be agreed upon an insecure protocol. So you have to explicitly
> tell smbclient to use known-bad one.
> /mjt

While you are technically correct, surely SMBv1 should only be used by 
smbclient if the server is set up to use SMBv1 and will only be used if 
none of the SMBv3 or SMBv2 versions are available on the server.

Or am I misunderstanding something ?


More information about the samba-technical mailing list