smbclient --max-protocol=NT1: why it requres setting MIN protocol too?

Jeremy Allison jra at
Tue Oct 25 20:34:15 UTC 2022

On Tue, Oct 25, 2022 at 07:07:36PM +0100, Rowland Penny via samba-technical wrote:
>On 25/10/2022 19:00, Michael Tokarev wrote:
>>25.10.2022 20:57, Rowland Penny via samba-technical wrote
>>>I am just trying to understand this, from what I thought I knew. 
>>>SMB is a negotiating protocol, so shouldn't smbclient negotiate 
>>>the best version of SMB to use ? i.e. You shouldn't have to tell 
>>>it what version to use.
>>Well, it does the right thing. NT1 or CORE are insecure protocols,
>>this is why they've been disabled. A bad m-i-m can force a negotiation
>>to be agreed upon an insecure protocol. So you have to explicitly
>>tell smbclient to use known-bad one.
>While you are technically correct, surely SMBv1 should only be used by 
>smbclient if the server is set up to use SMBv1 and will only be used 
>if none of the SMBv3 or SMBv2 versions are available on the server.
>Or am I misunderstanding something ?

SMB1 is only now used from our client if you deliberately specify it
in smb.conf or on the command line. Michael (correctly) complains
that if you set -mNT1 (meaning max client protocol is NT-SMB1 - i.e.
use SMB1) that it won't connect if you have "min client protocol"
set to be SMB2-only (as min-protocol is now less than max).

Michael suggested that if you explicitly set "max client protocol" lower
than "min client protocol" on the command line, that "min client
protocol" is then explicitly set to the same as "max client protocol"
rather than failing the connection, which makes sense to me.

More information about the samba-technical mailing list