smbclient --max-protocol=NT1: why it requres setting MIN protocol too?

Rowland Penny rpenny at
Tue Oct 25 20:52:50 UTC 2022

On 25/10/2022 21:34, Jeremy Allison wrote:
> On Tue, Oct 25, 2022 at 07:07:36PM +0100, Rowland Penny via 
> samba-technical wrote:
>> On 25/10/2022 19:00, Michael Tokarev wrote:
>>> 25.10.2022 20:57, Rowland Penny via samba-technical wrote
>>> ..
>>>> I am just trying to understand this, from what I thought I knew. SMB 
>>>> is a negotiating protocol, so shouldn't smbclient negotiate the best 
>>>> version of SMB to use ? i.e. You shouldn't have to tell it what 
>>>> version to use.
>>> Well, it does the right thing. NT1 or CORE are insecure protocols,
>>> this is why they've been disabled. A bad m-i-m can force a negotiation
>>> to be agreed upon an insecure protocol. So you have to explicitly
>>> tell smbclient to use known-bad one.
>>> /mjt
>> While you are technically correct, surely SMBv1 should only be used by 
>> smbclient if the server is set up to use SMBv1 and will only be used 
>> if none of the SMBv3 or SMBv2 versions are available on the server.
>> Or am I misunderstanding something ?
> SMB1 is only now used from our client if you deliberately specify it
> in smb.conf or on the command line. Michael (correctly) complains
> that if you set -mNT1 (meaning max client protocol is NT-SMB1 - i.e.
> use SMB1) that it won't connect if you have "min client protocol"
> set to be SMB2-only (as min-protocol is now less than max).
> Michael suggested that if you explicitly set "max client protocol" lower
> than "min client protocol" on the command line, that "min client
> protocol" is then explicitly set to the same as "max client protocol"
> rather than failing the connection, which makes sense to me.

Ah, that is what I misunderstood, by default smbclient has SMBv1 turned 
off, but it only has a max protocol switch (which by definition sets the 
maximum protocol to use and this defaults to SMBv3), when it probably 
should have been a min protocol switch i.e. turn SMBv1 back on again.

The problem with all this is, the user has to know that the server only 
uses SMBv1 before using smbclient and this isn't always possible to know.


More information about the samba-technical mailing list