[Samba] Problems with OS X 10.11.5

Jeremy Allison jra at samba.org
Wed Jun 1 19:55:51 UTC 2016

On Wed, Jun 01, 2016 at 07:44:26PM +0000, Seth Goldin wrote:
> I disabled client signing from the client side, via OS X's global nsmb.conf
> file: https://discussions.apple.com/message/30282470#30282470
> The performance was back to over 600 MB/s, as compared to 60 MB/s with
> signing.
> It just seems a bit weird to me that Apple, in response to the Badlock bug,
> would have changed the OS X client default to something with such drastic
> performance implications, without much notice. My contact at Apple said
> that the engineers were able to replicate the slow performance on OS X
> Server as well, so even if they didn't test it with Samba on Linux or
> FreeBSD servers, they might have just been too hasty in their response to
> Badlock. I wonder if they had only tested OS X clients with Windows Server.
> I wonder what that performance looks like, but I don't have access to
> Windows Server.

My guess is the Apple security Team gave the client devs no choice.

Badlock was a protocol level bug (although the problem protocol
was DCE-RPC, not SMB) and enabling SMB-signing fixes the problem
with DCE-RPC tunnelled inside SMB[123] packets.

Otherwise Apple would have had to do what Samba did, which was
to fix the DCE-stack to refuse non-signed/sealed connections
on security-sensitive pipes. Insisting on SMB signing is a
simpler and quicker fix, especially if their server only accepts
DCE-RPC tunnelled inside SMB[123] packets.

More information about the samba mailing list