[Samba] Packet Signing Options and a "PREFER_NO" option.

Andy Liebman andyliebman at aol.com
Sat Feb 25 14:52:11 UTC 2017 

Hello, 


Mac users running OS X 10.12.x report that read and write speeds to SMB-mounted network shares are very poor if packet signing is required (the default on OS X since 10.11.something). Suggestions abound on the Internet that you can restore good throughput by disabling packet signing on the Mac.  You do that by creating or editing the /etc/nsmb.conf file and adding: 


[default]
require_signing=no


Indeed, customers of my company's products have confirmed that disabling packet signing "makes Samba great again". The problem is, disabling packet signing seems to be an all or nothing proposition.  If you disable it on OS X, apparently you can no longer connect to servers that require packet signing including Windows Domain Controllers (I haven't tested this myself, but that's what users report).  I realize that Samba.org has little (or nothing) to do with Apple's SMB implementation. However, assuming there is some discussion about this issue among the community of developers who work on SMB implementations (at Microsoft, Apple, Samba.org, and elsewhere), I just want to voice my opinion that it would be nice to have an option, on both the Server and Client sides, that essentially says:  "Prefer NOT using signing, but support it if either side requires it".  Reading the man pages for smb.conf, I don't get the sense that such an option is possible.  AUTO means that signing isn't required, but it WILL be used if both sides support it.  MANDATORY means it MUST be used or else you won't connect.  DISABLED means it will NEVER be used, even if one side requires it (in which case, I suppose the connection will fail).  What might be helpful is a 4th option "PREFER_NO" -- where both sides CAN support it but won't use it unless one side requires it. 


It seems a similar discussion came up in 2011 in a exchange between Stefan (metze) Metzmacher and Andrew Bartlett  (https://lists.samba.org/archive/samba-technical/2011-October/080119.html).  It looks as if the end result was to not implement what Stefan had suggested. 


Regards, 
Andy Liebman

More information about the samba mailing list