[Samba] Allow only one computer SMB v1

Andrew Bartlett abartlet at samba.org
Tue Jun 29 20:53:50 UTC 2021


On Tue, 2021-06-29 at 16:37 -0400, Nick Couchman via samba wrote:
> On Tue, Jun 29, 2021 at 4:30 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Tue, 2021-06-29 at 16:18 -0400, Nick Couchman wrote:
> > > 
> > > If I understand the question correctly, I believe Stephen is asking
> > > if you could limit support for SMBv1 to a single client, allowing
> > > only that client to talk to the Samba server with SMBv1, while
> > > forcing all other computers to talk with SMBv2/3, etc.
> > > 
> > > My thought is you could possibly do this using the include directive
> > > in the smb.conf file to include a per-machine configuration file,
> > > perhaps based on IP address. Something like this:
> > > 
> > > include = /etc/samba/clients/%I.conf
> > > 
> > > You could then have a configuration file specifically for that
> > > machine that would lower the SMB protocol level down to 1, and all
> > > other machines could use the default.
> > > 
> > > I might be off on that, it isn't something I've tried, but Samba's
> > > support for configuration includes and variable substitutions gives
> > > you some very flexible, very powerful options.
> > > 
> > 
> > Yes, but if all the other computers were using SMBv2 (at a minimum),
> > how could they 'talk' to the computer that only used SMBv1 and how
> > could it 'talk' to them?
> > 
> > 
> Right, but, as I understand it from the original question, the computer
> that needs to speak SMBv1 is a network scanning device. So, if the Samba
> server has a share on it, say it's called "Scans", and the network
> scanning device can talk to the Samba server (only) via SMBv1 in order
> to drop scanned documents into the Scans share, then all of the other
> computers on the network can talk to the Samba server using SMBv2+ and
> the users can pick up their scans from the Scans share on that same
> server.
> 
> The network scanning device need not be able to talk to any other
> computer on the network in order to facilitate this kind of workflow,
> and it maintains a higher level of security for most of the devices
> talking to the Samba server.

The same applies to devices that can't do NTLMv2, and they should be
restricted in the same way.

I would love a "safer configuration for downlevel devices" page in the
wiki with this kind of thing in it; this is only going to be a more
common question "going forward".

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
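A concrete smb.conf layout for the per-IP include approach discussed in the thread above. This is an added example, not code from the thread or from the Samba project's documentation; the scanner's address 192.0.2.10, the share name Scans and its path are assumptions. It also applies Andrew's NTLMv2 point in the same per-client file, so that both SMB1 and NTLMv1 stay off for every host except the one that cannot do better.

```ini
# /etc/samba/smb.conf  (added example; names and addresses are assumed)
[global]
    workgroup = WORKGROUP

    # Hardened defaults for every client: refuse SMB1 (NT1) and NTLMv1.
    # SMB2_02 and ntlmv2-only are Samba's built-in defaults on current
    # releases; setting them explicitly documents the intent.
    server min protocol = SMB2_02
    ntlm auth = ntlmv2-only

    # Per-client override keyed on the connecting IP address (%I).
    # The file is read as if typed here, i.e. still inside [global].
    # Hosts without a matching file just keep the defaults above.
    include = /etc/samba/clients/%I.conf

[Scans]
    # Drop target for the scanner; users collect documents from here over SMB2+.
    path = /srv/samba/scans
    read only = no
    # Assumed dedicated account for the scanner; keep it off every other share.
    valid users = scanner, @staff

# /etc/samba/clients/192.0.2.10.conf  (only the scanner, assumed at 192.0.2.10)
# No section header: these lines land in [global] for this one connection.
server min protocol = NT1
# Only if the device also cannot authenticate with NTLMv2; leave it out otherwise.
ntlm auth = ntlmv1-permitted
```

Two checks are worth doing before relying on this. `testparm -s` cannot show the per-client result, because it does not substitute `%I`, so verify from the network instead: `smbclient --max-protocol=NT1 -L //server -U scanner` should succeed from 192.0.2.10 and fail with a protocol negotiation error from any other host, and a plain `smbclient -L` from a workstation should still negotiate SMB2 or SMB3. The override is keyed purely on the client's source address, so it is only as strong as your ability to keep that address from being spoofed or reused on the LAN; pair it with a dedicated, share-restricted account for the device as above.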