[Samba] Low performance when using "server signing" = "mandatory"

Adam Błaszczykowski adam.blaszczykowski at gmail.com
Tue Oct 24 09:56:02 UTC 2023

I agree with you that using the latest version of Samba with the SMB2 or
SMB3 protocol should protect the server against MITM attacks. I will
confirm this information on security forums.
Thank you very much for your help.

Best regards.
Adam Blaszczykowski

pon., 23 paź 2023 o 12:30 Rowland Penny via samba <samba at lists.samba.org>

> On Mon, 23 Oct 2023 12:02:20 +0200
> Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:
> > Ok thank you.
> > So, Is my file server with Samba 4.17.12 vulnerable to CVE-2016-2114
> > if it is not a DC server?
> >
> > To be clear, I don't use any Active Directory domain controller in my
> > network.
> Lets see if I can paraphrase the documentation for CVE-2016-2014
> (which is very old now).
> There was a bug before 4.4.0 that allowed SMBv1 clients to be possibly
> vulnerable to M-I-M attacks, this was fixed, but 'server signing'
> (according to the CVE) is set to 'off' for performance reasons.
> If you examine 'man smb.conf', you find this, under 'server signing':
> For the SMB2 protocol, by design, signing cannot be disabled.
> Samba, by default, now uses SMBv2, so you do not, in my opinion, have
> anything to worry about, unless you have turned SMBv1 on again.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list