Disabling SMB1 by default

Stefan Metzmacher metze at samba.org
Tue Jun 20 18:48:06 UTC 2017


On 20.06.2017 at 14:01, Andreas Hasenack wrote:
> On Mon, Jun 19, 2017 at 8:14 PM, Jeremy Allison <jra at samba.org> wrote:
> 
>> On Tue, Jun 20, 2017 at 10:20:07AM +1200, Andrew Bartlett via
>> samba-technical wrote:
>>> On Mon, 2017-06-19 at 15:39 +0200, Stefan Metzmacher via samba-
>>> technical wrote:
>>>> Hi Andreas,
>>>>
>>>>> we recently had a bug filed against Ubuntu [1] requesting that we disable
>>>>> the SMB1 protocol by default. That is part of a larger campaign [2] to get
>>>>> rid of SMB1 entirely.
>>>>>
>>>>> Has there been any discussion among Samba developers to change the default
>>>>> client and server min protocol level to SMB2? Would you consider making
>>>>> such a change?
>>>>
>>>> We've recently discussed changing 'client max protocol = SMB3' so
>>>> that smbclient and other utilities work against servers
>>>> with disabled SMB1 by default.
>>>>
>>>> We hope to get this into 4.7, but there's only about 3 weeks
>>>> left to make this change (until 4.7.0rc1 is branched from master),
>>>> so it's not sure if such a change will make it into 4.7.0 (released
>>>> in September).
>>>
>>> I had the dates as giving us 2 weeks.  Yes, there isn't much time.
>>
>> Yeah, that's too short a time to do anything really. IMHO we
>> just need to help people on the list to turn what they can
>> off themselves for now, and work on how to do the migration
>> properly over the next year or so.
>>
> 
> 
> What is the big issue with allowing the client to try SMB3 first? Won't it
> fallback to SMB2, then NT1, and so on?

We just don't have all code ready for it.

But I've started to work on passing 'make test' with the changed
default, it's not 100% there yet, but it's close.

https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-libsmb-ok

I'll post the patches once they pass an autobuild.

> Won't many server admins have disabled SMB1 in their Windows servers after
> the wannacry attack?

Yes, the thing is that we need to be sure that the SMB2 code is actually
working and don't introduce regressions which would let applications
fail which would work fine using SMB1.

metze

