[PATCH] change client max protocol default to PROTOCOL_LATEST

Alexander Bokovoy ab at samba.org
Fri May 26 09:14:25 UTC 2017


Hi,

I'd like to start a discussion about changing the 'client max protocol'
default to always be PROTOCOL_LATEST instead of PROTOCOL_NT1. While there
are known issues with this change for functionality only available over
the SMB1 protocol version, we see an increasing number of deployments
where Samba clients cannot, in the default configuration, connect to
servers with the SMB1 protocol disabled.

The number of systems with SMB1 support switched off is growing,
especially after the release of Microsoft Security Bulletin MS17-010
(WannaCry). Many organizations opted to disable SMB1 completely.

At this point, I can think of two fall offs from this change:

  - MS-RAP/MS-BRWS protocols will not work as they require SMB1
  - POSIX extensions would not work as they require SMB1

I'd like to see these two addressed in the future, if possible. The former
one would probably require an alternative approach so that GNOME and KDE
UIs could still display available shares and servers (Active
Directory did disable browsing already so this is not a new issue). The
latter one is in the works, as discussed during SambaXP.


-- 
/ Alexander Bokovoy
-------------- next part --------------
From 038fec6f3bc61b4a27e494e83bf7587824281cd9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Fri, 26 May 2017 11:52:07 +0300
Subject: [PATCH] Change client max protocol to point to the latest supported
 SMB version

With the release of Microsoft Security Bulletin MS17-010, many
organizations also disabled support for the SMB1 protocol on the server
side. This leads to the point that the default Samba configuration does
not allow smbclient and software using libsmbclient to communicate with
servers where SMB1 protocol support is disabled.

Option 'client max protocol' is set to 'default' which means
PROTOCOL_NT1.

This commit changes 'client max protocol' default setting to
PROTOCOL_LATEST. At this time it corresponds to PROTOCOL_SMB3_11.

Limitations due to this change right now:

  - inability to use MS-RAP functions as they only operate on SMB1
    connections;

  - lack of POSIX extensions as they are also only available on SMB1
    connections

Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
 docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 4 +++-
 lib/param/loadparm.c                               | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
index 0131331..9f98333 100644
--- a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
@@ -79,7 +79,9 @@
     negotiation phase in the SMB protocol takes care of choosing 
     the appropriate protocol.</para>
 
-    <para>The value <constant>default</constant> refers to <constant>NT1</constant>.</para>
+    <para>The value <constant>default</constant> refers to always latest
+    supported protocol version, this time it is
+    <constant>SMB3_11</constant>.</para>
 
     <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
     <smbconfoption name="client ipc max protocol"/> option.</para>
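Review bot: The new paragraph for <constant>default</constant> does not mention the two regressions the commit message lists (MS-RAP functions and POSIX extensions only work over SMB1), so an administrator reading the man page has no hint that they must set 'client max protocol = NT1' explicitly to keep those features. Please add a sentence saying so. The wording "refers to always latest supported protocol version, this time it is" is also ungrammatical and "this time" will go stale; something like "refers to the latest supported protocol version, currently <constant>SMB3_11</constant>" reads better and makes it clear the value will move as new dialects are added.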
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 860f3e2..68620a8 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3399,7 +3399,7 @@ int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
 {
 	int client_max_protocol = lpcfg__client_max_protocol(lp_ctx);
 	if (client_max_protocol == PROTOCOL_DEFAULT) {
-		return PROTOCOL_NT1;
+		return PROTOCOL_LATEST;
 	}
 	return client_max_protocol;
 }
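Review bot: Mapping PROTOCOL_DEFAULT to PROTOCOL_LATEST in lpcfg_client_max_protocol() silently changes the dialect ceiling for every caller of this function, including the SMB1-only paths the commit message says will stop working, and the hunk adds neither a comment nor a fallback for them. Please add a short comment above the return explaining that the default now tracks PROTOCOL_LATEST and that SMB1-only functionality needs an explicit NT1 setting, and say in the commit message whether any in-tree callers or tests rely on the old NT1 default. Note also that this only raises the upper bound: whether a client can still be negotiated down to SMB1 depends on the minimum protocol setting, which this patch does not touch, so the commit message should not be read as removing SMB1 exposure on the client side.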
-- 
2.9.3


