Samba 4.11 Removes SMB1 File-Sharing Protocol Version By Default (theregister.co.uk)
Samba says version 4.11.0 will switch off previously on-by-default support for the aging and easily subverted SMB1 protocol. Slashdot reader Jeremy Allison - Sam shares a report from The Register detailing the new changes: The open-source SMB toolkit's developers say the Samba 4.11 build, currently in preview, will by default set SMB2_02 as the earliest supported version of the Windows file-sharing protocol. Admins will still have the option to allow SMB1 on their servers if they so choose, but support will be turned off by default. The move by Samba to drop SMB1 can be seen as long overdue, given that Microsoft has been moving to get rid of the file-server protocol version from its operating systems for several years now, even before it was revealed to be one of the NSA's favorite weak points to exploit. You can read the 4.11 release notes here.
Disabling in Default Config != Remove!!!! (Score:2, Informative)
Samba is simply doing the safe and rational thing and ensuring the SMB1 protocol is not available for attacks against a higher-revision and otherwise secure SMB network if at all possible. The encryption in SMB1 has been broken for years, and even SMB2 I believe has issues of its own. I am not sure about the older protocols and if they have been removed, deprecated, or left out entirely, but this is nothing to complain about so long as regression testing and support for the feature is kept, even if only used by
Re: (Score:3)
In the vast majority of installs I've seen, SMB is not encrypted, and is not supposed to be -- it's there for file sharing between employees/family members/multiple personal machines in a local network. No Windows-using companies I've seen trust it enough for remote access to sensitive data.
Thus, SMB1 is not an issue, as long as neither servers nor clients can be DoSed.
Re: (Score:2)
> Thus, SMB1 is not an issue, as long as neither servers nor clients can be DoSed.
I also have just family members in my house so none of my computer accounts are password protected. It's not like someone from the internet would try something nefarious.
https://blog.malwarebytes.com/... [malwarebytes.com]
The first paragraph basically says it all:
"Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well
Re: (Score:3)
> Neither protocol offers any meaningful security as far as I'm aware.
This isn't true. SMB3.11 implements transport level encryption with man-in-the-middle negotiation protection.
It's so secure that Microsoft allows direct access via SMB3.11 into the Azure cloud.
Re: (Score:3)
This is good to know. I keep my porn^H^H^H^Hhigh quality jpeg art on a samba share. I would like to be able to send that out over the internet so I could access it from remote sites. Would be a lot better than when I go through customs where they inspect my tablet, and me trying to explain what the woman and the donkey, err, I mean what the man and the hat means.
better error messages? (Score:2)
Re:better error messages? (Score:5, Funny)
I think expecting the Samba team to do something about your face is a little much.
Re: better error messages? (Score:2)
Actually we're pretty friendly to new contributors, although the bar is higher now than it used to be years ago to get code accepted. If you want to help please submit patches to our GitLab repo. If they pass the CI tests I'll be happy to evaluate and give feedback on them.
Cheers,
Jeremy Allison,
Samba Team.
Re: (Score:1)
I was honestly going to give the "Patches gratefully accepted" type thing at the end of my above comment, in context to same. FWIW. Haven't been personally involved in any open source projects for a while for multiple reasons, alas.
Re: (Score:2)
Given that they are dropping SMB1 by default instead of fixing the reason why it's being dropped, probably not.
They are fixing SMB1. The fix was called SMB2. You don't seem to understand that SMB1 is inherently insecure and unfixable in any way that would retain compatibility with SMB1. The user friendly solution is to rev up the protocol number, migrate to the new protocol and after a considered time drop support for the previous one.
They are doing the theoretically and practically least obtrusive thing along with the rest of the industry, save for MS who didn't even bother publishing the fact that a Windows update
Re: (Score:2)
> Samba gives STATUS_BAD_NETWORK_NAME
Yes, SMB gives networks a bad name.
Re: (Score:3)
It's not really XP - it's home theatre apps, Android file managers - anybody who wanted to roll their own SMB stack, basically.
I lost VLC on a Fire Stick to FreeNAS when its default changed to v2. I turned v1 back on because I wouldn't ever use SMB for anything sensitive.
Re: (Score:3)
You don't need to fork the code - at least not yet. The SMB1 server is still built in, it's just no longer available by default.
In time I really want to start removing that code however, as it really complicates the underlying NTFS emulation layer inside the smbd server code.
We can be a lot cleaner and nicer as a server if we can ditch the horrid old SMB1 emulation layer.
Re: (Score:2)
> I suppose one could maintain a fork that retains SMB1
Or just add "min protocol = SMB1" to the configuration. We shouldn't be insecure by default just because someone wants to support a well and truly deprecated network protocol.
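The two settings argued over in this thread (the server's minimum dialect, which the story says now defaults to SMB2_02, and the SMB3 transport encryption mentioned a few comments up) are both plain smb.conf parameters, so an admin can audit them rather than guess. The script below is an added example, not Samba project code and not from any commenter: it parses an smb.conf, reports the effective minimum dialect, and flags SMB1 exposure and unenforced encryption. The only Samba facts it relies on are the documented parameter names and values from smb.conf(5): "server min protocol" (with "min protocol" as its synonym), whose SMB1 dialect is spelled NT1 rather than SMB1, and "smb encrypt" (off, if_required, desired, required). Both configs are constructed for the demonstration.

```python
"""Audit an smb.conf for SMB1 exposure and SMB3 encryption policy.

Constructed example; not Samba's own code. Parameter names and values
follow smb.conf(5). The sample configs at the bottom are made up.
"""
import re

# Samba dialect keywords, ordered. Anything ranked below SMB2_02 is SMB1-era.
# Bare "SMB2"/"SMB3" select a sub-variant; ranking them at the top of their
# family is conservative enough for a "is SMB1 allowed?" check.
DIALECT_RANK = {
    "CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
    "SMB2_02": 10, "SMB2_10": 11, "SMB2_22": 12, "SMB2_24": 13, "SMB2": 13,
    "SMB3_00": 20, "SMB3_02": 21, "SMB3_10": 22, "SMB3_11": 23, "SMB3": 23,
}
SAMBA_411_DEFAULT_MIN = "SMB2_02"  # the new default discussed in the story


def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers and 'key = value' lines.
    Comment lines start with '#' or ';'. Keys are lower-cased with
    internal whitespace collapsed, so 'Server  Min Protocol' matches."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective_min_protocol(sections):
    """Return the server's minimum dialect, honouring the 'min protocol'
    synonym and falling back to the Samba 4.11 compiled-in default."""
    g = sections.get("global", {})
    value = g.get("server min protocol") or g.get("min protocol") or SAMBA_411_DEFAULT_MIN
    return value.upper()


def audit(text):
    """Return a dict with the effective settings and a list of findings."""
    sections = parse_smb_conf(text)
    g = sections.get("global", {})
    min_proto = effective_min_protocol(sections)
    findings = []

    rank = DIALECT_RANK.get(min_proto)
    if rank is None:
        findings.append(f"unknown dialect name {min_proto!r}; check smb.conf(5) "
                        "(the SMB1 dialect is spelled NT1, not SMB1)")
    elif rank < DIALECT_RANK["SMB2_02"]:
        findings.append(f"SMB1 enabled: server min protocol = {min_proto} "
                        f"(Samba 4.11 default is {SAMBA_411_DEFAULT_MIN})")

    enc = g.get("smb encrypt", "default").lower()
    if enc != "required":
        findings.append(f"transport encryption not enforced: smb encrypt = {enc}")
    for name, params in sections.items():  # per-share opt-outs
        if name != "global" and params.get("smb encrypt", "").lower() == "off":
            findings.append(f"share [{name}] explicitly disables encryption")

    return {"min_protocol": min_proto, "smb_encrypt": enc, "findings": findings}


# Constructed config: an admin who turned SMB1 back on for an old media player.
LEGACY_CONF = """
[global]
   workgroup = HOME
   ; re-enabled so the Fire Stick app keeps working
   min protocol = NT1
[media]
   path = /srv/media
   read only = yes
"""

# Constructed config: SMB3.11 only, encryption mandatory.
HARDENED_CONF = """
[global]
   workgroup = HOME
   server min protocol = SMB3_11
   smb encrypt = required
[media]
   path = /srv/media
"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{label}: min protocol {result['min_protocol']}, "
              f"smb encrypt {result['smb_encrypt']}")
        for f in result["findings"] or ["no findings"]:
            print("  -", f)
```

Leaving "server min protocol" out entirely is what makes the 4.11 upgrade close SMB1 for you; the audit treats an absent key as the new default, so a config that still carries an explicit NT1 line is the case it is there to catch.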
Re: (Score:2)
Too much random crap uses it. Apparently various "smart" devices with a bit too cheap SMB implementations.
Windows XP (Score:2)
Say goodbye to Windows XP and Server 2003.
P.S. SMB1 support is still there but you have to enable it manually.
Re: (Score:2)
> Say goodbye to Windows XP and Server 2003.
Wait, are they still here?
I thought they left..
Why won't they leave???
Re: (Score:2)
> Say goodbye to Windows XP and Server 2003
If anyone is still running these systems in 2019 outside of a VM (especially in "production") - they pretty much deserve whatever they might catch. Running a 16 year old Windows-based OS for your server is basically lazy+insane, and a forced upgrade would benefit the ecosystem in general.