Smb.conf Default Configuration with samba-support

Hello Garuda Team,

So I was looking into the actual smb.conf that's first supplied and, thanks to reminding discussions from elsewhere, realized and remembered something, most notably about the old SMBv1/CIFS protocols. I then went to update mine to ensure sanity was there, and found this line:

client min protocol = NT1

Which, while the server protocol remains at the default of SMB2, allows the client to connect at SMB1/CIFS, the protocol that was replaced back in 2006 with Windows Vista and SMB 2.0. I cannot think of any reason why this should be enabled to that insecure protocol version, at least by default.

I've since corrected my own configuration to a more modern and secure configuration using the following:

client min protocol = SMB3
server min protocol = SMB3
smb encrypt = required

I'm not suggesting this be the absolute standard, but it would cover anyone using Windows Vista (2006) and up and be a more secure baseline. Curious what others think about this.

As I continue to look through this, I might be finding other ideas or concerns as part of this conversation, but wanted to start this topic.

3 Likes

My opinion: Burn SMBv1 to the ground with all the fire available. It's dead now, it was dead 15 years ago, and all for good reason. There should be ZERO attempt to maintain backwards compatibility with things like this, ESPECIALLY by default. It's beyond bad practice and crossing into dangerous territory.

2 Likes

Well, it was due to a bug in the samba package; it required lowering the version to make it work.

1 Like

Hmmm... This is not a bug though. The one that made such a report would need to be properly educated to understand, NT1 is insecure and their own responsibility to enable if they absolutely must have it, type thing. That's my thought process on this. Making this a global default is far worse, IMHO.

1 Like

Well, make an MR then.

1 Like

I'm planning to... I'm just trying to determine what the defaults should be. SMB2 as default, or pushing for higher standards, by default, like SMB3?

1 Like

Aren't there some NAS devices that don't support smbv3?

Unless there are active security issues with smbv2, it is probably a better choice for a default minimum.

3 Likes

That's a great question. This could be a possibility, and a reason to maintain at least SMB2 compatibility, whilst still keeping a conscious security decision to allow less if it's required by specific users.

2 Likes

I believe we’ve also had cases in the past where old NAS devices required v1.

Yep. This is going to happen. But too, with the recent changes to how smb.conf is managed, it will no longer clobber the changes forcing it, but will provide a .pacsave on changes instead, the proper way. So people that consciously change this to their needs will not have to fix it manually every time this gets changed. :slight_smile:

I'll take your word for it, as I gave up on Samba ages ago and far prefer to use NFS. :wink:

4 Likes

Good point. However, v1 is so fundamentally insecure that it shouldn’t be allowed by default. I believe it is disabled by default upstream as well.

4 Likes

Yes, upstream, Samba has disabled SMB1/NT1 by default, which is why that smb.conf would have to be enabling it manually, like it is here. So, I will put in an MR later today about this. :slight_smile: At least reverting to the default of SMB2.

4 Likes