ezhik, posted May 30, 2017:

> 5 minutes ago, wgstarks said:
> What about on the server (unRAID) side? Any changes I need to make there?

You can apply the following:

Minimum:

    min protocol = SMB2

Optimal:

    guest ok = no
    null passwords = no
    lanman auth = no
    restrict anonymous = 2
    encrypt passwords = yes
    server signing = mandatory
    ntlm auth = no
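An added example, not code from this thread, from Unraid or from Samba: a small Python audit that parses an smb.conf fragment of the kind pasted into Unraid's "Samba extra configuration", folds repeated [global] headers into one section, and reports which of the settings listed in the post above are missing or set to a weaker value. The configuration inside it is constructed for the demonstration (modelled on fragments that appear later in the thread), and the synonym folding of "min protocol" onto "server min protocol" follows the smb.conf manual; `testparm` remains the authoritative check of what Samba actually loads.

```python
"""Audit an smb.conf fragment for SMB1-era settings (added example).

Not code from the forum thread, Unraid or Samba.  It merges any repeated
[global] headers into a single section (later values win) and checks the
result against the server settings recommended in the post above.
Parameter names are normalised the way Samba treats them: case and
internal whitespace are ignored, and "min protocol" is folded onto
"server min protocol", its documented synonym.
"""
import re
from typing import Dict, List, Optional

# Hardened values from the post: parameter -> required value.
RECOMMENDED: Dict[str, str] = {
    "server min protocol": "SMB2",
    "guest ok": "no",
    "null passwords": "no",
    "lanman auth": "no",
    "restrict anonymous": "2",
    "encrypt passwords": "yes",
    "server signing": "mandatory",
    "ntlm auth": "no",
}

# Synonyms folded onto one canonical name before comparison.
SYNONYMS = {
    "min protocol": "server min protocol",
    "max protocol": "server max protocol",
    "protocol": "server max protocol",
}


def normalise_key(key: str) -> str:
    """Lower-case, collapse whitespace, then resolve known synonyms."""
    key = " ".join(key.lower().split())
    return SYNONYMS.get(key, key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse "[section]" / "key = value" lines; repeated sections merge."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})     # second [global] reuses the dict
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")      # first "=" splits name/value
        sections[current][normalise_key(key)] = value.strip()
    return sections


def audit_global(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per recommended setting that is absent or differs."""
    g = sections.get("global", {})
    findings: List[str] = []
    for key, want in RECOMMENDED.items():
        have = g.get(key)
        if have is None:
            findings.append(f"{key}: not set, Samba default applies (want {want})")
        elif have.lower() != want.lower():
            findings.append(f"{key}: {have} (want {want})")
    return findings


def consolidate(sections: Dict[str, Dict[str, str]]) -> str:
    """Render the parsed config with each section header exactly once."""
    out: List[str] = []
    for name, params in sections.items():
        out.append(f"[{name}]")
        out.extend(f"    {k} = {v}" for k, v in params.items())
        out.append("")
    return "\n".join(out).rstrip() + "\n"


# Constructed sample: three separate [global] headers and only the
# minimum hardening applied, so every other recommendation is reported.
SAMPLE_CONF = """
[global]
    domain master = yes
    preferred master = yes
    os level = 255
    veto files = /._*/.DS_Store/
[global]
    syslog only = No
    log level = 0 vfs:0
#ezhik changes start
[global]
    min protocol = SMB2
#ezhik changes end
"""

if __name__ == "__main__":
    parsed = parse_smb_conf(SAMPLE_CONF)
    print(consolidate(parsed))
    for finding in audit_global(parsed):
        print("WEAK:", finding)
```

Run it against a real file with `python3 audit.py < /etc/samba/smb.conf` after swapping SAMPLE_CONF for `sys.stdin.read()`; the consolidated output is what you would paste back, and every WEAK line is a setting that still leaves an SMB1 or LANMAN path open.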
zoggy, posted May 30, 2017:

> 16 hours ago, ezhik said:
> Good call. So I checked it out and LibreELEC 8.x uses SAMBA 3.6.25 (yes outdated), which is limited to SMB2 on a max protocol level. So all you need to do is define min and max to be the same version - smb2. Can you give it a shot?
> You'd have to create it in the user's .smb/smb.conf file. For example if your user is kodi it would be in: /home/kodi/.smb/smb.conf
>
>     [global]
>     client min protocol = SMB2
>     client max protocol = SMB2
>
> PS. I tested it on a full blown linux distro -> ubuntu 16.04 with actual kodi (from the official xbmc repo). Cheers.

http://forum.kodi.tv/showthread.php?tid=314350&pid=2590709#pid2590709

> See PR:12110. NT1 is the Samba default client max protocol. There is nothing you can configure in your server that will change default Kodi NT1 behaviour. You only need to add "client max protocol = SMB3" in the smb.conf used by Kodi and Samba will begin negotiating connections starting with SMB3 instead of NT1. However you need at least Samba 4.1.0 on the client in order for SMB2/SMB3 protocols to be supported. Setting "client min protocol" is known to cause compatibility issues so don't specify it. Also, Kodi is the client not the server so there's no point specifying server settings in the client smb.conf.

Pretty much only LE9 w/ Kodi 18a1 are able to do this.. everyone else has to wait for the PR and an updated release.
ezhik, posted May 30, 2017 (edited):

> 3 hours ago, zoggy said:
> http://forum.kodi.tv/showthread.php?tid=314350&pid=2590709#pid2590709
> See PR:12110. NT1 is the Samba default client max protocol. There is nothing you can configure in your server that will change default Kodi NT1 behaviour. You only need to add "client max protocol = SMB3" in the smb.conf used by Kodi and Samba will begin negotiating connections starting with SMB3 instead of NT1. However you need at least Samba 4.1.0 on the client in order for SMB2/SMB3 protocols to be supported. Setting "client min protocol" is known to cause compatibility issues so don't specify it. Also, Kodi is the client not the server so there's no point specifying server settings in the client smb.conf.
> Pretty much only LE9 w/ Kodi 18a1 are able to do this.. everyone else has to wait for the PR and an updated release.

According to the samba documentation, smb2 is supported by the version LE8 is shipped with, which is SAMBA 3.6.25. So defining min and max to be the same protocol on the client side should work. In your ~/.smb/smb.conf:

    [global]
    client min protocol = SMB2
    client max protocol = SMB2
wgstarks, posted May 31, 2017:

> 22 hours ago, ezhik said:
> Good call. So I checked it out and LibreELEC 8.x uses SAMBA 3.6.25 (yes outdated), which is limited to SMB2 on a max protocol level. So all you need to do is define min and max to be the same version - smb2. Can you give it a shot? [...]

Did a little testing as requested. Basically just testing to see if my Chromebox running LE8 could connect to the server.

This does work when set on the client:

    [global]
    client min protocol = SMB2
    client max protocol = SMB2

Full smb.conf settings:

    [global]
    preferred master = no
    local master = no
    domain master = no
    client lanman auth = yes
    lanman auth = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
    lock directory = /storage/.smb/
    name resolve order = bcast host
    #ezhik changes start
    [global]
    client min protocol = SMB2
    client max protocol = SMB2
    #ezhik changes end

This breaks connectivity when set on the server:

    [global]
    min protocol = SMB2

Had to delete it to be able to connect.
ezhik, posted May 31, 2017:

> 34 minutes ago, wgstarks said:
> Did a little testing as requested. Basically just testing to see if my Chromebox running LE8 could connect to the server. This does work when set on the client [...] This breaks connectivity when set on the server [...] Had to delete it to be able to connect.

I think I see where the problem is. In your ~/.smb/smb.conf keep only the following and remove the rest:

    [global]
    client min protocol = SMB2
    client max protocol = SMB2

(Obviously make a backup of the smb.conf to smb.conf.bak.)
wgstarks, posted May 31, 2017:

> 2 minutes ago, ezhik said:
> I think I see where the problem is. In your ~/.smb/smb.conf keep only the following and remove the rest:
>
>     [global]
>     client min protocol = SMB2
>     client max protocol = SMB2
>
> (Obviously make a backup of the smb.conf to smb.conf.bak.)

Not sure what you're wanting to accomplish? Those two settings are already working.
ezhik, posted May 31, 2017 (edited):

If you set on the server (Settings -> SMB -> Samba extra configuration):

    min protocol = SMB2

Click Apply. Try to open a share with LE8. ssh to your unraid host and run "smbstatus". You should get a response like:

    Samba version 4.5.10
    PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
    ----------------------------------------------------------------------------------------------------------------------------------------
    12019   kodi         users        10.10.172.5 (ipv4:10.10.172.5:40130)      SMB3_00           -                    HMAC-SHA256

Except in your case it would be SMB2_00.
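As an added example that is not part of this thread, Unraid or Samba: the check above reads the Protocol Version and Signing columns by eye; the Python below does the same for every open session, parsing the session table in the layout smbstatus prints and returning the sessions a hardened server should not be accepting, namely anything still negotiated as NT1 (SMB1) and anything without signing. The smbstatus output it works on is constructed for the demonstration (three sessions, two of which violate the policy).

```python
"""Flag SMB1 and unsigned sessions in smbstatus output (added example).

Not code from the thread, Unraid or Samba.  It parses the session table
that "smbstatus" prints (the layout shown in the post above) and returns
the sessions a hardened server should not be accepting: anything still
negotiated as NT1 (SMB1) and anything without signing.  Only the session
table is read; the share and locked-file tables are ignored.
"""
import re
from dataclasses import dataclass
from typing import List

# One session row: pid, user, group, machine (may contain spaces and
# parentheses, hence the lazy match), protocol dialect, encryption, signing.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<machine>.+?)\s+"
    r"(?P<protocol>NT1|SMB\d_\d\d)\s+(?P<encryption>\S+)\s+(?P<signing>\S+)\s*$"
)


@dataclass
class Session:
    pid: int
    user: str
    machine: str
    protocol: str
    encryption: str
    signing: str


def parse_smbstatus(text: str) -> List[Session]:
    """Return one Session per row of the session table; other lines are skipped."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sessions.append(Session(int(m["pid"]), m["user"], m["machine"],
                                    m["protocol"], m["encryption"], m["signing"]))
    return sessions


def weak_sessions(sessions: List[Session]) -> List[str]:
    """Return a reason string for every session that violates the policy."""
    findings: List[str] = []
    for s in sessions:
        if s.protocol == "NT1":
            findings.append(f"pid {s.pid} {s.user}@{s.machine}: SMB1 (NT1) negotiated")
        elif s.signing == "-":          # smbstatus prints "-" when unsigned
            findings.append(f"pid {s.pid} {s.user}@{s.machine}: {s.protocol} without signing")
    return findings


# Constructed sample in the layout smbstatus 4.5 prints.  The second row
# is the kind of session "min protocol = SMB2" is meant to refuse; the
# third is what "server signing = mandatory" is meant to refuse.
SAMPLE_SMBSTATUS = """\
Samba version 4.5.10
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
12019   kodi         users        10.10.172.5 (ipv4:10.10.172.5:40130)      SMB3_00           -                    HMAC-SHA256
12044   media        users        10.10.172.9 (ipv4:10.10.172.9:49152)      NT1               -                    -
12051   backup       users        10.10.172.12 (ipv4:10.10.172.12:50001)    SMB2_10           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------

No locked files
"""

if __name__ == "__main__":
    for finding in weak_sessions(parse_smbstatus(SAMPLE_SMBSTATUS)):
        print("ALERT:", finding)
```

Because smbstatus only lists sessions that are open at that moment, run this from cron or a watch loop while clients are actually browsing shares, or the table will be empty and nothing will be reported.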
wgstarks, posted May 31, 2017:

> 10 minutes ago, ezhik said:
> ssh to your unraid host and run "smbstatus".

    root@Brunnhilde:~# smbstatus
    Samba version 4.5.10
    PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
    ----------------------------------------------------------------------------------------------------------------------------------------

    Service      pid     Machine       Connected at                     Encryption   Signing
    ---------------------------------------------------------------------------------------------

    No locked files

Don't think that worked.

Client smb.conf:

    #[global]
    # preferred master = no
    # local master = no
    # domain master = no
    # client lanman auth = yes
    # lanman auth = yes
    # socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
    # lock directory = /storage/.smb/
    # name resolve order = bcast host
    #ezhik changes start
    [global]
    client min protocol = SMB2
    client max protocol = SMB2
    #ezhik changes end

Server smb.conf:

    #smb local master configuration
    [global]
    domain master = yes
    preferred master = yes
    os level = 255
    #smb local master configuration end
    #exclude_Apple_DS_files_start
    veto files = /._*/.DS_Store/
    #exclude_Apple_DS_files_end
    #vfs_recycle_start
    #Recycle bin configuration
    [global]
    syslog only = No
    log level = 0 vfs:0
    #vfs_recycle_end
    #ezhik changes start
    [global]
    min protocol = SMB2
    #ezhik changes end
ezhik, posted May 31, 2017:

> 21 minutes ago, wgstarks said:
> root@Brunnhilde:~# smbstatus [...] No locked files
> Don't think that worked. [...]

Too many [global] definitions, try to consolidate it into one:

    #smb local master configuration
    [global]
    domain master = yes
    preferred master = yes
    os level = 255
    #smb local master configuration end
    #exclude_Apple_DS_files_start
    veto files = /._*/.DS_Store/
    #exclude_Apple_DS_files_end
    #vfs_recycle_start
    #Recycle bin configuration
    syslog only = No
    log level = 0 vfs:0
    #vfs_recycle_end
    #ezhik changes start
    min protocol = SMB2
    #ezhik changes end
ezhik, posted May 31, 2017 (edited):

smbstatus will only display open streams. Try to access a share with LE8 after applying the changes.
wgstarks, posted May 31, 2017:

> 10 minutes ago, ezhik said:
> Too many [global] definitions, try to consolidate it into one: [...]

Didn't make any difference. Failed to connect to server after the reboot.
limetech, posted May 31, 2017:

Guys, please correct me if wrong... why are you doing any of this? The "wannacry" vulnerability affects Windows only, and Microsoft has released a patch quite a while ago now. If all your Win machines are up-to-date, why do you need to disable SMBv1 protocol at all?
wgstarks, posted May 31, 2017:

> 10 hours ago, limetech said:
> Guys, please correct me if wrong... why are you doing any of this? The "wannacry" vulnerability affects Windows only, and M$ has released a patch quite a while ago now. If all your Win machines are up-to-date, why do you need to disable SMBv1 protocol at all?

Actually, I live in a Windows Free Exclusion Zone. Not really worried about wannacry. Just doing some compatibility testing with the changes proposed by @ezhik. Looks like there are probably many systems that would be negatively affected by disabling SMBv1.
CHBMB, posted May 31, 2017:

> Guys, please correct me if wrong... why are you doing any of this? The "wannacry" vulnerability affects Windows only, and Microsoft has released a patch quite a while ago now. If all your Win machines are up-to-date, why do you need to disable SMBv1 protocol at all?

I was wondering this as well, but figured I'd missed something as I haven't really been following the wannacry stuff.
limetech, posted May 31, 2017:

> On 5/29/2017 at 7:21 PM, ezhik said:
> You can apply the following:
> Minimum:
>
>     min protocol = SMB2
>
> Optimal:
>
>     guest ok = no
>     null passwords = no
>     lanman auth = no
>     restrict anonymous = 2
>     encrypt passwords = yes
>     server signing = mandatory
>     ntlm auth = no

I want to caution anyone reading this topic that changes on the unRAID side for the "WannaCry" malware are not necessary, and adding random stuff in "Samba extra configuration" could break unRAID SMB share services.
ezhik, posted June 1, 2017:

> 7 hours ago, limetech said:
> I want to caution anyone reading this topic that changes on the unRAID side for the "WannaCry" malware are not necessary, and adding random stuff in "Samba extra configuration" could break unRAID SMB share services.

I wouldn't call this random stuff, I would however say that a bit more security should be enforced.
limetech, posted June 1, 2017:

> 50 minutes ago, ezhik said:
> I wouldn't call this random stuff, I would however say that a bit more security should be enforced.

If you feel that current smb settings should include something different, please open a Feature Request or Defect Report.
ezhik, posted June 1, 2017:

> 21 hours ago, limetech said:
> If you feel that current smb settings should include something different, please open a Feature Request or Defect Report.

Will do over the weekend. I can get you a full nessus assessment as well.
limetech, posted June 1, 2017:

> 15 minutes ago, ezhik said:
> I can get you a full nessus assessment as well.

Absolutely. If you see anything really egregious please send me a direct email: [email protected]
NAS, posted June 2, 2017:

FWIW the default inclusion of pre-SMBv2 "anything" is going to fail nessus and PCI, that is a given.
zoggy, posted June 4, 2017 (edited):

> On 5/30/2017 at 8:24 PM, ezhik said:
> If you set on the server (Settings -> SMB -> Samba extra configuration): min protocol = SMB2. Click Apply. Try to open a share with LE8. ssh to your unraid host and run "smbstatus". You should get a response like: [...] Except in your case it would be SMB2_00.

https://forum.kodi.tv/showthread.php?tid=314350&pid=2586814#pid2586814

> kodi on linux uses a much newer samba version, which is why you get SMB3 support. The version we use for android doesn't support it. And before you ask: samba >= 4.1 which first introduced smb2/3 client support also changed to a new build system, which makes it almost impossible to cross compile for all our platforms.

Then next post:

> LE8.0.1 is built with Samba 3.6.25 so doesn't include client support for SMB2/SMB3 - you'll need a recent LE9 test build for that (currently Samba 4.6.3).

Can confirm this by looking at: https://libreelec.tv/2017/05/libreelec-krypton-v8-0-2-mr/

> Samba announced CVE-2017-7494 as we were about to release 8.0.2 and due to the serious vulnerability rating we postponed release to investigate. LibreELEC uses Samba 3.6.25 which is in the range of affected versions, but after Samba source code review (thanks @seo) we believe we are not vulnerable as we compile Samba without printer support, and this disables the vulnerable code path.

https://wiki.samba.org/index.php/Samba3/SMB2#Introduction

> SMB 2.1 was introduced with Windows 7/Windows 2008R2. Basic support for SMB 2.1 was added in Samba 4.0.0.
> SMB 3 (previously known as SMB2.2 dialect) was introduced with Windows 8 and Windows Server 2012. SMB3 dialect defines the following features: [...] Basic support for SMB3 is included in Samba 4.0.0 and later.

-- so anyways it's being addressed on kodi's end in a future PR, https://github.com/xbmc/xbmc/pull/12110
ezhik, posted June 4, 2017:

> 1 hour ago, zoggy said:
> https://forum.kodi.tv/showthread.php?tid=314350&pid=2586814#pid2586814
> kodi on linux uses a much newer samba version, which is why you get SMB3 support. [...] LE8.0.1 is built with Samba 3.6.25 so doesn't include client support for SMB2/SMB3 - you'll need a recent LE9 test build for that (currently Samba 4.6.3). [...]
> -- so anyways it's being addressed on kodi's end in a future PR, https://github.com/xbmc/xbmc/pull/12110

SMB2 support was introduced in 3.6.0: https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#SMB2_support
NAS, posted June 23, 2017:

I would like to suggest that we make the disabling of what we are calling SMBv1 via the GUI as a checkbox. This way we can inform the users of the downsides, why it should happen and the rarer cases where it shouldn't. We do need to debate what the default should be. At some point SMBv2+ should be the default but I do not think that day has come yet. Regardless, this should be a point and click skill-free exercise for users and not a lengthy forum read should they happen upon it.
bonienl, posted June 23, 2017:

> 1 minute ago, NAS said:
> I would like to suggest that we make the disabling of what we are calling SMBv1 via the GUI as a checkbox. This way we can inform the users of the downsides, why it should happen and the rarer cases where it shouldn't. We do need to debate what the default should be. At some point SMBv2+ should be the default but I do not think that day has come yet. Regardless, this should be a point and click skill-free exercise for users and not a lengthy forum read should they happen upon it.

I suggest you write a feature request for this, so it won't get lost/buried.
NAS, posted June 23, 2017:

Will do once we debate it out here first.... unless I nailed it on first try?

Also: http://www.theregister.co.uk/2017/06/22/latest_windows_10_build_kills_exploited_smb1/