Bug #40716

Disable SMB1 by default

Added by John Hixson over 1 year ago. Updated over 1 year ago.

Status: Done
Priority: No priority
Assignee: John Hixson
Category: OS
Target version:
Seen in:
Severity: Medium
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

To this day FreeNAS 11.1 U5 still allows SMB1 by default.

Because of the change to the UI, removing the Min/Max SMB version options, SMB1 is most likely enabled on the majority of FreeNAS systems out there.

Before the change, I had set a min of SMB2 and a max of SMB3, which is a sane default in this day and age.
After the change, it reverted my settings back to the FreeNAS defaults, which seems to be a min of SMB1 and a max of SMB3. I fixed that with an aux param of "min protocol = SMB2".

I propose that the setting be upgraded for security reasons to include "min protocol = SMB2" as a default.
If someone has to support legacy clients, they can set "min protocol = NT1" in aux params themselves, at least until samba removes SMB1 support, which they may eventually do.

Supporting archaic versions of Windows and samba is something FreeNAS, at least by default, should no longer do.


Related issues

Copied from FreeNAS - Bug #34762: Disable SMB1 by default (Done)

Associated revisions

Revision 731bc541 (diff)
Added by John Hixson over 1 year ago

Turn off SMB1 Ticket: #34762 (cherry picked from commit 23ef1d2fe8c733b74c98a26eb39f1a2c5d48b205) (11.1-stable) Ticket: #40716

Revision f1231523 (diff)
Added by John Hixson over 1 year ago

Disable UNIX extensions when SMB >= 2 Ticket: #34762 (cherry picked from commit 42f764b2f485efa104faf8a75aecbc182b280323) (11.1-stable) Ticket: #40716

History

#1 Updated by John Hixson over 1 year ago

  • Copied from Bug #34762: Disable SMB1 by default added

#2 Updated by John Hixson over 1 year ago

#3 Updated by Dru Lavigne over 1 year ago

  • Status changed from Unscreened to In Progress
  • Needs QA changed from No to Yes
  • Needs Merging changed from No to Yes

#4 Updated by Dru Lavigne over 1 year ago

  • Status changed from In Progress to Ready for Testing
  • Needs Merging changed from Yes to No

#5 Updated by Bonnie Follweiler over 1 year ago

23920

Test Passed in FreeNAS-11.1-U6-INTERNAL1

#6 Updated by Dru Lavigne over 1 year ago

  • Status changed from Passed Testing to Done

#8 Updated by Roland A over 1 year ago

  • Seen in changed from 11.1-U5 to 11.1-U6

This seems to have worked well, yesterday I upgraded to 11.1-U6 and one of my use cases does not work anymore (Android App "SyncMe Wireless" tells me "unsupported negotiate dialect").

I wanted to troubleshoot this issue to see whether it still uses SMB1 to send files to a SMB share, so I tried the workaround proposed by John and added "server min protocol = SMB1" as an aux param.

This however results in a duplicate min param and SMB is not starting anymore:

# grep min smb4.conf
server min protocol = SMB2
server min protocol = SMB1
#

Is there any other workaround to re-enable SMB1?
I understand that replying here on a closed Bug is probably not the best approach, but it seemed to be the best first try.

#9 Updated by Sergey Pisarev over 1 year ago

The value of the parameter "min protocol", to support legacy clients, must be "NT1"
server min protocol = NT1

#10 Updated by John Hixson over 1 year ago

Roland A wrote:

This seems to have worked well, yesterday I upgraded to 11.1-U6 and one of my use cases does not work anymore (Android App "SyncMe Wireless" tells me "unsupported negotiate dialect").

I wanted to troubleshoot this issue to see whether it still uses SMB1 to send files to a SMB share, so I tried the workaround proposed by John and added "server min protocol = SMB1" as an aux param.

This however results in a duplicate min param and SMB is not starting anymore:

# grep min smb4.conf
server min protocol = SMB2
server min protocol = SMB1
#

Is there any other workaround to re-enable SMB1?
I understand that replying here on a closed Bug is probably not the best approach, but it seemed to be the best first try.

I don't recommend setting this in aux parameters. I'd be really surprised if your android app doesn't support SMB2. However, if you must support SMB1, you can do this from the command line:

sysctl freenas.services.smb.config.server_min_protocol=NT1

Restart SMB after doing this. If it works for you, you can set this permanently in the UI in the tunables section.

#11 Updated by Roland A over 1 year ago

John Hixson wrote:

Restart SMB after doing this. If it works for you, you can set this permanently in the UI in the tunables section.

I can confirm that the workaround works for me. Setting this tunable via sysctl and restarting the SMB service changed the config accordingly:

# grep proto smb4.conf
server min protocol = NT1
server max protocol = SMB3
#

Also after setting the tunable manually, it persists after a reboot.

Thanks for your help. (PS: Yes indeed, this Android App seems to be limited to SMB1 according to the dev. He does not plan to update the app for whatever reasons: https://plus.google.com/104929593084095169065/posts/aXDaeoRcdNC )
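
An added example (not part of the ticket and not FreeNAS code): a small Python audit for the text of a generated smb4.conf that lists every minimum-protocol line in [global] and flags the two states this thread runs into, a duplicated setting and a value that admits SMB1. The function name, the finding tags and the sample configs are assumptions constructed from the grep output quoted above.

```python
import re

# Dialect names that belong to the SMB1 family in smb.conf protocol options.
SMB1_FAMILY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "min protocol" is a synonym of "server min protocol".
MIN_KEYS = {"server min protocol", "min protocol"}

def audit_min_protocol(conf_text):
    """Return (occurrences, findings) for the [global] minimum-protocol setting."""
    section, occurrences = None, []       # occurrences: (line number, value)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if " ".join(key.lower().split()) in MIN_KEYS:
            occurrences.append((lineno, value.strip()))
    findings = []
    if not occurrences:
        findings.append("unset")          # Samba's built-in default applies
    if len(occurrences) > 1:
        findings.append("duplicate")      # the state shown in comment #8
    for _, value in occurrences:
        v = value.upper()
        if v.startswith(("SMB2", "SMB3")):
            continue                      # SMB2 or later: nothing to report
        # Anything else is either an SMB1-family dialect or a name this
        # checker does not know (the thread's "SMB1"; comment #9 says NT1).
        tag = "smb1-allowed" if v in SMB1_FAMILY else "unrecognized-value"
        if tag not in findings:
            findings.append(tag)
    return occurrences, findings

# Constructed samples modelled on the grep output quoted in the thread.
DUPLICATE = "[global]\nserver min protocol = SMB2\nserver min protocol = SMB1\n"
LEGACY = "[global]\nserver min protocol = NT1\nserver max protocol = SMB3\n"
HARDENED = "[global]\nserver min protocol = SMB2\nserver max protocol = SMB3\n"

if __name__ == "__main__":
    for name, conf in [("duplicate", DUPLICATE), ("legacy", LEGACY), ("hardened", HARDENED)]:
        print(name, *audit_min_protocol(conf))
```

Running it on the config after changing the tunable and restarting SMB shows whether the legacy setting is in effect and whether an aux parameter has left a second, conflicting line behind.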

#12 Updated by Cpu Roast over 1 year ago

  • Description updated (diff)

#13 Updated by Justin Clift over 1 year ago

Ugh. Changing supported protocol versions in a minor update release? And no "Big Red Warning" in the release notes so people have a heads up.

:( :( :(

People, changes to supported protocols are fine in major updates, or at least with due warning.

For people with headless systems though, this change is not great. <-- understatement

:(

#14 Updated by Florian Sesser over 1 year ago

What Justin said. This is a breaking change. Shouldn't be in a minor update. This cost me almost half a day until I figured out what was going on.

#15 Updated by Justin Clift over 1 year ago

As a data point, it turns out info is published about update stuff in a weird "library" subsection area of the iX Blog:

https://www.ixsystems.com/blog/library/freenas-11-1-u6/

Not that you'd find it from the main Blog page, but that's a different issue that probably needs work. ;)

Personally, I reckon the info would optimally be best placed on the "Upgrade Available!" type of screen in the FreeNAS dialog itself. Not sure if anyone's created a ticket for that yet.
