SMB why was Min/Max removed from smb services?

Snow · Feb 2, 2019

Are we trying to make it harder to configure SMB? FN as it sits is hard enough for newcomers to configure why are we making it harder? I do not know why this was removed from Smb's Config setting in FN. I understand you can add a tunable or a Aux to config, not sure why we are heading backwards not forwards ?

m0nkey_ · Feb 3, 2019

SMB2 became the default in FreeNAS because of security reasons, as a result the option to adjust the minimum protocol was removed.

https://redmine.ixsystems.com/issues/40716

seanm · Feb 3, 2019

That seems strange. What if you want SMB3 to be your minimum supported version?

Snow · Feb 3, 2019

Also If you have devices that need SMB1 or other versions it just seems like it was some thing that was used.

seanm · Feb 4, 2019

I'm happy they removed SMB1 from the UI, it's been inadvisable for years:

https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

If people are relying on something so ancient, they can use an ancient FreeNAS too.

Snow · Feb 4, 2019

Yeah problem is if you have a devices that use it then you need it. Not like your going go out and buy all new device. On the home side its not that big of a deal but when you start to talk Business size. That can become Counterproductive. Thats backwards thinking thats like removing support for blue tooth Because you got the next latest greatest thing. Yes I will Agree it is ancient but removing a highly used option for backwards compaitbilty is just silly. Also I do not think they removed it, just removed the option from the ui.

Sent from Galaxy S9 Plus

seanm · Feb 4, 2019

Yeah, I understand that. Removing it from the UI only is a good compromise. It prevents people from accidentally enabling an insecure and ancient protocol, while still allowing an advanced technique to enable it for those that need it.

SMB2 was added in Vista in 2006. People that need to support 13 year old clients can also choose to stay on old versions of FreeNAS.

Remember, it's not just because SMB1 is merely old, but it's because it's insecure.

anodos · Feb 4, 2019

We're adding a checkbox under Services->SMB "enable SMB1 support" to make this easier. I don't think there's typically much reason to lower the max protocol (since clients will auto-negotiate what they need). Otherwise you can add auxiliary parameters to fine-tune as needed.

seanm · Feb 4, 2019

anodos, how about increasing the min protocol though? ex: I want to disable SMB1 and SMB2 and allow only SMB3.

anodos · Feb 4, 2019

seanm said:
anodos, how about increasing the min protocol though? ex: I want to disable SMB1 and SMB2 and allow only SMB3.

Set the auxiliary parameter "server min protocol = SMB3_00" under services->smb

seanm · Feb 4, 2019

anodos said:
Set the auxiliary parameter "server min protocol = SMB3_00" under services->smb

Sorry, I meant in the GUI.

One day SMB2 will be like SMB1 today: defeated, insecure, and obsolete. How will we disable it then (in the GUI)?

Even today, all my users are running either Win 10, macOS 10.13+, or Ubuntu 18.04+. It'd be nice to reduce my attack surface (and testing burden) by supporting only the newest protocol.

Having a 'minimum protocol version' popup menu sounds good to me, especially as it was apparently there before.

Snow · Feb 4, 2019

anodos said:
We're adding a checkbox under Services->SMB "enable SMB1 support" to make this easier. I don't think there's typically much reason to lower the max protocol (since clients will auto-negotiate what they need). Otherwise you can add auxiliary parameters to fine-tune as needed.

Oh good to know. Maybe a good idea to add a SMB3+ button for peolpe that like to only have SMB3/4. But that kinda sounds like the Min/Max thing again lol. Anodos a Question for you. You may or may not know it is off topic but in advanced tunables can you only use bits for seting like max.arc and kmem setings or can you use 70000M Or 30G ?

anodos · Feb 4, 2019

seanm said:
Sorry, I meant in the GUI.

One day SMB2 will be like SMB1 today: defeated, insecure, and obsolete. How will we disable it then (in the GUI)?

That is a UI option. There is an advanced field "auxiliary parameter". There are about 470 configurable parameters in samba, we have to be selective about what options we present. I don't anticipate the same sorts of problems with SMB2 that there have been with SMB1. There is no SMB4.

seanm · Feb 4, 2019

Ah, my bad, when I see things like "server min protocol = SMB3_00", I think CLI, not GUI.

Snow · Feb 4, 2019

I was taking about the future in regards to SMB4

Important Announcement for the TrueNAS Community.

SMB why was Min/Max removed from smb services?

Snow

Patron

m0nkey_

MVP

seanm

Guru

Snow

Patron

seanm

Guru

Snow

Patron

seanm

Guru

anodos

Sambassador

seanm

Guru

anodos

Sambassador

seanm

Guru

Snow

Patron

anodos

Sambassador

seanm

Guru

Snow

Patron

Similar threads