Allow a SMB configuration to avoid SMB1 connections #243

Open
jnagler opened this issue Jan 17, 2024 · 0 comments
Labels
0. Needs triage enhancement New feature or request

jnagler commented Jan 17, 2024

Is your feature request related to a problem? Please describe.
The issue/problem and its analysis were the following: I am authenticating against a Samba server (run by Synology DSM) via SMB, which I had updated (from 6.2 to 7.2) and for which I have now switched off SMB1. On this server I have a log notification running to report more than a certain number of SMB actions per second, to determine any brute-force login attempts or excessive file changes (such as by ransomware). This notification was now bothering me about many unsuccessful SMB1 requests and I wanted to get rid of them. The reason for the SMB1 connects is this app using smbclient -L, and I mimicked the command to see what's happening:

# smbclient -L //127.0.0.1/dummy -U jni // the password I provided on the console
...
        Sharename       Type      Comment
        ---------       ----      -------
        home       Disk
        ...
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
cli_cm_open returned NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Further on, I found on https://wiki.ubuntuusers.de/Samba_Client_smbclient/ that from Samba 4.7.0 / Bionic Beaver, smbclient tries to do the connection with SMB3 and shares will be shown (successful command execution), but if the server is not supporting SMB1, the workgroup browsing is no longer possible. I searched for a way to avoid smbclient doing the SMB1 reconnect. Unfortunately, there does not seem to be another way than using -L to check the login without establishing an interactive client connection. And there is no parameter to say the server listing should skip the workgroup listing.

Describe the solution you'd like
But I found that one can pass --option='client min protocol=SMB2' to smbclient, and this then results in no SMB1 reconnect attempt and an "SMB1 disabled -- no workgroup available" output with the exit code 0. If this could somehow be added to SMB.php as an option, that would be great. For now I will keep it as a local patch.

Describe alternatives you've considered
The client min protocol option could also be set up in the Samba server configuration, but on the one hand, on a Synology DSM it's not so easy to make this permanent and it may be overruled by an update. On the other hand, others may still rely on smbclient reconnecting with SMB1. If anybody knows a different method instead of smbclient -L to check the credentials, that would also be a good change, as actually asking for the /dummy share and getting the full list of shares of the server is not needed at all.

Additional context
See my currently only hard-coded change nextcloud-user_external-no-SMB1-reconnect.patch. This may become an option, e.g., a 2nd parameter in the config which will overrule the const SMBCLIENT.

@jnagler jnagler added 0. Needs triage enhancement New feature or request labels Jan 17, 2024
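
The login check described in this issue, with the protocol floor as a parameter and a classifier for the SMB1 reconnect lines, as an added example that is not part of the issue, its attached patch, or user_external's SMB.php. The function names, the SMBCLIENT override and the use of a credentials file via smbclient's -A option (instead of -U as in the issue) are assumptions; the sample outputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example; function names and the SMBCLIENT override are hypothetical.

# True when the output contains the SMB1 reconnect lines quoted in the issue.
smb1_fallback_seen() {
    case $1 in
        *'Reconnecting with SMB1 for workgroup listing'*|*smbXcli_negprot_smb1_done*)
            return 0 ;;
    esac
    return 1
}

# Classify smbclient -L output: ok | ok-smb1-attempted | logon-failure | error
smb_classify() {
    case $1 in
        *NT_STATUS_LOGON_FAILURE*) echo logon-failure ;;
        *Sharename*)
            # Shares were listed, so the login worked; flag a later SMB1 attempt.
            if smb1_fallback_seen "$1"; then echo ok-smb1-attempted; else echo ok; fi ;;
        *) echo error ;;
    esac
}

# $1 host, $2 credentials file for -A (assumption), $3 protocol floor (default SMB2).
smb_login_check() {
    out=$("${SMBCLIENT:-smbclient}" -L "//$1/dummy" -A "$2" \
        --option="client min protocol=${3:-SMB2}" 2>&1) || true
    smb_classify "$out"
}

# Constructed sample outputs, built from the lines quoted in the issue.
SAMPLE_FALLBACK='        Sharename       Type      Comment
        home       Disk
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Unable to connect with SMB1 -- no workgroup available'
SAMPLE_MIN_SMB2='        Sharename       Type      Comment
        home       Disk
SMB1 disabled -- no workgroup available'
SAMPLE_BAD_LOGIN='session setup failed: NT_STATUS_LOGON_FAILURE'

# Demo: classify each sample without contacting any server.
for s in "$SAMPLE_FALLBACK" "$SAMPLE_MIN_SMB2" "$SAMPLE_BAD_LOGIN"; do
    smb_classify "$s"
done
```

The classifier reads only the output text, so a monitoring script can use `ok-smb1-attempted` to find clients that still trigger SMB1 negotiation against a server where SMB1 is switched off.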