Monday, 19 June 2017

RFC: disabling the SMB1 protocol in our samba stack (client, server) (#1697817)


We had a bug [1] filed against Ubuntu as part of a larger campaign [2] to disable the old, vulnerable, deprecated SMB1 protocol in the Samba stack.

I asked upstream [3] for their opinion on changing the default protocol level.

In terms of an actual change, it's just a pair of independent configuration settings in smb.conf (if upstream doesn't change the defaults): one for client, one for server. That part is simple. The repercussions need to be thought through, however. We can split them into server and desktop (client):

Server:
 * old clients (like Windows XP, and Windows <= 2003) won't be able to connect to the Samba server anymore. This will certainly include some appliances like TVs, old videogame consoles, old music players, media stations, and others

Desktop (client):
 * network browsing will be affected
 * Ubuntu won't be able to connect to old Samba/Windows servers that only support SMB1. Again, not only classic servers, but think old home NAS servers

If you want to experiment with what your network would look like if this is implemented, these are the changes to /etc/samba/smb.conf:

  client min protocol = SMB2


  server min protocol = SMB2

Change one or both, depending on what you want to test. Maybe as a first step we could change only the server setting, so that Ubuntu, when acting as a client (desktop), can still see and interact with old SMB1 servers.

This email is to get a feel for what people think about this change, and to collect tasks that need to be done to implement this big change. I'm collecting these tasks in a Trello card [4] for now, and, moving forward, this will likely become a spec document.
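
An added example, not part of the original email: a Python check that reads the [global] section of an smb.conf and reports whether the client and server minimum-protocol settings discussed above still permit SMB1. The sample configuration is constructed, and reporting an unset or unrecognised minimum as SMB1-permitting is an assumption based on the email's premise that the current defaults allow SMB1.

```python
import re

# Samba protocol names, oldest first; everything before SMB2 is SMB1-era.
LEVELS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
          "SMB2", "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
          "SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
SMB2_FLOOR = LEVELS.index("SMB2")
# smb.conf ignores case and whitespace in parameter names;
# "min protocol" is a synonym for "server min protocol".
PARAMS = {"clientminprotocol": "client", "serverminprotocol": "server",
          "minprotocol": "server"}

# Constructed sample: only the server-side minimum has been raised.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Server Min Protocol = smb2
; client min protocol = SMB2
[share]
   path = /srv/share
"""


def audit_smb_conf(text):
    """Return {'client': (value, allows_smb1), 'server': (...)} from [global]."""
    found = {"client": None, "server": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        side = PARAMS.get(re.sub(r"\s+", "", name).lower())
        if side:
            found[side] = value.strip().upper()
    result = {}
    for side, value in found.items():
        # Assumption: an unset or unrecognised minimum is reported as SMB1-permitting.
        smb1 = value not in LEVELS or LEVELS.index(value) < SMB2_FLOOR
        result[side] = (value, smb1)
    return result

if __name__ == "__main__":
    for side, (value, smb1) in audit_smb_conf(SAMPLE).items():
        print(f"{side}: min={value or 'unset'} smb1_allowed={smb1}")
```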