disable smb1 by default

Bug #1697817 reported by Seth Arnold on 2017-06-14
This bug affects 5 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)

Bug Description


Ned Pyle from the SMB team at Microsoft would very much like us to disable SMBv1 in Samba by default:


It'd be nice to make this change early enough that 18.04 LTS does not ship with SMB1 support enabled by default.


Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
tags: added: samba
Andreas Hasenack (ahasenack) wrote :

List of protocols from the smb.conf(5) manpage. Looks like "NT1" is SMB1:

       client max protocol (G)

           The value of the parameter (a string) is the highest protocol level that will be supported by the client.

           Possible values are :

           · CORE: Earliest version. No concept of user names.

           · COREPLUS: Slight improvements on CORE for efficiency.

           · LANMAN1: First modern version of the protocol. Long filename support.

           · LANMAN2: Updates to Lanman1 protocol.

           · NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.

           · SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.

               · SMB2_02: The earliest SMB2 version.

               · SMB2_10: Windows 7 SMB2 version.

               · SMB2_22: Early Windows 8 SMB2 version.

               · SMB2_24: Windows 8 beta SMB2 version.

           By default SMB2 selects the SMB2_10 variant.

           · SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.

               · SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)

               · SMB3_02: Windows 8.1 SMB3 version.

               · SMB3_10: early Windows 10 technical preview SMB3 version.

               · SMB3_11: Windows 10 technical preview SMB3 version (maybe final).

Changed in samba (Ubuntu):
status: Confirmed → Triaged
tags: added: server-next
Andreas Hasenack (ahasenack) wrote :

This will require some discussion and thought about the implications. I created a trello card in the ubuntu server board trying to scope these out: https://trello.com/c/P73Okl8z

Might need a spec of its own.

Tyler Hicks (tyhicks) wrote :

I think this is the option that you want to use to restrict the server to a minimum protocol version:


To fix this bug, the value would need to be "SMB2".

Morbius1 (morbius1) wrote :

Just a side note, folks, but there are two SMBv1s involved here and both are mentioned in this bug report.

There's the server part ( server min protocol ).

But there is also a samba client part ( client min / max protocol ) and that's where the fun starts.

Nautilus uses gvfs which uses libsmbclient to "discover" samba servers on the network. The client max protocol is set to NT1 ( SMB1 ) for a reason. Set "client max protocol = SMB3" or "client min protocol = SMB2" and that discovery is broken. You can still access a host by name but you have to know its name.

You can verify that yourselves by using the command smbtree. Run it and you will get a list of your hosts and their shares. Change the client min or max values to something other than NT1 and smbtree results in nothing.

On 19.06.2017 at 15:47, Andreas Hasenack wrote:
> https://lists.ubuntu.com/archives/ubuntu-devel/2017-June/039820.html

You should use "SMB2_02" instead of "SMB2" to also include
that. "SMB2" is an alias for "SMB2_10".

Also remember that old linux clients may also have problems
connecting to an SMB2 only server.


Andreas Hasenack (ahasenack) wrote :

We are closely watching upstream as they move away from SMB1 by default.

tags: removed: server-next
Changed in samba (Ubuntu):
importance: Undecided → Wishlist
Julian Alarcon (alarconj) wrote :


Adding information to this bug, latest kernel release, 4.13, disabled by default SMBv1:

This is related to SAMBA but still there is work needed.

The change in question is simply changing the default cifs behavior:
instead of defaulting to SMB 1.0 (which you really should not use:
just google for "stop using SMB1" or similar), the default cifs mount
now defaults to a rather more modern SMB 3.0.

Now, because you shouldn't have been using SMB1 anyway, this shouldn't
affect anybody. But guess what? It almost certainly does affect some
people, because they blithely continued using SMB1 without really
thinking about it.

And you certainly _can_ continue to use SMB1, but due to the default
change, now you need to be *aware* of it. You may need to add an
explicit "vers=1.0" to your mount options in /etc/fstab or similar if
you *really* want SMB1.

But if the new default of 3.0 doesn't work (because you still use a
pterodactyl as a windshield wiper), before you go all the way back to
the bad old days and use that "vers=1.0", you might want to try
"vers=2.1". Because let's face it, SMB1 is just bad, bad, bad.

Julian Alarcon (alarconj) wrote :

Adding more info, next future SAMBA version 4.7 will increase the SMB "client max protocol" to SMB3_11 to be able to connect to servers with SMB1 disabled, "client min protocol" is still SMB1.


The default for "client max protocol" has changed to "SMB3_11",
which means that smbclient (and related commands) will work against
servers without SMB1 support.

It's possible to use the '-m/--max-protocol' option to overwrite
the "client max protocol" option temporary.

Note that the '-e/--encrypt' option also works with most SMB3 servers
(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
are not required for encryption.

The change to SMB3_11 as default also means smbclient no longer
negotiates SMB1 unix extensions by default, when talking to a Samba server with
"unix extensions = yes". As a result some commands are not available, e.g.
posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.

Note the default ("CORE") for "client min protocol" hasn't changed,
so it's still possible to connect to SMB1-only servers by default.
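
An added example, not part of the bug report or of Samba's own code: a small auditor for the protocol settings discussed in this thread. It parses the [global] section of an smb.conf, resolves the aliases ("SMB2" selects SMB2_10), and reports for server and client whether SMB1 is still in range. The defaults table assumes a Samba older than 4.7, the "SMB3" mapping is a lower-bound assumption, and the function names and sample config are constructed.

```python
import re

# Ascending protocol levels, from the smb.conf(5) list quoted in this thread.
LEVELS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
          "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
          "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
NT1 = LEVELS.index("NT1")
# "SMB2" selects SMB2_10 (man page and thread). "SMB3" -> SMB3_00 is an
# assumption: a lower bound, which is enough to decide whether SMB1 is in range.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_00"}
# Assumed defaults for a Samba older than 4.7. The client values follow the
# thread; the server values are not stated on the page and are assumptions.
DEFAULTS = {"serverminprotocol": "LANMAN1", "servermaxprotocol": "SMB3",
            "clientminprotocol": "CORE", "clientmaxprotocol": "NT1"}
# Synonyms documented in smb.conf(5) for the server-side parameters.
SYNONYMS = {"minprotocol": "serverminprotocol",
            "maxprotocol": "servermaxprotocol", "protocol": "servermaxprotocol"}

def rank(value):
    """Position of a protocol name in LEVELS; ValueError if it is unknown."""
    name = value.strip().upper()
    return LEVELS.index(ALIASES.get(name, name))

def global_params(text):
    """Collect [global] parameters; names ignore case and whitespace."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            params[SYNONYMS.get(key, key)] = value.strip()
    return params

def audit(text, defaults=DEFAULTS):
    """Per side: the effective range, and whether SMB1 is allowed or the only option."""
    params, report = {**defaults, **global_params(text)}, {}
    for side in ("server", "client"):
        lo, hi = (rank(params[side + p]) for p in ("minprotocol", "maxprotocol"))
        report[side] = {"min": LEVELS[lo], "max": LEVELS[hi],
                        "smb1_allowed": lo <= NT1, "smb1_only": hi <= NT1}
    return report

# Constructed sample: the setting first proposed in the thread.
SAMPLE = "[global]\n  workgroup = EXAMPLE\n  Server Min Protocol = SMB2\n[data]\n  path = /srv/data\n"
```

With the sample, the server side reports a minimum of SMB2_10, which excludes SMB2_02 clients as noted in the thread, while the client side still reports SMB1 as both allowed and the only protocol in range.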

This report contains Public Security information
Everyone can see this security related information.