Univention Bugzilla – Bug 44617
Samba: Want samba/min/protocol
Last modified: 2017-08-10 15:47:59 CEST
There has been a samba/max/protocol option since UCS 3.2, but there is no equivalent minimal version option that can be set as of 4.1-4. Even Microsoft recommends abandoning old SMB1 due to numerous (but not only) security improvements in later protocol versions. (https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)

Not in all environments with i.e. special-purpose printing/scanning appliances is it possible to enforce a minimum higher than Samba's default LANMAN1. Maybe an updated default should be discussed for new setups, like the "SMB2_02" option as future minimal version. SMB2_02 is the oldest SMB2 dialect supported by Samba 4.5/4.6, which is the dialect introduced by Windows Vista more than 10 years ago.

A possible fix could be (as verified in 4.1-4, latest errata as of writing):

--- a/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc +++ b/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc @@ -26,6 +26,9 @@ if configRegistry.get('samba4/service/smb', 'smbd') in ('smbd', 's3fs'): print '\tstore dos attributes = %s' % configRegistry.get('samba/store_dos_attributes', 'yes') + if configRegistry.get('samba/min/protocol'): + print '\tmax protocol = %s' % configRegistry.get('samba/min/protocol') + if configRegistry.get('samba/max/protocol'): print '\tmax protocol = %s' % configRegistry.get('samba/max/protocol') --- a/univention/registry.info/variables/univention-samba4.cfg +++ b/univention/registry.info/variables/univention-samba4.cfg 
@@ -330,6 +330,12 @@ Type=bool Categories=service-samba ReadOnly=yes +[samba/min/protocol] +Description[de]=Diese Variable konfiguriert die älteste Protokollversion, welche dieser SMB-Server unterstützt (gültige Werte sind in "man smb.conf" dokumentiert). Ist die Variable nicht gesetzt, so gilt der Standardwert, der in der Manual-Seite zu smb.conf dokumentiert ist. +Description[en]=This variable configures the highest protocol level that will be supported by this SMB server (valid values may be found in "man smb.conf"). If the variable is not set, the default given in the smb.conf manual page applies. +Type=str +Categories=service-samba + 

Looking forward to feedback and a possible inclusion in an upcoming version and/or errata.
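Review bot: In the 61univention-samba_misc hunk, the new samba/min/protocol branch prints '\tmax protocol = %s', so the minimum is never written to smb.conf. With both variables set, the fragment ends up with two max protocol lines and no min protocol line, which leaves the server at its default minimum while the variable looks configured. Change the printed key to min protocol. The value is also printed without any check; comparing it against the dialect names listed in man smb.conf before printing would catch a mistyped setting.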
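Review bot: In the univention-samba4.cfg hunk, Description[en] for [samba/min/protocol] says "the highest protocol level", which contradicts both the variable name and Description[de] ("die älteste Protokollversion"). Change the English text to "the lowest protocol level" so an administrator reading the variable description does not set it to the newest dialect by mistake.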
(In reply to Mathieu Simon from comment #0) > --- a/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc > +++ b/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc > @@ -26,6 +26,9 @@ if configRegistry.get('samba4/service/smb', 'smbd') in > ('smbd', 's3fs'): > > print '\tstore dos attributes = %s' % > configRegistry.get('samba/store_dos_attributes', 'yes') > > + if configRegistry.get('samba/min/protocol'): > + print '\tmax protocol = %s' % > configRegistry.get('samba/min/protocol') > + > if configRegistry.get('samba/max/protocol'): > print '\tmax protocol = %s' % > configRegistry.get('samba/max/protocol') The patch contains a typo → s/max protocol/min protocol/
*** This bug has been marked as a duplicate of bug 44591 ***
Created attachment 8853
Patch 1: Re-cleaned so it can be applied, adds minimal protocol version
Created attachment 8854
Patch 2: Switch to samba/server/max/protocol so client minimal versions can be added

Even though the bug has been marked as a duplicate, here is a second patch that switches to the syntax of server max/min protocol, since min protocol is a synonym anyway according to the smb.conf manpage. This allows adding client minimum/maximum protocol version support if wanted.

Best regards
Mathieu
<http://errata.software-univention.de/ucs/4.2/19.html>
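A check for the setting this report asks for, as an added example that is not part of the report or of Univention's code: it reads the [global] section of an smb.conf text and reports whether the effective server minimum is at least SMB2_02. The function names are hypothetical, the LANMAN1 default is the one named in the report, and it assumes that a repeated parameter keeps its last value.

```python
import re

# Dialect names from the smb.conf(5) protocol parameters, oldest first.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # per smb.conf(5)
# "min protocol" is a synonym of "server min protocol" (see the last comment).
SYNONYMS = {"min protocol": "server min protocol",
            "max protocol": "server max protocol"}
ASSUMED_DEFAULT_MIN = "LANMAN1"  # default named in the bug report


def global_params(conf_text):
    """Return the [global] parameters; a repeated key keeps its last value."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            params[SYNONYMS.get(key, key)] = value.strip()
    return params


def check_min_protocol(conf_text, required="SMB2_02"):
    """Return (ok, effective_min, explicitly_set) for the server side."""
    params = global_params(conf_text)
    explicit = "server min protocol" in params
    value = params.get("server min protocol", ASSUMED_DEFAULT_MIN).upper()
    value = ALIASES.get(value, value)
    if value not in DIALECTS:
        return (False, value, explicit)  # unknown value: needs manual review
    return (DIALECTS.index(value) >= DIALECTS.index(required), value, explicit)


# Constructed samples: [global] as rendered with the typo and with the fix,
# for samba/min/protocol=SMB2_02 and samba/max/protocol=SMB3_11.
TYPO = "[global]\n\tmax protocol = SMB2_02\n\tmax protocol = SMB3_11\n"
FIXED = "[global]\n\tmin protocol = SMB2_02\n\tmax protocol = SMB3_11\n"

if __name__ == "__main__":
    for name, text in (("typo", TYPO), ("fixed", FIXED)):
        print(name, check_min_protocol(text))
```

Run against the output of `testparm -s` rather than the raw file to see the values Samba actually loaded, includes resolved.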