Bug 44643 - Allow configuration of SMB "min protocol" via UCR
Allow configuration of SMB "min protocol" via UCR
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 normal
: UCS 4.2-0-errata
Assigned To: Felix Botner
Arvid Requate
Depends on: 44591 44644
Blocks: 44646
Reported: 2017-05-22 12:52 CEST by Felix Botner
Modified: 2017-06-15 17:58 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017051321000422, 2017051721000059
Bug group (optional): External feedback, Security
Max CVSS v3 score:
Description Felix Botner univentionstaff 2017-05-22 12:52:58 CEST
+++ This bug was initially created as a clone of Bug #44591 +++

In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.

MS17-010: https://technet.microsoft.com/en-US/library/security/ms17-010.aspx
CVE-2017-0145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1. AFAIK this can be achieved by setting:

min protocol = SMB2
Comment 1 Felix Botner univentionstaff 2017-05-22 13:16:18 CEST
added samba/min/protocol univention-samba4 r79487
Comment 2 Felix Botner univentionstaff 2017-05-22 14:55:43 CEST
added samba/client/max/protocol and samba/client/min/protocol

univention-samba4.yaml r79507
univention-samba4 r79506
Comment 3 Arvid Requate univentionstaff 2017-05-22 20:37:32 CEST
Ok works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):

ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2
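The mismatch the advisory note warns about (server min protocol raised while the client max protocol stays at NT1) can be checked mechanically from the effective configuration, e.g. the output of testparm -s. The checker below is an added example and not part of UCS, univention-samba4 or this report; it assumes the smb.conf(5) dialect ordering and the Samba-4.5-era defaults (server min protocol LANMAN1, client max protocol NT1), and the sample config is constructed.

```python
"""Flag a Samba [global] section whose "server min protocol" is newer than
its "client max protocol", i.e. a server that its own client tools and
winbind could no longer negotiate with."""

# Dialect names in negotiation order, oldest first (smb.conf(5)).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# The generic names resolve to the newest dialect of that generation.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}


def dialect_rank(name):
    """Position of a dialect in DIALECTS; ValueError for unknown names."""
    name = name.strip().upper()
    return DIALECTS.index(ALIASES.get(name, name))


def parse_global(conf_text):
    """Return the key/value pairs of the [global] section of an smb.conf
    or testparm -s dump; keys are normalised to lower case, single spaces."""
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_protocols(conf_text, server_min_default="LANMAN1",
                    client_max_default="NT1"):
    """Return (consistent, server_min, client_max) for a config text.
    "min protocol" is the legacy synonym of "server min protocol"."""
    g = parse_global(conf_text)
    server_min = g.get("server min protocol",
                       g.get("min protocol", server_min_default)).upper()
    client_max = g.get("client max protocol", client_max_default).upper()
    consistent = dialect_rank(client_max) >= dialect_rank(server_min)
    return consistent, server_min, client_max


# Constructed sample: only the server side was raised, as in "ucr set
# samba/min/protocol=smb2" without samba/client/max/protocol.
SAMPLE_CONF = "[global]\n\tworkgroup = EXAMPLE\n\tmin protocol = smb2\n"

if __name__ == "__main__":
    print(check_protocols(SAMPLE_CONF))  # (False, 'SMB2', 'NT1')
```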
Comment 4 Mathieu Simon 2017-05-22 21:29:44 CEST
Hi Felix and Arvid

Thank you for the integration.

In addition I've re-read in smb.conf(5) that usually one should not need to raise the "client min protocol" version: "Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol."

This seems to be followed by at least 2 NAS appliance systems which I have cross-checked: Qnap's current QTS 4.3 (using Samba 4.4.9 on the particular model) and FreeNAS 9.10.2-U3 (Samba 4.5.5). 

Both management UIs offer an option to raise the minimal protocol version but samba-tool testparm -v eventually reveals they "only" raise the server min version.
Comment 5 Janek Walkenhorst univentionstaff 2017-06-15 17:58:18 CEST