13

For security reasons, I'd like to disable the SMB1 protocol in samba. Is it possible? I'm running Ubuntu 14.04 LTS.

Avio

5 Answers

9

My testing with Nessus has indicated SMBv1 is only disabled when setting

min protocol = SMB2

in the [global] section of smb.conf. Core, LANMAN2 and NT1 were all still flagged as being vulnerable.

  • 1
    Thanks, this helped. Just a note for others: the configuration file smb.conf is in /etc/samba/ on Ubuntu 12. – ConvexMartian Feb 10 '17 at 18:04
  • 4
    For future readers: This works for servers, as min protocol "is a synonym for server min protocol" (https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SERVERMINPROTOCOL). There is also client min protocol, which helps clients avoid SMB1 if the servers still support it. – Jan D May 30 '17 at 12:31
  • 1
    Don't forget to restart the service afterward:

    CentOS 7/RHEL 7/Fedora Linux: $ sudo systemctl restart smb.service

    Debian 8.x/Ubuntu 16.04 LTS Linux: $ sudo systemctl restart smbd.service

    – Jack Wire Jan 22 '18 at 08:31
  • I got the error Ignoring invalid value 'SMB2' for parameter 'min protocol'. I'm using Samba 3.4.9 – josircg Jun 14 '18 at 23:46
  • 1
    @josircg SMB2 was first supported in 3.6.0 – kbulgrien Aug 31 '18 at 20:08
6

I had to add this for it to work on my old Ubuntu 12 server; with either of min/max-combination SMBv1 is enabled but with both it works fine.

[global]
min protocol = SMB2
max protocol = SMB2
client min protocol = SMB2
client max protocol = SMB2
muru
  • 1
    This worked with "CentOS 6"; Windows no longer comes up with "You can't connect to the file share because it's not secure." – Neil Mar 27 '18 at 06:26
  • This also worked when trying to mount from OSX High Sierra. Just using min protocol wouldn't allow me to connect. – user545424 Apr 10 '18 at 17:51
2

While I'm not sure where SMB1 fits in (My guess is CORE), here is the order of protocols from "man smb.conf"

   max protocol (G)
       The value of the parameter (a string) is the highest protocol level that will be supported by the server.
       Possible values are :
       ·   CORE: Earliest version. No concept of user names.
       ·   COREPLUS: Slight improvements on CORE for efficiency.
       ·   LANMAN1: First modern version of the protocol. Long filename support.
       ·   LANMAN2: Updates to Lanman1 protocol.
       ·   NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
       ·   SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and newer.

   min protocol (G)
       The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the max
       protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C
       source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients.
       If you are viewing this parameter as a security measure, you should also refer to the lanman auth parameter. Otherwise, you
       should never need to change this parameter.
       Default: min protocol = CORE
       Example: min protocol = NT1
1

I think that I managed to disable SMB1 protocol with these two lines in the [global] section:

min protocol = LANMAN2
max protocol = SMB3

I'm still not completely sure about the order of protocols in Samba, but I'm quite confident that LANMAN2 is after SMB1.

Avio
1

I think what you are looking for in the smb.conf file is:

### 
server min protocol = SMB2_10
client min protocol = SMB2
client max protocol = SMB3
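
An added example, not part of any answer above: a small Python check that reads the [global] section of an smb.conf and reports whether the minimum protocol settings still leave an SMB1-era dialect negotiable, using the dialect order from the man page excerpt quoted earlier (CORE through NT1 all come before SMB2). The function names and the two sample configurations are constructed for illustration; the parser assumes a single file with no include directives or line continuations.

```python
import re

# SMB1-era dialects, oldest first, in the order listed by the smb.conf man page.
SMB1_DIALECTS = ("CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1")
# "min protocol" is documented as a synonym for "server min protocol".
SYNONYMS = {"minprotocol": "serverminprotocol", "maxprotocol": "servermaxprotocol"}
# Constructed sample inputs mirroring settings proposed in the answers.
WEAK = "[global]\nmin protocol = LANMAN2\nmax protocol = SMB3\n"
STRICT = "[global]\nmin protocol = SMB2\nclient min protocol = SMB2\n"


def global_params(conf_text):
    """Return {normalized_name: VALUE} for the [global] section; last value wins."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            key = re.sub(r"\s+", "", name).lower()
            params[SYNONYMS.get(key, key)] = value.strip().upper()
    return params


def audit_smb1(conf_text):
    """List findings for settings that leave SMB1-era dialects negotiable."""
    params = global_params(conf_text)
    findings = []
    for side in ("server", "client"):
        value = params.get(side + "minprotocol")
        if value is None:
            findings.append(f"{side} min protocol not set: depends on version default")
        elif value in SMB1_DIALECTS:
            findings.append(f"{side} min protocol = {value}: SMB1-era dialect allowed")
    return findings


if __name__ == "__main__":
    for label, conf in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(label, audit_smb1(conf) or "no SMB1-era minimum found")
```

An unset minimum is reported rather than assumed safe, because the default differs between Samba versions (the man page excerpt above shows CORE).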