posted by Fnord666 on Tuesday July 09 2019, @08:19PM
from the about-time dept.

Years late to the SMB1-killing party, Samba finally dumps the unsafe file-sharing protocol version by default:

Samba says its next release will switch off previously on-by-default support for the aging and easily subverted SMB1 protocol. It can be reenabled for those truly desperate to use the godforsaken deprecated protocol version.

The open-source SMB toolkit's developers say the Samba 4.11 build, currently in preview, will by default set SMB2_02 as the earliest supported version of the Windows file-sharing protocol.

"This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default)," the 4.11 release notes read.

"It also means client tools like smbclient and others, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default)."

Admins will still have the option to allow SMB1 on their servers if they so choose, but support will be turned off by default.

The move by Samba to drop SMB1 can be seen as long overdue, given that Microsoft has been moving to get rid of the file-server protocol version from its operating systems for several years now, even before it was revealed to be one of the NSA's favorite weak points to exploit.

Do any Soylentils have any systems that will be affected by this? How hard is it for you to upgrade?
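One way to check whether a given smb.conf would still permit SMB1 under the old and new defaults. This is an added example, not code from Samba or the quoted article. The function name `audit_min_protocol` and the sample config are constructed for illustration; the script reads only the `[global]` section and does not follow `include` directives.

```python
import re

# Dialect names accepted by smb.conf's protocol settings, grouped by era.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SMB2_PLUS = {"SMB2", "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
             "SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"}
# Names match ignoring case/whitespace; "min protocol" = "server min protocol".
PARAMS = {"serverminprotocol": "server", "minprotocol": "server",
          "clientminprotocol": "client"}

def audit_min_protocol(conf_text, samba_version):
    """Return {side: (status, value)}; value is None when the default applies."""
    configured, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        side = PARAMS.get(re.sub(r"\s+", "", name).lower())
        if side:
            configured[side] = value.strip().upper()   # a later setting overrides
    report = {}
    for side in ("server", "client"):
        value = configured.get(side)
        if value is None:   # unset: SMB1 was on by default before Samba 4.11
            status = "smb1-allowed" if tuple(samba_version) < (4, 11) else "smb2-or-later"
        elif value in SMB1_DIALECTS:
            status = "smb1-allowed"
        else:
            status = "smb2-or-later" if value in SMB2_PLUS else "unrecognized"
        report[side] = (status, value)
    return report

# Constructed sample config, not taken from any real system.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; legacy scanner needs SMB1
   Server Min Protocol = NT1
[scans]
   path = /srv/scans
"""
```

Calling `audit_min_protocol(SAMPLE, (4, 11))` shows the server side explicitly re-enabling SMB1 while the client side follows the 4.11 default.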


  • (Score: 3, Informative) by nobu_the_bard on Tuesday July 09 2019, @09:32PM (3 children)


    I have a bunch of ancient multifunction printers that can only use SMB1 for scan-to-folder. It's a serious bother.

    I couldn't get the users to use scan-to-email; it was set up via an SMTP proxy specifically set up to accept these ancient things' mails but send to other mail systems more securely, but the users refused to change their patterns without hand-holding and I didn't have the time to retrain everyone at every site.

    A few of the printers got replaced this year though, maybe I get lucky and the rest get replaced too. Perhaps I should borrow my friends' ice axe...

  • (Score: 5, Interesting) by zocalo on Tuesday July 09 2019, @10:00PM (1 child)

    You already considered an SMTP proxy, so why not an SMBv1 proxy? Use IPTables to only allow connections between the printers, the proxy, and wherever you have network share(s), which will presumably be accessed over a protocol that's more secure than SMBv1, plus SSH for admin. Drop/log everything else and you're done, unless you want to put the whole lot on its own VLAN as well for good measure. Either map the main network share to the proxy and re-share it with Samba over SMBv1, or copy the files over via other means.

    Personally though, I'd probably have a strange outbreak of printer failures beset the office. So many creative ways to let the magic smoke out...
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 2) by nobu_the_bard on Wednesday July 10 2019, @12:28PM


      That's an interesting idea, but actually part of the reason to use the SMTP proxy was I already had it from another project (so it was a major time savings).

      Still good thinking, I can't believe that SMB proxy didn't occur to me.

  • (Score: 2) by PartTimeZombie on Tuesday July 09 2019, @11:16PM


    I am lucky enough to have a brutal network security guy who turned off scan to folder for exactly this reason a few months ago.

    No discussion. If you don't like it, take it up with my manager.

    I am pretty sure his manager issued the order.