Forums

Good morning,

Due to the latest security news I have disabled SMB 1 on my NAS. Now my boxes can't reach the NAS through CIFS anymore. I have (temporary) enabled SMB1 again, but would it be possible to disable SMB1 and still let them connect (using SMB2)? If so how can I arrange this?

You need to specify the version in the mount options, did you that?

user=username,pass=password,vers=2.1

If that doesn't work, it might be the old version in OpenPLi 4 doesn't support it yet. I've tested the current develop version, and that works fine with SMB version 2.1, so the problem will be addressed soon.

And most NAS systems support NFS, so you could switch to that. It will be faster than CIFS as well.

I am sure the NAS supports NFS (Synology DS212+ with the DSM firmware released yesterday), but If I select this the option for username and a password disappears in menu->instellingen->systeem->mountbeheer->mountpoints beheer (as there is in CIFS). So changing this from CIFS to NFS means I can no longer reach the destination as it doesn't have credentials to access the NAS (I have a seperate user on the NAS for the Mutants, so they can't reach any other directories then movie directories).

To the best of my knowledge that one is solved in yesterdays update DSM 6.1.1-15101 Update 4 (CVE-2017-7494).

https://www.synology...easeNote/FS3017

I have installed that version indeed, but would like to switch of SMB 1 all together on my NAS (it is currently only needed for my OpenPLi STB, as all my computers run new operating systems which all can use SMB 2 or higher). If I can make my mounts work without SMB 1 it is best to switch SMB 1 off so this is a protocol (and therefore a security risk) less. So either I have to get NFS working, or delay switching off SMB 1 when OpenPLi 5 is released (which I have done now for the time being).

I assume you tried to add "vers=2.1" to the mount options on the box? Otherwise the box will try SMB1, and fail.

My Synology has SMB1 disabled (minumum protocol SMB2), but I don't have an OpenPLi 4 handy to test at the moment.

I will wait for 5, it has worked for years like this and as 5 is almost out I will test it immediately with that one.

Ps. Could it be an idea in OpenPLi 5 to be able to set the to use SMB version in menu->instellingen->systeem->Netwerk->mountbeheer->mountpoints beheer or just in network settings? This way more users can find it and switch to the newer (more secure) version. Might even be better to make SMB2 the default (as I think almost all user based hardware used now does support it).

If changing to default is preferred (in light of the security volnurabilities lately in 1) and you would like to do it also in 4 let me know, then I will test

Ps. If I need to test it, I assume I have to adjust /etc/enigma2/automounts.xml

What should te value than be in <options>rw</options>, should it be replaced by <options>rw,vers=2.1</options>?

Correct.

If you edit the xml directly, make sure you stop enigma first using "init 4".

I have made the change and it works perfectly on OpenPLi 4.

What about my idea to be able to set the version in configuration (so more people can find it) and even change the default to SMB2.1 (as almost all hardware now being used can use at least 2 but 3 is also out already).

Even Microsoft asks everyone to stop using it https://blogs.techne...top-using-smb1/

Ps. One last question, my NAS also supports SMB3. What version is running on OpenPLi4 (and 5)? I read that samba 3 is included in Sambo 4.0.0 and later, so if PLi has version 4 or later I will test vers=3.02 also (https://wiki.samba.o...php/Samba3/SMB2 and https://wiki.samba.o...inuxCIFSKernel)

OpenEmbedded uses the cifs kernel driver, which is not related to Samba.

Just try, you will know soon enough if it works or not. Adding it as a default in the config of the automounter should be possible. Adding it as default in the driver is above my paygrade, but perhaps it is already patched in OpenEmbedded.

Something else. I have the harddisk (\\192.168.1.201\Harddisk) mounted in Windows 10 explorer.

In Windows 10 you can disable SMB1.0 (see screenprint), but when I do this the mount isn't available anymore. I have enabled the option again and now the mount does work again. So it seems the box can only be mounted using SMB1. Is there a possibility to use SMB2 here also (or is this possible in the coming OpenPLi 5)?

Next version will use samba 4.4.5 (at the moment), the current OpenPLi uses an outdated version of Samba 3.

I have been playing around a little with the settings. To my NAS vers=3.02 does work (unfortunately vers=3.11 or vers=3.1.1 doesn't, but I think it is not yet supported in the current samba version although the release notes state it does from version 4.3 onwards https://www.samba.or...mba-4.3.0.html)

However if I try to use vers=2.0 or higher from the one HD2400 to the other it doesn't work. Both run RC6 with kernel 4.10.12 so I would expect them to also be able to communicate with the newer versions. Any idea why it doesn't?

I assume that would depend on the CIFS kernel drivers used, i.e. on the kernel version. 

The mount between my 2 HD2400's does work. But when I would like a newer SMB version (2 or 3) using vers=xxx it doesn't work. So only SMB1 can be used (while 2 and 3 have performance improvements).

As I run Linux kernel 4.10.12 and RC6 has Samba 4.4.5 (or maybe higher) I would expect to be able to use a higher SMB version on the mount between the 2 recievers.

I also have a NAS and the mount to the NAS works using SMB 2 or 3. So it seems that the Samba server in OpenPLi doesn't accept SMB2/3 connections (by default)

That's sounds strange here (Synology DS215+) I can set SMB range and it is set between smb1 (I use it internally so don't use a VPN) and smb3 and everything works fine?

@Dream1975 why did you added the installation of NFS server to the Wiki Mountmanager page?  To the best of my knowledge that one isn't needed as the nfs-utils provides a daemon for kernel nfs server and related tools, as NFS is in the kernel, as it is a file system (that was developed before the time of userspace file systems), but maybe @WanWizard can shed a light on it , I might be wrong

My Synology is set to use minimum SMB 2, but my mounts now work to my NAS with vers=3.02 so 3 is used

@Dream1975 why did you added the installation of NFS server to the Wiki Mountmanager page?  

As I want to stop all SMB1 traffic on my network (that's also why I don't allow it on my NAS anymore) I have now setup a NFS share between the 2 HD2400 boxes (as SMB vers=2/3 doesn't work). This was the last step to abandon SMB1 (I deinstalled it everywhere possible).

When configuring the NFS share it didn't work so I looked at the forum archive and found this and indeed after installing the NFSserver plugin it worked right away. So I added it to the wiki to prevent others needing to troubleshoot (the plugin might itself not be needed, but even so it did install the necessary dependencies for NFS support, therefore it doesn't hurt to mention it to get it working instead of getting frustrated it doesn't work)