ClearFoundation Tracker - ClearOS
View Issue Details
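ID: 0021581
Project: ClearOS
Category: app-samba - Windows Networking
View Status: public
Date Submitted: 2018-09-25 10:01
Last Update: 2018-10-24 17:58
Reporter: NickH
Assigned To: user2
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 7.5.0 Updates
Fixed in Version: 7.5.0 Updates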
0021581: Remove SMB1 from the samba configuration
Since the release of samba 4.7.1-9.v7, it is no longer necessary to force the SMB1 protocol for Win10 machines to join a domain. This obsoletes the webconfig entry "Windows 10 Domain Logons". This entry sets "server max protocol = NT1" in smb.conf.

Taking it one stage further, NT1 or SMB1 is considered to be a security risk by Microsoft and others (it was leveraged by the WannaCry ransomware). We could disable SMB1 completely by setting "min protocol = SMB2" either forcibly (not sure) or by replacing "Windows 10 Domain Logons" with another item "Enable SMB1", which should be disabled by default on new installations.

The reason you may not be able to disable it globally with an update is that it *may* disable ‘Network Neighborhood’ browsing, although this is now disabled by default in new installations of Win10 1803 update.
No tags attached.
Issue History
2018-09-25 10:01  NickH  New Issue
2018-09-25 10:11  NickH  Severity: trivial => tweak
2018-09-25 10:11  NickH  Product Version => 7.5.0 Updates
2018-09-25 12:00  user2  Assigned To => user2
2018-09-25 12:00  user2  Status: new => confirmed
2018-09-25 15:00  NickH  Note Added: 0008021
2018-10-23 12:47  dloper  Note Added: 0008271
2018-10-23 13:16  user2  Status: confirmed => resolved
2018-10-23 13:16  user2  Fixed in Version => 7.5.0 Updates
2018-10-23 13:16  user2  Resolution: open => fixed
2018-10-24 17:58  user2  Status: resolved => closed

Notes
(0008021) NickH, 2018-09-25 15:00
Simplified and for ClearOS7 only:
Remove the Webconfig Windows Networking "Windows 10 Domain Logons" menu entry, and, if it exists, remove the "server max protocol = NT1" from smb.conf

Add a Webconfig entry "SMB1 Protocol" which should have Enabled and Disabled values. In existing installations, do nothing in smb.conf and the Webconfig should read Enabled. In new installations in smb.conf set "min protocol = SMB2" which should show as Disabled in the Webconfig.

I would love independent testing that this works but I've tested both parts of it. I have posted to the forum and replied to every Win10 domain ticket we have asking for verification.

(0008271) dloper, 2018-10-23 12:47
Could leave it and simply change the text to be:

Enable Legacy SMB1 protocol.

Default set to no. No change if set to SMB1
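
The mapping between smb.conf and the proposed "SMB1 Protocol" Webconfig state discussed in this ticket can be checked with a short script. This is an added example, not ClearOS or Webconfig code: the function names are hypothetical, the sample files are constructed, and the fallback values (min protocol LANMAN1, max protocol SMB3 when unset) are assumptions about the Samba build in use, passed as parameters.

```python
import re

# Samba dialect names in ascending order; SMB2 and SMB3 are aliases.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10",
         "SMB2_22", "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# smb.conf synonyms (whitespace removed, lowercased) mapped to one key each.
CANON = {"minprotocol": "min", "serverminprotocol": "min",
         "maxprotocol": "max", "servermaxprotocol": "max", "protocol": "max"}


def rank(dialect):
    name = dialect.strip().upper()
    return ORDER.index(ALIASES.get(name, name))  # ValueError if unknown


def global_params(conf_text):
    """Return [global] parameters; names are case- and space-insensitive."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = re.sub(r"\s+", "", header.group(1)).lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            params[CANON.get(key, key)] = value.strip()  # last setting wins
    return params


def smb1_state(conf_text, default_min="LANMAN1", default_max="SMB3"):
    """Return (webconfig_state, findings) for the proposed SMB1 toggle."""
    params = global_params(conf_text)
    lo = params.get("min", default_min)
    hi = params.get("max", default_max)
    findings = []
    if rank(hi) <= rank("NT1"):
        findings.append("max protocol capped at %s: SMB2+ unavailable" % hi)
    if rank(lo) <= rank("NT1"):
        findings.append("min protocol %s still permits SMB1" % lo)
    return ("Enabled" if rank(lo) <= rank("NT1") else "Disabled"), findings


# Constructed sample files, not taken from a real ClearOS system.
LEGACY = "[global]\n  workgroup = EXAMPLE\n  server max protocol = NT1\n"
FRESH = "[global]\n  workgroup = EXAMPLE\n  min protocol = SMB2\n"
```

Running `smb1_state` over the `[global]` section of an existing installation shows whether the old "Windows 10 Domain Logons" setting is still capping the server at NT1 and whether SMB1 is still negotiable.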