
03fc35ss (Members, 22 posts)

Posts posted by 03fc35ss

  1. The following config is confirmed working with the test devices I have:

     

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    server signing = mandatory
    client NTLMv2 auth = yes
    restrict anonymous = 2
    null passwords = no
    raw NTLMv2 auth = no
    smb encrypt = required
    client signing = required
    client ipc signing = required
    client smb encrypt = required
    server smb encrypt = required

     

    Note that the line in my previous config:

    client protection = encrypt

     

    Breaks auth attempts. So it shouldn't be used.

     

     

    @dopeytree It sounds like your issue might be a bug in macOS Ventura. I don't have a macOS device running Ventura to test with, unfortunately. 

     

    I can confirm I can access file shares with the following devices and the below config:

    - macOS Monterey 

    - Windows 11

    - Windows 10 

    - iOS VLC (using a beta release)

    - Android VLC

     

    Also note that the syntax between releases of Samba has changed and 'mandatory' has become 'required' for some settings. 

  2. As expected, some of the syntax changed between versions of Samba (why would they do this for minor versions I have no idea...) 

    This is the current config I believe works. I'll do more testing at a later time to confirm it's all applied correctly. 

     

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = required
    server signing = mandatory
    client ipc signing = required
    client NTLMv2 auth = yes
    client protection = encrypt
    client smb encrypt = required
    server smb encrypt = required
    smb encrypt = required
    restrict anonymous = 2
    null passwords = No
    raw NTLMv2 auth = no

     

    • Thanks 1
  3. On 6/20/2023 at 6:22 PM, dopeytree said:

    Thanks used this to do the opposite and FORCE client & server signing to disabled. 

    Seems to have sped up transfers on mac.

     

     

    The purpose of this thread is to IMPROVE the security configuration. Not reduce it.  
    Enabling encryption and signing does cause a performance hit. 

     

    These mitigations/hardening options are meant for networks where there are potentially untrusted clients (corporate networks) not really for home network setups. 

     

    On 2/25/2023 at 12:14 AM, ericswpark said:

    After further testing, here's the config that worked for me:

     

    server min protocol = SMB3_02
    client ipc min protocol = SMB3_11

     

    So iOS/iPadOS devices running 16.3.1 seem to only support SMB as it was developed/implemented in Windows 8.1 days. (For reference: `SMB3_02` is Windows 8.1 implementation, while `SMB3_11` is Windows 10 (not 11).)

     

    The `client ipc min protocol` does not matter, so you can leave it on `SMB3_11` and it will not make a difference.

     

    This config works for both the built-in SMB provider in the Files app, and for the FE File Explorer Pro app. I can confirm even the latest stable release of iOS VLC works too on this config, which suggests to me that either the app was finally fixed or that iOS devices just don't support `SMB3_11` as a whole for the server minimum protocol.

     

    SMB3_11 is supported with the beta/Testflight versions of VLC (Currently using 3.4.7 (533)) on iOS. It's a bug I raised with them when I initially wrote this guide. Most 3rd party apps on android and iOS do not have support for a hardened version of SMB. I believe it's an app specific issue and not an OS one. 

     

    I'm in the process of building another tower. I see that Samba version is now 4.17.7 so I'll be updating the config options in line with https://www.samba.org/samba/docs/4.17/man-html/smb.conf.5.html as a reference. 

     

     

  4. Hopefully when 6.10 moves into stable it'll also be upgraded to include the patch. The announcement says 4.15.5 has the patch but 6.10.0rc2 is running version 4.15.0.

     

    As I understand it, this specifically affects devices that have enabled the vfs_fruit module. The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. The current workaround is to remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).

     

    Specifically for Unraid, it is my understanding that the "Enhanced macOS interoperability" setting in SMB settings as seen here should be disabled: [screenshot not included]

     

    As this setting is reflected by the offending vfs objects in the smb-shares.conf: 

    vfs objects = catia fruit streams_xattr

     

    I do not believe there is currently any PoC available so I can't test to confirm but I believe disabling the "Enhanced macOS interoperability" setting should mitigate this issue for now.

  5. I would like to change the array file system that is currently in place from xfs to xfs - encrypted. However, I already have data stored on the array. 

    The interface warns me that:

    Quote

    "Changing the file system type of a device will permit you to reformat that device using the new file system. Be aware that all existing data on the device will be lost."

     

    I assume that means that I cannot change the file system on the disks without either doing one disk at a time and then rebuilding parity, or re-building the array from scratch (likely a faster option with the amount of data I have). 

     

    Is there anything I can do to efficiently migrate the data from an unencrypted file system to an encrypted one?

  6. 3 hours ago, JorgeB said:

    new config wasn't properly done, repeat the procedure.

     

    Okay, so I did the following:

    1. Set all shares to use only Disks 1-5 (note 6 is not an option) 
    2. Screenshot of drive assignments
    3. Take array offline
    4. Tools -> New config
    5. Preserve current assignments -> All -> Yes I want to do this -> Apply
    6. Confirmed that drive assignments are still correct
    7. Confirmed that array devices is no longer listing disk 6 as 'missing'
    8. Started the array 

    This appears to have resolved my issue and the offending drive is no longer showing. I think I did not set all shares to use specific disks previously when attempting this. 

    The array is now re-building parity:

     

    [screenshot not included]

     

    Thank you! 

  7. Hi all,

    When building my array, I accidentally included a small 256G SSD as part of the array. Wanting to use it as a cache drive instead, I took the array off-line, unassigned the drive (Disk 6) and assigned the drive to be the cache device. I then went to tools, new config and preserved the current assignments.

     

    I then started the array again and ran a 'check'.

     

    As can be seen below, I am still seeing the missing drive in the array and there appears to be no way that I can find to remove it.

    [screenshot not included]

     

    I am still very new to unRAID so any pointers in how to fix this would be much appreciated.

     

    I'm running version 6.9.2. 

     

    Thanks!

  8. Hey @Frank1940

     

    I got it sorted out in the end after chatting with Tom, there are two issues. 

    1) The config has to be applied globally (fine with me, but potentially an issue for other users)

    2) The version of Samba that Unraid uses is not the latest, and the latest version has significantly different flags for the settings I wanted to apply. Thus those settings broke the config or otherwise didn't apply when I set them. 

     

    I wrote up a quick guide on how to best configure the hardening options for SMB (in my opinion):

  9. Hi folks, after spending a fair bit of time hardening my SMB configuration I figured I'd write a quick guide on what I consider the best settings for the security of an SMB server running on Unraid 6.9.2.

     

    First, before we get into SMB settings, you may also want to consider hardening the data while it is at rest by specifying an encrypted file-system type for your array (although this isn't a share specific option). 

    [screenshot not included]

     

    For SMB, first set the SMB settings available: 

    [screenshot not included]

     

     

    I've settled on the following block as what I consider to be a hardened SMB configuration for a standalone server that is not domain joined or using Kerberos authentication:

    [screenshot not included]

     

    # Spellings for the Samba 4.12 branch shipped with Unraid 6.9.2 ('mandatory');
    # the later configs in this thread use 'required' for newer Samba releases.
    # Floor every dialect at SMB 3.1.1, on the server side and on Samba's own IPC client side
    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    # Signing. The 'client ...' options govern Samba's own client side (smbclient,
    # winbind), not the Windows/macOS machines connecting to the shares.
    client signing = mandatory
    server signing = mandatory
    client ipc signing = mandatory
    client NTLMv2 auth = yes
    # 'smb encrypt' is a synonym for 'server smb encrypt': reject unencrypted sessions
    smb encrypt = required
    # No anonymous/null-session access (2 also blocks anonymous IPC$), no empty
    # passwords, and no raw (non-SPNEGO) NTLMv2 logons, moot once SMB1 is refused
    restrict anonymous = 2
    null passwords = No
    raw NTLMv2 auth = no
    

     

    This configuration block is to be entered into the SMB extras configuration section of the SMB settings page. 

     

    These settings will break compatibility with legacy clients, but when I say legacy I'm talking like Windows Server 2003/XP. Windows 10+ clients should work without issue as they all support (but are not necessarily configured to REQUIRE) these security features. 

     

    These settings force the following security options:

    • All communications must occur via SMB v3.1.1
    • All communications force the use of signing for communications
    • NTLMv2 authentication is required, LanMan authentication is implicitly disabled. 
    • All communications must be encrypted
    • Anonymous access is disabled 
    • Null session access is disabled
    • NTLMSSP is required for all NTLMv2 authentication attempts

     

    In addition, the following security settings are configured for each available share: 

    [screenshot not included]

     

    Also ensure that you create a non-root user to access the shares with and that all accounts use strong passwords (Ideally 12+ complex characters). 


    Finally, a couple of things to note:

    • If you read the release notes for Unraid 6.9.2, you'll see that Unraid uses samba: version 4.12.14. This is extremely important. If you, like me, google SMB configuration settings you'll eventually come across the documentation for the current version of Samba. But! Unraid is not running the latest version, and that's extremely important. The correct documentation to follow is for the 4.12 branch of Samba and the configuration options are significantly different, enough that a valid config for 4.15 will not work for 4.12. 
    • With "null passwords = No" you must enable Secure or Private security modes on each exported Unraid share - guest access won't work.

    • There is currently no way to add per-share custom smb.conf settings. So either the server gets hardened or it does not. Do not apply a [share_name] tag as it will not work.

    • It is not possible to specify `client smb3 encryption algorithms` in version 4.12.x of Samba.

    • Kerberos authentication and domain authentication may be preferable in other circumstances; in that case, additional hardening options may be considered. 

    • If you, like me, use VLC media player on mobile devices, you may find that SMBv3 with encryption makes the host inaccessible on iOS devices. The VLC team is aware of this and there is a fix available if you have the bleeding edge/development version of the app, but not if you download the current store version (last I checked, the fix hadn't been released). Should work fine with Android/Windows VLC. 

     

    If you have any suggestions for other options that I have not included here, or that you think are a mistake, please let me know and I'd be most happy to look into them and adjust. 

     

    Some other quick suggestions for hardening Unraid in general: disable whatever services you don't need.

    In my case, that means I:

    • Disable NFS
    • Disable FTP
    • Disable 'Start APC UPS daemon'
    • If you enable Syslog, also enable NTP and configure it. 
    • Disable Docker
      • Quick note on docker, having the services enabled allows for 'ip forwarding' which could, in theory, be used to route traffic via the host to bypass firewall rules (depending on your network topology obviously)

     

    Hope that helps someone else out there. 

    Cheers!

    • Like 8
    • Thanks 6
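To check that a share really negotiates what the list in the post above claims, decode the server's SMB2 NEGOTIATE response from a capture rather than trusting smb.conf. The script below is an added example, not code from the post or from Samba. It follows the MS-SMB2 field layout for the NEGOTIATE response and its negotiate contexts; the packet bytes it decodes are constructed inline by build_negotiate_response for the example and are not captured from a real server.

```python
"""Added example, not code from the post or from Samba: decode an SMB2 NEGOTIATE
response so a capture can be checked against the hardening list (dialect,
signing mode, ciphers) instead of trusting the config file.

Field layout follows MS-SMB2 2.2.4 (NEGOTIATE Response) and 2.2.3.1
(negotiate contexts). The packet bytes are constructed here for the example,
not captured from a real server.
"""
import struct
from typing import Dict, List, Optional

DIALECTS = {0x0202: "SMB2_02", 0x0210: "SMB2_10", 0x0300: "SMB3_00",
            0x0302: "SMB3_02", 0x0311: "SMB3_11"}
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}
SIGNING_ALGS = {0: "HMAC-SHA256", 1: "AES-CMAC", 2: "AES-GMAC"}
HASHES = {1: "SHA-512"}
CTX_PREAUTH, CTX_ENCRYPTION, CTX_SIGNING = 0x0001, 0x0002, 0x0008
SMB2_HDR_LEN = 64                 # fixed SMB2 header; the body starts right after it
FLAG_SERVER_TO_REDIR = 0x1
SIGNING_ENABLED, SIGNING_REQUIRED = 0x1, 0x2   # SecurityMode bits


def parse_negotiate_response(pkt: bytes) -> Dict[str, object]:
    """Decode the hardening-relevant fields from one raw SMB2 message."""
    if pkt[:4] != b"\xfeSMB":
        raise ValueError("not SMB2 (an SMB1 message starts with \\xffSMB)")
    command, = struct.unpack_from("<H", pkt, 12)
    flags, = struct.unpack_from("<I", pkt, 16)
    if command != 0 or not flags & FLAG_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    # Body: StructureSize(2) SecurityMode(2) DialectRevision(2) NegotiateContextCount(2)
    # ServerGuid(16) Capabilities(4) ... NegotiateContextOffset(4) at body+60
    size, sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", pkt, SMB2_HDR_LEN)
    if size != 65:
        raise ValueError(f"unexpected StructureSize {size}")
    caps, = struct.unpack_from("<I", pkt, SMB2_HDR_LEN + 24)
    ctx_off, = struct.unpack_from("<I", pkt, SMB2_HDR_LEN + 60)
    info: Dict[str, object] = {
        "dialect": DIALECTS.get(dialect, f"0x{dialect:04x}"),
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
        "cap_encryption": bool(caps & 0x40),   # SMB 3.0/3.0.2 advertise AES-CCM this way
        "ciphers": [], "signing_algorithms": [], "preauth_hashes": [],
    }
    if dialect == 0x0311:
        # Contexts: ContextType(2) DataLength(2) Reserved(4) Data, each 8-byte aligned
        off = ctx_off
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", pkt, off)
            data = pkt[off + 8: off + 8 + dlen]
            if ctype == CTX_ENCRYPTION:
                n, = struct.unpack_from("<H", data, 0)
                info["ciphers"] = [CIPHERS.get(c, hex(c)) for c in struct.unpack_from(f"<{n}H", data, 2)]
            elif ctype == CTX_SIGNING:
                n, = struct.unpack_from("<H", data, 0)
                info["signing_algorithms"] = [SIGNING_ALGS.get(a, hex(a)) for a in struct.unpack_from(f"<{n}H", data, 2)]
            elif ctype == CTX_PREAUTH:
                n, _salt_len = struct.unpack_from("<HH", data, 0)
                info["preauth_hashes"] = [HASHES.get(h, hex(h)) for h in struct.unpack_from(f"<{n}H", data, 4)]
            off = (off + 8 + dlen + 7) & ~7
    return info


def assess(info: Dict[str, object]) -> List[str]:
    """Compare a decoded response with the thread's targets."""
    issues = []
    if info["dialect"] != "SMB3_11":
        issues.append(f"negotiated {info['dialect']}, not SMB3_11")
    if not info["signing_required"]:
        issues.append("server does not require signing")
    if not info["ciphers"] and not info["cap_encryption"]:
        issues.append("no encryption cipher negotiated")
    return issues


def _ctx(ctype: int, data: bytes) -> bytes:
    blob = struct.pack("<HHI", ctype, len(data), 0) + data
    return blob + bytes(-len(blob) % 8)          # pad to the 8-byte boundary


def build_negotiate_response(dialect: int, sec_mode: int, cipher: int = 0,
                             signing_alg: Optional[int] = None, caps: int = 0) -> bytes:
    """Construct a minimal, well-formed server response for this example."""
    hdr = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1,
                                   FLAG_SERVER_TO_REDIR, 0, 0, 0, 0, 0, bytes(16))
    ctxs: List[bytes] = []
    if dialect == 0x0311:
        ctxs.append(_ctx(CTX_PREAUTH, struct.pack("<HHH", 1, 32, 1) + bytes(32)))  # SHA-512, zero salt
        if cipher:
            ctxs.append(_ctx(CTX_ENCRYPTION, struct.pack("<HH", 1, cipher)))
        if signing_alg is not None:
            ctxs.append(_ctx(CTX_SIGNING, struct.pack("<HH", 1, signing_alg)))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, len(ctxs), bytes(16),
                       caps, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128 if ctxs else 0)
    return hdr + body + b"".join(ctxs)   # header + fixed body = 128 bytes, so contexts sit aligned


if __name__ == "__main__":
    for pkt in (build_negotiate_response(0x0311, SIGNING_ENABLED | SIGNING_REQUIRED, cipher=2, signing_alg=1),
                build_negotiate_response(0x0210, SIGNING_ENABLED)):
        decoded = parse_negotiate_response(pkt)
        print(decoded, "->", assess(decoded) or "meets the targets")
```

To use it on real traffic, select the SMB2 layer of the server's Negotiate Protocol Response in Wireshark and use Export Packet Bytes, so the 4-byte NetBIOS session header is excluded, then pass those bytes to parse_negotiate_response. Note what NEGOTIATE cannot show: the server only advertises a cipher there. Whether encryption is actually required appears later, as the ENCRYPT_DATA flag (0x0004) in the SESSION_SETUP response SessionFlags, or per share as ShareFlags bit 0x8000 in the TREE_CONNECT response.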
    I have tried a number of configuration options in SMB Extras and have had no luck so far. As far as I can tell unRAID does not respect the configuration included in the Samba extra configuration field.

     

    Now. If I try to apply the configuration to just a single share (that I've created through the web interface), for example:

    #disable SMB1 for security reasons
    [Share_name]
        min protocol = SMB2

     

     

    I am no longer able to access the share at all.

    If I try the same thing with a whole new share + configuration and create the share path manually like so:

     

     

    [New_Share]
            path = /mnt/user/New_Share
            comment = 
            browseable = yes
            # Private
            writeable = no
            read list = 
            write list = admin
            valid users =  admin
            case sensitive = auto
            preserve case = yes
            short preserve case = yes
            server min protocol = SMB3_11
            client min protocol = SMB3_11
            client ipc min protocol = SMB3_11
            client signing = required
            client protection = encrypt
            server signing = mandatory
            server smb encrypt = required
            client ipc signing = required
    

     

    The share appears, but is still negotiated via SMB1 and then communicates via SMB2 as before.

    I try this config as well:

     

    #disable SMB1 for security reasons
    [global]
            # configurable identification
            netbios name = Server
            server string = Media server
            hide dot files = no
            multicast dns register = No
            disable netbios = yes
            security = USER
            workgroup = WORKGROUP
            map to guest = Bad User
            passdb backend = smbpasswd
            null passwords = Yes
            idmap config * : backend = tdb
            idmap config * : range = 3000-7999
            map archive = No
            map hidden = No
            map system = No
            map readonly = Yes
            create mask = 0777
            directory mask = 0777
    
            # log stuff only to syslog
            logging = syslog@0
    
            # we don't do printers
            show add printer wizard = No
            disable spoolss = Yes
            load printers = No
            printing = bsd
            printcap name = /dev/null
    
            # disable aio by default
            aio read size = 0
            aio write size = 0
    
            # misc.
            invalid users = root
            unix extensions = No
            wide links = Yes
            use sendfile = Yes
    
            # ease upgrades from Samba 3.6
            acl allow execute always = Yes
            # permit NTLMv1 authentication
            ntlm auth = Yes
    
            server min protocol = SMB3_11
            client min protocol = SMB3_11
            client ipc min protocol = SMB3_11
            client signing = required
            client protection = encrypt
            server signing = mandatory
            server smb encrypt = required
            client ipc signing = required
    
    [Share]
            path = /mnt/user/Share
            comment = 
            browseable = yes
            # Private
            writeable = no
            read list = 
            write list = admin
            valid users =  admin
            case sensitive = auto
            preserve case = yes
            short preserve case = yes
            server min protocol = SMB3_11
            client min protocol = SMB3_11
            client ipc min protocol = SMB3_11
            client signing = required
            client protection = encrypt
            server signing = mandatory
            server smb encrypt = required
            client ipc signing = required
    

     

    And still no luck.

     

    I realise that it's not possible to directly and permanently edit smb.conf or other files in /etc/samba/ but I'm also entirely at a loss on how to configure these options correctly via the web-gui since it doesn't seem to respect the configuration that is stored in /boot/config/smb-extra.conf

     

    I am using this: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html as the guide for setting the options. I'm unsure if unRAID configures these options in a non-standard way or if it doesn't support them for some reason. 

     

    Please, if anyone can help me _actually_ harden this configuration or point out somewhere I can learn how to configure this correctly I would be crazy grateful. If no-one is able to help then it seems likely this is a bug and I'll try to report it as such. 
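The configs in this post make a compact test case: Unraid's own [global] block sets ntlm auth = Yes (the comment in it says it permits NTLMv1), and a hardening block pasted into SMB Extras leaves that untouched unless it sets ntlm auth itself. The script below is an added example, not Unraid's or Samba's code. It parses smb.conf text the way Samba reads it and reports which of the thread's hardening targets are still unmet, accepting both the 'mandatory' and 'required' spellings, treating smb encrypt and server smb encrypt as the same parameter, and flagging 'fruit' in any vfs objects line (the workaround described for the vfs_fruit issue earlier in this thread). How it merges the Extras (appended to [global], last value wins) is an assumption about Unraid's behaviour, and the sample configs are trimmed constructions from the posts, not a live server's files.

```python
"""Added example, not Unraid's or Samba's own code: audit smb.conf text against
the hardening targets discussed in this thread.

Parsing follows smb.conf conventions: [section] headers, comment lines starting
with '#' or ';', 'key = value' with case-insensitive keys whose internal
whitespace is collapsed, and later definitions overriding earlier ones.
The rule set is this thread's checklist, not an official Samba baseline.
"""
import re
from typing import Dict

# Samba dialect names from lowest to highest; "SMB2"/"SMB3" are Samba's aliases
# for the newest dialect of that generation.
DIALECT_RANK = {
    "CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
    "SMB2_02": 5, "SMB2_10": 6, "SMB2": 6,
    "SMB3_00": 7, "SMB3_02": 8, "SMB3_11": 9, "SMB3": 9,
}
TRUE_WORDS = {"yes", "true", "1", "on"}
ENFORCED = {"mandatory", "required"}   # older vs newer Samba spelling, same meaning


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; keys before any header land in [global]."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue                       # not a parameter line; Samba would warn
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip()
    return sections


def audit_conf(text: str) -> Dict[str, str]:
    """Return {parameter: finding} for each setting weaker than the thread's target."""
    conf = parse_smb_conf(text)
    g = {k: v.lower() for k, v in conf["global"].items()}
    findings: Dict[str, str] = {}

    proto = g.get("server min protocol", "")
    if DIALECT_RANK.get(proto.upper(), -1) < DIALECT_RANK["SMB3_11"]:
        findings["server min protocol"] = f"'{proto or 'unset'}' admits dialects below SMB3_11"
    if g.get("server signing") not in ENFORCED:
        findings["server signing"] = "not mandatory/required, so signing stays negotiable"
    # 'smb encrypt' is Samba's synonym for 'server smb encrypt'.
    if g.get("server smb encrypt", g.get("smb encrypt")) not in ENFORCED:
        findings["server smb encrypt"] = "not required, so unencrypted sessions are accepted"
    # Unraid's default global block sets 'ntlm auth = Yes' (ntlmv1-permitted);
    # Samba's own default when the parameter is unset is ntlmv2-only.
    ntlm = g.get("ntlm auth", "ntlmv2-only")
    if ntlm in TRUE_WORDS or ntlm == "ntlmv1-permitted":
        findings["ntlm auth"] = f"'{ntlm}' permits NTLMv1; set ntlmv2-only"
    if g.get("null passwords", "no") in TRUE_WORDS:
        findings["null passwords"] = "accounts with empty passwords can log in"
    if g.get("restrict anonymous") != "2":
        findings["restrict anonymous"] = "anonymous/null-session access not fully blocked (want 2)"
    # vfs_fruit workaround from earlier in this thread: drop 'fruit' from every
    # 'vfs objects' line unless the Samba build carries the fix.
    for name, sec in conf.items():
        if "fruit" in sec.get("vfs objects", "").lower().split():
            findings["vfs objects"] = f"[{name}] loads vfs_fruit; confirm a patched Samba or remove 'fruit'"
    return findings


# Constructed inputs, trimmed from the Unraid defaults quoted in this post.
UNRAID_DEFAULT = """\
[global]
        security = USER
        map to guest = Bad User
        null passwords = Yes
        # permit NTLMv1 authentication
        ntlm auth = Yes
        invalid users = root

[Share]
        path = /mnt/user/Share
        valid users = admin
        vfs objects = catia fruit streams_xattr
"""

# The hardening block as pasted into SMB Extras (no section header), plus the
# 'ntlm auth' line it needs in order to override Unraid's default.
HARDENING_EXTRAS = """\
server min protocol = SMB3_11
server signing = mandatory
smb encrypt = required
restrict anonymous = 2
null passwords = No
raw NTLMv2 auth = no
ntlm auth = ntlmv2-only
"""


def audit_with_extras(base: str, extras: str) -> Dict[str, str]:
    """Assumed merge order: Extras are appended to [global] after the defaults."""
    return audit_conf(base + "\n[global]\n" + extras)


if __name__ == "__main__":
    for title, result in (("Unraid default", audit_conf(UNRAID_DEFAULT)),
                          ("default + extras", audit_with_extras(UNRAID_DEFAULT, HARDENING_EXTRAS))):
        print(f"== {title}: {len(result)} finding(s)")
        for param, msg in result.items():
            print(f"   {param}: {msg}")
```

Run against the default block alone it reports every target as unmet; with the Extras appended, only the vfs_fruit line remains. The same parser can be pointed at the generated /etc/samba/smb-shares.conf to see what Unraid actually wrote, which is the quickest way to tell whether an Extras setting was applied to [global] or silently dropped.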

  11. Coming from this thread: 

     

    I would really appreciate a simple GUI way to configure additional SAMBA/SMB options for my server. 

     

    Specifically I'm interested in changing the following options to improve the security of the server: 

    server min protocol = SMB3_11
    client min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    null passwords = No
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required
    ntlm auth = ntlmv2-only
    null passwords = No

     

    Rather than using the SMB extra configuration field which I'm finding confusing and difficult to use. I would rather these options be available under 'SMB Settings' as drop-down options (for example, 'Enable NetBIOS' is currently listed there). 

     

    I think that the out of the box defaults should remain as broadly compatible as possible but it should not be a difficult process to enable high security configurations on the server. 

     

    Thanks,

     

    • Like 3
  12. The confusing part isn't so much the SAMBA configuration itself. I can muddle through that until it sticks. It's that I can't edit the config files directly and that the parameters/format etc that 'SMB Extras' configuration setting wants does not appear to be well documented. I assumed that basic hardening of SMB configurations for unRAID would have already been well documented and that I was just having trouble finding that information.

     

    In a perfect world, users shouldn't need to be setting all these config options manually, they should be readily available dropdown options that should be able to be selected as needed (the same as 'Enable NetBIOS' is currently for example. Edit: I've lodged this as a feature request. 

    So I stopped the array, modified the config as per the following screenshot and applied it:

    [screenshot not included]

    Then started the array.

    When browsing to \\server\ I can no longer see the share

    Additionally, I am still not seeing SMB3 traffic, but rather SMB2 (viewing the traffic in wireshark)

     

    Curiously, if I change the label from [Share] to [global] I can once again see \\server\share\ but alas, that's still being accessed via SMB2 as well :( 

     

     

     

    12 minutes ago, trurl said:

    The OS is in RAM, unpacked fresh from the archives on flash at each boot. Any modifications are not persistent.

    Out of interest, can I shut the server down and then modify config from another machine so that it will persist at boot? 

  14. Thanks Frank1940. 

     

    Should I be making changes in the conf files directly or via the web GUI 'Samba Extra Configuration' field? 

     

    As the issue appears to only be with the single share I've configured/exposed, does that mean I just need to use this then?

     

    [share_name]

    server min protocol = SMB3_11
    null passwords = No
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required


     

  15. Hi, 

     

    I've been trying to harden the Samba/SMB configuration of Unraid 6.9.2. 

     

    I've attempted to modify the /etc/samba/*conf files directly but that appears to get wiped. 

     

    I attempted to add the options I wanted to include: 

     

    server min protocol = SMB3_11
    null passwords = No
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required


    Into the 'Samba Extra Configuration' field but this also did not seem to apply. 

     

     

    What I want to do is:

    - Enable SMB3_11
    - Have both encryption and SMB signing as mandatory. 

    - Disable Null sessions

     

    Does anyone have any advice on how I can do this through either the config or the web interface I'd be very grateful. 

     

    Thanks! 
