ezhik, posted May 24, 2017:

Try this:

    ezhik@z97x:~$ cat .smb/smb.conf
    [global]
    client min protocol = SMB2
    client max protocol = SMB3
    client lanman auth = no
    client plaintext auth = no
    client NTLMv2 auth = yes

zoggy, posted May 24, 2017 (edited May 24, 2017 by zoggy):

had to revert these changes, it broke kodi-headless on updating library...

    21:13:10.967 T:47482913441536 WARNING: VideoInfoScanner: Error 0 occurred while retrievinginformation for smb://husky/TV/TV/Prison Break/.

    # docker exec -it kodi-headless bash
    :~/.smb# cat smb.conf
    [global]
    preferred master = no
    local master = no
    domain master = no
    client lanman auth = yes
    lanman auth = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
    lock directory = /config/.smb/
    name resolve order = bcast host

ezhik, posted May 24, 2017 (edited May 24, 2017 by ezhik):

Mine is working just fine with these:

    ~/.smb/smb.conf
    [global]
    client min protocol = SMB2
    client max protocol = SMB3
    client lanman auth = no
    client plaintext auth = no
    client NTLMv2 auth = yes

#--

I am running Ubuntu 16.04, what are you running?

I have these packages installed:

- cifs-utils
- samba-common
- samba-libs

NAS, posted May 24, 2017:

If you are testing with Kodi the specific version you are using on which platform is important as for instance there is a lot of work happening right now in LibreELEC land for this and as usual none at all in OpenELEC.

As I understand it almost every Kodi instance out there in the wild is currently limited to SMBv1 using native app shares i.e. sources.xml. This is a Kodi limit not an OS one. Milhouse LibreELEC builds however as usual are ahead of the curve.

MrLeek, posted May 25, 2017:

A slightly alarmist headline, but seems relevant to current discussions?

https://arstechnica.co.uk/security/2017/05/a-wormable-code-execution-bug-has-lurked-in-samba-for-7-years-patch-now/

ezhik, posted May 25, 2017:

I'd create a separate thread for this one MrLeek.

Topic: CVE-2017-7494 (https://www.samba.org/samba/security/CVE-2017-7494.html)

ezhik, posted May 25, 2017:

A workaround for the CVE is to add:

    nt pipe support = no

ezhik, posted May 25, 2017:

I created a thread for this @MrLeek -

MrLeek, posted May 25, 2017:

> 1 hour ago, ezhik said:
> I created a thread for this @MrLeek -

Thanks ezhik - I only had chance to skim the CVE so appreciate you creating the separate thread.

limetech, posted May 27, 2017 (edited May 28, 2017 by limetech: use correct config setting to define min protocol):

The "WannaCry" malware does not affect linux-based systems, such as unRAID OS, unless you are running Wine:

https://www.suse.com/communities/blog/no-tearswannacry-linux-unless-wine/

Certainly unRAID OS never has and never will include Wine and AFAIK there is no unRAID OS plugin that does so. Hence I don't see any added "safety" in disabling SMBv1, though one could certainly do so using "Settings/SMB/Samba extra configuration" by putting this line in there:

    min protocol = SMB2

BTW, to see the entire active set of Samba settings, from console/telnet/ssh type this command:

    testparm -sv | less

zoggy, posted May 27, 2017:

when you modify the smb extra config and hit apply, does it restart samba?

ezhik, posted May 28, 2017:

> 3 hours ago, limetech said:
> The "WannaCry" malware does not affect linux-based systems, such as unRAID OS, unless you are running Wine:
> https://www.suse.com/communities/blog/no-tearswannacry-linux-unless-wine/
> Certainly unRAID OS never has and never will include Wine and AFAIK there is no unRAID OS plugin that does so. Hence I don't see any added "safety" in disabling SMBv1, though one could certainly do so using "Settings/SMB/Samba extra configuration" by putting this line in there:
>     client min protocol = SMB2
> BTW, to see the entire active set of Samba settings, from console/telnet/ssh type this command:
>     testparm -sv | less

My apologies, but I am going to have to correct you there.

--
    client min protocol = SMB2
--

This would be the client side enforcing min smb2, if you define client min protocol = smb2, then you need to also define client max protocol = smb3.

For the server side to enforce a minimum of smb2 it would be:

--
    min protocol = SMB2
--

Cheers.

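Added example, not part of any post in this thread: a small Python audit of the client/server distinction corrected above, showing that a config setting only `client min protocol` leaves the server's own floor untouched, and flagging the LANMAN and plaintext auth options that appear in the configs posted earlier. The sample configs are constructed from the snippets in the thread, the function names are illustrative, and treating `min protocol` as a synonym of `server min protocol` assumes Samba 4 parameter naming.

```python
import re

# Samba protocol families, oldest first; everything before SMB2 is SMB1-era.
PROTOCOLS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2", "SMB3"]

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and extra whitespace.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def allows_smb1(value):
    """True if this minimum admits SMB1 dialects, None if unset/unknown."""
    base = (value or "").upper().split("_")[0]   # SMB2_10 -> SMB2
    if base not in PROTOCOLS:
        return None
    return PROTOCOLS.index(base) < PROTOCOLS.index("SMB2")

def audit(text):
    """List findings for the server and client sides of one smb.conf."""
    p = parse_global(text)
    floors = {"server": p.get("server min protocol", p.get("min protocol")),
              "client": p.get("client min protocol")}
    findings = []
    for side, value in floors.items():
        state = allows_smb1(value)
        if state is None:
            findings.append(f"{side}: no minimum set, confirm with testparm -sv")
        elif state:
            findings.append(f"{side}: SMB1 permitted (min = {value})")
    for name in ("lanman auth", "client lanman auth", "client plaintext auth"):
        if p.get(name, "").lower() in ("yes", "true", "1"):
            findings.append(f"{name} is enabled")
    return findings

# Constructed samples based on the snippets posted in this thread.
CLIENT_ONLY = "[global]\nclient min protocol = SMB2\nclient max protocol = SMB3\n"
SERVER_SIDE = "[global]\nmin protocol = SMB2\n"
LEGACY = "[global]\nlanman auth = yes\nclient lanman auth = yes\n"
```

Calling `audit(CLIENT_ONLY)` reports only that the server side has no minimum set, which is the gap the correction above points out.
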
limetech, posted May 28, 2017:

> 4 hours ago, zoggy said:
> when you modify the smb extra config and hit apply, does it restart samba?

Yes.

limetech, posted May 28, 2017:

> 2 hours ago, ezhik said:
> My apologies, but I am going to have to correct you there.

Right you are, thanks. Corrected my post.

zoggy, posted May 29, 2017:

    min protocol = SMB2

word of caution to those, setting a min protocol like this causes kodi to stop working due to it negotiating at NT1.

limetech, posted May 29, 2017:

> 3 minutes ago, zoggy said:
> word of caution to those, setting a min protocol like this causes kodi to stop working due to it negotiating at NT1.

Right but there's no need to do this.

ezhik, posted May 29, 2017:

> 4 hours ago, zoggy said:
>     min protocol = SMB2
> word of caution to those, setting a min protocol like this causes kodi to stop working due to it negotiating at NT1.

That's actually not true. You need to define min + max, then it will work just fine. I've personally tested this.

You need two lines in there for it to work properly.

    cat .smb/smb.conf
    [global]
    client min protocol = SMB2
    client max protocol = SMB3

Preferably:

    cat .smb/smb.conf
    [global]
    client min protocol = SMB2
    client max protocol = SMB3
    client lanman auth = no
    client plaintext auth = no
    client NTLMv2 auth = yes

wgstarks, posted May 30, 2017:

> 54 minutes ago, ezhik said:
> That's actually not true. You need to define min + max, then it will work just fine. I've personally tested this.

That's a very broad statement. Which versions and systems have you tested it on? I couldn't get it to work on my LE machine, but it was still running one of the LE7 builds at the time.

ezhik, posted May 30, 2017:

> 14 minutes ago, wgstarks said:
> That's a very broad statement. Which versions and systems have you tested it on? I couldn't get it to work on my LE machine, but it was still running one of the LE7 builds at the time.

LE7?

wgstarks, posted May 30, 2017:

> Just now, ezhik said:
> LE7?

LibreElec 7.?.? One of the kodi 16 builds. Can't remember the exact version and I've updated to 8.0.3 (latest stable kodi release) now.

I don't have much knowledge of samba and a lot of what I read is over my head, but it looks to me like many of the current kodi builds (not nightlies or PR's) don't include support for SMB2 or SMB3 yet. That's why I was asking which builds you've been testing on.

BRiT, posted May 30, 2017:

> 12 minutes ago, ezhik said:
> LE7?

I think it's LibreELEC 7 - https://libreelec.tv/

ezhik, posted May 30, 2017:

Good call.

So I checked it out and LibreELEC 8.x uses SAMBA 3.6.25 (yes outdated), which is limited to SMB2 on a max protocol level.

So all you need to do is define min and max to be the same version - smb2

Can you give it a shot?

You'd have to create it in the user's .smb/smb.conf file.

For example if your user is kodi it would be in:

    /home/kodi/.smb/smb.conf
    [global]
    client min protocol = SMB2
    client max protocol = SMB2

PS. I tested it on a full blown linux distro -> ubuntu 16.04 with actual kodi (from the official xbmc repo).

Cheers.

ezhik, posted May 30, 2017:

By the way, references:

https://libreelec.tv/2017/05/libreelec-krypton-v8-0-2-mr/

SAMBA

Samba announced CVE-2017-7494 as we were about to release 8.0.2 and due to the serious vulnerability rating we postponed release to investigate. LibreELEC uses Samba 3.6.25 which is in the range of affected versions, but after Samba source code review (thanks @seo) we believe we are not vulnerable as we compile Samba without printer support, and this disables the vulnerable code path. We also attempted and failed to exploit our Samba version with the available metasploit module. Our confidence level on this is 99%. If you care about the missing 1% please disable the Samba service and keep reading.

--

And:

https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#SMB2_support

Cheers.

wgstarks, posted May 30, 2017:

> 31 minutes ago, ezhik said:
> Good call.
> So I checked it out and LibreELEC 8.x uses SAMBA 3.6.25 (yes outdated), which is limited to SMB2 on a max protocol level.
> So all you need to do is define min and max to be the same version - smb2
> Can you give it a shot?
> You'd have to create it in the user's .smb/smb.conf file.
> For example if your user is kodi it would be in:
>     /home/kodi/.smb/smb.conf
>     [global]
>     client min protocol = SMB2
>     client max protocol = SMB2
> PS. I tested it on a full blown linux distro -> ubuntu 16.04 with actual kodi (from the official xbmc repo).
> Cheers.

What about on the server (unRAID) side? Any changes I need to make there?