Message-ID: <1504329770.3249.61.camel@samba.org>
Subject: Re: RFC: Revert move default dialect from CIFS to to SMB3
From: Andrew Bartlett
To: Linus Torvalds, Steve French
Cc: "L. A. Walsh", Thorsten Leemhuis, Linux Kernel Mailing List, "linux-cifs@vger.kernel.org", Pavel Shilovsky
Date: Sat, 02 Sep 2017 17:22:50 +1200

On Fri, 2017-09-01 at 20:56 -0700, Linus Torvalds wrote:
> On Fri, Sep 1, 2017 at 7:16 PM, Steve French wrote:
> >
> > The default was SMB1 (CIFS) and was recently changed to SMB3.
> > The dialect still can be overridden by specifying "vers=1.0" or "vers=2.1"
> > etc. on mount.
> >
> > We just put together a patch to better explain the default changes
> > (with additional warning messages) as suggested.
> >
> > SMB3 is significantly better than SMB2.1 (supporting encrypted shares
> > and sessions for example, and requiring support for "secure negotiate")
> > and some servers require SMB3 minimum as a result,
>
> The default shouldn't be about "best and most secure", but "most
> convenient, while still not actively *IN*secure"
>
> So "some servers require 3.0" may be true, but if it's also the case
> that "most servers still don't do 3.0 at all", then it's a "some" vs
> "most".
>
> Which is the most common one? That should be the default.
>
> I realize that eventually we'll have auto-negotiation, but that's
> clearly not for 4.13. So in the meantime the only issue is what the
> right default should be without auto-negotiation.
>
> So it should be about what the failure rate is. If trying for smb3 has
> a high failure rate because people simply don't have that yet, then
> making that the default was clearly the wrong choice.
>
> Because being "better" is immaterial if it doesn't work.

My quick research shows:

SMB 2.1 but not SMB3 is on:
Windows 7
Windows 8
Windows 2008
Windows 2012

Samba 3.6 and earlier (SMB1 only by default)

SMB3 is on:
Windows 8.1
Windows 2012 R2
Windows 10
Windows 2016
Samba 4.0 and above (released 2012)

I'm not sure exactly which Mac versions.

Some breakage will be old (and quite recent) NAS and routers that use
SMB1 and often very old Samba, but most of those only do SMB1.

In terms of 'actively *IN*secure', it really depends what you mean by
that. That is, like all big changes, the movement against SMB1 has had
multiple motivations:
 - a desire no longer to expose really old code in Windows (recently
   exploited)
 - a desire to retire an old and complex protocol
 - SMB3 having proper secure negotiation (I'll leave it to Steve to
   explain the difference between SMB2 and 3 in that respect, I'm not so
   current on the details).

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba