# SMBv1 Woes - FreeBSD



## mathaishermb (Jun 21, 2017)

Hi all,

Long time user of FreeBSD here. I have been happily using the mount_smbfs binary and in my fstab to mount Windows Shares on boot to be used by various network services house on multiple FreeBSD systems. Sadly, it appears these connections all use SMBv1 NT1 security to perform the mount operation. With the new security landscape, post-WannaCry ransomware, in a mixed-mode environment where all the shares live in Windows, that just won't do. This has been discussed many times before in the past and I even lodged a bug report right at about 5 years ago regarding the reliance on NetBIOS to mount SMB shares from FreeBSD. Every other piece of software I have encountered has moved away from this deprecated network protocol to the far more secure versions of SMB to perform Windows share operations. As a stop gap, I have implemented a very rudimentary NFS server advertising shares, but configuring a Kerberos infrastructure and setting new accounts for each and every service (not to mention the new permissions nightmares even with Active Directory) on multiple BSD systems is arduous. Rather, I am wondering why FreeBSD is behind the ball on the development? The other Linux based systems I run required a simple addition of the vers=SMB2 flag to the fstab entry to successfully mount. I understand the code base is very old for the mount_smbfs, but what is the way forward here? NFS is simply a workaround as far as I am concerned and every other *nix style distro seems to play nice. Is there an ETR on this greatly needed and long overdue update to mount newer style SMB shares?

Thanks!


----------



## drhowarddrfine (Jun 21, 2017)

I don't know what I'm talking about but the man page for smb.conf shows you can set the protocol for smb2 and smb3.


----------



## mathaishermb (Jun 21, 2017)

drhowarddrfine said:


> I don't know what I'm talking about but the man page for smb.conf shows you can set the protocol for smb2 and smb3.



Hey there Dr. Howard!

The binary in question is a FreeBSD source compiled binary. Editing the smb.conf file to force SMB2 causes the mount_smbfs command to fail. SAMBA does have a smbclient binary to browse shares like a ftp client using a newer version of SMB, but that doesn't integrate into the fstab AFAIK. That all being said, I have tried the "min protocol" configuration and that seems to have no effect on the mounting.


----------



## mathaishermb (Jun 21, 2017)

Oh, I will add I am on FreeBSD 10.3-STABLE branch. I am looking into how the SAMBA operates when performing SMB share mounts and possibly porting over something that can support mounting later versions of SMB. I will also be looking at the mount.cifs that Linux uses. If anyone has any better ideas?
I will say I have gone down the path of using FUSEFS, but that was a fruitless path. The fstab mount was clunky to say the least and the pathing was crazy because it was meant to browse, not be a permanent mount. Not only that, I had to play with the source code due to the unusual way BSD implemented things with the fuse-netsmbfs port and integration with the fstab.


----------



## mathaishermb (Jun 22, 2017)

Anyone? The linux path didn't go well for obvious reasons of cross-compilation issues. Porting the source code directly was a massive undertaking and considering I am not a programmer, made things insurmountable. I am looking at the Darwin/OS X mount_smbfs code but even that has been deprecated in favor of something else. Don't know what else to do here, as I said, I am not a programmer. As much as I hate it, I might have to move these servers over to CentOS. I cannot turn on SMBv1 for the handful of systems because the OS hasn't updated to work with something that has been out for over 10 years. While NFS might be an easier route in the "now", it is the principle of the matter. Who knows what other common features in the future will just get left behind because they aren't updated for integration. I do get that BSD is community ran and funded. Hell, I donate to FreeBSD whenever I can and always look for bugs and report back when I can. However, I just can't let this go though. SMBv1 has been around since 1990 and SMBv2 came out 11 years ago in 2006. Linux has moved ahead and kept up with their security. It makes me sad that BSD hasn't made any movement to keep up with SMB security versions. I would do something myself if I could, but I simply don't have the knowledge, time, or patience for programming.


----------



## drhowarddrfine (Jun 22, 2017)

You would probably have better luck on the mailing lists with this than here.


----------



## mathaishermb (Jun 22, 2017)

Roger on that! I will post here if I get any meaningful updates there. Thanks!


----------



## mathaishermb (Dec 4, 2017)

Reporting back now roughly 6 months later, no movement. I contacted the mailing list and the answer I received is not good, which is that something is going to have to built. From scratch. I tried my hand at it, but it is just way too complicated for me to tackle with other tasks. I am sad to say, but these systems are slated to go to CentOS minimal builds next major OS upgrade cycle.  I hope something is done in early 2018 to maybe save these systems from getting ported.


----------

