Microsoft has been asking the world to stop using the legacy SMBv1 since 2014. US-CERT also issued a security bulletin advising to disable SMBv1 and move to SMB 2.x or preferably SMB 3.x. The following documents explain why SMB1 is deprecated.
Since Windows 10 and Samba 4.11.0 on Linux, SMB1 has been disabled by default.
- For Windows
  - Press ⊞ Win + X, left-click on Windows PowerShell (Admin)
  - Type the following commands:

        Set-SmbServerConfiguration -EnableSMB1Protocol $false
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

  - Restart the computer.
- For Linux
  - Open the Samba configuration file: vi /etc/samba/smb.conf
  - Add to the [global] section of the configuration file:

        [global]
        # Define the min protocol supported by this server.
        server min protocol = SMB2

  - Restart the service after saving the modification: sudo service smbd restart
- Additional references
  - For Linux: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
According to the Microsoft technical documentation, "secure negotiate" relies on the correct signing of responses by all SMB 2/3 servers. This means the exchange can only occur under a user security context that is neither anonymous nor guest.
Therefore, anonymous or guest sessions cannot use secure negotiation. Keep in mind that if you enable null or guest sessions to access your shares, you leave the door open for this potential attack.
- For Windows
  - Open the Search box of your Windows 10/11 computer
  - Type control panel in the Search box
  - Press the Enter key to open the Control Panel window
  - Access the Network and Internet category
  - Access the Network and Sharing Center
  - Click on the Change advanced sharing settings option available on the left section
  - Expand the All Networks section
  - Scroll down to the bottom part
  - Select the Turn off password protected sharing option
  - Press the Save changes button.
- For Linux
  - Open the Samba configuration file: vi /etc/samba/smb.conf
  - Add to the [global] section of the configuration file:

        [global]
        # Restriction of anonymous login
        restrict anonymous = 2

  - Restart the service after saving the modification: sudo service smbd restart
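The two Samba settings above (server min protocol and restrict anonymous) can be checked mechanically. The script below is an added example, not part of the original documentation: the function names smb_global_param and audit_smb_global and the sample configuration are constructed for illustration, and it assumes a single smb.conf without include files.

```shell
#!/bin/sh
# Added example: audit [global] in an smb.conf for the two settings above.
# Assumptions: no "include" files, no continuation lines, and the canonical
# parameter names (the synonym "min protocol" is not looked up).

# Print the last value of a [global] parameter; $2 is the name in lower
# case with spaces removed (Samba ignores case and spaces in names).
smb_global_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t\r]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# Print one finding per line; exit status 0 means no findings.
audit_smb_global() {
    rc=0
    proto=$(smb_global_param "$1" serverminprotocol | tr 'a-z' 'A-Z')
    case "$proto" in
        SMB2*|SMB3*) ;;                             # SMB1 dialects refused
        "") echo "server min protocol: not set, default depends on the Samba version"; rc=1 ;;
        *)  echo "server min protocol = $proto: dialects older than SMB2 are accepted"; rc=1 ;;
    esac
    anon=$(smb_global_param "$1" restrictanonymous)
    [ "$anon" = 2 ] || { echo "restrict anonymous = ${anon:-unset}: expected 2"; rc=1; }
    return "$rc"
}

# Constructed sample configuration (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   # server min protocol = SMB2
   Server Min Protocol = NT1
   restrict anonymous = 0
[media]
   server min protocol = SMB3
   path = /srv/media
EOF
audit_smb_global "$sample" || echo "=> fix the findings above, then restart smbd"
rm -f "$sample"
```

To audit the configuration as Samba itself parsed it, save the output of testparm -s to a file and pass that file to audit_smb_global.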
- For Windows
  - The credential to log in to the SMB server with the default Microsoft account is in the format below:
    - Username: The email address of your Microsoft account, e.g. xxxx@outlook.com
    - Password: The password of your Microsoft account.
  - To create a local account with password:
    - Select Start > Settings > Accounts and then select Family & other users. (In some versions of Windows you'll see Other users.)
    - Next to Add other user, select Add account. (In Windows 10 you may see Add someone else to this PC.)
    - Select I don't have this person's sign-in information, and on the next page, select Add a user without a Microsoft account.
    - Enter a user name, password, or password hint (or choose security questions) and then select Next.
- For Linux

      sudo useradd $username       # smbpasswd requires an existing user.
      sudo smbpasswd -a $username  # replace $username with the name you want to create.
      [sudo] password for $username: # Type here to set the password
STATUS_ACCESS_DENIED indicates that the client did not have the required permission needed for the operation.
- Be sure that you have logged in as neither anonymous nor guest. The most recommended way is to disable anonymous login and create an account with password.
- For Linux users, be sure that your SMB account has the right permission to access the folder/file.

      # ./unreadable.mp4 is the path of the file you tried to access but could not.
      > ls -l ./unreadable.mp4
      ---------- 1 owner group 4050430 Mar 21 09:01 ./unreadable.mp4
      # add read permission for all users to this file
      > sudo chmod +r ./unreadable.mp4
      > ls -l ./unreadable.mp4   # check file permission again
      -r--r--r-- 1 owner group 4050430 Mar 21 09:01 ./unreadable.mp4

- If none of the above works, please attempt to drop the server minimum protocol to SMB2 instead of SMB3.
  - Open the Samba configuration file: vi /etc/samba/smb.conf
  - Add to the [global] section of the configuration file:

        [global]
        # Define the min protocol supported by this server.
        # WARN: If you are expecting to use any of SMB3 protocol, set min protocol to SMB3_00 INSTEAD OF SMB3.
        server min protocol = SMB2
        # OR
        server min protocol = SMB3_00

  - Restart the service after saving the modification: sudo service smbd restart
STATUS_REQUEST_NOT_ACCEPTED indicates that no more connections can be made to the remote server at this time because there are already as many connections as the server can accept.
- For Windows
  - Right-click on the folder you want to share or have already shared.
  - Select Properties > Sharing > Advanced Sharing
  - Set Limit the number of simultaneous users to 20~32 (20 is the max number on Windows)
- For Linux
  - Open the Samba configuration file: vi /etc/samba/smb.conf
  - Add to the [global] section of the configuration file:

        [global]
        # Number of maximum simultaneous connections to this share.
        # default is 0, meaning no limit on the number of simultaneous connections.
        max connections = 32

  - Restart the service after saving the modification: sudo service smbd restart
ECONNREFUSED(111) indicates that the client is connecting to the wrong IP/port, or is being blocked by a firewall/router.
- For Windows
- For Linux
  - Open the Samba configuration file: vi /etc/samba/smb.conf
  - Add to the [global] section of the configuration file:

        [global]
        smb ports = 445, 139

  - Restart the service after saving the modification: sudo service smbd restart