@Arlen-LT
Last active July 17, 2023 10:54

Q: Should I use SMB1 or SMB2/3?

Microsoft has been asking the world to stop using the legacy SMBv1 since 2014. US-CERT also issued a security bulletin advising to disable SMBv1 and move to SMB 2.x or preferably SMB 3.x. The following documents explain why SMB1 is deprecated.

Since Windows 10 and Samba 4.11.0 on Linux, SMB1 has been disabled by default.

Q: How to disable SMB1?

Q: Why should I not use anonymous/guest login with SMB2/3?

According to the Microsoft technical documentation, "secure negotiate" relies on the correct signing of responses by all SMB 2/3 servers. This means the exchange can only occur under a user security context that is neither anonymous nor guest.

Therefore, anonymous or guest sessions cannot use secure negotiation. Keep in mind that if you enable null or guest sessions to access your shares, you leave the door open for this potential attack.

Q: How to configure SMB server to disable anonymous login?

  • For Windows

    1. Open the Search box of your Windows 10/11 computer
    2. Type control panel in the Search box
    3. Press the Enter key to open the Control Panel window
    4. Access Network and Internet category
    5. Access the Network and Sharing Center
    6. Click on the Change advanced sharing settings option available on the left section
    7. Expand the All Networks section
    8. Scroll down to the bottom part
    9. Select Turn off password protected sharing option
    10. Press the Save changes button.
  • For Linux

    1. Open the Samba configuration file: vi /etc/samba/smb.conf
    2. Add to the [global] section of the configuration file:
      [global]
      # Restrict anonymous login
          restrict anonymous = 2
    3. Save the change, then run sudo service smbd restart.

Q: How to create an account with password?

  • For Windows

  • When logging in to the SMB server with the default Microsoft account, the credentials take the following form:

    • Username: The email address of your Microsoft account. e.g. xxxx@outlook.com
    • Password: The password of your Microsoft account.
  • To create a local account with password:

    1. Select Start > Settings > Accounts and then select Family & other users. (In some versions of Windows you'll see Other users.)
    2. Next to Add other user, select Add account. (In Windows 10 you may see Add someone else to this PC.)
    3. Select I don't have this person's sign-in information, and on the next page, select Add a user without a Microsoft account.
    4. Enter a user name, password, or password hint (or choose security questions) and then select Next.
  • For Linux

    sudo useradd $username      # Replace $username with the name you want to create; smbpasswd requires an existing system user.
    sudo smbpasswd -a $username # Add the user to Samba's password database.
    New SMB password:           # Type here to set the password
    Retype new SMB password:

Q: What to do when encountering STATUS_ACCESS_DENIED(0xC0000022)

STATUS_ACCESS_DENIED indicates that the client did not have the required permission needed for the operation.

  1. Be sure that you have logged in as neither anonymous nor guest. The recommended way is to disable anonymous login and create an account with a password.
  2. For Linux users, be sure that your SMB account has the right permissions to access the folder/file.
    # ./unreadable.mp4 is the path of the file which you want to access but failed.
    > ls -l ./unreadable.mp4  
    ---------- 1 owner group 4050430 Mar 21 09:01 ./unreadable.mp4
    
    # add read permission for all users to this file
    > sudo chmod +r ./unreadable.mp4 
    > ls -l ./unreadable.mp4  # check file permission again
    -r--r--r-- 1 owner group 4050430 Mar 21 09:01 ./unreadable.mp4
  3. If none of the above works, please attempt to drop the server minimum protocol to SMB2 instead of SMB3.
    1. Open the Samba configuration file: vi /etc/samba/smb.conf
    2. Add to the [global] section of the configuration file:
      [global]
      # Define the minimum protocol supported by this server.
      # WARN: If you expect to use any version of the SMB3 protocol, set min protocol to SMB3_00 INSTEAD OF SMB3.
      # Alternative: server min protocol = SMB3_00
      # (Keep comments on their own lines; smb.conf only treats lines that begin with # or ; as comments.)
          server min protocol = SMB2
    3. Save the change, then run sudo service smbd restart.
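
An added example (not part of the original gist): a small Python audit of smb.conf text for the two settings discussed above, restrict anonymous and server min protocol, plus the related Samba guest parameters map to guest and guest ok. The function names and both sample configurations are constructed for illustration.

```python
LEGACY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # SMB1-era dialects
TRUE = {"yes", "true", "on", "1"}
def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace removed."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            conf.setdefault(section, {})[key] = value.strip()
    return conf

def audit(text):
    """List settings that permit SMB1 or anonymous/guest sessions."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    proto = g.get("serverminprotocol", g.get("minprotocol"))
    if proto is not None and proto.upper() in LEGACY:
        findings.append(f"[global] server min protocol = {proto} permits SMB1")
    if g.get("restrictanonymous", "0") != "2":
        findings.append("[global] restrict anonymous is not 2")
    if g.get("maptoguest", "never").lower() != "never":
        findings.append("[global] map to guest enables guest fallback")
    for name, params in conf.items():
        guest = params.get("guestok", params.get("public", "no"))
        if guest.lower() in TRUE:
            findings.append(f"[{name}] guest ok = {guest} allows guest sessions")
    return findings

WEAK_CONF = """[global]
    server min protocol = NT1
    map to guest = Bad User
[media]
    guest ok = yes
"""
HARDENED_CONF = """[global]
    server min protocol = SMB2
    restrict anonymous = 2
[media]
    guest ok = no
"""  # both samples are constructed, not taken from the gist
print(*audit(WEAK_CONF), sep="\n")
```

An absent server min protocol is not flagged, because the default depends on the Samba version in use.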

Q: What to do when encountering STATUS_REQUEST_NOT_ACCEPTED(0xC00000D0)

STATUS_REQUEST_NOT_ACCEPTED indicates that no more connections can be made to the remote server at this time because there are already as many connections as the server can accept.

  • For Windows

    1. Right-click on the folder you want to share or has shared.
    2. Select Properties > Sharing > Advanced Sharing
    3. Set Limit the number of simultaneous users to 20~32 (20 is the max number on Windows)
  • For Linux

    1. Open the Samba configuration file: vi /etc/samba/smb.conf
    2. Add to the [global] section of the configuration file:
      [global]
      # Maximum number of simultaneous connections to this share.
      # Default is 0, meaning no limit on the number of simultaneous connections.
          max connections = 32
    3. Save the change, then run sudo service smbd restart.

Q: What to do when encountering SOCKET FAILED WITH ECONNREFUSED(111)

ECONNREFUSED(111) indicates that the client is connecting to the wrong IP/port, or is being blocked by a firewall/router.

  • For Windows

    1. Open the Search box of your Windows 10/11 computer
    2. Type Windows Defender Firewall with Advanced Security in the Search box
    3. Set Firewall state and Inbound connections for all profiles to the recommended or default value
  • For Linux

    1. Open the Samba configuration file: vi /etc/samba/smb.conf
    2. Add to the [global] section of the configuration file:
      [global]
          smb ports = 445, 139
    3. Save the change, then run sudo service smbd restart.