Years late to the SMB1-killing party, Samba finally dumps the unsafe file-sharing protocol version by default

Samba says its next release will switch off previously on-by-default support for the aging and easily subverted SMB1 protocol. It can be reenabled for those truly desperate to use the godforsaken deprecated protocol version.

The open-source SMB toolkit's developers say the Samba 4.11 build, currently in preview, will by default set SMB2_02 as the earliest supported version of the Windows file-sharing protocol.

"This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default)," the 4.11 release notes read.

"It also means client tools like smbclient and others, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default)."

Admins will still have the option to allow SMB1 on their servers if they so choose, but support will be turned off by default.

The move by Samba to drop SMB1 can be seen as long overdue, given that Microsoft has been moving to get rid of the file-server protocol version from its operating systems for several years now, even before it was revealed to be one of the NSA's favorite weak points to exploit.

Since the Windows 10 1709 build back in 2017, both the desktop and server versions of Windows dropped support for SMB1, and as far back as 2016 Microsoft was urging admins to drop the protocol version altogether.

"The original SMB1 protocol is nearly 30 years old , and like much of the software made in the 80’s, it was designed for a world that no longer exists," Microsoft's Ned Pyle said at the time.

"A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes."

While the Samba team notes Microsoft's efforts to kill off SMB1, including the loss of support in Windows, the developers also note that there may still be limited cases where the protocol version is necessary, and admins who still need SMB1 are encouraged to send in their feedback.

"It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2, and LANMAN1 for client and server, as well as CORE and COREPLUS on the client," the notes point out.

"Note that most command-line tools e.g. smbclient, smbcacls and others also support the --option argument to overwrite smb.conf options,e.g. --option='client min protocol=NT1' might be useful." ®