Discussion:
Removal or updating of "mount_smbfs" from FreeBSD operating system
Gerard Seibert
2018-11-26 17:19:26 UTC
TO WHOM IT MAY CONCERN

The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.

The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.

I would like to suggest that FreeBSD do one of the following:

1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.

2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.

Thank you for taking the time to read this suggestion.
--
Gerard E. Seibert
Miroslav Lachman
2018-11-26 17:57:32 UTC
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
Thank you for taking the time to read this suggestion.
Is there any working (production ready) alternative in ports tree?
We are in a heterogeneous environment and some of our servers have more
than 10 SMB shares mounted by mount_smbfs.

Kind regards
Miroslav Lachman
Baptiste Daroussin
2018-11-26 18:10:46 UTC
Post by Miroslav Lachman
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
Thank you for taking the time to read this suggestion.
Is there any working (production ready) alternative in ports tree?
We are in a heterogeneous environment and some of our servers have more than 10
SMB shares mounted by mount_smbfs.
There are some FUSE-based alternatives, yes: fusefs-smbnetfs

Best regards,
Bapt
Yuri Pankov
2018-11-26 18:09:57 UTC
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
I don't think this is reasonable, more so in a hurry, as this is a
client, and doesn't impose any security issues.
Post by Gerard Seibert
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
There's an entry in https://wiki.freebsd.org/DevSummit/201810:

----------------------------------------------------------------------
updated mount SMBFS smbv3 support (iXsystems)
----------------------------------------------------------------------

I wonder if we could get a bit more information on this -- is this just
a plan, or is it being actively worked on/ready for integration?
Kris Moore
2018-11-26 18:58:12 UTC
Post by Yuri Pankov
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
I don't think this is reasonable, more so in a hurry, as this is a
client, and doesn't impose any security issues.
Post by Gerard Seibert
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
----------------------------------------------------------------------
updated mount SMBFS smbv3 support (iXsystems)
----------------------------------------------------------------------
I wonder if we could get a bit more information on this -- is this just
a plan, or is it being actively worked on/ready for integration?
We were discussing it at the time, but as of now it's not actively being
worked on from the iX side.
--
Kris Moore
Vice President of Engineering
iXsystems, Inc
Ph: (408) 943-4100
Ph: (408) 943-4101
Edward Napierala
2018-11-27 15:58:36 UTC
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
FWIW, I believe SMBv3 is just a set of (largely optional) extensions to SMBv2,
not an entirely different protocol, like SMBv1 is. Which means, any version
that supports v3 is likely to also handle v2.

There seems to be existing, working code in Nexenta, which is being
upstreamed to Illumos:

https://www.illumos.org/issues/9735
https://github.com/illumos/illumos-gate/pull/37

Their implementation descends from the one we have in base (and the one
from OSX, which also descends from FreeBSD), so it should be possible to
merge it.
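
Added example, not part of the original thread or of any project mentioned in it: the point above, that SMBv2 and SMBv3 are one protocol family while SMBv1 is a different one, is visible on the wire, where SMB2 and SMB3 share the same 64-byte header and differ only in the dialect revision of the NEGOTIATE response. The sketch below classifies a captured NEGOTIATE response for an audit of which servers still answer with SMB1; field offsets follow MS-SMB2, the function names are hypothetical, and the sample frames are constructed.

```python
import struct

# DialectRevision values carried in an SMB2 NEGOTIATE response (MS-SMB2).
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
HEADER_FMT = "<4sHHIHHI"      # ProtocolId .. Flags, first 20 header bytes
SMB2_HEADER_LEN = 64
FLAG_RESPONSE = 0x00000001    # SMB2_FLAGS_SERVER_TO_REDIR
SIGNING_REQUIRED = 0x0002     # SecurityMode bit


def classify_negotiate_response(frame: bytes) -> dict:
    """Classify one SMB message (4-byte transport length prefix removed)."""
    if frame[:4] == SMB1_MAGIC:
        # SMB1 uses a different header layout; none of the SMB2 fields apply.
        return {"family": "SMB1", "dialect": None, "signing_required": None}
    if frame[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB message")
    if len(frame) < SMB2_HEADER_LEN + 6:
        raise ValueError("truncated SMB2 message")
    _magic, hdr_len, _charge, _status, command, _credits, flags = \
        struct.unpack_from(HEADER_FMT, frame, 0)
    if hdr_len != SMB2_HEADER_LEN or command != 0 or not flags & FLAG_RESPONSE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    # Response body starts with StructureSize, SecurityMode, DialectRevision.
    _size, security_mode, revision = struct.unpack_from(
        "<HHH", frame, SMB2_HEADER_LEN)
    return {"family": "SMB2/3",
            "dialect": DIALECTS.get(revision, f"unknown 0x{revision:04x}"),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}


def build_sample_response(revision: int, security_mode: int) -> bytes:
    """Constructed sample: only the fields read above are set, rest is zero."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0, 0, 1,
                         FLAG_RESPONSE).ljust(SMB2_HEADER_LEN, b"\x00")
    return header + struct.pack("<HHH", 65, security_mode, revision) + bytes(59)


if __name__ == "__main__":
    samples = {"smb1-only server": SMB1_MAGIC + bytes(28),
               "smb2.1 server": build_sample_response(0x0210, 0x0001),
               "smb3.1.1 server": build_sample_response(0x0311, 0x0003)}
    for name, frame in samples.items():
        print(name, classify_negotiate_response(frame))
```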
Yuri Pankov
2018-11-27 16:55:54 UTC
Post by Edward Napierala
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
FWIW, I believe SMBv3 is just a set of (largely optional) extensions to SMBv2,
not an entirely different protocol, like SMBv1 is. Which means, any version
that supports v3 is likely to also handle v2.
There seems to be existing, working code in Nexenta, which is being
https://www.illumos.org/issues/9735
https://github.com/illumos/illumos-gate/pull/37
Their implementation descends from the one we have in base (and the one
from OSX, which also descends from FreeBSD), so it should be possible to
merge it.
Yes, we have it working and tested pretty well. And that's exactly the
reason I was asking if there's work in progress for smb2/3 client or not
before even starting looking into porting the code.

The problem here is that the code has grown library dependencies which
are CDDL-licensed, which aren't easy to break (if at all), so if ported,
it will be covered by WITHOUT_CDDL; hopefully that's acceptable. It's
possible that Nexenta-authored code could be relicensed under BSDL (I'll
have to ask, we already have a precedent with localedef), but sadly that
doesn't cover everything.
Brooks Davis
2018-11-27 17:14:59 UTC
Post by Yuri Pankov
Post by Edward Napierala
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by Microsoft in
2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have deprecated the use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.
2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.
FWIW, I believe SMBv3 is just a set of (largely optional) extensions to SMBv2,
not an entirely different protocol, like SMBv1 is. Which means, any version
that supports v3 is likely to also handle v2.
There seems to be existing, working code in Nexenta, which is being
https://www.illumos.org/issues/9735
https://github.com/illumos/illumos-gate/pull/37
Their implementation descends from the one we have in base (and the one
from OSX, which also descends from FreeBSD), so it should be possible to
merge it.
Yes, we have it working and tested pretty well. And that's exactly the
reason I was asking if there's work in progress for smb2/3 client or not
before even starting looking into porting the code.
The problem here is that the code has grown library dependencies which
are CDDL-licensed, which aren't easy to break (if at all), so if ported,
it will be covered by WITHOUT_CDDL; hopefully that's acceptable. It's
possible that Nexenta-authored code could be relicensed under BSDL (I'll
have to ask, we already have a precedent with localedef), but sadly that
doesn't cover everything.
I think making this CDDL is fine. Certainly better than failing to
support SMBv2/v3.

-- Brooks
Gerard Seibert
2018-11-27 19:14:52 UTC
Post by Brooks Davis
Post by Yuri Pankov
Post by Edward Napierala
Post by Gerard Seibert
TO WHOM IT MAY CONCERN
The “SMBv1” protocol is a security hazard and was deprecated by
Microsoft in 2014. There is virtually no use for it anymore.
The “mount_smbfs” utility in FreeBSD only uses that protocol, which
results in making it useless with newer versions of Microsoft’s
operating systems, as well as other OS’s that have deprecated the
use of SMBv1.
1) Remove “mount_smbfs” from FreeBSD. This would probably be in
versions 12.1 or 13. It is perhaps too late to get into FreeBSD 12.
2) Update “mount_smbfs” so that it is compatible with versions
SMBv3 and greater. While "SMBv2" is not dead, it is definitely
comatose. This would be a better idea if someone had the time to do
it.
FWIW, I believe SMBv3 is just a set of (largely optional) extensions to
SMBv2, not an entirely different protocol, like SMBv1 is. Which means,
any version that supports v3 is likely to also handle v2.
There seems to be existing, working code in Nexenta, which is being
https://www.illumos.org/issues/9735
https://github.com/illumos/illumos-gate/pull/37
Their implementation descends from the one we have in base (and the one
from OSX, which also descends from FreeBSD), so it should be possible to
merge it.
Yes, we have it working and tested pretty well. And that's exactly the
reason I was asking if there's work in progress for smb2/3 client or not
before even starting looking into porting the code.
The problem here is that the code has grown library dependencies which
are CDDL-licensed, which aren't easy to break (if at all), so if ported,
it will be covered by WITHOUT_CDDL; hopefully that's acceptable. It's
possible that Nexenta-authored code could be relicensed under BSDL (I'll
have to ask, we already have a precedent with localedef), but sadly that
doesn't cover everything.
I think making this CDDL is fine. Certainly better than failing to
support SMBv2/v3.
-- Brooks
SEE: https://en.wikipedia.org/wiki/Server_Message_Block#SMB_3.1.1

Particularly the section dealing with SMBv3.11. That is now the default in
Win 10. It makes no sense to not support the latest version available. In
fact, it would be counter-productive.

SMB 3.1.1 was introduced with Windows 10 and Windows Server 2016. This
version supports AES 128 GCM encryption in addition to AES 128 CCM encryption
added in SMB3, and implements pre-authentication integrity check using
SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when
connecting to clients using SMB 2.x and higher.
--
Gerard
Andrey V. Elsukov
2018-12-03 08:58:31 UTC
Post by Yuri Pankov
Post by Edward Napierala
There seems to be existing, working code in Nexenta, which is being
https://www.illumos.org/issues/9735
https://github.com/illumos/illumos-gate/pull/37
Their implementation descends from the one we have in base (and the one
from OSX, which also descends from FreeBSD), so it should be possible to
merge it.
Yes, we have it working and tested pretty well. And that's exactly the
reason I was asking if there's work in progress for smb2/3 client or not
before even starting looking into porting the code.
The problem here is that the code has grown library dependencies which
are CDDL-licensed, which aren't easy to break (if at all), so if ported,
it will be covered by WITHOUT_CDDL; hopefully that's acceptable. It's
possible that Nexenta-authored code could be relicensed under BSDL (I'll
have to ask, we already have a precedent with localedef), but sadly that
doesn't cover everything.
Apple's implementation looks like it is based on the same source as
ours. It looks like it is dual licensed APSL/BSDL, but the size of the SMB/CIFS
code has significantly increased and porting doesn't look like an easy
task. But probably some code can be used...

https://opensource.apple.com/tarballs/smb/
--
WBR, Andrey V. Elsukov