SAMBA, CIFS, message signing, confusionMount Remote CIFS/SMB Share as a Folder not a Drive LetterCan't create or follow symlinks from linux client with a cifs mounted Windows Server 2008 R2 shareFTP from mounted CIFS - Download never ends (continues after 100%)Linux samba server: cifs_mount failed w/return code = -12Mounting encrypted Samba share (linux server/client)cifs shared mount on linux doesn't read folderSamba/CIFS Ubuntu 14.04 mount error(112)mount.cifs: mount error(112): Host is downCentOS 7 Using samba to connect to a windows share at bootAccess Windows 10 Samba Share from Linux commandline with minimal SMB2
What shortcut does ⌦ symbol in Camunda macOS app indicate and how to invoke it?
In native German words, is Q always followed by U, as in English?
Wilcoxon signed rank test – critical value for n>50
How to determine what is the correct level of detail when modelling?
Does anycast addressing add additional latency in any way?
How do I spend money in Sweden and Denmark?
If protons are the only stable baryons, why do they decay into neutrons in positron emission?
Was touching your nose a greeting in second millenium Mesopotamia?
Anagram Within an Anagram!
Generate and graph the Recamán Sequence
does a number that contains all primes less than it exist?
Professor Roman gives unusual math quiz ahead of
Do sudoku answers always have a single minimal clue set?
MH370 blackbox - is it still possible to retrieve data from it?
How to modify the uneven space between separate loop cuts, while they are already cut?
Why does this function call behave sensibly after calling it through a typecasted function pointer?
Why is Madam Hooch not a professor?
How can I create ribbons like these in Microsoft word 2010?
How was film developed in the late 1920s?
What is the olden name for sideburns?
What does 2>&1 | tee mean?
Could Sauron have read Tom Bombadil's mind if Tom had held the Palantir?
Zombie diet, why humans?
Procedurally generate regions on island
SAMBA, CIFS, message signing, confusion
Mount Remote CIFS/SMB Share as a Folder not a Drive LetterCan't create or follow symlinks from linux client with a cifs mounted Windows Server 2008 R2 shareFTP from mounted CIFS - Download never ends (continues after 100%)Linux samba server: cifs_mount failed w/return code = -12Mounting encrypted Samba share (linux server/client)cifs shared mount on linux doesn't read folderSamba/CIFS Ubuntu 14.04 mount error(112)mount.cifs: mount error(112): Host is downCentOS 7 Using samba to connect to a windows share at bootAccess Windows 10 Samba Share from Linux commandline with minimal SMB2
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I've been going down a rabbit hole with SAMBA and CIFS.
We have a server that was pentested, and we were pulled up for "SMB server signing not enforced"
Fine, I thought, I'll just turn server signing on. Then I came up against the different dialects of SMB, and their relationship to CIFS, and why you should never use CIFS.
https://blog.varonis.com/the-difference-between-cifs-and-smb/
http://blog.fosketts.net/2012/02/16/cifs-smb/
But, in my configuration, (SMB server is RHEL 6.7 with samba-3.6.23-30, SMB client is RHEL6.7 with cifs-utils-4.8.1-20), the client uses mount.cifs to mount the share in fstab.
What gives? This seems to be the way to mount a samba share on RHEL, but CIFS is supposed to be a dirty word! mount.smbfs is buggy and deprecated.
Also, how do I know which dialect my samba server is speaking? Apparently samba since 3.6 supports SMB2, but how do I enable it (I've tried max protocol = SMB2 in the [global] section of smb.conf), and make sure it's actually doing it?
How do I enable message signing, and crucially, check that it is actually doing it?
The pentester used nmap to discover message signing was disabled, but I don't have that available. Any way with standard linux tools?
samba server-message-block cifs
add a comment |
I've been going down a rabbit hole with SAMBA and CIFS.
We have a server that was pentested, and we were pulled up for "SMB server signing not enforced"
Fine, I thought, I'll just turn server signing on. Then I came up against the different dialects of SMB, and their relationship to CIFS, and why you should never use CIFS.
https://blog.varonis.com/the-difference-between-cifs-and-smb/
http://blog.fosketts.net/2012/02/16/cifs-smb/
But, in my configuration, (SMB server is RHEL 6.7 with samba-3.6.23-30, SMB client is RHEL6.7 with cifs-utils-4.8.1-20), the client uses mount.cifs to mount the share in fstab.
What gives? This seems to be the way to mount a samba share on RHEL, but CIFS is supposed to be a dirty word! mount.smbfs is buggy and deprecated.
Also, how do I know which dialect my samba server is speaking? Apparently samba since 3.6 supports SMB2, but how do I enable it (I've tried max protocol = SMB2 in the [global] section of smb.conf), and make sure it's actually doing it?
How do I enable message signing, and crucially, check that it is actually doing it?
The pentester used nmap to discover message signing was disabled, but I don't have that available. Any way with standard linux tools?
samba server-message-block cifs
you can easily just install nmap, its free.
– mzhaase
Sep 16 '16 at 10:50
I know, but I am working in a very locked down environment where installing anything requires multiple hoops to be jumped through, totalling weeks of time usually
– gtmcclinton
Sep 16 '16 at 11:01
Do you have tcpdump?
– mzhaase
Sep 16 '16 at 11:02
Yes, I have tcpdump. I have discovered that RHEL6 will do SMB2 as a server, but the cifs kernel module does not support SMB2, RHEL7 is needed for mounting SMB2 shares. Would have liked SMB2, but now all I can do is enable signatures. How can I prove they are enabled using tcpdump?
– gtmcclinton
Sep 16 '16 at 13:40
add a comment |
I've been going down a rabbit hole with SAMBA and CIFS.
We have a server that was pentested, and we were pulled up for "SMB server signing not enforced"
Fine, I thought, I'll just turn server signing on. Then I came up against the different dialects of SMB, and their relationship to CIFS, and why you should never use CIFS.
https://blog.varonis.com/the-difference-between-cifs-and-smb/
http://blog.fosketts.net/2012/02/16/cifs-smb/
But, in my configuration, (SMB server is RHEL 6.7 with samba-3.6.23-30, SMB client is RHEL6.7 with cifs-utils-4.8.1-20), the client uses mount.cifs to mount the share in fstab.
What gives? This seems to be the way to mount a samba share on RHEL, but CIFS is supposed to be a dirty word! mount.smbfs is buggy and deprecated.
Also, how do I know which dialect my samba server is speaking? Apparently samba since 3.6 supports SMB2, but how do I enable it (I've tried max protocol = SMB2 in the [global] section of smb.conf), and make sure it's actually doing it?
How do I enable message signing, and crucially, check that it is actually doing it?
The pentester used nmap to discover message signing was disabled, but I don't have that available. Any way with standard linux tools?
samba server-message-block cifs
I've been going down a rabbit hole with SAMBA and CIFS.
We have a server that was pentested, and we were pulled up for "SMB server signing not enforced"
Fine, I thought, I'll just turn server signing on. Then I came up against the different dialects of SMB, and their relationship to CIFS, and why you should never use CIFS.
https://blog.varonis.com/the-difference-between-cifs-and-smb/
http://blog.fosketts.net/2012/02/16/cifs-smb/
But, in my configuration, (SMB server is RHEL 6.7 with samba-3.6.23-30, SMB client is RHEL6.7 with cifs-utils-4.8.1-20), the client uses mount.cifs to mount the share in fstab.
What gives? This seems to be the way to mount a samba share on RHEL, but CIFS is supposed to be a dirty word! mount.smbfs is buggy and deprecated.
Also, how do I know which dialect my samba server is speaking? Apparently samba since 3.6 supports SMB2, but how do I enable it (I've tried max protocol = SMB2 in the [global] section of smb.conf), and make sure it's actually doing it?
How do I enable message signing, and crucially, check that it is actually doing it?
The pentester used nmap to discover message signing was disabled, but I don't have that available. Any way with standard linux tools?
samba server-message-block cifs
samba server-message-block cifs
asked Sep 16 '16 at 9:23
gtmcclintongtmcclinton
311 silver badge5 bronze badges
311 silver badge5 bronze badges
you can easily just install nmap, its free.
– mzhaase
Sep 16 '16 at 10:50
I know, but I am working in a very locked down environment where installing anything requires multiple hoops to be jumped through, totalling weeks of time usually
– gtmcclinton
Sep 16 '16 at 11:01
Do you have tcpdump?
– mzhaase
Sep 16 '16 at 11:02
Yes, I have tcpdump. I have discovered that RHEL6 will do SMB2 as a server, but the cifs kernel module does not support SMB2, RHEL7 is needed for mounting SMB2 shares. Would have liked SMB2, but now all I can do is enable signatures. How can I prove they are enabled using tcpdump?
– gtmcclinton
Sep 16 '16 at 13:40
add a comment |
you can easily just install nmap, its free.
– mzhaase
Sep 16 '16 at 10:50
I know, but I am working in a very locked down environment where installing anything requires multiple hoops to be jumped through, totalling weeks of time usually
– gtmcclinton
Sep 16 '16 at 11:01
Do you have tcpdump?
– mzhaase
Sep 16 '16 at 11:02
Yes, I have tcpdump. I have discovered that RHEL6 will do SMB2 as a server, but the cifs kernel module does not support SMB2, RHEL7 is needed for mounting SMB2 shares. Would have liked SMB2, but now all I can do is enable signatures. How can I prove they are enabled using tcpdump?
– gtmcclinton
Sep 16 '16 at 13:40
you can easily just install nmap, its free.
– mzhaase
Sep 16 '16 at 10:50
you can easily just install nmap, its free.
– mzhaase
Sep 16 '16 at 10:50
I know, but I am working in a very locked down environment where installing anything requires multiple hoops to be jumped through, totalling weeks of time usually
– gtmcclinton
Sep 16 '16 at 11:01
I know, but I am working in a very locked down environment where installing anything requires multiple hoops to be jumped through, totalling weeks of time usually
– gtmcclinton
Sep 16 '16 at 11:01
Do you have tcpdump?
– mzhaase
Sep 16 '16 at 11:02
Do you have tcpdump?
– mzhaase
Sep 16 '16 at 11:02
Yes, I have tcpdump. I have discovered that RHEL6 will do SMB2 as a server, but the cifs kernel module does not support SMB2, RHEL7 is needed for mounting SMB2 shares. Would have liked SMB2, but now all I can do is enable signatures. How can I prove they are enabled using tcpdump?
– gtmcclinton
Sep 16 '16 at 13:40
Yes, I have tcpdump. I have discovered that RHEL6 will do SMB2 as a server, but the cifs kernel module does not support SMB2, RHEL7 is needed for mounting SMB2 shares. Would have liked SMB2, but now all I can do is enable signatures. How can I prove they are enabled using tcpdump?
– gtmcclinton
Sep 16 '16 at 13:40
add a comment |
1 Answer
1
active
oldest
votes
As per the mount.cifs manpage:
The CIFS protocol is the successor to the SMB protocol and is
supported by most Windows servers and many other commercial servers
and Network Attached Storage appliances as well as by the popular Open
Source server Samba.
Further in this manpage, the CIFS/SMB2 protocol is mentioned repeatedly. Obviously, in ordinary Linux and Samba parlance, CIFS equals SMB2.
However the CIFS kernel documentation is more precise:
The Linux cifs kernel client has been included in the kernel since
2.5.42. The cifs protocol (and related earlier SMB dialects) is the default ("vers=1.0") but support for newer dialects (SMB2.02, SMB2.1
and SMB3 and SMB3.02) can be selected by specifying "vers=2.0" or
"vers=2.1" or "vers=3.0" or "vers=3.02" on mount.
So the answer is clear: you should use mount.cifs anyway. Your kernel ability to use SMB protocols higher than 2.0 should be tested, though (RedHat kernels are very heavily patched and bear little resemblance with vanilla kernels with the same version number).
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f803477%2fsamba-cifs-message-signing-confusion%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
As per the mount.cifs manpage:
The CIFS protocol is the successor to the SMB protocol and is
supported by most Windows servers and many other commercial servers
and Network Attached Storage appliances as well as by the popular Open
Source server Samba.
Further in this manpage, the CIFS/SMB2 protocol is mentioned repeatedly. Obviously, in ordinary Linux and Samba parlance, CIFS equals SMB2.
However the CIFS kernel documentation is more precise:
The Linux cifs kernel client has been included in the kernel since
2.5.42. The cifs protocol (and related earlier SMB dialects) is the default ("vers=1.0") but support for newer dialects (SMB2.02, SMB2.1
and SMB3 and SMB3.02) can be selected by specifying "vers=2.0" or
"vers=2.1" or "vers=3.0" or "vers=3.02" on mount.
So the answer is clear: you should use mount.cifs anyway. Your kernel ability to use SMB protocols higher than 2.0 should be tested, though (RedHat kernels are very heavily patched and bear little resemblance with vanilla kernels with the same version number).
add a comment |
As per the mount.cifs manpage:
The CIFS protocol is the successor to the SMB protocol and is
supported by most Windows servers and many other commercial servers
and Network Attached Storage appliances as well as by the popular Open
Source server Samba.
Further in this manpage, the CIFS/SMB2 protocol is mentioned repeatedly. Obviously, in ordinary Linux and Samba parlance, CIFS equals SMB2.
However the CIFS kernel documentation is more precise:
The Linux cifs kernel client has been included in the kernel since
2.5.42. The cifs protocol (and related earlier SMB dialects) is the default ("vers=1.0") but support for newer dialects (SMB2.02, SMB2.1
and SMB3 and SMB3.02) can be selected by specifying "vers=2.0" or
"vers=2.1" or "vers=3.0" or "vers=3.02" on mount.
So the answer is clear: you should use mount.cifs anyway. Your kernel ability to use SMB protocols higher than 2.0 should be tested, though (RedHat kernels are very heavily patched and bear little resemblance with vanilla kernels with the same version number).
add a comment |
As per the mount.cifs manpage:
The CIFS protocol is the successor to the SMB protocol and is
supported by most Windows servers and many other commercial servers
and Network Attached Storage appliances as well as by the popular Open
Source server Samba.
Further in this manpage, the CIFS/SMB2 protocol is mentioned repeatedly. Obviously, in ordinary Linux and Samba parlance, CIFS equals SMB2.
However the CIFS kernel documentation is more precise:
The Linux cifs kernel client has been included in the kernel since
2.5.42. The cifs protocol (and related earlier SMB dialects) is the default ("vers=1.0") but support for newer dialects (SMB2.02, SMB2.1
and SMB3 and SMB3.02) can be selected by specifying "vers=2.0" or
"vers=2.1" or "vers=3.0" or "vers=3.02" on mount.
So the answer is clear: you should use mount.cifs anyway. Your kernel ability to use SMB protocols higher than 2.0 should be tested, though (RedHat kernels are very heavily patched and bear little resemblance with vanilla kernels with the same version number).
As per the mount.cifs manpage:
The CIFS protocol is the successor to the SMB protocol and is
supported by most Windows servers and many other commercial servers
and Network Attached Storage appliances as well as by the popular Open
Source server Samba.
Further in this manpage, the CIFS/SMB2 protocol is mentioned repeatedly. Obviously, in ordinary Linux and Samba parlance, CIFS equals SMB2.
However the CIFS kernel documentation is more precise:
The Linux cifs kernel client has been included in the kernel since
2.5.42. The cifs protocol (and related earlier SMB dialects) is the default ("vers=1.0") but support for newer dialects (SMB2.02, SMB2.1
and SMB3 and SMB3.02) can be selected by specifying "vers=2.0" or
"vers=2.1" or "vers=3.0" or "vers=3.02" on mount.
So the answer is clear: you should use mount.cifs anyway. Your kernel ability to use SMB protocols higher than 2.0 should be tested, though (RedHat kernels are very heavily patched and bear little resemblance with vanilla kernels with the same version number).
edited Jun 10 at 4:43
Pang
1751 silver badge7 bronze badges
1751 silver badge7 bronze badges
answered Aug 29 '17 at 11:25
wazooxwazoox
4,9894 gold badges24 silver badges49 bronze badges
4,9894 gold badges24 silver badges49 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f803477%2fsamba-cifs-message-signing-confusion%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
you can easily just install nmap, its free.
– mzhaase
Sep 16 '16 at 10:50
I know, but I am working in a very locked down environment where installing anything requires multiple hoops to be jumped through, totalling weeks of time usually
– gtmcclinton
Sep 16 '16 at 11:01
Do you have tcpdump?
– mzhaase
Sep 16 '16 at 11:02
Yes, I have tcpdump. I have discovered that RHEL6 will do SMB2 as a server, but the cifs kernel module does not support SMB2, RHEL7 is needed for mounting SMB2 shares. Would have liked SMB2, but now all I can do is enable signatures. How can I prove they are enabled using tcpdump?
– gtmcclinton
Sep 16 '16 at 13:40