AgNO3 / jcifs-ng

A cleaned-up and improved version of the jCIFS library
GNU Lesser General Public License v2.1

recommend universal configuration granting maximum interoperability #259

Open courville opened 3 years ago

courville commented 3 years ago

It has been (and still is) a real quest to find the correct configuration options of jcifs-ng to grant interoperability with the multitude of devices out there (old Linux routers; Linux PCs; Windows XP, 7, 10; macOS; NAS: Synology, QNAP, WD; etc.). I would like to propose to track in this issue the recommended best options to initialize jcifs-ng and get feedback, so that other users of the library would benefit from my stumbling around, which unfortunately might not be over yet...

What I have done so far when dealing with a server is to probe it using a strict SMB2-only CIFSContext, reverting to a strict SMB1-only CIFSContext if it fails. Each server is then tagged with the previous finding to avoid rediscovery, and the corresponding CIFSContext is used afterwards when dealing with this server.

The two CIFSContexts are configured this way (obviously isSmb2 = true indicates the SMB2 only CIFSContext, and isSmb2 = false the SMB1 only CIFSContext):

if (isSmb2) {
    prop.put("jcifs.smb.client.disableSMB1", "true");
    prop.put("jcifs.smb.client.enableSMB2", "true");
    // note that connectivity with smbV1 will not be working
    prop.put("jcifs.smb.client.useSMB2Negotiation", "true");
    // disable dfs makes win10 shares with ms account work
    prop.put("jcifs.smb.client.dfs.disabled", "true");
} else {
    prop.put("jcifs.smb.client.disableSMB1", "false");
    prop.put("jcifs.smb.client.enableSMB2", "false");
    prop.put("jcifs.smb.client.useSMB2Negotiation", "false");
    // see https://github.com/AgNO3/jcifs-ng/issues/226
    prop.put("jcifs.smb.useRawNTLM", "true");
}

// get around https://github.com/AgNO3/jcifs-ng/issues/40 and this is required for guest login on win10 smb2
prop.put("jcifs.smb.client.ipcSigningEnforced", "false");
// allow plaintext password fallback
prop.put("jcifs.smb.client.disablePlainTextPasswords", "false");

All the above options might not be the best ones and some might be obsolete (used to deal with old behaviors of the code that are not required anymore). Please do not hesitate to review, comment on, and correct the above settings so that the ultimate configuration is revealed.
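The probe-then-tag procedure described in the comment above, as an added example that is not part of the thread or of jcifs-ng: a hypothetical `SmbDialectProbe` class tries the SMB2-only profile first, falls back to the SMB1-only profile, and remembers the result per host. As a choice of this example, an authentication failure is rethrown instead of triggering the fallback, so rejected credentials are not retried under the SMB1 profile, which the page configures to allow plaintext password fallback. Assumptions: the probe is an `exists()` call on a share URL (the thread does not say how it probes), and `nas.example` is a placeholder host.

```java
import java.io.IOException;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import jcifs.CIFSContext;
import jcifs.config.PropertyConfiguration;
import jcifs.context.BaseContext;
import jcifs.smb.NtlmPasswordAuthenticator;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbFile;

public class SmbDialectProbe { // hypothetical helper, not part of jcifs-ng
    private final CIFSContext smb2Only = base(true), smb1Only = base(false);
    private final ConcurrentHashMap<String, Boolean> tag = new ConcurrentHashMap<>(); // host -> SMB2-only worked
    public SmbDialectProbe() throws IOException {} // base() can throw CIFSException

    private static CIFSContext base(boolean isSmb2) throws IOException {
        Properties prop = new Properties(); // the two profiles from the comment above
        prop.put("jcifs.smb.client.disableSMB1", String.valueOf(isSmb2));
        prop.put("jcifs.smb.client.enableSMB2", String.valueOf(isSmb2));
        prop.put("jcifs.smb.client.useSMB2Negotiation", String.valueOf(isSmb2));
        prop.put(isSmb2 ? "jcifs.smb.client.dfs.disabled" : "jcifs.smb.useRawNTLM", "true");
        prop.put("jcifs.smb.client.ipcSigningEnforced", "false");
        prop.put("jcifs.smb.client.disablePlainTextPasswords", "false");
        return new BaseContext(new PropertyConfiguration(prop));
    }

    private static void probe(String shareUrl, CIFSContext ctx) throws IOException {
        try (SmbFile share = new SmbFile(shareUrl, ctx)) {
            // Assumption: exists() on a share path has to connect and log in.
            if (!share.exists()) throw new IOException("not reachable: " + shareUrl);
        }
    }

    /** shareUrl is a share on host, e.g. smb://nas.example/share/ (placeholder). */
    public CIFSContext contextFor(String host, String shareUrl, NtlmPasswordAuthenticator creds)
            throws IOException {
        Boolean smb2 = tag.get(host);
        if (smb2 == null) {
            try {
                probe(shareUrl, smb2Only.withCredentials(creds));
                smb2 = true;
            } catch (IOException e) {
                if (e instanceof SmbAuthException) throw e; // bad credentials: no retry under SMB1
                probe(shareUrl, smb1Only.withCredentials(creds)); // throws if SMB1 fails too
                smb2 = false;
            }
            tag.put(host, smb2);
        }
        return (smb2 ? smb2Only : smb1Only).withCredentials(creds);
    }
}
```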

courville commented 3 years ago

Note that with these options, users cannot connect to Western Digital NAS MyCloud MyBook devices, cf. https://www.reddit.com/r/NovaVideoPlayer/comments/k793s6/not_reading_smb_on_firestick/ (without really exploitable data). However, changing the jcifs resolveOrder to jcifs.resolveOrder="BCAST,DNS" makes WD NAS devices able to connect again but breaks others, cf. https://github.com/AgNO3/jcifs-ng/issues/258

EDIT: this issue has been resolved, cf. https://github.com/AgNO3/jcifs-ng/issues/258

courville commented 3 years ago

Trying now to revert to one universal configuration without probing server capabilities:

prop.put("jcifs.smb.client.enableSMB2", String.valueOf(isSmb2));
// must remain false to be able to talk to smbV1 only
prop.put("jcifs.smb.client.useSMB2Negotiation", "false");
prop.put("jcifs.smb.client.disableSMB1", "false");

// get around https://github.com/AgNO3/jcifs-ng/issues/40 and this is required for guest login on win10 smb2
prop.put("jcifs.smb.client.ipcSigningEnforced", "false");
// allow plaintext password fallback
prop.put("jcifs.smb.client.disablePlainTextPasswords", "false");
// disable dfs makes win10 shares with ms account work
prop.put("jcifs.smb.client.dfs.disabled", "true");

// needed for Huawei router https://github.com/AgNO3/jcifs-ng/issues/225 using SMB1 see also https://github.com/AgNO3/jcifs-ng/issues/226, not clear it does not interfere with SMB2 only servers
prop.put("jcifs.smb.useRawNTLM", "true");