nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

Allow a SMB configuration to avoid SMB1 connections #243

Open jnagler opened 5 months ago

jnagler commented 5 months ago

Is your feature request related to a problem? Please describe.
The issue/problem and its analysis were the following: I am authenticating against a Samba server (run by Synology DSM) via SMB which I had updated (from 6.2 to 7.2) and for which I have now switched off SMB1. On this server I have a log notification running that reports more than a certain number of SMB actions per second, to detect brute-force login attempts or excessive file changes (e.g. by ransomware). This notification was now bothering me about many unsuccessful SMB1 requests and I wanted to get rid of them. The reason for the SMB1 connects is this app using smbclient -L, and I mimicked the command to see what's happening:

# smbclient -L //127.0.0.1/dummy -U jni    # (entered the password on the console)
...
        Sharename       Type      Comment
        ---------       ----      -------
        home       Disk
        ...
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
cli_cm_open returned NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Further on I found on https://wiki.ubuntuusers.de/Samba_Client_smbclient/ that since Samba 4.7.0 / Bionic Beaver smbclient tries to make the connection with SMB3 and the shares are shown (successful command execution), but if the server does not support SMB1 the workgroup browsing is no longer possible. I searched for a way to stop smbclient from doing the SMB1 reconnect. Unfortunately there does not seem to be another way than using -L to check the login without establishing an interactive client connection, and there is no parameter to tell the server listing to skip the workgroup listing.

Describe the solution you'd like
But I found that one can pass --option='client min protocol=SMB2' to smbclient, and this then results in no SMB1 reconnect attempt and an "SMB1 disabled -- no workgroup available" output with exit code 0. If this could somehow be added to SMB.php as an option that would be great. For now I will keep it as a local patch.

Describe alternatives you've considered
The client min protocol option could also be set up in the Samba server configuration, but on the one hand on a Synology DSM it's not so easy to make this permanent and it may be overruled by an update. On the other hand, others may still rely on smbclient reconnecting with SMB1. If anybody knows a different method instead of smbclient -L to check the credentials, that would also be a good change, as actually asking for the /dummy share and getting the full list of shares of the server is not needed at all.

Additional context
See my current, hard-coded change: nextcloud-user_external-no-SMB1-reconnect.patch. This may become an option, e.g. a 2nd parameter in the config which overrules the const SMBCLIENT.
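The following is an added example, not code from the user_external app or from the issue author. It shows the credential check described above as a small POSIX shell wrapper: smbclient -L is invoked with `--option='client min protocol=SMB2'` so the SMB1 reconnect is never attempted, and the password is handed to smbclient through the PASSWD environment variable (which smbclient honours) rather than on the command line, where `ps` would expose it. The two sample outputs embedded in the block are constructed from the messages quoted in the issue; the function names (`smb1_attempted`, `login_ok`, `smb_check_login`) are this example's own, not the app's.

```shell
#!/bin/sh
# Added example (not part of nextcloud/user_external).
# Credential check via `smbclient -L` without the SMB1 workgroup reconnect.

# Constructed sample outputs, modelled on the messages quoted in the issue.
SAMPLE_SMB1_FALLBACK='        Sharename       Type      Comment
        ---------       ----      -------
        home            Disk
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available'

SAMPLE_SMB2_ONLY='        Sharename       Type      Comment
        ---------       ----      -------
        home            Disk
SMB1 disabled -- no workgroup available'

# True (exit 0) when smbclient output on stdin shows it fell back to SMB1.
# This is the event the issue author's Synology log rule was alerting on.
smb1_attempted() {
    grep -q 'Reconnecting with SMB1' 
}

# True (exit 0) when the share listing header is present, i.e. the session
# setup (and therefore the username/password) was accepted by the server.
# Assumption: a failed logon never reaches the listing, so the header only
# appears after successful authentication.
login_ok() {
    grep -q '^[[:space:]]*Sharename[[:space:]]*Type'
}

# smb_check_login HOST USER
# Reads the password from $PASSWD (smbclient reads that variable itself), so
# it never appears in the process list. Exit 0 = credentials accepted.
# `--option` overrides smb.conf for this one process only, so the server and
# other smbclient users on the box keep whatever protocol policy they have.
smb_check_login() {
    host="$1"
    user="$2"
    if [ -z "${PASSWD:-}" ]; then
        echo "smb_check_login: set PASSWD in the environment" >&2
        return 2
    fi
    out=$(smbclient -L "//${host}/dummy" -U "$user" \
            --option='client min protocol=SMB2' 2>&1)
    if printf '%s\n' "$out" | smb1_attempted; then
        echo "smb_check_login: smbclient still reconnected with SMB1" >&2
    fi
    printf '%s\n' "$out" | login_ok
}
```

Usage: `PASSWD='secret' sh -c '. ./smbcheck.sh; smb_check_login 127.0.0.1 jni'` and test `$?`. Against an SMB2-only server the output contains "SMB1 disabled -- no workgroup available" (as the issue reports) and `login_ok` still succeeds because the share header was printed; the `smb1_attempted` warning tells you whether the `--option` actually took effect.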