videolabs / libdsm

Defective SMb: A minimalist implementation of a client library for SMBv1 using Plain'Ol C
http://videolabs.github.io/libdsm

Support SMB2 and SMB3 when browsing shares #110

Closed L6Xv3kWu closed 2 years ago

L6Xv3kWu commented 7 years ago

Currently the library does not support browsing and opening shares which enforce the SMB2 or later protocol. This is kinda a dupe for https://github.com/videolabs/libdsm/issues/80. Microsoft officially recommends that file servers disable the SMB1 protocol, so it would be nice if SMBv2 and later is supported.

jbkempf commented 7 years ago

Yes. What Windows version was it based?

jbkempf commented 7 years ago

Also, this is different from #80, I'd say.

L6Xv3kWu commented 7 years ago

SMB2 is supported by Microsoft since Windows Vista. The reason I am filing this enhancement request now is that to mitigate against the wannacrypt worm, you can turn off SMB1. So there will be more and more file servers not supporting SMB1.

jbkempf commented 7 years ago

Sure, but which one did you test?

MrMC commented 7 years ago

I've also started to see signs that disabling the SMB1 protocol prevents libdsm from discovering/connecting. No real debug info yet. Under Libdsm 0.2.7

jbkempf commented 7 years ago

Yes, libdsm does "NT LM 0.12" not "SMB 2.002"

MrMC commented 7 years ago

Is anyone working on adding support for SMB2 and/or SMB3 ?

jbkempf commented 7 years ago

So far, nothing serious was done for that.

jbkempf commented 7 years ago

https://wiki.wireshark.org/SMB2

MrMC commented 7 years ago

Looks like I'm about to become a smb expert :) On the list it goes as with the recent exploit, I see that smb1 usage will soon hit the dustbin.

jbkempf commented 7 years ago

See https://msdn.microsoft.com/en-us/library/cc212614.aspx

kbalint commented 7 years ago

Microsoft already started forcefully disabling SMBv1 on Windows 10 (at least in Developer builds). I spent a real hard time figuring out why VLC on Android TV stopped working on my home network with Windows network shares. The reason is that VLC uses this library to connect - so currently any users who want to play via a network share must enable back the flawed MS implementation on Windows...

juanradark commented 6 years ago

any news on this issue? now SMBv1 is disabled on Windows 10.

Arno53 commented 6 years ago

Juanradark is talking about this: SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709: https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709

TimOliver commented 6 years ago

I’ve finally tested this too. libdsm works on my Synology NAS if I have its minimum SMB version set to 1, but will outright refuse to connect if I set the minimum SMB version of the NAS to 2.

I just spent a few hours playing with Wireshark and reviewing the SMB1 and SMB2 specs. They’re pretty different. Is it even possible to just slide SMB2 alongside SMB1 in this library?

jbkempf commented 6 years ago

@TimOliver it's a good question. Technically, it should be doable, but it's a lot of work, notably for authentication.

Uldiniad commented 6 years ago

still no progress on this issue?

MrMC commented 6 years ago

https://github.com/sahlberg/libsmb2 seems to be the new shiny

juanradark commented 6 years ago

I successfully cross compiled libsmb2 for iOS and run some examples with https://github.com/szanni/ios-autotools

yllekz commented 6 years ago

I can't connect to my Win10 system via VLC due to turning off SMB1. What's the update on this? SMB1 is insecure.

TimOliver commented 6 years ago

If Windows 10 automatically disabled SMBv1 on your system, here's how to turn it back on: https://www.kapilarya.com/how-to-enable-or-disable-smb-protocols-in-windows-10 :)

Libdsm was built from the beginning as an SMBv1 library. If it wasn't obvious from the above conversation, adding v2 support and above would be a huge amount of work. I'm sure extra help would be appreciated. :)

yllekz commented 6 years ago

I have no desire to re-enable it. I disabled it myself. As I stated, smbv1 is insecure and newer versions need to be properly supported. Enabling a security hole is not a solution.

TimOliver commented 6 years ago

This is an open source project that people contribute to in their free time. If you think it "needs to be supported properly", then please, by all means, start filing pull requests. :)

Or conversely, I wonder if it would be feasible to integrate Ronnie Sahlberg's libdsm2 library into VLC alongside libdsm. The licenses should be compatible.

yllekz commented 6 years ago

I know that, and understood, but please do not suggest an insecure solution. I simply am asking if there is a fix. Your second paragraph satisfies my query which is what I asked for. Have a good one.

kbalint commented 6 years ago

@TimOliver : if we turn SMBv1 back on Windows, we'll open a vector for serious exploits.

On the other hand, some NAS/router with USB port with a read-only-rom has its Samba config fixed on SMB1, as I tested; but Samba's SMB1 is not exploitable. So somehow VLC should be able to do SMBv1 as a fallback, if higher versions are not supported by the server.

As for the flame for filing pull requests: I don't know @yllekz, but I'm not a multi-platform C developer, I'm simply not qualified to do this kind of low level networking and integration task on this completely unknown codebase; and I think there are only a couple devs who can do it properly, so this is a bit of a cynic request.

Thirdly, I'd label this issue as a serious security-related task, not an enhancement.

TimOliver commented 6 years ago

@yllekz I was half joking about turning it back on (That's what the ':)' was for at the end). I apologise. Yeah! I'm following the progress of libsmb2 and it's evolving really quickly. Hopefully that'll be good enough for VLC soon. :)

@kbalint Thanks for the clarification. It's good to know there might be some edge cases where SMBv1 might still be okay.

I wasn't trying to flame. I'm not a low level network engineer either, but SMBv2 is something I want badly enough that until I found out about libsmb2, I was seriously considering willing to put in the hours needed to add SMBv2 to libdsm myself. So I don't think that was cynical.

In any case, if that looked like an attack, then I'm sorry.

Uldiniad commented 6 years ago

if the licenses are compatible, what are the hurdles left? waiting to see some specific issues reported on his repo fixed?

sahlberg commented 6 years ago

@Uldiniad Patience grasshopper, patience.

Yannovitch commented 6 years ago

Any updates on this ? I am almost sure that this is the reason why I can't access anymore any of my files from VLC on iPad since switching to FreeNAS (which, afaik, enforce SMBv2) Can I do something to help speed up the process ? I don't want to use Plex (because it's pushing so hard for me to pay to stream my own files, and it's getting more and more closed source), UPnP is quite buggy, and I can't use NFS on iOS VLC as far as I am aware. So this leaves SMB ;)

mdPlusPlus commented 5 years ago

So, from what I can gather from the VLC for Android git repository, it seems like VLC should be able to access SMB2 shares now. Is this correct?

What would it take for libdsm to support SMB3? Would setting up a bounty help to implement this? Because I would be willing to pitch in for SMB3 support in VLC (for Android).

sahlberg commented 5 years ago

Using libsmb2 it should support SMB3. The two, SMB2 and SMB3 are very similar and use the same headers and payload structures. The place where they differ are in featureset.

The main features I think libsmb2 is lacking are

If your concern is "can I use VLC and libsmb2 against a SMB3 file server?" then yes, that should definitely work already. Unless the server requires smb3 encryption.


Yannovitch commented 5 years ago

Well, since i last commented on the issue, i switched from FreeNAS to OpenMediaVault. And now whenever i'm trying to access my SMB shares from iOS VLC, iOS VLC crashes. Woohoooo ^^

zhaccc commented 5 years ago

Can we expect SMB2 and/or SMB3 any time soon? I Would love to see it.

camrockz commented 5 years ago

Samba 4.11 now disables SMB1 by default. https://github.com/samba-team/samba/blob/59cca4c5d699be80b4ed22b40d8914787415c507/WHATSNEW.txt Debian Testing/Sid has samba 4.11 live now.

TheNetworkGuy commented 4 years ago

Just went through some debugging on why the mobile VLC app wasn't able to connect to some SMB shares. Turns out that enabling SMBv1 support fixes the issue.

It feels wrong to do so, especially with the security concerns the SMBv1 protocol carries.

I would love to see support for version 2 and / or 3 as well.

0b-1 commented 4 years ago

Because of this bug, users are keeping highly insecure SMBv1 protocol enabled on their systems. This bug should be considered as a (indirect) security vulnerability and high priority.

jbkempf commented 4 years ago

@0b-1 this library is for SMBv1. SMBv2/v3 is in libsmb2.

0b-1 commented 4 years ago

Thanks Jean-Baptiste,
(read the end of this post, I think I spotted something and it's now working!) I use the F-droid VLC build and it can't login to SMBv2 shares (on Samba 4.11.11). Just did some test again: When using "min protocol = SMB2" on server, I still can see the shares but after the "SMB authentication required" it stays on "Chargement". On my server I have:

```
check_ntlm_password: authentication for user [MyLogin] -> [MyLogin] -> [MyLogin] succeeded
```

Now I find another samba logfile with this:

```
[2020/08/10 19:07:56.686215, 3] ../../lib/util/access.c:369(allow_access)
  Allowed connection from 192.168.1.2 (192.168.1.2)
[2020/08/10 19:07:56.686241, 1] ../../source3/smbd/service.c:349(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (partageName)
[2020/08/10 19:07:56.686254, 1] ../../source3/smbd/service.c:533(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2020/08/10 19:07:56.686279, 3] ../../source3/smbd/smb2_server.c:3254(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
[2020/08/10 19:07:56.688082, 3] ../../source3/smbd/server_exit.c:243(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
```

Ok now I just found something : After typing once a wrong password, then trying again with the correct one, I can now browse the share ... Weird as I did clear the app data and cache before ... But well, very good as it's now working and I can ditch SMBv1 :+1:

firestorm99 commented 4 years ago

I can relate to https://github.com/videolabs/libdsm/issues/110#issuecomment-671491437

If I enter the information wrong once, the second time it works and loads the folders content. However afterwards VLC is stuck again.

OdinVex commented 3 years ago

Regarding GitHub posts... I hate using 'bumps', but this is fairly self-explanatory. BUMP, it's 2021... SMB2 was released in 2006, 15 years ago, a decade and a half. SMB3 was released in 2012, 9 years ago, almost a decade. Most installations disable SMB1 and very few run SMB2. I see no reason to not adopt SMB3, especially considering the backwards-compatibility in the protocol with SMB2. I've used separate software to create mounted points handling the SMB3 protocol with encryption, but I'm just tired of monkeying multiple points and the pain it is on Android to try to do that too without commercial software, switching players. :/ Wish VLC well.

VLC uses libsmb2, which supports SMB2/3 and encryption, but for some reason VLC just doesn't use it. Just pointing that out for people. Libsmb2's README states encryption can be enabled for SMB3 using the seal argument.

sahlberg commented 3 years ago

I just tried downloading VLC from the playstore and it can use SMB3 and encryption just fine for me.

In the dialog in VLC to configure the server. Type in the URL arguments you need for the connection. I.e. the url arguments from libsmb2 README.

For example: set folder path to "/?seal" if you want to enforce encryption from VLC.

If you set the server to REQUIRE encryption, then vlc/libsmb2 should automatically switch to use smb3-encryption without you having to set it via the ?seal argument.

OdinVex commented 3 years ago

> I just tried downloading VLC from the playstore and it can use SMB3 and encryption just fine for me.
>
> In the dialog in VLC to configure the server. Type in the URL arguments you need for the connection. I.e. the url arguments from libsmb2 README.
>
> For example: set folder path to "/?seal" if you want to enforce encryption from VLC.
>
> If you set the server to REQUIRE encryption, then vlc/libsmb2 should automatically switch to use smb3-encryption without you having to set it via the ?seal argument.

All the servers my friends and I run all use encryption and force it (require), VLC will fail. Edit: This is VLC for Android.

sahlberg commented 3 years ago

I just tried current playstore version of VLC and took a wireshark trace. It used smb 3.0.2 and wireshark shows all the traffic beyond the SMB2 Session Setup commands to be encrypted.

OdinVex commented 3 years ago

> I just tried current playstore version of VLC and took a wireshark trace. It used smb 3.0.2 and wireshark shows all the traffic beyond the SMB2 Session Setup commands to be encrypted.

Latest from PlayStore available to me (Edit: v3.3.4), VLC can always view the mDNS records and can always list root dir but anything after, VLC will spit an error and fuss about not being able to browse it. Raw logs show client not handling encryption+auth. Edit: Min Version is always 3 or better on installs.

sahlberg commented 3 years ago

I am testing against a SAMBA server, configured to only support SMB2/3:

```
...
/etc/samba/smb.conf:
[global]
    workgroup = SAMBA
    client min protocol = SMB2
    client max protocol = SMB3
    security = user
    passdb backend = tdbsam
    keepalive = 0
    usershare allow guests = no
    name resolve order = lmhosts bcast host wins
    log level = 0
    guest ok = no
    map to guest = never

    server signing = mandatory

    #smb encrypt = mandatory

[SNAP-3]
    path = /data/SNAP-3
...
```

I install VLC from the playstore. I click Browse icon at the bottom row, I then click the orange circle with the plus sign. In the dialog I switch protocol to smb. In network share name I type in "ip-address/share-name", as folder path I type in "/?seal", as servername I type in a name for this. I click done/ok until I am back at the main VLC screen.

At the top, at the row called "Favorites" I scroll to the right until I find the servername I typed in. I click on it. After a few seconds it opens a dialog that says "The computer you are trying to connect to requires authentication..." I type in the username and password in the two boxes and click done/ok.

I can now access the share and see all the files.

I am running tshark (console version of wireshark) and I can see lines like this:

```
722 158.251975256 10.10.10.106 → 10.10.10.11 SMB2 226 Encrypted SMB3
723 158.252135824 10.10.10.11 → 10.10.10.106 SMB2 195 Encrypted SMB3
724 158.256575811 10.10.10.106 → 10.10.10.11 SMB2 210 Encrypted SMB3
```

which tells me that we are indeed using SMB3 encryption for this session.

So, it does work. Maybe it is a configure issue on your server. Maybe something else, but it does work. If nothing else, the VLC might need a wiki with good detailed instructions on how to connect to and use smb2/3 servers and where in the ui to type in what. Maybe would be nice to have tickboxes for features like sign and seal too instead of having to specify them as a "/?..." url argument string.

OdinVex commented 3 years ago

... No, it does not work. You're not listening, SMB3, not SMB2+3. SMB3...only. client min protocol = SMB3

Might want to uncomment these as well:

```
server signing = mandatory
smb encrypt = mandatory
```

Edit: Also not just me, various people I deal with around the world. Most just ended up buying an extra bit of storage and using a sync software like SyncThing/rsync/etc. I do both. My other machines can use my Samba install, other people VPNing can see and use it (just to test, we don't expect good throughput across the planet), but only VLC hates it. It won't list anything outside of root. I can browse files if I immediately specify a share in URL, but not from root dir. ?seal isn't implicit, it requires explicit usage/declaration, which is borked. What typical VLC user will know that only VLC uses some random lib which requires a non-standard way of specifying encryption to only then work, rather than using protocol flags. Not many.

Also requiring /?seal seems to break mDNS discovery browsing, too.

sahlberg commented 3 years ago

What do you mean SMB2+3 ?
It is smb3 only in this config.

Tshark/Wireshark shows it as SMB2 in the protocol column because when I wrote the SMB2 support for wireshark I never bothered to create a separate protocol for SMB3. Technically SMB3 is not a protocol, it is a different featureset/dialect but the protocol is still SMB2. It is a new "name" for marketing reasons but the actual protocol is SMB2. That is why wireshark says SMB2 as the protocol.

Please try yourself running wireshark between two windows computers using SMB 3.0.2 or SMB 3.1.1. Wireshark will still show the protocol as SMB2 because that is how I wrote this code in wireshark. To see if it is SMB2 or SMB3 you need to look at the SMB2 Negotiate Protocol Reply from the server in wireshark. It will tell which version of SMB2/3 is used. In this case my wireshark trace shows Dialect: SMB 3.0.2 (0x0302)

Thus It is SMB3.
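Added example (not part of the thread, and not code from libdsm, libsmb2 or Wireshark): the check described in the comment above, reading the dialect from the server's negotiate reply rather than from the protocol column, written as a small C parser. Field offsets follow the SMB2 header and NEGOTIATE response layout in MS-SMB2; the function names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum smb_family { SMB_UNKNOWN, SMB_V1, SMB_V2, SMB_V3 };
struct negotiate_info {
    enum smb_family family;
    uint16_t dialect;        /* DialectRevision; stays 0 for an SMB1 reply */
    int signing_required;    /* SecurityMode bit 0x0002 */
    int encryption_capable;  /* Capabilities bit 0x40 (SMB 3.0 and 3.0.2) */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* msg: the SMB message after the 4-byte TCP length prefix. 0 on success, -1 if malformed. */
int parse_negotiate_reply(const uint8_t *msg, size_t len, struct negotiate_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len >= 4 && memcmp(msg, "\xffSMB", 4) == 0) { out->family = SMB_V1; return 0; }
    /* Need the 64-byte SMB2 header plus the reply body up to Capabilities. */
    if (len < 92 || memcmp(msg, "\xfeSMB", 4) != 0) return -1;
    if (le16(msg + 4) != 64 || le16(msg + 12) != 0) return -1;    /* header size, Command NEGOTIATE */
    if (!(le32(msg + 16) & 1) || le16(msg + 64) != 65) return -1; /* response flag, body size */
    out->signing_required = (le16(msg + 66) & 0x0002) != 0;
    out->dialect = le16(msg + 68);
    out->encryption_capable = (le32(msg + 88) & 0x40) != 0;
    out->family = out->dialect >= 0x0300 ? SMB_V3 : SMB_V2;
    return 0;
}

const char *dialect_name(uint16_t d)
{
    switch (d) {
    case 0x0202: return "SMB 2.0.2";
    case 0x0210: return "SMB 2.1";
    case 0x0300: return "SMB 3.0";
    case 0x0302: return "SMB 3.0.2";
    case 0x0311: return "SMB 3.1.1";
    default:     return "unknown";
    }
}

/* Constructed sample reply (not a capture): only the parsed fields are set. */
size_t build_sample_reply(uint8_t *buf, uint16_t dialect, uint16_t secmode, uint32_t caps)
{
    memset(buf, 0, 128);
    memcpy(buf, "\xfeSMB", 4);
    buf[4] = 64; buf[16] = 1; buf[64] = 65;   /* header size, response flag, body size */
    buf[66] = secmode & 0xff; buf[67] = secmode >> 8;
    buf[68] = dialect & 0xff; buf[69] = dialect >> 8;
    for (int i = 0; i < 4; i++) buf[88 + i] = (caps >> (8 * i)) & 0xff;
    return 128;
}

int main(void)
{
    uint8_t buf[128];
    struct negotiate_info ni;
    size_t n = build_sample_reply(buf, 0x0302, 0x0003, 0x40);
    if (parse_negotiate_reply(buf, n, &ni) == 0)
        printf("%s (0x%04x) signing_required=%d\n", dialect_name(ni.dialect), (unsigned)ni.dialect, ni.signing_required);
    return 0;
}
```

A reply that starts with the SMB1 magic (0xFF 'S' 'M' 'B') is reported as SMB_V1, which is the only family an "NT LM 0.12" client such as libdsm can negotiate.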

OdinVex commented 3 years ago

> What do you mean SMB2+3 ? It is smb3 only in this config.
>
> Tshark/Wireshark shows it as SMB2 in the protocol column because when I wrote the SMB2 support for wireshark I never bothered to create a separate protocol for SMB3. Technically SMB3 is not a protocol, it is a different featureset/dialect but the protocol is still SMB2. It is a new "name" for marketing reasons but the actual protocol is SMB2. That is why wireshark says SMB2 as the protocol.
>
> Please try yourself running wireshark between two windows computers using SMB 3.0.2 or SMB 3.1.1. Wireshark will still show the protocol as SMB2 because that is how I wrote this code in wireshark. To see if it is SMB2 or SMB3 you need to look at the SMB2 Negotiate Protocol Reply from the server in wireshark. It will tell which version of SMB2/3 is used. In this case my wireshark trace shows Dialect: SMB 3.0.2 (0x0302)
>
> Thus It is SMB3.

Your config: client min protocol = SMB2 client max protocol = SMB3 ...You're specifying support for SMB2+3.

sahlberg commented 3 years ago

Those things are not relevant. I say that as the person that wrote libsmb2 and also the person that wrote the smb2/3 support in wireshark.

But I will humor you, I changed samba to:

```
[global]
    workgroup = SAMBA
    client min protocol = SMB3
    client max protocol = SMB3
    security = user
    passdb backend = tdbsam
    keepalive = 0
    usershare allow guests = no
    name resolve order = lmhosts bcast host wins
    log level = 0
    guest ok = no
    map to guest = never
    server signing = mandatory
    smb encrypt = mandatory
```

And did everything as I described above. Except I no longer specify "/?seal" as the folderpath since I don't need to since seal is mandatory now on the server. It still works, I can access the files and wireshark shows that SMB3 Encryption is used.

Maybe you are doing something wrong or have messed up the server? I have no idea. SMB3 and SMB3 encryption does work on the version of vlc that can be downloaded right now from the playstore.

OdinVex commented 3 years ago

I'll just try to summarize and just walk away, maybe someday someone will realize what I'm talking about and will fix the issue.

mDNS browsing any SMB3 share that forces encryption won't work, you can get prompted to enter authentication details and see the initial root directory but nothing further. Adding ?seal will work, but it is explicit, not implicit/auto, breaking mDNS access through the UI. But that's just hurting the easy-access of clicking on an mDNS-visible share, not a big deal.

But no one knowing about ?seal ends up not being able to browse any encrypted SMB3-ONLY shares. This makes VLC pointless to any average user. It does not work from any usability standpoint. You're forced to add a server to Favorites and manually add a non-standard ?seal string to the folder path, something I'm betting most users won't have a clue to do.

Edit: Without ?seal, VLC won't work in our SMB3-only+mandated encryption environments. Other software programs work fine, VLC won't. Linux, Windows, various SMB3+encryption mounting apps for mobile platforms will work, even a Pinephone mainline Linux install works fine, but VLC won't. Unsubscribing for now, I don't feel I'll be able to clarify any further.