I have some issues using the LAN plugin for Total Commander with SMBv3 enabled. SMB3 option only seems to work correctly when SMB2 is also enabled. Enabling only SMB3 does let me browse shares but accessing individual files does not work.
After investigating the network traffic with Wireshark, there are two things noticable:
The LAN plugin always requests SMB dialects 2.002 and 2.??? using a SMBv1 'negotiate protocol request', followed by another SMBv2 'negotiate protocol request' which correctly specifies dialects 2.0.2 and 2.1 if only SMB2 is enabled and additionally the dialects 3.0, 3.0.2 and 3.1.1 if also (or only) SMB3 is enabled. This works for browsing folders / listing files in both cases (SMB2+SMB3 enabled or only SMB3 enabled). However, when accessing files, e.g. playing a shared video, the LAN plugin suddenly request the dialect 'NT LM 0.12' using a SMBv1 'negotiate protocol request' which Windows quits with a TCP connection reset (SMBv1/CIFS is disabled in Windows) when only the SMB3 option is enabled in the LAN plugin.
So 1) Why does the LAN plugin requests 'NT LM 0.12' dialect for direct file accesses when only SMB3 is enabled (and a SMB 2.x dialect was requested and confirmed before by the server) 2) Why is there any SMBv1 'negotiate protocol request' when SMB2/SMB3 is enabled? SMBv2 should work with a stand-alone v2 'negotiate protocol request'. Maybe there should be a switch to disable SMBv1 completely (or it should be removed as it is more or less absolete anyways).
LAN Plugin with SMB3 enabled: I found two things noticable
Moderators: white, Hacker, petermad, Stefan2
-
ghisler(Author)
- Site Admin
- Posts: 48088
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: LAN Plugin with SMB3 enabled: I found two things noticable
This is odd, here is how I call the smbj library:
So if both SMB2 and SMB3 are allowed, it should request all the dialects
SMB 2.02, 2.1, 3.0, 3.02 and 3.11.
If only SMB3 is allowed, it should request all the dialects
SMB 3.0, 3.02 and 3.11
And if only SMB2 is allowed, it should request all the dialects
SMB 2.02, 2.1.
The 'NT LM 0.12' dialect isn't used. It sounds like the plugin is falling back to SMB1, but it should do that only when there is a negotiation error for SMB2 or SMB3.
Code: Select all
if (osVersion>=14 && allowSmb3) {
if (allowSmb2)
builder = builder.withDialects(SMB2Dialect.SMB_3_1_1, SMB2Dialect.SMB_3_0_2,
SMB2Dialect.SMB_3_0, SMB2Dialect.SMB_2_1, SMB2Dialect.SMB_2_0_2);
else
builder = builder.withDialects(SMB2Dialect.SMB_3_1_1, SMB2Dialect.SMB_3_0_2,
SMB2Dialect.SMB_3_0);
} else
builder = builder.withDialects(SMB2Dialect.SMB_2_1, SMB2Dialect.SMB_2_0_2);SMB 2.02, 2.1, 3.0, 3.02 and 3.11.
If only SMB3 is allowed, it should request all the dialects
SMB 3.0, 3.02 and 3.11
And if only SMB2 is allowed, it should request all the dialects
SMB 2.02, 2.1.
The 'NT LM 0.12' dialect isn't used. It sounds like the plugin is falling back to SMB1, but it should do that only when there is a negotiation error for SMB2 or SMB3.
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
Re: LAN Plugin with SMB3 enabled: I found two things noticable
Thanks for your response and the pointers to smbj.
I digged through the smbj sources and found the possible cause. There is a config option withMultiProtocolNegotiate(boolean useMultiProtocolNegotiate) that seems to control whether SMBv1 is used together with SMBv2 or not. The code for this is in SMBProtocolNegotiator.negotiateDialect(). So it looks like the mentioned behavior can actually be configured in smbj. I'm not sure if I'm the only one to have observed this behavior but maybe an option for the LAN plugin would be possible.
I digged through the smbj sources and found the possible cause. There is a config option withMultiProtocolNegotiate(boolean useMultiProtocolNegotiate) that seems to control whether SMBv1 is used together with SMBv2 or not. The code for this is in SMBProtocolNegotiator.negotiateDialect(). So it looks like the mentioned behavior can actually be configured in smbj. I'm not sure if I'm the only one to have observed this behavior but maybe an option for the LAN plugin would be possible.
-
ghisler(Author)
- Site Admin
- Posts: 48088
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: LAN Plugin with SMB3 enabled: I found two things noticable
I actually have some code with this in my plugin: First I call withMultiProtocolNegotiate(true). If I get immediately an EOFException, I set ksmbdBug to true and try again with withMultiProtocolNegotiate(false), ksmbd immediately drops the connection when a client attempts multi-protocol negotiation. withMultiProtocolNegotiate(true) is called to detect SMB1 only servers, and then switch to jcifs. Any idea what I should change for your server?
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
Re: LAN Plugin with SMB3 enabled: I found two things noticable
A possibility would be to add another LAN plugin option for explicit SMBv1 support, where only if this is enabled, withMultiProtocolNegotiate(true) would be used. The default could be disabled (due to legacy protocol and security risks with SMBv1).
Currently, I'm using SMB2+SMB3 configs enabled which works for me and SMBv3 is also used according to Wireshark. So at least in my case I have found a working solution. I just need to remember to enable both SMB2 and SMB3. FYI, the server is Windows 11 in this case (and I believe I had the same behavior with Windows 10 as well).
Currently, I'm using SMB2+SMB3 configs enabled which works for me and SMBv3 is also used according to Wireshark. So at least in my case I have found a working solution. I just need to remember to enable both SMB2 and SMB3. FYI, the server is Windows 11 in this case (and I believe I had the same behavior with Windows 10 as well).