From: Miroslav Lachman <000.fbsd@quip.cz>
To: Matt B
Cc: "freebsd-fs@freebsd.org"
Subject: Re: SMBv1 Deprecation / SMBv2 support in FreeBSD
Date: Thu, 19 Dec 2019 00:12:00 +0100

Matt B wrote on 2017/06/24 16:35:

> It is about decreasing the attack surface. I certainly trust the level of
> security and validation the Kerberos provides. The physical act of going
> into the security gateways and opening ports is quite the menial task. The
> main problem I have with the implementation is the deployment of keytabs to
> the physical systems, which is a bit of a process to actually get the key
> over there, then configuring idmapping in Windows, which brings another
> round of issues regarding AD structure and permissions on the shares. More
> ports open between the DMZ and the core is just one more negative reason
> (to me) to not go forward with an NFS Kerberos deployment. Kerberos and NFS
> are definitely a great combination when the configuration suits the
> situation. I am looking into figuring out how to just implement SMBv2 for
> BSD as I believe that is the best solution for my network architecture.

I would like to resurrect this old thread from 2017-06 as I have the need to use mount_smbfs on FreeBSD but this old implementation (still) lacks support for SMB2/3.

I am not a developer so I cannot do any coding work. I would like to know if somebody tried to add support for SMBv2 to FreeBSD? Is it really hard to extend it to support SMB2? Or should it be implemented from scratch?

I tried to find more on this topic in mailing lists and FreeBSD forums without much success. I found that Apple open source has it. For example
https://opensource.apple.com/source/smb/smb-759.40.1/kernel/smbfs/smbfs_smb_2.c.auto.html

I know Apple kernel is too different but anyway - can it be ported to FreeBSD in some way?

It is very sad that FreeBSD is so far behind competitors in some network service where FreeBSD was very strong in the past. CIFS/SMB2 is the only option in some heterogeneous environments.

Kind regards
Miroslav Lachman