From: Matt B
Date: Thu, 22 Jun 2017 15:36:14 -0400
Subject: SMBv1 Deprecation
To: freebsd-fs@freebsd.org

Long-time user of FreeBSD here. I have been happily using the mount_smbfs binary and in my fstab to mount Windows Shares on boot to be used by various network services housed on multiple FreeBSD systems.

Sadly, it appears these connections all use SMBv1 NT1 security to perform the mount operation. With the new security landscape, post-WannaCry ransomware, in a mixed-mode environment where all the shares live in Windows, that just won't do. This has been discussed many times before in the past but there hasn't been any headway AFAIK. Every other piece of software I have encountered has moved away from this deprecated network protocol to the far more secure versions of SMB to perform Windows share operations.

As a stopgap, I have implemented a very rudimentary NFS server advertising shares, but configuring a Kerberos infrastructure and setting new accounts for each and every service (not to mention the new permissions nightmares even with Active Directory) on multiple BSD systems is arduous.

Rather, I am wondering why FreeBSD is behind the ball on the development? The other Linux-based systems I run required a simple addition of the vers=SMB2 flag to the fstab entry to successfully mount.

I understand the code base is very old for the mount_smbfs, but what is the way forward here? NFS is simply a workaround as far as I am concerned and every other *nix style distro seems to play nice with SMB. Is there an ETR on this greatly needed and long overdue update to mount newer style SMB shares?