-
-
Notifications
You must be signed in to change notification settings - Fork 6.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
smbclient: cleanup smbclient configuration #12110
Conversation
https://lists.samba.org/archive/samba-technical/2016-November/117005.html Samba defaults to NT1 client connections unless I've just checked the latest Samba master[1] and the default client connection is still(!) NT1... utter madness. |
@@ -4065,7 +4065,9 @@ msgctxt "#1208" | |||
msgid "Mount SMB shares" | |||
msgstr "" | |||
|
|||
#empty string with id 1209 | |||
msgctxt "#1209" |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
You probably do not want to force rewrite smb.conf on a plain linux distro. Or do I miss something? |
The problem is that currently the config isn't updated at all, even if a setting is changed. This currently requires the user to delete the .smb folder before new settings can be applied. What is the problem with updating |
Yes. smb.conf is the standard user libsmbclient config file, so other apps or even the user might have tweaked it on a Linux distro, and we probably should not unconditionally overwrite it. But I'll completely trust @wsnipex 's opinion on this. PS BTW, this is exactly why I have an "overwrite" setting in spmc although it's not needed for Android. |
2fdca9f
to
6c98742
Compare
Note that an automagic way to overwrite config could be to calculate the hash of the existing file and compare with a precalculated one of our "old" default. |
We should never overwrite anything outside of our userdata dir. why don't we use our own smb.conf instead of the standard one? That way there is no problem with overwriting. And the client max protocol won't work anywhere but linux until we somehow manage to upgrade samba to a more recent version. So this setting should only be visible if supported. |
@wsnipex then this would need run-time detection of the smb library version. I can build Kodi on Ubuntu 16.04 which has support for SMB2 and SMB3 client connections (smb library 4.3.11). Also it doesn't appear easy to use an alternative location for smb.conf. @koying an option to overwrite has been added to this PR overnight - once enabled it allows the WINS and max protocol settings to be changed (and written at next restart or when next new context is established). The overwrite setting will be automatically disabled once the new conf is written. Not sure if a magic hash would work as once you change any of the defaults your precalculated "default" hash would no longer match and you'd never update the file again, not even to set it back to current defaults (plus this would make life harder for anyone using appliance.xml etc.). :) |
@wsnipex If you run smbclient from the console you can append |
build time version check is enough. But @Rechi managed to get samba 4.1 built for osx, so there is hope :) |
09e8e4d
to
3edead1
Compare
xbmc/filesystem/SMBFile.cpp
Outdated
fprintf(f, "\tclient lanman auth = yes\n"); | ||
fprintf(f, "\tlanman auth = yes\n"); | ||
|
||
fprintf(f, "\tsocket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536\n"); | ||
fprintf(f, "\tlock directory = %s/.smb/\n", getenv("HOME")); |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
@chewitt this needs to be rebased |
rebased .. do we want to add the home/env hack @koying suggested in Slack? |
With this change |
The only way I found to have our own smb.conf is:
SMB_CONF_PATH didn't work for me PS: Obviously, we have to create smb.conf in "special://home" as well. |
98f4ae9
to
08836fa
Compare
Note that, if we go the "own smb.conf" route, CSettings::SETTING_SMB_OVERWRITECONF doesn't make sense anymore |
Yes, and no... being able to selectively overwrite would at least allow users to "tune" the smb.conf if they wished. And constant rewriting seems a little unnecessary. |
@MilhouseVH rebased for changes in xbmc/settings/Settings.cpp - no real-world issues from my side on testing - only the standard BS that you see with browsing when browse master changes in the network. Good to merge? |
What's gonna happen with this and backport? |
It's been in my LE test builds for several weeks and is working as intended. It will produce an "invalid parameter" warning to stdout for those systems with libsmbclient prior to 4.1. Users with broken/ancient Samba servers that claim to support SMB3 (but don't) will need to configure SMB2 or SMB1 to restore Samba functionality. Disabling NT1/SMB1 on the server (as recommended by everyone, which is the reason why this PR is becoming necessary) seems to break network browsing but that's an unrelated issue to this PR (and is a core Samba issue rather than Kodi). |
Is it just me or is On 3.6, and in the doc, it's clearly stated that |
I was looking at samba configuration, and stumbled across posts suggesting auto-negotiation (no "client max protocol" at all) is the preferred way. |
@koying PR is updated with a small tweak from @MilhouseVH so we default to no extra config and smbclient autonegotiates. |
@chewitt the default is still SMBv3 which personally I'd keep, but to match the help message (which now says the default is auto-negotiate) this value needs to be changed to 0. The purpose of this PR however is to support better than NT1 and with more servers dropping NT1 (which will continue to be negotiated when the setting is |
Is "negotiation" not implying client and server agree on a mutually acceptable level? |
Negotiation will only happen if Without Forcing In order for Samba to automatically negotiate a better than |
Ok, thanks for the clarification. |
We thought so, but then you asked for the "do nothing" option! I guess it's possible that samba.org may flip the default connecting behaviour from "forced Perhaps the posts you found that suggested not setting anything were either misinformed (you'd expect Samba to auto-negotiate, but that's not what it does by default) or were written from the perspective of ensuring maximum compatibility in an age when every server supported |
And apparently it will be auto-negotiate by default with Samba 4.7 https://git.samba.org/?p=samba.git;a=commitdiff;h=1199907cbe2f003a7df6f56e6cf3878d0732344d |
Sorry about that ;) it was just a suggestion btw, although reading me back might seem more imperative than I intended. |
8eb915a
to
7d550b9
Compare
xbmc/filesystem/SMBFile.cpp
Outdated
// force libsmbclient to use our own smb.conf by overriding HOME | ||
std::string truehome(getenv("HOME")); | ||
setenv("HOME", CSpecialProtocol::TranslatePath("special://home").c_str(), 1); | ||
|
||
// Create ~/.smb/smb.conf. This file is used by libsmbclient. |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
d1394e5
to
38c2e53
Compare
I confirm "auto-negotiation" is kind of BS ;) |
The default option and wording is now set to "SMB3" to provide compatibility. Samba <4.1 will still connect using NT1, while Samba 4.1+ will connect using SMB3_11 and should step down to SMB2 if required. The none option (remove config and use Samba defaults) is retained as it does no harm and may be useful with support. The code comment on ~/.kodi/.smb/smb.conf path has been amended. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keeping "None" as an option for the future makes sense.
+1, nice work :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good now, thanks 👍
This PR does some overdue cleanup on the smbclient configuration used by Kodi.
Description
Removed by fritch:
socket options
tuning that is not recommended: https://lists.samba.org/archive/samba/2013-February/171836.htmlRemoves
preferred master
,local master
,domain master
smbd configuration that is irrelevant to smbclient.Removes
client lanman auth
so smbclient can use more secure hash algorithms. This breaks compatibility with Windows 95/98 and pre Samba 2.2 shares (c.2000) that do not support NTLM or NTLMv2.Removes
lanman auth
smbd configuration that is irrelevant to smbclient.Sets
client max protocol
to SMB3. Without this smbclient (and thus Kodi) defaults to NT1 (SMB1) and will not attempt connecting at higher protocol versions. Setting to SMB3 allows smbclient to auto-negotiate a higher protocol with most devices. Some older Windows and Samba versions can requireclient max protocol
to be reduced to SMB2 or SMB1 to solve connectivity issues (server side bugs or misconfiguration) so we expose this as a configuration option in Kodi settings. Using SMB3 with smbclient versions below 4.1 that do not support SMB2+ are not affected; older smbclient versions simply negotiate up to what they understand, i.e. NT1. This is part based on koying/SPMC@833aacd that forces NT1 connectivity.Fixes a bug where
smb.conf
was not written if the file was not already present. The smb.conf file is also created under the Kodi home folder to prevent clashes with other smb.conf files that may exist on the users' system. The smb.con file is rewritten if the user changes the client max protocol setting (and the user is prompted to restart Kodi to effect the change). This borrows from koying/SPMC@2771cb2 that made rewrite on start user configurable and other ideas from Slack.Motivation and Context
Wannacry ransomware attacks have woken people up to the security issues with SMB1 and Kodi refusing to use anything newer forces people to continue using insecure shares. LE plans to use a Krypton version of this with samba 4.6 in a future release to bring SMB2/3 support. NB: This PR is intended as a nip/tuck improvement to the existing regime until someone comes up with a more long-term replacement for smbclient.
How Has This Been Tested?
Lots of experimentation and detective work from @MilhouseVH. An earlier variant of the max client protocol change and samba 4 have been in his nightly builds for several months and this specific PR will be included shortly. It has not been tested with other Kodi build targets that use smbclient (macOS, Android, etc.) but testing with older smbclient 3.6 on Linux hasn't thrown up any obvious issues.
Types of change
Checklist: