
No access to shares after disabling SMB1 as recommended by Microsoft

alfred56
Tutor

Hi everyone,

 

in view of the latest WannaCry/Crypt attack on 12 May 2017, Microsoft recommended to patch my Windows 10 OS and disable SMB 1.0/CIFS File Sharing Support.

 

Check this link:

 

http://www.thewindowsclub.com/disable-smb1-windows

 

So I disabled SMB1 and now I lost access to all my shares on my RND2000V2 NAS.

 

Since I had to access my NAS shares, I have re-enabled SMB1, but now I also have a security hole.

 

Does anyone know (including Netgear tech staff) how to access the network shares with SMB1 disabled?

 

Currently I cannot achieve this, and can only think that a firmware upgrade would do this to use either SMB2 or SMB3.

 

My current firmware is 5.3.12 (latest).

 

Thank you.

 

Best regards

 

Alfred56

Model: RND2000v2|READYNAS DUO v2|EOL
Message 1 of 29

Accepted Solutions
kohdee
NETGEAR Expert

Re: No access to shares after disabling SMB1 as recommended by Microsoft

On RAIDiator 4.1 and RAIDiator 5.3, they use versions of Samba that do not support SMB2. You will need to use the Windows tricks to re-enable SMB1 support.

On RAIDiator 4.2, it can support SMB2 but you may experience a performance hit that you could find unacceptable. 

 

We can see about creating an unofficial add-on for RAIDiator 4.2 boxes that you can use at your own risk to use SMB2. These devices were not meant to run SMB2 though. All of the RAIDiator boxes are older than 5 years. It might be time for an upgrade.
If you are really concerned,  you can unofficially upgrade most RAIDiator 4.2 boxes to OS 6 at the risk of factory defaulting your NAS and putting your data back onto the volumes. Alternatively, you can upgrade to a newer ReadyNAS and use the old ReadyNAS as a backup (always smart to have multiple backups, which eliminates single point of failure).


Message 25 of 29

All Replies
mdgm-ntgr
NETGEAR Employee Retired

Re: No access to shares after disabling SMB1 as recommended by Microsoft

We're using samba 3.5.22 in RAIDiator-arm 5.3.12. This has experimental support for SMB2, but for using SMB2 you'd really want to be using a newer samba series.

 

We have no plans to update to a newer version of samba for RAIDiator-arm as far as I'm aware.

 

Our ReadyNAS OS6 devices currently use the samba 4.4 series.

 

Welcome to the Community!

Message 2 of 29
peterkin
Guide

Re: No access to shares after disabling SMB1 as recommended by Microsoft

I switched to NFS on my ReadyNAS Duo. Windows has an NFS client which you can enable in Control Panel -> Programs and features -> Turn Windows features on and off. Then enable NFS on your NAS and set your shares to use it.

 

If you're sharing a printer (as I am) you can switch from SMB to IPP and access it that way.

Message 3 of 29
alfred56
Tutor

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@peterkin wrote:

I switched to NFS on my ReadyNAS Duo. Windows has an NFS client which you can enable in Control Panel -> Programs and features -> Turn Windows features on and off. Then enable NFS on your NAS and set your shares to use it.

 

If you're sharing a printer (as I am) you can switch from SMB to IPP and access it that way.


Hi peterkin

how are you?

 

Thank you for the reply.

 

I tried NFS (Enable NFS on the share, install the NFS Client on Windows 10), but is super slow on this unit.

 

 

Message 4 of 29
ctechs
Apprentice

Re: No access to shares after disabling SMB1 as recommended by Microsoft

RAIDiator 4.x and 5.x SMB uses a version of Samba that depends on SMB/CIFS 1 client support to work. They won't be getting feature updates at this point. ReadyNAS OS 6.x supports up to SMB 3 and will happily keep working if you disable SMB 1 support on your client computers.

 

Windows 10 was never vulnerable to Wannacrypt. I think the security benefits to disabling it are speculative at best, especially if you actually need it to access your files.

Message 5 of 29
sotrack
Luminary

Re: No access to shares after disabling SMB1 as recommended by Microsoft

@alfred56. You need to disable SMB1 and enable SMB2 as described in the link you provided.

Message 6 of 29
tpcr
Tutor

Re: No access to shares after disabling SMB1 as recommended by Microsoft

I have same issue. Cannot view shares without turning on SMB1. Using Windows 10 1703.15063 Retail.

I can get to it fine manually via Run.

Turned on SMB2 in LanmanServer/Parameters. Tried every setting in SMB Plus.

Using OS6 version 6.7.4

 

Problem is, the next public release will have SMB1 disabled and the fast ring release already has SMB1 disabled. Microsoft states this is for security reasons.

 

So question is, how can I view NAS shares without SMB1 enabled?

Model: ReadyNAS RNDP6620|ReadyNAS Pro 6
Message 7 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@tpcr wrote:

I have same issue. Cannot view shares without turning on SMB1. Using Windows 10 1703.15063 Retail.

 

 

 


I tried this with Windows 7.

 

Disable SMB1 by running elevated CMD

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Then reboot to apply.

 

I had no problems accessing my RN526x (OS 6.7.5) and my RN202 (OS 6.8.0-T40), entering \\nas-ip-address in the file explorer address bar.

 

The PC can no longer access my Pro (running 4.2.31) or my Duo v1 (running 4.1.16)


@tpcr wrote:

I can get to it fine manually via Run.

 


Run what?

 

Message 8 of 29
Hubris1
Aspirant

Re: No access to shares after disabling SMB1 as recommended by Microsoft

Windows 10 next release removing smbv1, so accessing my duo 1 from my laptop on 10 home is not possible, access via nfs on a 10 pro is very slow, have now to replace and obviously I'm not inclined to buy another netgear so have to buy disks and copy. Shocking support
Message 9 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@Hubris1 wrote:
Windows 10 next release removing smbv1, so accessing my duo 1 from my laptop on 10 home is not possible, access via nfs on a 10 pro is very slow, have now to replace and obviously I'm not inclined to buy another netgear so have to buy disks and copy. Shocking support

Netgear hasn't said what they are doing longer term, though some people have speculated.

 

 

Message 10 of 29
Hubris1
Aspirant

Re: No access to shares after disabling SMB1 as recommended by Microsoft

Maybe they need to get the finger out then, windows update is in a couple of months, an official statement even saying no longer supported would help my decision.
Message 11 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@Hubris1 wrote:
 an official statement even saying no longer supported would help my decision,

It would be nice to know.

 

I don't know what they'll decide to do - it could be a lot of work.

Message 12 of 29
Hubris1
Aspirant

Re: No access to shares after disabling SMB1 as recommended by Microsoft

That will translate as upgrade or tough then
Message 13 of 29
tpcr
Tutor

Re: No access to shares after disabling SMB1 as recommended by Microsoft

This is a Windows 10 issue only. Disabling SMB1/CIFS is what causes the issue. SMB1 must be enabled or you cannot view shares.

 

Also Netgear removed the WINS ability in OS6, so I cannot even use my WINS server.

 

It appears to me that SMB Plus does not work, because no matter how that is set the ReadyNAS still only uses SMB1/CIFS. Also NFS only works on some workstations and not others. Yes NFS is enabled in Windows 10 and ReadyNAS.

 

What I meant when I stated 'Run', was I can get to the NAS with a direct connection in the runbox. ie \\192.168.1.28\MyShare works fine,

Issue is the shares will not show in the network workgroup list. In my case it actually hangs when I try to list the network shares.

 

I guess the only answer here is to save up and buy a new NAS before the next version of Windows 10 comes out. It won't be Netgear.

 

If anyone has found a solution, please post

Message 14 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@Hubris1 wrote:
That will translate as upgrade or tough then

Again, I have no inside scoop.

 

The 4.1.x and 5.x systems have SAMBA 3.5, which has experimental SMB2, the OS 4.2 systems have Samba 3.6, which has a more complete SMB2.  Simply allowing those to be used is easy enough, but there could be other CVEs and bugs that would need to be backported.

 

Also, the info on Windows I have is

  • All Home and Professional editions now have the SMB1 server component uninstalled by default. The SMB1 client remains installed. This means you can connect to devices from Windows 10 using SMB1, but nothing can connect to Windows 10 using SMB1. 
  • Windows 10, we may uninstall SMB1 client if we detect that you are not using it.
  • All Enterprise and Education editions have SMB1 totally uninstalled by default.
  • The removal of SMB1 means the removal of the legacy Computer Browser service. The Computer Browser depends exclusively on SMB1 and cannot function without it.
  • If you are upgrading or need to install the protocol after a clean install, you will still be able to do so

Assuming this is all correct, it's not as stark as "you can't access the old NAS after the next Win10 release". SMB1 will still be available, though of course it is a vulnerability.

 

FWIW, Microsoft is building their own list of products requiring SMB1 - it is here: https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/  I'm sure there are a lot more.

 

In my own case, the 4.1 and 4.2 systems I have are purely backup NAS, and losing SMB access is not a big problem - arguably I should turn SMB off altogether on them anyway, and just leave rsync enabled. I could easily upgrade the 4.2 system to OS 6.

Message 15 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@tpcr wrote:

 

 It appears to me that SMB Plus does not work, because no matter how that is set the ReadyNAS still only uses SMB1/CIFS.

SMB Plus only lets the NAS disable SMB 3 or SMB 2 - it doesn't let you disable SMB1.

 

But in my testing, I confirmed that I can access my OS 6 NAS when I disable SMB1 in my PC.

 


@tpcr wrote:

 

What I meant when I stated 'Run', was I can get to the NAS with a direct connection in the runbox. ie \\192.168.1.28\MyShare works fine,

Issue is the shares will not show in the network workgroup list. In my case it actually hangs when I try to list the network shares.

  


That says you proved you can access the NAS w/o SMB1 too.  Shortcuts, mapped drives, Network locations all would work.  Your issue might be related to the computer browser issue I quoted above (and sounds more like a Windows issue than a NAS issue).

 

As I noted, I turned off SMB1 on Win-7.  I can do the same on Win10 easily enough - I'll see if I can duplicate your hang.

Message 16 of 29
tpcr
Tutor

Re: No access to shares after disabling SMB1 as recommended by Microsoft

Regardless of the SMB Plus setting, I still can only get the share listings if I enable SMB1 in Windows 10. Also, when MS totally disables SMB1, that will also remove the computer browser service, which only uses SMB1/CIFS.

 

The reason I say this is a Netgear issue is because I do not have this issue with my FreeNAS device where I can disable SMB1.

 

Make sure if you are testing with Win10, use the latest public release 1703-15063

 

Also, SMB Plus sets the maximum protocol version to use, not the minimum, so you cannot turn off SMB1/CIFS. I believe that is why I have this problem. The ReadyNAS communicates with SMB1 and when SMB1 is turned off in Windows it still sees the SMB1 protocol and hangs on it. Yes this is a Windows issue. I think when you disable SMB1, the driver is disabled, but Windows is still trying to use SMB1 for directory browsing and hangs because that is the protocol coming from the ReadyNAS. When you do a direct access to the network share it uses the proper SMB2/3 protocol.

 

So to fix this problem, you would either have to disable SMB1 from the ReadyNAS, or fix the bug in Windows, which I have reported. Over and over again to MS. Do a search for SMB issues in the feedback hub, you will see a lot of them.

Message 17 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@tpcr wrote:

Regardless of the SMB Plus setting, I still can only get the share listings if I enable SMB1 in Windows 10. Also, when MS totally disables SMB1, that will also remove the computer browser service, which only uses SMB1/CIFS.

 .


My win10 system is running version 1607 (build 14393-1358), and turning off SMB1 causes no problem with my OS 6 NAS - I could see the share list with no problem.  Accessing my pro-6 share list failed (as expected).  No changes were made with SMB Plus

 

I know my cb isn't the same as yours, but both were updated on 13 June 2017.

 

If I have a chance, I will try manually updating to Windows Creator and see if I get your results.  Perhaps some other OS-6 folks can also test this.

 

 

 

 

Message 18 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@StephenB wrote:

If I have a chance, I will try manually updating to Windows Creator and see if I get your results.  Perhaps some other OS-6 folks can also test this.

 


I upgraded that system to Windows 10 version 1703 (15063.413) and I am getting exactly the same results.

 

-with the SMB1 client enabled: I can access my OS 4.2 pro and OS 6 NAS.  \\nas-ip-address shows me their share lists

-with the SMB1 client disabled: My OS 6 NAS remain accessible, and \\nas-ip-address continues to show me their share lists.  My 4.2 Pro becomes not accessible.

 

So I can't reproduce your results.  I do have NAS credentials saved in the windows credentials manager - do you?

 

 

Message 19 of 29
btaroli
Prodigy

Re: No access to shares after disabling SMB1 as recommended by Microsoft

The SMB1 vulnerability is on the SERVER side. You can disable it on the client all you like, but if the SERVER is accepting SMB1 requests, you may be vulnerable. There *is* a setting to add to smb.conf to properly disable the vulnerable call (it relates to netlogin), but it absolutely does disable most clients' ability to browse shares on the server.

 

So I would ask... do these later 6.7.4 and 6.7.5 builds properly disable SMBv1 or at least patch related vulns so that SMBv1 may remain enabled without worry?

 

Certainly for newer OS releases/builds lack of SMBv1 client side support will be an issue for ROS versions not supporting SMBv2 or higher... but just wanted to put this data point out there. Disabling SMBv1 on client doesn't protect your NAS/server.

Message 20 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft


@btaroli wrote:

The SMB1 vulnerability is on the SERVER side.

I think it's important to be clear on what the threats are.  The remote code execution vulnerability in SAMBA has been patched.

The inherent vulnerabilities in the SMB1 protocol itself are

  • subject to security downgrade attacks
  • subject to man-in-the-middle attacks
  • MD5 message signing is too weak.

All of these are unacceptable in a modern internet protocol, and many enterprises will also find them unacceptable in their enterprise networks. 

 

But the risks on a small home network are much less, and (for now at least) I am comfortable taking them.  If you allow anonymous access to your shares (which is the default) none of the threats above really apply to you anyway - the door to your NAS is already wide open.

 

That said, I agree that customers do need the ability to disable SMB1 on ReadyNAS that support SMB 2 or better.

Message 21 of 29
btaroli
Prodigy

Re: No access to shares after disabling SMB1 as recommended by Microsoft

I don't disagree with that assessment. But it will happen that folks have vectors on their network that could attack the NAS (Windows machines) and/or people may choose to (dangerously, in my opinion) expose SMB through their home firewall. That would substantially increase their attack surface, despite whatever functional benefits they may derive from this.

 

So, when deployed in a safe way, I'd agree wholeheartedly. But as we know the home environment often includes practices that aren't all that secure. 😉 So having that SMBv1 hole plugged would be a really great idea.. in the event that someone may not be totally up on updates.

 

I think I read somewhere that Netgear was posting updates on significantly older firmware for the Samba issues, which I thought was awesome!

 

Message 22 of 29
StephenB
Guru

Re: No access to shares after disabling SMB1 as recommended by Microsoft

I think we both basically agree.  We'll see if Netgear goes beyond just patching the CVE - hopefully they will.

Message 23 of 29
shukerr
Tutor

Re: No access to shares after disabling SMB1 as recommended by Microsoft

I got SMB2 working on my old ReadyNAS Pro running the latest 4.2.31 x86 by installing the enablerootssh plugin and using WinSCP to edit the /etc/samba/samba.conf file and adding the following line to the global section:

 

max protocol = SMB2

Message 24 of 29
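
Several posts above turn on the same point: a maximum-protocol setting lets a Samba server offer SMB2 but does not stop it accepting SMB1. The following is an added example, not taken from any post and not NETGEAR's or the Samba project's code; it audits the `[global]` section of an smb.conf for the dialect range left negotiable. Assumptions: the sample configs are constructed, the fallback defaults are those of the Samba 3.6 series, and the `min protocol` line is the standard Samba parameter, not something tested on a ReadyNAS.

```python
import re

# Dialects, oldest first. Everything up to and including NT1 is SMB1.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SMB1_LAST = DIALECTS.index("NT1")

def global_params(conf_text):
    """Return [global] parameters, names lower-cased with spaces removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def rank(name):
    """Position of a dialect name in DIALECTS; ValueError if unknown."""
    name = name.upper()
    return DIALECTS.index(ALIASES.get(name, name))

def audit(conf_text, default_min="CORE", default_max="NT1"):
    """Defaults are an assumption: those of the Samba 3.6 series."""
    p = global_params(conf_text)
    lo = rank(p.get("serverminprotocol", p.get("minprotocol", default_min)))
    hi = rank(p.get("servermaxprotocol", p.get("maxprotocol", default_max)))
    return {
        "min": DIALECTS[lo],
        "max": DIALECTS[hi],
        "smb1_accepted": lo <= SMB1_LAST,        # server still answers SMB1
        "smb2_or_later_offered": hi > SMB1_LAST,  # SMB1-less clients can connect
    }

# Constructed sample configs (not copied from a real NAS).
AS_POSTED = """
[global]
  workgroup = WORKGROUP
  max protocol = SMB2
"""
SMB1_OFF = AS_POSTED + "  min protocol = SMB2\n"

if __name__ == "__main__":
    for label, conf in (("max only", AS_POSTED), ("min and max", SMB1_OFF)):
        print(label, audit(conf))
```

With only the maximum raised, a client that has SMB1 disabled can connect, but the server still accepts SMB1 from anything else on the network.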