How to configure Samba to use SMBv2 and disable SMBv1 on Linux or Unix

Last updated May 18, 2017

I am a new Linux user and for security reasons and to avoid ransomware, I would like to disable the SMB1 protocol in samba configuration on a CentOS Linux version 7 server. Is it possible to disable SMBv1 on a Linux or UNIX-like operating system?

WannaCrypt/WannaCry targets the Microsoft Windows operating system. The attack spreads by phishing emails but also uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA). If you are using older and unsupported operating systems such as Windows XP and Windows Server 2003, you will get infected and all of your files will be encrypted. To get your files back, you need to pay a ransom in the cryptocurrency Bitcoin. Microsoft has released software updates for Windows XP and Windows Server 2003. You must apply those patches ASAP. In short, Linux/Unix users are not affected by this attack. However, you must disable SMBv1 on a Samba server running on a Linux or Unix-like system.

Disable SMBv1 on Linux or Unix when using Samba

Samba is an open-source implementation of the SMB or CIFS protocol, which allows PC-compatible machines (especially Windows ones) to share files, printers, and other information with Linux and vice versa.

Configuration to enable SMBv2

Edit the smb.conf file. Run:
$ sudo vi /etc/samba/smb.conf
Find the [global] section and append the following line:
min protocol = SMB2
Here is my updated file:

Fig.01: How to force SMB2 protocol in samba on Linux or Unix

Save and close the file.

Restart the samba server

Run the following command on CentOS 7/RHEL 7/Fedora Linux:
$ sudo systemctl restart smb.service
Run the following command on Debian 8.x/Ubuntu 16.04 LTS Linux:
$ sudo systemctl restart smbd.service
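
To confirm the line landed in the [global] section and is not commented out, the following added example (not part of the original article) reads a smb.conf file and reports the minimum protocol it sets. The function names smb_min_protocol and smb1_status are hypothetical, and the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): report the "min protocol"
# value set in the [global] section of a Samba configuration file.

# smb_min_protocol FILE -> prints the last value set in [global], or "unset"
smb_min_protocol() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            sec = tolower($0)
            gsub(/[ \t]/, "", sec)
            in_global = (sec ~ /^\[global\]/)
            next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)              # Samba ignores spaces in names
            val = toupper(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "minprotocol" || key == "serverminprotocol") found = val
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# smb1_status FILE -> "disabled", "allowed" or "unset" (version default applies)
smb1_status() {
    case "$(smb_min_protocol "$1")" in
        SMB2*|SMB3*) echo disabled ;;
        unset)       echo unset ;;
        *)           echo allowed ;;
    esac
}

# Constructed sample configuration (not a real server file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    workgroup = WORKGROUP
    ; min protocol = NT1
    Min Protocol = smb2
[share]
    path = /srv/share
EOF
echo "min protocol: $(smb_min_protocol "$sample"), SMB1: $(smb1_status "$sample")"
rm -f "$sample"
```

This reads a single file and does not follow include directives; on a live server, testparm -s prints the configuration as Samba itself parsed it.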

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

12 comments

  1. man smb.conf:
    SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.

    You will prevent Windows 7 machines from connecting..

  2. Hello
    Thanks for this, it seems to create problems with Windows 10 clients:
    [2017/05/18] smbd/negprot.c:694(reply_negprot)
    No protocol supported !
    We use port 139, this may be the problem or the old samba version we have. I have to check further
    I had to revert this and can’t find another solution for the moment. (Still searching)

  3. Hello.
    I followed this, however, there’s a problem.

    I have a samba server. I added the line on the smb.conf file.
    After that, I could connect to the server from a Windows 10 machine, but not from the Ubuntu (16.04/17.04) file manager or Android (using Total Commander) machines.

    It works fine without “min protocol = SMB2”.
    Any help?

  4. I’ve found the following to work. It raises the bar a little extra, but so far, no complaints have been heard (SMB2_10 should be fine, unless you have Windows XP or older clients).

    The client stuff is to make smbclient (if you use that) skip SMB 1 in negotiations. The client max protocol may appear weird, but if it’s not included, then its value will default to something lower than 2.1, and then it will conflict with “client min protocol = SMB2_10”.

    server min protocol = SMB2_10
    client max protocol = SMB3
    client min protocol = SMB2_10

  5. After appending “min protocol = SMB2” in the global section of smb.conf on my server, I can no longer connect from my Linux laptop. Error displayed in my Caja file manager: “Error: Connection timed out. Please select another viewer and try again.”
    I am using Linux Mint 18.1 MATE as the client, with Ubuntu 14.04.5 as the server running Samba 4.3.11.
    Same error for setting “min protocol = SMB3”.

  6. Depending on your needs, this is easy and did the trick for my network:
    protocol = SMB3

  7. Server:
    min protocol = SMB2
    Client:
    smbclient -U=username -N --command="dir Directory/*" //192.168.0.1/Directory

    Error:
    protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
