proxmox samba window11

hansat

Jun 19, 2024
Problems with SMB on Windows 11? Use this, see link:
https://techcommunity.microsoft.com...-smb-in-windows-11-24h2-may-fail/ba-p/4154300

What changed

In Windows 11 24H2, we've made two major security changes that can affect mapping drives to third-party consumer NAS or routers with USB storage:



  1. By default, SMB signing is required on all connections. This increases your security by preventing tampering on the network and stops relay attacks that send your credentials to malicious servers.
  2. Guest fallback is disabled on Windows 11 Pro edition. This increases your security when connecting to untrustworthy devices. Guest allows you to connect to an SMB server with no username or password. While convenient for the maker of your NAS, it means that your device can be tricked into connecting to a malicious server without prompting for credentials, then given ransomware or having your data stolen.
SMB signing has been available in Windows for 30 years but, for the first time, is now required by default on all connections. Guest has been disabled in Windows for 25 years and SMB guest fallback disabled since Windows 10 in Enterprise, Education, and Pro for Workstation editions. Both changes will make billions of devices - not just Windows, but everything running SMB that wants to talk to Windows - more secure. They've been in Windows Insider Dev and Canary builds for a year.



What happens with a third-party NAS

There's one unavoidable consequence, though: we don't know when someone intended to be unsafe.



  • We don't know the difference between a NAS that doesn't have SMB signing enabled and an evil server that doesn't want SMB signing enabled.
  • We also don't know the difference between a consumer NAS - where the manufacturer used guest access to simplify connecting to their storage at the expense of security - and an evil server that wants you to connect without any security prompts in order to steal all of your files and or deliver malware. Furthermore, SMB signing cannot be used with guest credentials. So even if you have guest fallback enabled, SMB signing will prevent it from working.
If you have installed Windows 11 24H2 Release Preview and see one of these errors trying to connect to your third-party device afterwards that was working fine previously, you're in the right place.



If signing isn't supported by your third-party device, you may get error:

  • 0xc000a000
  • -1073700864
  • STATUS_INVALID_SIGNATURE
  • The cryptographic signature is invalid
If guest access is required by your third party, you may get error:

  • You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network
  • 0x80070035
  • 0x800704f8
  • The network path was not found
  • System error 3227320323 has occurred


How to solve the issues

To solve these issues, we recommend you do the following in this order. It's ordered from the safest to the least safe approach, and our goal is for your data to be protected, not to help third parties sell you unsafe products.



  1. Enable SMB signing in your third-party NAS. Your vendor will have steps to do this online if it's possible in the device's management software.
  2. Disable guest access in your third-party NAS. Your vendor will have steps to do this online if it's possible in the device's management software.
  3. Enable a username and password in your third-party NAS. Your vendor will have steps to do this online if it's possible in the device's management software.
  4. Upgrade your NAS if you cannot enable signing, cannot disable guest, or cannot use a username and password. The NAS will usually have an upgrade option in its management software, possibly labeled as "firmware update."
  5. Replace your NAS if you cannot upgrade your NAS software to support signing and credentials (you will need to use steps 6 and later to copy your data off of it to your new NAS first)
Now we're into the less recommended steps, as they will make your Windows device and your data much less safe. They will, however, let you access this unsafe NAS.



6. Disable the SMB client signing requirement:

a. On the Start Menu search, type gpedit and start the Edit Group Policy app (i.e. Local Group Policy Editor). If you are using Home edition, skip to step 8.

b. In the console tree, select Computer Configuration > Windows Settings > Security Settings> Local Policies > Security Options.

c. Double-click Microsoft network client: Digitally sign communications (always).

d. Select Disabled > OK.



7. Disable the guest fallback protection:

a. On the Start Menu search, type gpedit and start the Edit Group Policy app (i.e. Local Group Policy Editor). If you are using Home edition, skip to step e.

b. In the console tree, select Computer Configuration > Administrative Templates> Network > Lanman Workstation.

c. Double-click Enable insecure guest logons

d. Select Enabled > OK.



8. If you're running Windows 11 Home edition, the guest fallback option is still enabled by default, so you're probably not reading this blog post. But if for some reason it is on, or you need to turn off SMB signing due to some third-party NAS, you will need to use PowerShell to configure your machine because there is no gpedit tool by default. To do this:

a. On the Start Menu search, type powershell then under the Windows PowerShell app, click Run as administrator. Accept the elevation prompt.

b. To disable SMB signing requirement, type:

Set-SmbClientConfiguration -RequireSecuritySignature $false

c. Hit enter, then hit Y to accept.

d. To disable guest fallback, type:

Set-SmbClientConfiguration -EnableInsecureGuestLogons $true

e. Hit enter, then hit Y to accept.
 
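Before deciding between step 1 (fix the NAS) and step 6 (loosen the client), it helps to see what the Windows client is currently set to and whether its open SMB sessions are actually signed. This is an added PowerShell snippet, not part of the Microsoft post or this thread; it uses only the standard SmbShare cmdlets and assumes an elevated prompt:

```powershell
# Added example (not from the Microsoft post or the Proxmox thread).
# Audit the SMB client settings the post talks about, then check what the
# open connections really negotiated. Run from an elevated PowerShell prompt.

$client = Get-SmbClientConfiguration

[pscustomobject]@{
    RequireSecuritySignature  = $client.RequireSecuritySignature    # 24H2 default: True
    EnableSecuritySignature   = $client.EnableSecuritySignature
    EnableInsecureGuestLogons = $client.EnableInsecureGuestLogons   # Pro default: False
} | Format-List

# Every open SMB connection reports its dialect and whether the session is
# signed and/or encrypted; this is the ground truth, not the policy setting.
$connections = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted, UserName

$connections | Format-Table -AutoSize

# Servers with unsigned sessions are the ones that will break (0xc000a000 /
# STATUS_INVALID_SIGNATURE) once signing is required. While the requirement is
# still enforced this list stays empty; it is useful before the upgrade or
# after step 6 has been applied. Fix these per steps 1-5 rather than step 6.
$unsigned = $connections |
    Where-Object { -not $_.Signed } |
    Select-Object -ExpandProperty ServerName -Unique
if ($unsigned) {
    Write-Warning ("Unsigned SMB sessions to: " + ($unsigned -join ', '))
}

# Reverting step 6/7 later: the mirror image of the commands in the post.
# -Force skips the Y/N confirmation the post mentions. Uncomment deliberately.
# Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force
```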
Hmm, what does this have to do with Proxmox VE? And can you please add, copy, ... the actual question and context directly here, as links tend to go dead, and we would not have to churn through some Microsoft forum.
 
I would say, PVE using SMB shares to Windows SMB services hosted on 24H2, where signing is not just required but enforced now.
As it stands today, it seems that PVE talking to Windows SMB with signing drops the performance to 1Gb/s (90MB/s-120MB/s) even on a 10G link. To the same box running NFS/iSCSI we can achieve 5Gb/s-8Gb/s.
 
Ah ok, that sounds like reasonable context, thanks! So I'd figure it doesn't have to be that slow, so this could be something that might be improvable on the Linux SMB implementation as I'd figure that it isn't that slow between another windows host?
Or, if you perchance have that info, Windows client to Linux SMB server?

Anyhow, if the network between PVE and the SMB host is trusted then disabling the enforcement through the group policy editor seems like a valid workaround for now.
 
I don't have the full scope of info, as PVE SMB to Windows servers is rarely used in our environments. But we do use it for local PVE backup jobs outside of PBS deployments on our testing clusters, mainly because NFS on Windows is a PITA. It is a problem with S2019 and S2022 when signing is enabled here.

We have a few Linux SMB systems(Truenas, Synology, Qnap, and Netapp for the most part) that have signing enabled and there are no issues there. Most of our endpoints are windows, windows CE thin clients, or iOS/ChromeOS tablet type devices.

Since 1Gb/s is achievable in this model we have not really investigated further into the SMB signing on windows SMB hosted shares, as most of that is hosted on our Linux SMB today. So at the very least, hosted shares from PVE's SMB service(LXC or Native tooling) shouldn't have any effect here.

But it seems the Linux SMB client to Windows SMB service with signing is something that could be looked into. But is it a Proxmox issue per se? I think it's more of a general Linux issue, personally.

Trusted network or not, disabling SMB signing will fail compliance audits.
 
Thanks for your detailed response!
But is it a Proxmox issue per se? I think it's more of a general Linux issue, personally.
I think so too, but it might well affect a few PVE users, so having a post in our community support forum here with the background for why SMB might be suddenly slower doesn't hurt.
 
smb.conf:
...
# doesn't hurt performance
server signing = mandatory
# is still ok with 1Gb but with 10Gb performance loss is strong vs. no encrypt
smb encrypt = mandatory
...
 
Yeah, but this is always in the name of security. Even on Windows to Windows with signing, 10G performance takes a dip.

The only thing I can say in relation to PVE: SMB connected data storage does suffer. But why would you use SMB over NFS when possible? NFS does not have that issue.

I can't speak to PBS as I only use NFS/ZFS on those deployments, but I know more than a few (100's) people that use SMB connected storage to PBS VMs. I wonder if they have issues with this and just don't know it yet. Backups are moot, they take as long as they take; however, restores with leadership/management (me) breathing down your neck would be a completely different story.
 
But why would you use SMB over NFS when possible?
No, don't use SMB for PVE/PBS storage (doing NFS!)! That's just experienced behaviour between a Linux fileserver and actual Windows desktops where encryption was demanded, but as PCs just have 1Gb connections that doesn't matter. But if you test in a DC with 10Gb it hurts by 3x, but it depends strongly on server/client CPU, as the less CPU power, the bigger the difference.
 
Right, and since PVE is not a fileserver it's not a PVE issue.

My additional point to the OP was that when PVE is connected to Windows servers (22H2+) with SMB signing enabled, network speeds are fine but protocol speeds are 5x lower than compared to NFS because of signing. 24H2 enforces it, and security requirements inside of compliance regulations require it.

But that was my only point here. I do not really feel PVE using SMB for storage is appropriate unless there are no other options (let's face it, NFS on Windows is a HUGE PITA). But I have a feeling this might be an issue for the likes of PBS. But honestly, someone else can dig into it.
 
