During a package audit, I noticed that several Samba-related packages — including samba-common, samba-common-bin, smbclient, and supporting libraries — are installed by default.
When I ran a dry-run purge to see what would happen, APT reported that removing `samba-common` would also remove critical core packages such as:
pve-manager
pve-container
pve-ha-manager
qemu-server
This implies Proxmox’s core stack depends directly (or indirectly) on Samba being present, even when CIFS/SMB storage is not configured or used.
My Concern:
From a security and hardening standpoint, it’s generally desirable to reduce the installed footprint and eliminate unnecessary network-exposed components. While Samba itself is not running as a daemon in this configuration, having these packages installed by default:
- Expands the potential attack surface,
- Increases patching overhead,
- And may introduce latent vulnerabilities in environments where SMB is never used.

- Is there a technical reason that `pve-storage` and other components must depend on smbclient/samba-common instead of treating CIFS support as optional?
- Does the Proxmox team have plans to split CIFS support into a separate, optional package (e.g., pve-storage-cifs) so minimal or hardened deployments don’t have to carry the dependency?
- Is there any supported method to safely remove or mask these packages when SMB/CIFS is not used?
Additional Context
It is worth noting that this installation was performed by a cloud provider and that there may have been an option to install without samba-core; however, it is no longer as simple as apt purge...
- Proxmox VE 9, default install (ZFS root)
- No CIFS storage defined
- Environment runs isolated VMs only
- Goal: minimal attack surface / compliance with internal hardening standards
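
The dry-run check described in the post can be scripted so that a hardening job refuses to proceed when a purge would pull out core packages. This is an added example, not part of the original post or Proxmox tooling: the function names are hypothetical, the protected list is taken from the packages named above, and the sample simulation output is constructed with placeholder versions.

```shell
#!/bin/sh
# Added example: parse `apt-get -s` (simulate) output and report which
# core packages a purge would take with it. Nothing here modifies the system.

# Core packages the post reports as being removed alongside samba-common.
PROTECTED="pve-manager pve-container pve-ha-manager qemu-server"

# would_remove: read simulation output on stdin and print every package
# scheduled for removal ("Remv") or purge ("Purg"), one per line.
would_remove() {
    awk '$1 == "Remv" || $1 == "Purg" { print $2 }' | sort -u
}

# protected_hits: read simulation output on stdin and print the protected
# packages that appear in the removal set, in PROTECTED order.
protected_hits() {
    removed=$(would_remove)
    for p in $PROTECTED; do
        printf '%s\n' "$removed" | grep -qx -- "$p" && printf '%s\n' "$p"
    done
    return 0
}

# Constructed sample of simulation output (versions are placeholders).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  pve-container* pve-ha-manager* pve-manager* qemu-server* samba-common*
Purg pve-manager [0.0.0-sample]
Purg pve-ha-manager [0.0.0-sample]
Purg pve-container [0.0.0-sample]
Purg qemu-server [0.0.0-sample]
Remv smbclient [0.0.0-sample]
Purg samba-common-bin [0.0.0-sample]
Purg samba-common [0.0.0-sample]
EOF
}

# Demo on the constructed sample. On a real host, feed it the simulation:
#   apt-get -s purge samba-common | protected_hits
hits=$(sample_simulation | protected_hits)
if [ -n "$hits" ]; then
    echo "purge would remove protected packages:"
    echo "$hits"
fi
```
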