smbclient Security for Windows Printing and File Transfer

A distinctive property of printer shares is that logging in and issuing any type of put sends the transferred file directly to the attached printer. Most commercial laser printers will accept PostScript output, in addition to text files with DOS-style line endings.

There have been several revisions to the SMB protocol through the years. The version 1 protocol was finalized and offered as an internet standard as the "Common Internet File System" (CIFS) in the late 1990s. Many extensions with new features were developed for CIFS by various parties, but Microsoft accepted none of them into the Windows implementation.

Windows Vista marked the first appearance of SMB2, a complete rework of the protocol, which consolidated the command set and reduced the number of round trips required for data transfers. Protocol support for SMB2 was introduced experimentally in the Samba 3.5 server and reached production status with Samba 3.6. Note that smbclient did not receive SMB2 support until the 4.1 release.

Windows 8 (and Server 2012) introduced further important improvements with SMB3, which (finally) introduced encryption and high-availability features. Protocol support for SMB3 was introduced with Samba 4.1, where the Samba server and client achieved protocol version parity.

Below is the Samba project's documentation on the various revisions of SMB:

SMB1: Original DOS/Windows LANMAN protocol, which evolved through several versions.

  • CORE: Earliest version. No concept of user names.

  • COREPLUS: Slight improvements on CORE for efficiency.

  • LANMAN1: First modern version of the protocol. Long filename support.

  • LANMAN2: Updates to Lanman1 protocol.

  • NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.

SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.

  • SMB2_02: The earliest SMB2 version.

  • SMB2_10: Windows 7 SMB2 version.

  • SMB2_22: Early Windows 8 SMB2 version.

  • SMB2_24: Windows 8 beta SMB2 version.

By default SMB2 selects the SMB2_10 variant.

SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.

  • SMB3_00: Windows 8 SMB3 version. (Mostly the same as SMB2_24.)

  • SMB3_02: Windows 8.1 SMB3 version.

  • SMB3_10: early Windows 10 technical preview SMB3 version.

  • SMB3_11: Windows 10 technical preview SMB3 version (maybe final).

By default SMB3 selects the SMB3_11 variant.

The smbclient program allows a specific protocol version to be set as the maximum revision it will negotiate with a server:


-m|--max-protocol protocol

This allows the user to select the highest SMB protocol level that smbclient will use to connect to the server. By default this is set to NT1, which is the highest available SMB1 protocol. To connect using the SMB2 or SMB3 protocol, use the strings SMB2 or SMB3, respectively. Note that to connect to a Windows 2012 server with encrypted transport selecting a max-protocol of SMB3 is required.

The commentary presented upon initial login (Domain, OS and Server) can change when different protocol revisions are selected (the previous login identified Server 2008 on the same server):


$ smbclient //dc.somecompany.com/file_stash -U nt_username -W nt_domain -mSMB3

Enter nt_username's password:

Domain=[NT_DOMAIN] OS=[] Server=[]

smb: \>
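
One way to audit scripts for the protocol ceiling discussed above. This is an added example, not code from the article or the Samba project. The function names are hypothetical and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example. Protocol names oldest to newest, as listed in the Samba documentation above.
PROTOCOLS="CORE COREPLUS LANMAN1 LANMAN2 NT1 SMB2_02 SMB2_10 SMB2_22 SMB2_24 SMB3_00 SMB3_02 SMB3_10 SMB3_11"

# Print a protocol's position in PROTOCOLS (SMB2/SMB3 aliases resolved as the
# documentation describes); return 1 for an unknown name.
rank() {
  local want="$1" i=0 p
  case "$want" in SMB2) want=SMB2_10 ;; SMB3) want=SMB3_11 ;; esac
  for p in $PROTOCOLS; do
    [ "$p" = "$want" ] && { echo "$i"; return 0; }
    i=$((i + 1))
  done
  return 1
}

# Extract the protocol ceiling from one command line; NT1 when -m is absent
# (the default stated in the option description above).
max_protocol() (
  set -f            # split on whitespace only, no glob expansion
  set -- $1
  proto=NT1
  while [ $# -gt 0 ]; do
    case "$1" in
      -m|--max-protocol) [ $# -gt 1 ] && { proto=$2; shift; } ;;
      --max-protocol=*)  proto=${1#--max-protocol=} ;;
      -m?*)              proto=${1#-m} ;;
    esac
    shift
  done
  echo "$proto"
)

# SMB3_00 is the first level with encryption, so a lower ceiling cannot encrypt.
audit() {
  local proto r
  proto=$(max_protocol "$1")
  r=$(rank "$proto") || { echo "unknown:$proto"; return 0; }
  if [ "$r" -ge "$(rank SMB3_00)" ]; then echo "can-encrypt:$proto"
  else echo "no-encryption:$proto"; fi
}

# Constructed sample command lines (host, share and user are placeholders).
while IFS= read -r line; do
  printf '%-22s %s\n' "$(audit "$line")" "$line"
done <<'EOF'
smbclient //dc.somecompany.com/file_stash -U nt_username -W nt_domain -mSMB3
smbclient //dc.somecompany.com/file_stash -U nt_username --max-protocol=SMB2
smbclient //dc.somecompany.com/file_stash -U nt_username
EOF
```

A "can-encrypt" result means only that the ceiling permits SMB3; it does not show that encryption was requested or negotiated for the session.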

______________________

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.