jsmith841
1 Copper

VNX5300 and SMBv1

Jump to solution

Is there any truth to this statement?

"VNX5300 needs SMB 1.0 enabled on the DC or kerberos fails between the VNX and the DC to authenticate all user access to the CIFS shares."


If I'm on code levels: Block-05.32.000.5.219 and File-7.1.79-8, does it use SMBv3 by default?

The output of command "server_cifs server_2" shows Max protocol = SMB3.0.

Labels (1)
Tags (1)
0 Kudos
1 Solution

Accepted Solutions
Rainer_EMC
5 Osmium

Re: VNX5300 and SMBv1

Jump to solution

yes that is correct.

there are two different SMB communication paths and code

For the SMB clients talking to the VNX data mover it acts as a server and supports the SMB protocols listed with server_cifs.

A client connecting to the VNX will usually negotiate the highest available SMB version that both sides speak (depending on client settings and GPOs) - so yes by default SMB3 capable Windows client will use that.

If you are curious you can verify using server_cifs -o audit

For some administrative work like resolving SID's the VNX data mover talks to the domain controller and uses SMB secure channel. There it acts as a client and currently needs SMB1 available on the DC to work.

This will change with an upcoming patch.

Note that in both cases the VNX is NOT vulnerable to WannaCry since we dont use the Microsoft SMB code that has the remote execution vulnerability and it doesnt run Windows OS so the executable wouldnt run there.

View solution in original post

8 Replies
Rainer_EMC
5 Osmium

Re: VNX5300 and SMBv1

Jump to solution

yes that is correct.

there are two different SMB communication paths and code

For the SMB clients talking to the VNX data mover it acts as a server and supports the SMB protocols listed with server_cifs.

A client connecting to the VNX will usually negotiate the highest available SMB version that both sides speak (depending on client settings and GPOs) - so yes by default SMB3 capable Windows client will use that.

If you are curious you can verify using server_cifs -o audit

For some administrative work like resolving SID's the VNX data mover talks to the domain controller and uses SMB secure channel. There it acts as a client and currently needs SMB1 available on the DC to work.

This will change with an upcoming patch.

Note that in both cases the VNX is NOT vulnerable to WannaCry since we dont use the Microsoft SMB code that has the remote execution vulnerability and it doesnt run Windows OS so the executable wouldnt run there.

View solution in original post

coey
1 Copper

Re: VNX5300 and SMBv1

Jump to solution

Hi,

Is there an official response from EMC on the VNX (clarion CX5300) vulnerability?

Regards,

Paul

0 Kudos
Rainer_EMC
5 Osmium

Re: VNX5300 and SMBv1

Jump to solution

coey wrote:

Hi,

Is there an official response from EMC on the VNX (clarion CX5300) vulnerability?

Regards,

Paul

yes - see knowledgebase article 499808 on support.emc.com

SMBv1 protocol is blocked by design and not accessible from external communications in the VNX Block system.

0 Kudos
coey
1 Copper

Re: VNX5300 and SMBv1

Jump to solution

Thanks, I don't think I can access the nkb article? have you got a link?

Regards,

0 Kudos
coey
1 Copper

Re: VNX5300 and SMBv1

Jump to solution

Hi,

Do you have a link to article? Can locate ☹

0 Kudos
Rainer_EMC
5 Osmium

Re: VNX5300 and SMBv1

Jump to solution

I cant right now either - I guess its being changed or re-published

I would suggest a KB search

0 Kudos
Rainer_EMC
5 Osmium

Re: VNX5300 and SMBv1

Jump to solution

if that doesnt work then please open a service request to ask for a statement

0 Kudos
jsmith841
1 Copper

Re: VNX5300 and SMBv1

Jump to solution

Here you go. It was last updated this morning.

KBA_499808.png

0 Kudos