Rowland Penny
2023-Oct-16 14:50 UTC
[Samba] Low performance when using "server signing" = "mandatory"
On Mon, 16 Oct 2023 15:13:49 +0200 Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:

> Hello,
> I'm experiencing very slow read/write performance, about 20 MB/s, on
> Samba share when I configure the "server signing" option as
> "mandatory". Once I set "server signing" to "default", the read/write
> performance returns to average speed about 800 MB/s.
> I am using Samba 4.9.4 on server with Intel Xeon CPU E5-2690 0 @
> 2.90GHz (32 threads) and 10 Gbit ethernet controller.
> I need to set "mandatory" value for security reasons, but the
> performance is unacceptable. How to solve this problem ?

Hmm, you need to set a parameter for security reasons, but you are quite prepared to continue using a 5 year old, EOL version of Samba, a version that quite likely contains numerous CVEs that have been fixed in later versions ????

What OS is this on ?

Rowland
Adam Błaszczykowski
2023-Oct-17 06:55 UTC
[Samba] Low performance when using "server signing" = "mandatory"
Hi,

If I update the Samba server version to the latest one, set the "server signing = default" parameter and the "server role = standalone" parameter, will my server be vulnerable to CVE-2016-2114?

Thank you.

On Mon, 16 Oct 2023 at 16:50, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 16 Oct 2023 15:13:49 +0200
> Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I'm experiencing very slow read/write performance, about 20 MB/s, on
> > Samba share when I configure the "server signing" option as
> > "mandatory". Once I set "server signing" to "default", the read/write
> > performance returns to average speed about 800 MB/s.
> > I am using Samba 4.9.4 on server with Intel Xeon CPU E5-2690 0 @
> > 2.90GHz (32 threads) and 10 Gbit ethernet controller.
> > I need to set "mandatory" value for security reasons, but the
> > performance is unacceptable. How to solve this problem ?
>
> Hmm, you need to set a parameter for security reasons, but you are quite
> prepared to continue using a 5 year old, EOL version of Samba, a
> version that quite likely contains numerous CVEs that have been
> fixed in later versions ????
>
> What OS is this on ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Adam Błaszczykowski
2023-Oct-23 07:54 UTC
[Samba] Low performance when using "server signing" = "mandatory"
Hello,

I have updated my system to Debian 12 with Samba 4.17.12, but the problem with performance still exists.

On the Samba page there is a note in the CVE-2016-2114 description:

"Note that the default for server roles other than active directory domain controller, is "off" because of performance reasons."
https://www.samba.org/samba/security/CVE-2016-2114.html

Does it mean that using "server signing = required" for file server with "server role = standalone" doesn't increase security and only causes problems with performance ?

My Nessus security scanner reports a problem with "SMB signing not required" even on newest Debian 12 bookworm with Samba version 4.17.12:

Nessus CVE-2016-2114 description:
Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

Nessus CVE-2016-2114 solution:
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'.

Best regards.
Adam Błaszczykowski

On Mon, 16 Oct 2023 at 16:50, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 16 Oct 2023 15:13:49 +0200
> Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I'm experiencing very slow read/write performance, about 20 MB/s, on
> > Samba share when I configure the "server signing" option as
> > "mandatory". Once I set "server signing" to "default", the read/write
> > performance returns to average speed about 800 MB/s.
> > I am using Samba 4.9.4 on server with Intel Xeon CPU E5-2690 0 @
> > 2.90GHz (32 threads) and 10 Gbit ethernet controller.
> > I need to set "mandatory" value for security reasons, but the
> > performance is unacceptable. How to solve this problem ?
>
> Hmm, you need to set a parameter for security reasons, but you are quite
> prepared to continue using a 5 year old, EOL version of Samba, a
> version that quite likely contains numerous CVEs that have been
> fixed in later versions ????
>
> What OS is this on ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
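
Added example, not part of the thread or of Samba's code: a small Python audit that reads the [global] section of an smb.conf and reports whether signing is enforced, following the rule quoted above from the CVE-2016-2114 page ("default" enforces signing only on an active directory domain controller). The function names and the sample configurations are constructed for illustration; include files, line continuations and role synonyms are not handled.

```python
import re

# Values that make the server refuse unsigned sessions; "mandatory" and
# "required" are the two spellings used in the thread.
ENFORCING = {"mandatory", "required"}
AD_DC_ROLE = "active directory domain controller"

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict.
    Keys are lower-cased with whitespace removed; values are lower-cased."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            params[key] = " ".join(value.lower().split())
    return params

def signing_required(conf_text):
    """True if this configuration enforces SMB signing on the server side."""
    p = parse_global(conf_text)
    signing = p.get("serversigning", "default")   # unset means "default"
    role = p.get("serverrole", "auto")
    if signing in ENFORCING:
        return True
    if signing == "default":
        # Per the quoted note: required on an AD DC, "off" for other roles.
        return role == AD_DC_ROLE
    return False   # e.g. "auto" or "disabled": signing is not enforced

# Constructed sample configurations mirroring the cases in the thread.
STANDALONE_DEFAULT = "[global]\n server role = standalone\n server signing = default\n"
STANDALONE_MANDATORY = "[global]\n server role = standalone\n server signing = mandatory\n"
AD_DC_UNSET = "[global]\n server role = active directory domain controller\n"

if __name__ == "__main__":
    for name in ("STANDALONE_DEFAULT", "STANDALONE_MANDATORY", "AD_DC_UNSET"):
        print(name, "-> signing required:", signing_required(globals()[name]))
```

The first case is the one a scanner reports as "SMB signing not required"; on a live host, `testparm -sv` shows the values Samba actually loads, including defaults and included files.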