Kodi and SMBv1 – how to jump into the 21st century


What is it?

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application or the user can access files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

What versions are out there?

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists.

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008. The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

WannaCry

Almost everyone has heard of WannaCry in recent weeks: malware that propagates using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol that was made by the NSA and lost by the NSA.

WannaCry is made less harmful by patching Microsoft’s Operating Systems, disabling SMBv1 and blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

 

How to enable or disable SMB protocols on the Windows SMB server

If you are running Windows Server you can use the Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component. You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Notes
  • You must run these commands at an elevated command prompt.
  • You do not have to restart the computer after you make these changes.

 

To enable or disable SMB protocols on an SMB Server that is running a Windows Desktop OS use Windows PowerShell or Registry Editor.

To disable SMBv1 on the SMB server-side, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Notes
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

 

How to enable or disable SMB protocols on the Windows SMB client

Note

You might think a Windows Server has nothing to do with the client side of SMB but it uses the client to connect to other servers. So if you want to completely disable SMBv1 you also need to do the following on the Server OS.

To disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Notes
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

 

How to gracefully remove SMBv1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

If you are sure you do not need SMBv1 and will never need it you can also remove it from the OS.

If you are using Windows Server run the following cmdlet:

Remove-WindowsFeature FS-SMB1

If you are using a Windows Client OS run the following cmdlet:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Note
  • You must run these commands at an elevated command prompt.

 

 

When does Kodi come into play?

You might have read this far and asked yourself what this has to do with Kodi. Well, after I disabled SMBv1 on my free Microsoft Hyper-V Server 2016 (Blog Post coming soon) I noticed my OSMC Kodi client couldn’t access the libraries anymore.

That’s weird, OSMC is running a fairly new Linux kernel and is normally shipped with up to date packages. Samba 3.6 was the first version that made SMBv2 possible. Released at the end of 2011 this should have worked.

After a lot of time on the Kodi and OSMC forum it turns out that Kodi has some sort of its own smb configuration.

While normal Linux systems have the configuration file located in the /etc/samba/smb.conf file, it turns out that Kodi uses its own configuration file.

While bumping the system-wide smb.conf file for Samba up to SMB2 or higher, I was still unable to connect my Pi with OSMC to my Ubuntu Server running SMB3.

Using smbstatus you can get a report on current Samba connections:

$ sudo smbstatus -b

Note

To get the Windows equivalent of smbstatus use the following PowerShell line:

Get-SmbSession | Select-Object -Property SessionId,ClientComputerName,ClientUserName,NumOpens,Dialect | Format-Table

 

The almost hidden .smb/smb.conf

Kodi has very poorly documented its own smb.conf file in the ~/.kodi/.smb/smb.conf location. This is the file that Kodi uses for its Samba configuration.

I started by adding the option client min protocol = SMB2 to bypass SMB1. After this I still couldn’t make a connection with my files. Some people stated client max protocol = SMB3 should go along with the min setting. I also added client NTLMv2 auth = yes since this kinda is the default setting since Windows Server 2008.

After this I was able to connect with my Windows Server 2016 but still not with my Ubuntu Server. I downgraded the server protocol to SMB2 with server min protocol = SMB2 and things started to work.

$ sudo smbstatus -b

Samba version 4.3.11-Ubuntu
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
1741 nobody nogroup 172.16.1.195 (ipv4:172.16.1.195:50393) Unknown (0x0311)
1758 nobody nogroup 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1758 -1 -1 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00

Nice to see the client is connecting with SMB3 while it wouldn’t connect while the server was on SMB3 level… interoperability… jeej! 😉
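Before raising server min protocol it helps to know which clients still negotiate SMB1. The following is an added example, not part of the original post: it parses smbstatus -b output in the Samba 4.3 layout shown above and lists the machines still on SMB1. The sample rows are constructed, and it assumes SMB1 sessions are reported as NT1 and that an "Unknown (0x....)" cell carries the raw SMB2+ dialect revision (0x0311 is SMB 3.1.1, which this smbstatus build cannot name).

```python
import re

# Constructed sample in the Samba 4.3 `smbstatus -b` layout shown above;
# the NT1 row (an SMB1 session) is invented for the demonstration.
SAMPLE = """\
Samba version 4.3.11-Ubuntu
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
1741 nobody nogroup 172.16.1.195 (ipv4:172.16.1.195:50393) Unknown (0x0311)
1758 nobody nogroup 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1758 -1 -1 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1802 nobody nogroup 172.16.1.201 (ipv4:172.16.1.201:51022) NT1
"""

ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<machine>\S+)\s+\([^)]*\)\s+(?P<proto>.+?)\s*$"
)
UNKNOWN = re.compile(r"^Unknown \(0x([0-9a-fA-F]{4})\)$")

def dialect_family(proto):
    """Map a Protocol Version cell to 'SMB1', 'SMB2' or 'SMB3'."""
    m = UNKNOWN.match(proto)
    if m:  # raw dialect revision, e.g. 0x0311 = SMB 3.1.1
        rev = int(m.group(1), 16)
        return "SMB3" if rev >= 0x0300 else "SMB2" if rev >= 0x0202 else "SMB1"
    if proto.startswith(("SMB2", "SMB3")):
        return proto[:4]
    return "SMB1"  # NT1 and anything older than SMB2

def parse_sessions(text):
    """Return one (pid, machine, family) tuple per distinct session row."""
    seen = []
    for line in text.splitlines():
        m = ROW.match(line)  # header and separator lines do not match
        if m:
            row = (int(m["pid"]), m["machine"], dialect_family(m["proto"]))
            if row not in seen:
                seen.append(row)
    return seen

def smb1_clients(text):
    """Machines that `server min protocol = SMB2` would cut off."""
    return sorted({mach for _, mach, fam in parse_sessions(text) if fam == "SMB1"})

if __name__ == "__main__":
    print(parse_sessions(SAMPLE))
    print("still on SMB1:", smb1_clients(SAMPLE))
```

Newer Samba releases print extra columns (encryption, signing), so the row pattern needs adjusting there.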

So after some time I ended with the following configuration file for my Linux computers:

smb.conf

[global]
 client min protocol = SMB2
 client max protocol = SMB3
 client NTLMv2 auth = yes
 server min protocol = SMB2
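
A commenter below reports that Kodi rewrites smb.conf on start and pulls in user.conf through an include line, so what matters is the effective setting. This added example (not Kodi's or Samba's code) resolves the [global] section with includes applied in place and the last value winning, then reports whether SMB1 is still possible. The file contents are constructed, and an unset client min protocol is assumed to allow SMB1.

```python
import re

# Constructed contents for the two files named on this page. What Kodi
# really writes into smb.conf is not shown here; this body is invented.
BASE = "/home/kodi/.kodi/.smb/"
FILES = {
    BASE + "smb.conf": "[global]\n"
                       " client min protocol = NT1\n"
                       " include = " + BASE + "user.conf\n",
    BASE + "user.conf": "[global]\n"
                        " Client Min Protocol = SMB2\n"
                        " client max protocol = SMB3\n"
                        " client NTLMv2 auth = yes\n",
}

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def effective_global(files, path, out=None, depth=0):
    """Resolve [global], following include lines in place (last value wins)."""
    out = {} if out is None else out
    section = None
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if norm(key) == "include":
                if depth < 8:  # guard against include loops
                    effective_global(files, value, out, depth + 1)
            elif section == "global":
                out[norm(key)] = value
    return out

def smb1_possible(settings):
    """True when the client may still negotiate SMB1 (NT1 or older)."""
    floor = settings.get("clientminprotocol", "")  # unset: assume SMB1 allowed
    return not floor.upper().startswith(("SMB2", "SMB3"))

if __name__ == "__main__":
    cfg = effective_global(FILES, BASE + "smb.conf")
    print(cfg, "SMB1 possible:", smb1_possible(cfg))
```

Order matters: a conflicting client min protocol line placed after the include in smb.conf would override user.conf, so re-check after Kodi regenerates the file.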

 

After-effects

Disabling SMBv1 in Kodi breaks the SMB browsing function. You will not be able to use the SMB browser to navigate through your network and shares. If you want to connect to a new source you will have to type smb://MyServer/MyShare/

Android Phones/Tablets/Players will not be able to make use of the more secure servers. While the same mechanism is still there, the Samba client shipped with Kodi is not able to connect to SMB2/3 shares. According to a developer from Kodi, their Samba version for Android is not compatible with it.

Android/data/org.xbmc.kodi/files/.smb/smb.conf

A bit of snooping around GitHub shows they are probably using Samba 3.0 with a lot of patches. The good news is that three weeks ago they started some work with Samba 4.1.

Until that work is complete a workaround for Kodi on Android might be switching to NFS or going truly hardcore with mounting cifs on the Android system.

6 thoughts on “Kodi and SMBv1 – how to jump into the 21st century”

  1. Hello,

    that’s a pretty awesome documentation of your work so I also tried this today but I always get “Connection timed out” on my raspberry

    I edited on my Raspberry the smb.conf in the samba and the kodi folder and also added the Network path manually but no success so far 😦

    Could you give me any advice?


    1. There could be a few things happening here. In my experience two things are likely to happen. To rule out Kodi you could try to connect to your server with smbclient. Try: smbclient -U yourusername \\\\yourservername\\yourshare -m SMB3_00
      (Yes, there are a lot of backslashes in that command but that’s how it works; if your server doesn’t have SMB3 you could use SMB2_24 instead.)
      If this works Samba is configured correctly and the error should be around Kodi.
      Another pitfall is the way you connect to the share. Kodi needs to know your username and password for the share if your share has any form of authentication requirement. You should input the share like this:
      smb://Yourusername:Yourpassword@Yourservername/Yourshare
      This will be stored in the sources.xml file located in the kodi/userdata folder. Editing this file by adding the username and password could be easier than entering it in Kodi.


  2. On my setup (kodi 17.4 on a raspberry pi) the smb.conf file is overwritten each time kodi started but it has this line in it:
    include = /home/kodi/.kodi/.smb/user.conf

    so I added those settings into “/home/kodi/.kodi/.smb/user.conf” instead and that fixed it.

    THANKS!


  3. Hello there,
    I am also struggling since a while to connect my raspi with openelec/kodi to my windows server 2012 R2 through smb share.
    It’s very interesting to note that finally you were able to connect to winserver 2016.
    I need some help to follow.
    What in detail is to be added where?
    Many thanks
    Peter


    1. In the paragraph ‘The almost hidden .smb/smb.conf’ you will find the answer to get your Kodi connecting. If you haven’t changed any major permissions in Windows you can solve the connection issue by adding the options in smb.conf on your Linux machine.

