Kodi and SMBv1 – how to jump into the 21st century

What is it?

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application or the user can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

What versions are out there?

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists.

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008. The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

WannaCry

Almost everyone has heard of WannaCry in recent weeks. It propagates using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol that was made by the NSA and lost by the NSA.

WannaCry is made less harmful by patching Microsoft’s Operating Systems, disabling SMBv1 and blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

 

How to enable or disable SMB protocols on the Windows SMB server

If you are running Windows Server you can use the Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component. You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Notes
  • You must run these commands at an elevated command prompt.
  • You do not have to restart the computer after you make these changes.

 

To enable or disable SMB protocols on an SMB Server that is running a Windows Desktop OS use Windows PowerShell or Registry Editor.

To disable SMBv1 on the SMB server-side, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Notes
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

 

How to enable or disable SMB protocols on the Windows SMB client

Note

You might think a Windows Server has nothing to do with the client side of SMB but it uses the client to connect to other servers. So if you want to completely disable SMBv1 you also need to do the following on the Server OS.

To disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Notes
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

 

How to gracefully remove SMBv1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

If you are sure you do not need SMBv1 and will never need it you can also remove it from the OS.

If you are using Windows Server run the following cmdlet:

Remove-WindowsFeature FS-SMB1

If you are using a Windows client OS run the following cmdlet:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Note
  • You must run these commands at an elevated command prompt.

 

 

When does Kodi come into play?

You might have read this so far and asked yourself what has this to do with Kodi? Well after I disabled SMBv1 on my free Microsoft Hyper-V Server 2016 (Blog Post coming soon) I noticed my OSMC Kodi client couldn’t access the libraries anymore.

That’s weird, OSMC is running a fairly new Linux kernel and is normally shipped with up to date packages. Samba 3.6 was the first version that made SMBv2 possible. Released at the end of 2011 this should have worked.

After a lot of time on the Kodi and OSMC forum it turns out that Kodi has some sort of its own smb configuration.

While normal Linux systems have the configuration file located in the /etc/samba/smb.conf file, it turns out that Kodi uses its own configuration file.

While bumping the system wide smb.conf file for Samba up to SMB2 or higher I was still unable to connect my Pi with OSMC to my Ubuntu Server running SMB3.

Using smbstatus you can get a report on current Samba connections:

$ sudo smbstatus -b

The almost hidden .smb/smb.conf

Kodi has very poorly documented its own smb.conf file in the ~/.kodi/.smb/smb.conf location. This is the file that Kodi uses for its Samba configuration.

I started adding the option client min protocol = SMB2 to bypass SMB1. After this I still couldn’t make a connection with my files. Some people stated client max protocol = SMB3 should go along with the min setting. I also added client NTLMv2 auth = yes since this kinda is the default setting since Windows Server 2008.

After this I was able to connect with my Windows Server 2016 but still not with my Ubuntu Server. I downgraded the server protocol to SMB2 with server min protocol = SMB2 and things started to work.

$ sudo smbstatus -b

Samba version 4.3.11-Ubuntu
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
1741 nobody nogroup 172.16.1.195 (ipv4:172.16.1.195:50393) Unknown (0x0311)
1758 nobody nogroup 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1758 -1 -1 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00

Nice to see the client is connecting with SMB3 while it wouldn’t connect while the server was on SMB3 level… interoperability… jeej! 😉
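
To check what each client actually negotiated, the smbstatus report can be classified mechanically. This is an added example, not part of the original post: it parses smbstatus -b output, reads the Unknown (0x0311) that this Samba version prints as SMB 3.1.1, and flags SMB1-or-older sessions. The function names and the NT1 row in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the dialect of each session in an "smbstatus -b" report.
# Reads the report on stdin, prints "<pid> <client> <dialect> <verdict>" once per
# session, and returns 1 if any session negotiated SMB1 (NT1) or older.
classify_smb_sessions() {
    awk '
    /^-+$/ { in_table = 1; next }            # session rows follow the dashed rule
    !in_table || NF < 5 { next }
    {
        # The protocol column is whatever follows the "(ipv4:...)" or "(ipv6:...)" field.
        for (i = 1; i <= NF; i++) if ($i ~ /^\(ipv[46]:/) break
        if (i >= NF) next                    # no address field, or nothing after it
        if ($(i + 1) == "Unknown" && $(i + 2) == "(0x0311)")
            dialect = "SMB3_11"              # Samba 4.3 prints SMB 3.1.1 as a raw number
        else
            dialect = $(i + 1)               # later columns (encryption, signing) are ignored

        if (dialect ~ /^(CORE|COREPLUS|LANMAN1|LANMAN2|NT1)$/) verdict = "LEGACY"
        else if (dialect ~ /^SMB[23]_/)                        verdict = "ok"
        else                                                   verdict = "unknown"

        key = $1 " " $(i - 1) " " dialect    # smbstatus can list one session twice
        if (key in seen) next
        seen[key] = 1
        if (verdict == "LEGACY") bad = 1
        print $1, $(i - 1), dialect, verdict
    }
    END { exit bad + 0 }
    '
}

# Sample report: the first three rows are the ones shown in the post,
# the NT1 row is constructed to show what a legacy client looks like.
sample_report() {
    cat <<'EOF'
Samba version 4.3.11-Ubuntu
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
1741 nobody nogroup 172.16.1.195 (ipv4:172.16.1.195:50393) Unknown (0x0311)
1758 nobody nogroup 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1758 -1 -1 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1802 nobody nogroup 172.16.1.200 (ipv4:172.16.1.200:51820) NT1
EOF
}

# Live use on the Samba server:  sudo smbstatus -b | classify_smb_sessions
```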

So after some time I ended with the following configuration file for my Linux computers:

smb.conf

[global]
 client min protocol = SMB2
 client max protocol = SMB3_11
 client NTLMv2 auth = yes
 server min protocol = SMB2
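
Because the system-wide file and Kodi's ~/.kodi/.smb/smb.conf are read independently, it helps to run the same check against both. The following is an added example, not from the original post: it reports the client and server dialect floor set in the [global] section of an smb.conf. The function names and the weak sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the minimum SMB dialect an smb.conf allows.
# Reads the file on stdin, prints one line per parameter, and returns 1 when the
# client or server floor is unset, unrecognised, or still admits SMB1 (NT1) or older.
# UNSET means the default of the installed Samba build applies.
audit_smb_conf() {
    awk '
    # Samba ignores case and whitespace in section and parameter names.
    function norm(s) { gsub(/[ \t\r]/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                                  # comment line
    /^[ \t]*\[/   { sect = norm($0); next }                 # section header
    sect == "[global]" && index($0, "=") {
        eq = index($0, "=")                                 # only the first "=" separates
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        conf[norm(substr($0, 1, eq - 1))] = toupper(val)
    }
    END {
        n = split("client min protocol,server min protocol", want, ",")
        for (k = 1; k <= n; k++) {
            v = conf[norm(want[k])]
            if (v == "")                                          verdict = "UNSET"
            else if (v ~ /^(CORE|COREPLUS|LANMAN1|LANMAN2|NT1)$/) verdict = "ALLOWS SMB1"
            else if (v ~ /^SMB[23](_[0-9]+)?$/)                   verdict = "ok"
            else                                                  verdict = "UNRECOGNISED"
            if (verdict != "ok") bad = 1
            print want[k] " = " (v == "" ? "-" : v) " -> " verdict
        }
        exit bad + 0
    }
    '
}

page_conf() {   # the configuration the post ends up with
    cat <<'EOF'
[global]
 client min protocol = SMB2
 client max protocol = SMB3_11
 client NTLMv2 auth = yes
 server min protocol = SMB2
EOF
}

weak_conf() {   # constructed for contrast: client floor at SMB1, server floor unset
    cat <<'EOF'
[global]
    Client Min Protocol = NT1
    client max protocol = SMB3
EOF
}

# Live use:  audit_smb_conf < ~/.kodi/.smb/smb.conf ; audit_smb_conf < /etc/samba/smb.conf
```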

 

After-effects

Disabling SMBv1 in Kodi breaks the SMB browsing function. You will not be able to use the SMB browser to navigate through your network and shares. If you want to connect to a new source you will have to type smb://MyServer/MyShare/

Android Phones/Tablets/Players will not be able to make use of the more secure servers. While the same mechanism is still there the Samba client shipped with Kodi is not able to connect to SMB2/3 shares. According to a developer from Kodi their Samba version for Android is not compatible with it.

Android/data/org.xbmc.kodi/files/.smb/smb.conf

A bit of snooping around GitHub shows they are probably using Samba 3.0 with a lot of patches. The good news is that three weeks ago they started some work with Samba 4.1.

Until that work is complete a workaround for Kodi on Android might be switching to NFS or going truly hardcore with mounting cifs on the Android system.

Windows Server 2016 docs are now on docs.microsoft.com

Microsoft announced the availability of the IT pro technical documentation for Windows Server 2016 and Windows 10 and Windows 10 Mobile on docs.microsoft.com.

docs.microsoft.com?

Docs is a crisp new design that should work better on your phone, tablet, and PC. You’ll see new ways to engage with Microsoft and contribute to the larger IT pro community on docs.

Performance Tuning Guidelines for Windows Server 2016

When you run a server system in your organization, you might have business needs not met using default server settings. For example, you might need the lowest possible energy consumption, or the lowest possible latency, or the maximum possible throughput on your server. This guide provides a set of guidelines that you can use to tune the server settings in Windows Server 2016 and obtain incremental performance or energy efficiency gains, especially when the nature of the workload varies little over time.

It is important that your tuning changes consider the hardware, the workload, the power budgets, and the performance goals of your server. This guide describes each setting and its potential effect to help you make an informed decision about its relevance to your system, workload, performance, and energy usage goals.

Warning

Registry settings and tuning parameters changed significantly 
between versions of Windows Server. Be sure to use the latest 
tuning guidelines to avoid unexpected results.

You can download the official document here.

Power Throttling your background apps on Windows

Most people have multiple apps running at the same time – and often, what’s running in the background can drain your battery. In the latest Insider Preview build (Build 16176), Microsoft allows you to run background work in a power-efficient manner, thereby enhancing battery life significantly while still giving users access to powerful multitasking capabilities. With “Power Throttling”, when background work is running, Windows places the CPU in its most energy-efficient operating modes – work gets done, but the minimal possible battery is spent on that work.

Microsoft mentioned in January that they were doing some power experiments. Power Throttling was one of those experiments, and showed up to 11% savings in CPU power consumption for some of the most strenuous use cases. This capability should help many of you see a nice boost in battery life!

Background Moderated apps are the Power Throttled ones.

Power Throttling is currently available only for processors with Intel’s Speed Shift technology, available in Intel’s 6th-gen (and newer) Core processors. Processors where the first number after i3, i5 or i7 is a 6 are currently supported (for example i5-6400, i7-6600). Other processors, read older ones, will likely be added to the support list in the future.

A passage from Microsoft:

How does it work? To give great performance to the apps you’re using, while at the same time power throttling background work, we built a sophisticated detection system into Windows. The OS identifies work that is important to you (apps in the foreground, apps playing music, as well as other categories of important work we infer from the demands of running apps and the apps the user interacts with). While this detection works well for most apps, if you happen to notice an app that is negatively impacted by Power Throttling, we really want to know!! You can do 3 things:

1. Provide feedback! Please run the Feedback Hub and file feedback under the Power and Battery > Throttled Applications category

2. Control power throttling system-wide, using the Power Slider. Windows works hardest to keep the processor in its efficient ranges when you’ve selected “Battery Saver” or “Recommended”, and turns off completely when you’ve selected “Best Performance”.

3. Opt individual apps out from Power Throttling:

  • Go to Battery Settings (Settings >  System > Battery).
  • Click on “Battery Usage by App”.
  • Select your app.
  • Toggle “Managed by Windows” to “Off”.
  • Uncheck the “Reduce work app does when in background” checkbox.

Note that benchmark results may vary with power throttling turned on. While most benchmarks run fine and produce great performance results, some benchmark processes may be affected by throttling. Our general recommendation is to always run performance benchmarks while plugged in, as power throttling does not apply in that case.

I find a few things weird in this text. First of all, why mention music apps? It’s not like an app playing music would need full power of a 6th generation Intel Core processor. Are there some restrictions with apps that use DirectSound or Direct3D?

And as you can read in the final sentence this feature won’t be available on your Desktop. Why? Why wouldn’t I want 11% power-savings (or even more since desktop processors are likely to use more power) on my desktop?

Windows Vista support has ended

As of April 11, 2017, Windows Vista customers are no longer receiving new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft. Microsoft has provided support for Windows Vista for the past 10 years, but the time has come for us, along with our hardware and software partners, to invest our resources towards more recent technologies so that we can continue to deliver great new experiences.

No tears from me about this one 😉

You can read the full story here on Microsoft’s support site.

 

The next ‘bigger’ products to follow this year are Windows Phone 8.1 on 11 July 2017 and Microsoft Office 2011 products for Mac on 10 October 2017.

How to get the Windows 10 Creators Update

Starting yesterday, the Windows 10 Creators Update is rolling out to Windows 10 PCs across the world in phases, starting with newer machines first, but if you don’t want to wait, you can manually get the update now.

The easiest way to upgrade your PC to the new version is to download the upgrade assistant from here. Direct link: http://go.microsoft.com/fwlink/?LinkID=799445

Just run the app and follow the instructions.

The Microsoft Azure, Bing, Dynamics 365, Office 365, OneDrive, Xbox network

Every day, people around the world connect to Microsoft Azure, Bing, Dynamics 365, Office 365, OneDrive, Xbox, and many other services through trillions of requests.

Your traffic enters our global network through strategically placed Microsoft edge nodes, our points of presence. These edge nodes are directly interconnected to more than 2,500 unique Internet partners through thousands of connections in more than 130 locations. Microsoft’s rich interconnection strategy optimizes the paths that data travels on their global network. As a user you get a better network experience with less latency, jitter, and packet loss with more throughput. Direct interconnections give customers better quality of service compared to transit links, because there are fewer hops, fewer parties, and better networking paths.

Microsoft Global WAN

 

Azure traffic between Microsoft datacenters stays on their network and does not flow over the Internet. This includes all traffic between Microsoft services anywhere in the world. For example, within Azure, traffic between virtual machines, storage, and SQL communication traverses only the Microsoft network, regardless of the source and destination region. Intra-region VNet-to-VNet traffic, as well as cross-region VNet-to-VNet traffic, stays on the Microsoft network.

To give customers a service that works well, Microsoft’s network must be able to handle failures and rapidly respond to demand spikes. To support the tremendous growth of the cloud services and maintain consistent service level agreements, Microsoft invests in private fiber (sometimes called dark fiber), for their metro, terrestrial, and submarine paths. Microsoft owns and runs one of the largest backbone networks in the world, connecting our datacenters and customers. Over the last three years, they have grown their long-haul WAN capacity by 700 percent. Within a given region, they can support up to 1.6 Pbps of inter-datacenter bandwidth. Microsoft continues to increase capacity to meet the strong demand for Microsoft cloud services.

Microsoft’s submarine investments improve resiliency, performance, and reliability across the Pacific and Atlantic Oceans. Their latest investment is the MAREA cable, a 6,600 km submarine cable between Virginia Beach, Virginia, USA, and Bilbao, Spain, which they jointly developed with Facebook. MAREA will be the highest-capacity subsea cable to cross the Atlantic, featuring eight fiber pairs and an initial estimated design capacity of 160 Tbps. This open cable system is an innovation in submarine cable design and delivery, which allows for greater bandwidth capacity thresholds and reduces cost.

Global network infrastructure can be surprisingly vulnerable. For example, fiber optic cables can be cut by ship anchors dragging along the seabed. For an example, see a ship accidentally cut Jersey’s internet cables with its anchor. To provide the reliability the cloud needs, Microsoft has many physical networking paths with automatic routing around failures for optimal reliability.

Datacenter backbone

 

 

Announcing Windows 10 Insider Preview Build 15058 for Slow Ring

Windows 10 Insider Preview Build 15058 is being pushed to Windows Insiders in the Slow ring. The list of changes is not huge. The second bullet is fixed and the watermark introduced on the previous build is gone again.

Other changes, improvements, and fixes for PC

  • We fixed the issue causing a number of inbox apps to fail to launch (such as Store) and preventing any app updates from the Store from installing.
  • We fixed another issue causing some UWP apps to unexpectedly appear with their app package name in the title bar as opposed to the app name.
  • We fixed an issue where going to fullscreen or maximizing Microsoft Edge when Microsoft Edge’s window was snapped to a size smaller than half the screen would trigger back navigation.
  • We fixed an issue resulting in the mouse pointer staying visible when watching a video fullscreen in Microsoft Edge.
  • We fixed a crash Insiders may have sometimes experienced in recent builds when accessing the Wi-Fi Settings page via Settings > Network & Internet > Wi-Fi.
  • We fixed an issue where the desktop session sometimes crashed for Insiders after locking if the PC was set to lock on sleep. After this happened, trying to unlock the computer could result in either seeing an unexpected “Can’t log in: The number of connections to this computer is limited and all connections are in use” error on the login screen, or a successful login only to find all open apps had been closed.
  • We fixed an issue where renaming an encrypted PDF would reset the default PDF reader if it was not currently set to Microsoft Edge.
  • We have improved video playback quality on the target device when using Miracast to wirelessly connect from a high DPI PC to another high DPI device.