Is using userspace tools (like Samba's "ftp like" smbclient tool) an option to migrate these files?

On Wed, Jul 27, 2022 at 3:04 PM Clemens Leu <clemens.leu@xxxxxxxxx> wrote:
>
> Hi all
>
> Here follows now another practical reason why it is at the moment a
> quite unhappy decision to ditch the NTLM/CIFS 1.0 support entirely.
>
> I am on Kubuntu 20.04 LTS and the access to my Apple Time Capsule worked
> fine. This changed when kernel 5.15.0-41-generic was installed some time
> ago. Since then I have in dmesg the known "kernel: bad security option:
> ntlm" and "kernel: CIFS: VFS: bad security option: ntlm" messages and no
> access is possible any longer to the Time Capsule.
>
> So it looks like commit "[76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c]
> cifs: remove support for NTLM and weaker authentication algorithms" has
> completely broken my Time Capsule access.
>
> Yes, I know, ntlm is more than 20 years old and a quite insecure
> protocol. It is absolutely understandable to disable it as default.
> However, it should be also regarded that there exist companies which
> decided because of narrow-minded reasons to implement only the old SMB1
> protocol also on not so old hardware. Apple is such an example, they
> really implemented on all of their Time Capsule models (which were using
> a special Samba implementation) only the stone-age variant of SMB/NTLM.
> This is true even for the last 2013 variant which was discontinued on
> April 26, 2018. Apple could for sure support a more recent SMB version
> but they didn't do it most likely to make their own AFP3 protocol look
> and perform better.
>
> So the alternative would be AFP in my case, unfortunately it's not so
> easy. While we have thanks to Netatalk a rock-solid AFP support in Linux
> at the server side, this is unfortunately not true for the client one.
> The corresponding "afpfs-ng" (Apple Filing Protocol Library, a client
> implementation of the Apple Filing Protocol) project has been unmaintained
> and dormant for years.
>
> Long story short, the current situation in this topic is as I said quite
> unhappy. While I fully agree to disable NTLM/CIFS 1.0 as default, it
> shouldn't be removed entirely. Maybe it is possible to enable it only
> for accessing older network volumes/shares while at the same time block
> the possibility to create insecure NTLM network shares? I am aware that
> the risk in enabling this old and flawed protocol will be my own
> problem. I won't complain if I get into trouble because of it. ;-)
> Unfortunately I have no alternative other than buying a new NAS or
> downgrading to an older kernel which is also not a really practical option.
>
> Whatever, many thanks for all your great work!
>

--
Thanks,

Steve