SMB Client-signing OSX El Capitan

Mac OS X 10.11.5 introduced SMB client signing to mitigate the Badlock bug, and in the latest release, OS X 10.11.6, client signing is still enabled.
This leads me to believe that this behaviour will not be changed. For security reasons it makes sense to enable this kind of feature. But so far it is a Mac-only feature, which prevents people with third-party NAS devices or servers from connecting over SMB with full performance.

With client signing on, connecting to a third-party NAS that uses the open-source version of Samba will limit your connection to around 25-40 MB/s regardless of connection speed. I have tested this with both 1GbE and 10GbE.

The feature can be disabled by creating a config file in /etc called nsmb.conf and adding the lines:

[default]
signing_required=0

With El Capitan, Apple introduced a feature called rootless, which prevents users from altering the core system files in the Unix/BSD layer. This feature prevents normal users from creating this config file under /etc, and therefore it is not that easy to disable client signing on the SMB connection.

I have made a small installer package that runs a script to disable client signing by adding the config file, without the need to disable the rootless feature. I have also added an uninstall script to this installer package to get your system back to its original state.

The small package installer can be found here: 10.11.X-SMBfix.pkg

So what are the consequences of disabling client signing?

Well, man-in-the-middle attacks will be possible. But then again, opening up the SMB protocol to the internet is a bad, bad idea. So on a trusted local network you should still be fine. The best thing would be to enable client signing on the server/NAS, but on many third-party NAS solutions that is not possible until the vendor chooses to release a new update with that feature enabled.

Disclaimer: I cannot and will not be held responsible for any attacks, data loss or other bad stuff that can happen to your server, system or network by installing this software. The software is provided as is. Below you can see the content of the two scripts that are run by the installer. No binaries are being installed on your system.

Install script:

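#!/bin/bash
# Writes /etc/nsmb.conf with SMB client signing turned off.
conffile="/etc/nsmb.conf"
# -F fixed string, -x whole line, -q quiet; grep errors are hidden if the file does not exist yet.
if grep -Fxq "signing_required=0" "$conffile" 2>/dev/null
then
    echo "Signing already disabled."
    echo "Exiting..."
    exit 0
else
    # This overwrites any existing nsmb.conf.
    echo "[default]" > "$conffile"
    echo "signing_required=0" >> "$conffile"
fi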

Uninstall script:

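#!/bin/bash
# Removes /etc/nsmb.conf if it contains the signing override.
conffile="/etc/nsmb.conf"
if grep -Fxq "signing_required=0" "$conffile" 2>/dev/null
then
    # This deletes the whole file, including any other settings in it.
    rm "$conffile"
else
    echo "SMB client signing is already enabled."
    echo "Restart to ensure that it has been activated."
fi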
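
As an added example (not part of the original post or its installer package), this shell function audits an nsmb.conf file and reports whether client signing has been turned off in the [default] section, which is a quick check to run on a Mac before it leaves the trusted local network. The function name and the treatment of `no` and `false` as equivalent to `0` are assumptions; the post itself only uses `0`.

```shell
#!/bin/sh
# Report the SMB client-signing state configured in an nsmb.conf file.
# Prints one of: disabled | required | unset
# Assumption: the values 0/no/false mean "off"; the post only shows 0.
signing_state() {
    conf="${1:-/etc/nsmb.conf}"
    # No readable file means no override is present.
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        BEGIN { state = "unset" }
        # Drop comments and surrounding whitespace.
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # Track which [section] we are in.
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        section == "default" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (tolower(key) != "signing_required") next
            val = tolower(val)
            # The last matching line in the section decides the result.
            state = (val == "0" || val == "no" || val == "false") ? "disabled" : "required"
        }
        END { print state }
    ' "$conf"
}

# Constructed sample: a file with the same content the install script writes.
demo() {
    tmp=$(mktemp) || return 1
    printf '[default]\nsigning_required=0\n' > "$tmp"
    signing_state "$tmp"
    rm -f "$tmp"
}

demo
```

Run `signing_state` with no argument to check /etc/nsmb.conf on the local machine; a result of `disabled` means the override from the install script is in place.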

Copyright notice: Kulmosen.dk is an independent blog site and has not been authorized, sponsored, or otherwise approved by Apple Inc. The names Apple and Mac OS X are used only to describe features and the issue found when using Mac OS X against third-party servers and NAS solutions over the SMB protocol, and to help the thousands of people who are experiencing low performance with those types of systems.
