SMB over Quic plus file server and authentication for current day

I have a beef with LAN style authentication and file sharing stuff like SMB, NFS and the whole LDAP plus Kerberos GSSAPI thing. I’ve lived most my career configuring those services and integrating different types of client and server operating systems. Crazy stuff like on Solaris 10 where the SMB implementation is in the kernel instead of a service. User ID mapping is almost always a made up mess.

I’m also not a fan of a mess of PHP code serving files over Webdav. SMB and NFS mounts over your file system like its locally attached. Those are lean protocols with just enough chatting and on a good connection you may not notice a difference between your local disk and what’s over the wire. Webdav on the other hand is wanky AF. A home user in this category would be serving files from some {Next,Own}Cloud or Seafile and the performance is not even close to a proper file sharing protocol.

Then there is weird stuff like files belonging to the web server service account and not using proper file system ACLs but instead using whatever the web program offers. Yeah I know Windows, POSIX and NFSv4 file system ACL implementations are not perfect but at least they try to reach a standard.

So I found out about SMB over Quick:

SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:

  • All packets are always encrypted and handshake is authenticated with TLS 1.3
  • Parallel streams of reliable and unreliable application data
  • Exchanges application data in the first round trip (0-RTT)
  • Improved congestion control and loss recovery
  • Survives a change in the clients IP address or port

SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.

It looks like same old same old protocol but encapsulated over Quic which is kinda like an accelerated streaming HTTP solution over UDP instead off TCP. That was a rough description. I’m sure both Quic and SMB over Quic probably bring lots of optimization to the table. But what matters is that you could finally serve files over the internet without webdav wankiness.

Thing is according to the aforementioned MS article this thing is already available on Server 2022 and Windows 11.

Sadly this is not yet a thing in Sambaland:

  • Microsoft have experimental servers / clients running on Windows.

  • Microsoft is happy to open protocol and document changes needed.

  • Samba implementation is awaiting stable QUIC library framework and service manager framework on Linux we can plug into.

  • How do we route QUIC connection requests from web server to smbd ?

  • Lots of interest, but no code yet.

  • SMB3 over QUIC is the future of SMB over the Internet and into Cloud storage.

Anyway I’m interested in whatever thing comes out of this. While at it, *Nix (actually PAM and NSS) and MacOS could work on a current century authentication method that doesn’t assume everything is in the same LAN.

2 Likes

Interesting, how does auth work? Kerberos/AD as usual?

Seems sot. For now it seems to just tunnel SMB3 through Quic. It doesn’t change the underlying protocol that much.

Wonder how this performs compared to SMB over Wireguard.