When it comes to selecting a protocol to share files over the network, you commonly come across the SMB and CIFS terms in software interfaces and documentation. Some users think that SMB and CIFS are the same thing, and clearly identifying the difference may be difficult. However, let’s look at why CIFS can’t be used as a synonym for SMB. Learn about the SMB vs CIFS protocols differences and how to use the terms.
What Is SMB?
SMB, or Server Message Block, is a network protocol working at the application layer of the OSI communications model. SMB is used for providing shared access to resources over the network. The SMB protocol is widely used to share files on file servers, share files between user computers, and copy files between computers.
In addition to manipulating files, the other use case for SMB is messaging and printing (general purpose remote transactions), as well as browsing computers in the network. IBM developed SMB in 1983, and since then the protocol has been improved multiple times.
What is SMB file share?
SMB file shares are directories on a remote host that are made available via the SMB protocol. They are configured on file servers, and read and write access can be configured to these shares. One file server can have multiple SMB shares.
How SMB Works: What does SMB do?
SMB works based on the client-server network principle. The protocol uses a set of data packets containing a request sent by a client or a reply sent by a server. Clients can connect to a server by using an IP address or hostname. These SMB data packets can be classified as:
- Session control packets, which establish/stop connections to file shares
- File access packets, which, as the name suggests, access the file shares and manipulate the files
- General message packets
SMB opens a session after establishing a connection and completing authentication. Then SMB messages can be transmitted across this session. When initiating a session, an SMB client sends a list of its capabilities (capabilities depend on the SMB version of the client).
The SMB protocol can work:
- directly via TCP by using port 445 (without NetBIOS) – this is the modern approach.
- via NetBIOS API by using UDP ports 137 and 138 and TCP ports 137 and 139 – this is the legacy approach used up to Windows 2000. The first versions of SMB used NetBIOS over TCP/IP for transport.
The SMB protocol supports batching, that is, grouping multiple messages and sending them in one transmission to improve performance.
Additional functionality includes file locking mechanisms to protect shared files when multiple users open the same file. Locking files allows avoiding data being writing by multiple users simultaneously and causing data inconsistency in a file.
IPC (inter-process connection) is also known as a null session connection. The IPC$ share created by Windows is used with temporary connections between clients and servers. This hidden share is created for sharing data that cannot be classified as files/directories and printers, for example, users and share enumeration.
Windows systems contain a native SMB client and server. However, client Windows versions have a limit on the number of users that can connect to a host, unlike Windows Server versions, which don’t have such limitations.
- Windows XP and Vista – maximum 10 concurrent connections
- Windows 7 and Windows 10 – maximum 20 concurrent connections
An SMB server on Linux is installed by configuring Samba, which is a free SMB server implementation for Linux. Note that Samba also allows you to join Linux to an Active Directory domain and allows Linux to act as a domain controller. SMB client software is also available on Linux (for free) and on other operating systems.
What Is CIFS?
CIFS, or Common Internet File System, is a particular implementation or dialect of SMB developed by Microsoft in 1996 following the Windows 95 release. A dialect is a version and not a separate independent protocol. A dialect is a set of message packets sent/received for communicating between hosts that defines a particular protocol version. CIFS is not a file system, unlike the name suggests.
The CIFS protocol specification is based on the original SMB protocol but with some additional features added by Microsoft. Microsoft implemented direct connections via TCP and port 445 without using NetBIOS over TCP (which was used on the first SMB 1 implementations). CIFS is an implementation of SMB 1 and not a separate file-sharing protocol.
SMB Protocol Dialects
When we are talking about the SMB1 implementation by Microsoft, we can use the CIFS term. In all other cases, and in general, SMB is the correct term to refer to this network protocol. Let’s take a closer look at SMB versions released after CIFS to gain a better understanding of the difference between CIFS and other (newer) SMB dialects (versions).
SMB 2.0
Microsoft released SMB 2.0 (or SMB2) in 2006 with Windows Vista. This SMB version is more reliable than SMB 1.0/CIFS, and it is not CIFS. The number of commands needed to transfer files is reduced from more than 100 to 20. The performance is higher due to the pipeline processing mechanisms, that is, the ability to send an additional request before getting the reply to the previous one. Packing multiple actions into one request reduces the number of requests to a client, which improves performance.
SMB 2.1
SMB 2.1 provides insignificant improvements in performance and blocking mechanisms compared to SMB 2.0. This protocol version was released with Windows 7 and Windows Server 2008 R2.
SMB 3.0
At first, this protocol version was called SMB 2.2, but it was subsequently renamed SMB 3.0 with Windows 8. The SMB 3.0 version:
- added SMB Direct (direct access to memory), SMB Multichannel, and SMB Transport Failover
- improved security
- added support for end-to-end encryption
- improved network efficiency by reducing latency
SMB 3.0.2
SMB 3.0.2 or 3.02 has been available since Windows 8.1 and Windows Server 2012 R2. In this version, the SMB 1.0 compatibility can be turned off to improve security.
SMB 3.1.1
This version became available starting with Windows 10 and Windows Server 2016. The improvements include better encryption (AES 128 GCM and AES 128 CCM) and SHA-512 hash for pre-authentication integrity checks.
SMB in Windows and Microsoft Server
SMB is available in Windows starting from Windows 3.1 (Windows for Workgroups). SMB versions and compatibility for different Windows versions are explained in the table.
Columns and rows contain Windows versions that can run an SMB client or SMB server (columns and rows are interchangeable). A cell at the intersection of a column and row displays which SMB protocol version is used for communication between the respective Windows versions.
Windows 10 Server 2016 and newer | Windows 8.1 Server 2012 R2 | Windows 8 Server 2012 | Windows 7 Server 2008 R2 | Windows Vista Server 2008 | Win XP, Server 2003 and older | |
Windows 10 Server 2016 and newer | SMB 3.1.1 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 8.1 Server 2012 R2 | SMB 3.02 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 8 Server 2012 | SMB 3.0 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 7 Server 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows Vista Server 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
Win XP, Server 2003 and older | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |
CIFS vs SMB: The Likely Source of the Confusion
Let’s find out using an example why CIFS and SMB terms are still confused by users. To do that, let’s say we are using a file server with an SMB share configured on Windows Server 2019 and a Linux machine connecting to this file server via the SMB protocol. Ubuntu 20.04 is the Linux distribution we’re using in this example. Note that the configuration is the same for Ubuntu 22.
We have the following configuration in our environments:
- Windows Server 2019: 192.168.101.209
- Linux Ubuntu 20.04: 192.168.101.210
- SMB share on Windows Server: \\192.168.101.209\share
In Windows Server 2019, the SMB 1.0/CIFS protocol is disabled by default. To check this setting and enable/disable the SMB1.0/CIFS client and server manually, go to Server Manager > Add Roles and Features > Features.
We keep SMB 1.0/CIFS disabled on our Windows Server 2019 machine. It means that SMB 3 is used by default with the ability to switch to SMB 2 for compatibility with clients using SMB 2 versions (dialects).
The CIFS protocol is disabled by default In modern Windows versions like Windows 10 for better security, and you can enable it manually if needed.
Note: In 2017, massive worldwide ransomware attacks (WannaCry and NotPetya) were carried out by using exploits for SMB 1 vulnerabilities. These exploits were dubbed EternalBlue, EternalRomance, and EternalChampion. Microsoft released security patches for its operating systems starting from Windows XP and Windows Server 2003, despite the fact that these OSs were not an officially supported version at that time. Microsoft recommended using SMB 2 and SMB 3 (supporting pre-authentication integrity) instead of using SMB 1.0/CIFS.
As mentioned above, the name of the SMB server for Linux is Samba (samba is the package name). We use an SMB server on Windows. So we don’t need Samba in this example, but rather we need an SMB client for Ubuntu Linux.
An SMB client for Linux is included in Linux CIFS Utils (cifs-utils is the package name). This is where the confusion stems from. The first version of this client for Linux was created at a time when SMB 1.0/CIFS was widely used. The SMB protocol was updated, SMB versions 2 and 3 were released, but the name of the Linux SMB client remains the same, and the package including the SMB client is still called CIFS Utils. The package cifs-utils is not part of samba.
We will connect from Linux using CIFS Utils to an SMB share located on Windows Server 2019 to find out whether CIFS is still used. To install CIFS Utils, run the following command with root privileges:
sudo apt-get install cifs-utils
Create a directory to be used as a mount point for SMB share:
mkdir /mnt/share
Connect to the SMB file share located on a remote Windows file server:
mount.cifs //192.168.101.209/share /mnt/share -o user=administrator
We use a Windows administrator user account in our example for educational purposes.
CIFS vs SMB – which one is used in the current session for connecting to the file server? Check the SMB version of clients connected to the SMB share on Windows Server with the PowerShell command on Windows Server 2019:
Get-SmbSession | Select-Object -Property ClientComputerName,ClientUserName,Dialect
As we can see in the PowerShell output, SMB 3.1.1 is used for our connection from Ubuntu Linux. SMB 1.0/CIFS is not used when we connect with cifs-utils and the mount.cifs command to a file server configured on Windows Server 2019.
We can also check the SMB protocol version in /proc/mounts with the cat /proc/mounts command in Linux. We can use the following command to filter only the needed results:
cat /proc/mounts | grep cifs
As we see in the output, the protocol version for connecting to the file share is marked cifs, but the displayed version is 3.1.1 (vers=3.1.1), which is not a version of CIFS. This is one more example showing how the SMB vs CIFS terms can get confused.
If fact, SMB 3.1.1 is used and not CIFS. We can prove it with one more method by using nmap, which is a free network discovery tool used for analysis and troubleshooting.
To install nmap in Ubuntu run the command as root:
sudo apt-get install nmap
To scan all hosts that are online and connected to our 192.168.101.0/24 network, we use the command:
nmap –script smb-protocols 192.168.101.0/24
We are interested in viewing the result for 192.168.101.209, which is the IP address of our Windows Server 2019 that is working as a file server. Linux is connected to the file share on this server. In the output, we see that the dialects for SMB protocols supported by our Windows Server are 2.02, 2.10, 3.00, 3.02, and 3.11. There is not SMB 1.0/CIFS, even though the CIFS term is still used in Linux configuration files and commands.
We can force using CIFS manually by adding the vers=1.0 parameter in the mount command in Linux (at the client side) to use only the SMB 1.0/CIFS protocol when connecting to a file share on a remote server.
mount -t cifs //192.168.101.209/share /mnt/share -o user=administrator,vers=1.0
or
mount.cifs //192.168.101.209/share /mnt/share -o user=administrator,vers=1.0
The result is as follows:
Server abruptly closed the connection. This can happen if the server does not support the SMB version you are trying to use. The default SMB version recently changed from SMB1 to SMB2.1 and above.
This result matches the previous results of our SMB vs CIFS investigation in modern operating systems. CIFS is not used, and SMB 1.0/CIFS is disabled on our Windows Server.
If we set it to use at least SMB 2.0, then we can connect to the server (remember the list of SMB dialects supported by our Windows Server 2019 displayed in nmap):
mount.cifs //192.168.101.209/share /mnt/share -o user=administrator,vers=2.0
When using the graphical user interface in Linux or other operating systems, use smb:// in the address line when defining the network protocol to be used for connecting to a file share on a remote server.
When entering the address to an SMB file share, you should use:
smb://server-name/share-name
Don’t use: cifs://server-name/share-name
because the client will try to connect using SMB1.0/CIFS protocol, which may be disabled on a server (if the client even supports the cifs:// syntax).
Conclusion
Now that the CIFS protocol is outdated, SMB is one of the protocols used to connect to shared storage on file servers and NAS (the other commonly used one is NFS). With shared storage being particularly vulnerable to data corruption, ransomware, and other threats that can easily spread over a network, make sure to back up files and folders stored on shared resources to avoid data loss. Infecting the computer of even one user with write permissions to shared files can cause data loss for all users.