[Samba] Bad SMB2 (sign_algo_id=1) signature for message

Michael Tokarev mjt at tls.msk.ru
Fri Mar 1 13:03:45 UTC 2024


Hi!

I'm seeing quite a few messages in log.smbd like this:

[2024/03/01 15:59:00.612141,  0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612146,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] 7E 8D E3 FE A9 44 E8 E3   A6 76 22 6A B2 A4 27 CF   ~....D.. .v"j..'.
[2024/03/01 15:59:00.612166,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 2D 99 5B 40 BA B0 66 BA   12 18 38 1D B0 98 DA F4   -.[@..f. ..8.....
[2024/03/01 15:59:00.612194,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] C7 20 D2 A3 8F 8E 5B A4   88 A2 46 A1 C6 FA 86 3F   . ....[. ..F....?
[2024/03/01 15:59:00.612204,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 1A 87 8B ED C2 24 9E 4A   BD 15 15 F2 B0 DD 24 D8   .....$.J ......$.
[2024/03/01 15:59:00.612268,  0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612270,  0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612294,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] 1A 95 AA 9E F2 49 2E 0F   8C 82 D7 83 DB 64 A9 C7   .....I.. .....d..
[2024/03/01 15:59:00.612301,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] E6 58 44 BB 80 A5 A1 FE   BA 69 E1 82 E5 6D 7B 72   .XD..... .i...m{r
[2024/03/01 15:59:00.612330,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] BE 1E BB 30 83 7B DB 8A   14 88 AD 45 46 5F 50 76   ...0.{.. ...EF_Pv
[2024/03/01 15:59:00.612338,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 25 53 2E 95 16 EB 27 59   FB 46 8B 95 70 B1 3A 39   %S....'Y .F..p.:9
[2024/03/01 15:59:00.612396,  0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612403,  0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612421,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] E5 45 8A 18 82 4F 94 ED   D7 F1 1B D3 57 F6 4D 50   .E...O.. ....W.MP
[2024/03/01 15:59:00.612429,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 68 AA 9B 0B 8A 8B 66 F6   2C 89 98 EE 3D 47 EE 3C   h.....f. ,...=G.<
[2024/03/01 15:59:00.612457,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] BC 98 94 AE AB 9B 31 F7   42 09 78 C3 E1 C0 D7 A4   ......1. B.x.....
[2024/03/01 15:59:00.612465,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 49 D0 35 7E 15 82 68 CE   93 02 6C F1 93 EA 7E D2   I.5~..h. ..l...~.
[2024/03/01 15:59:00.612525,  0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612533,  0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612550,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] D1 94 B3 7B 0E 17 86 0D   07 A8 9B 77 4E D0 17 4C   ...{.... ...wN..L
[2024/03/01 15:59:00.612558,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 40 96 4B 98 0A FE 90 16   6B 43 2D 09 33 8C 5E 06   @.K..... kC-.3.^.
[2024/03/01 15:59:00.612586,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] B1 AA 84 F1 DA AD E9 EC   89 66 2C 47 75 F6 A1 CF   ........ .f,Gu...
[2024/03/01 15:59:00.612595,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 27 C7 08 0A B2 21 B7 0A   0D 99 BA 4E DE 51 CF 03   '....!.. ...N.Q..
[2024/03/01 15:59:00.612657,  0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612670,  0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612683,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] 08 C8 F3 E0 5A 41 2F 4A   10 5A C7 C6 E6 DC 3C 38   ....ZA/J .Z....<8
[2024/03/01 15:59:00.612696,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 53 0F 19 E8 8B 2C 42 6A   6F AF 9B 1F 97 B1 CE 5A   S....,Bj o......Z
[2024/03/01 15:59:00.612719,  0, pid=1778616] lib/util/util.c:578(dump_data)
   [0000] AC D9 66 B7 8E 93 3F 24   9D 05 91 F7 49 32 06 DE   ..f...?$ ....I2..
[2024/03/01 15:59:00.612732,  0, pid=1778617] lib/util/util.c:578(dump_data)
   [0000] 46 8B B9 4D 99 BA 84 8B   77 80 F4 66 2B 9E FE 57   F..M.... w..f+..W

(interestingly enough this happens in batches, several messages from different PIDs
at exactly the same time).

Should I be concerned?  What *can* it be, anyway?

The problem is that there's no context logged, so it's impossible to find out
even which IP address is associated with these messages.

Thanks,

/mjt
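
The interleaved excerpt in the message above can be regrouped per smbd process. The following is an added example, not part of the original post and not Samba code: it pairs each "Bad SMB2 ... signature" record with the next two dump_data records from the same PID and reports which PIDs logged a failure in the same second. The sample log, its PIDs and its bytes are constructed, and attributing the two dumps that follow a message to that message is an assumption based on the pattern visible in the excerpt.

```python
import re
from collections import defaultdict

# Header: "[date time, level, pid=N] file:line(function)"; dump_data body:
# "[0000]", up to 16 hex bytes, then an ASCII column that is ignored here.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+, pid=(?P<pid>\d+)\] \S+\((?P<func>\w+)\)$")
DUMP = re.compile(r"^\s*\[[0-9A-Fa-f]{4}\]\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")

# Constructed sample (made-up PIDs, times and bytes), interleaved like the excerpt.
SAMPLE_LOG = """\
[2024/01/01 10:00:00.000100,  0, pid=1001] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/01/01 10:00:00.000105,  0, pid=1002] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
   Bad SMB2 (sign_algo_id=1) signature for message
[2024/01/01 10:00:00.000120,  0, pid=1001] lib/util/util.c:578(dump_data)
   [0000] 00 01 02 03 04 05 06 07   08 09 0A 0B 0C 0D 0E 0F   ........ ........
[2024/01/01 10:00:00.000125,  0, pid=1002] lib/util/util.c:578(dump_data)
   [0000] 10 11 12 13 14 15 16 17   18 19 1A 1B 1C 1D 1E 1F   ........ ........
[2024/01/01 10:00:00.000140,  0, pid=1001] lib/util/util.c:578(dump_data)
   [0000] A0 A1 A2 A3 A4 A5 A6 A7   A8 A9 AA AB AC AD AE AF   ........ ........
[2024/01/01 10:00:00.000145,  0, pid=1002] lib/util/util.c:578(dump_data)
   [0000] B0 B1 B2 B3 B4 B5 B6 B7   B8 B9 BA BB BC BD BE BF   ........ ........
"""

def parse_failures(text):
    """Return one dict per 'Bad SMB2 ... signature' record, with its two dumps."""
    events, pending, hdr = [], {}, None   # pending: pid -> event still awaiting dumps
    for line in text.splitlines():
        m = HEADER.match(line)
        hdr = m or hdr                    # remember the header that owns the next body line
        if m or hdr is None:
            continue
        pid, func = int(hdr["pid"]), hdr["func"]
        algo = re.search(r"Bad SMB2 \(sign_algo_id=(\d+)\) signature", line)
        if func == "smb2_signing_check_pdu" and algo:
            ev = {"pid": pid, "ts": hdr["ts"], "algo": int(algo[1]), "dumps": []}
            events.append(ev)
            pending[pid] = ev
        elif func == "dump_data" and pid in pending and (d := DUMP.match(line)):
            pending[pid]["dumps"].append("".join(d[1].split()).lower())
            if len(pending[pid]["dumps"]) == 2:   # assumption: two dumps per failure
                del pending[pid]
    return events

def bursts(events):
    """Map each wall-clock second to the set of PIDs that logged a failure in it."""
    by_second = defaultdict(set)
    for ev in events:
        by_second[ev["ts"][:19]].add(ev["pid"])
    return dict(by_second)
```

Running `bursts(parse_failures(open("log.smbd").read()))` on a real log gives the per-second PID sets, which can then be matched against whatever per-connection records the server keeps for those PIDs.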


