SMB2 Signing and WAN Accelerator problems ...

Christopher R. Hertel crh at
Wed Jul 31 09:00:41 MDT 2013

Some of the WAN accelerator companies have, in the past, required that
customers disable signing on both ends.  I don't know if that works with
SMB2, but the correct solution is for the WAN accelerators to become
replica-only DCs and do "real" proxying.

Chris -)-----

On 07/31/2013 08:49 AM, Richard Sharpe wrote:
> Hi folks,
>
> I have evidence that at least one code revision in one of the WAN
> Accelerator products out there (I don't know which one) modifies SMB2
> Headers, and thus breaks SMB2 signing. The evidence takes the form of
> captures on both sides of the WAN and the packets have been modified
> on the server side of the WAN compared with the client side.
>
> They did not understand, it seems, that Command IDs can appear out of
> order in SMB2 PDUs on a TCP connection and they reorder them. This
> changes the SMB2 signature and breaks SMB2 signing.
>
> This might have been caused by the fact that the Wireshark SMB2
> dissector mislabels this field as the Command Sequence Number which
> has certain connotations.
>
> A patch to fix this has been applied to the Wireshark repository and
> should turn up with the next release.
>
> (I have also checked the SMB2 Signing code and it looks pretty solid.)

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
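
The failure described in this thread, as an added example that is not part of either post: an SMB 2.0.2/2.1 signature is an HMAC-SHA256 over the whole message, header included, so a device that rewrites a header field in transit invalidates it, and comparing captures from both sides of the WAN shows which PDUs changed. It assumes the "Command ID" in the quoted message is the header's MessageId field; the session key, PDUs, payloads and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# SMB2 sync packet header: 64 bytes, little-endian (MS-SMB2 2.2.1.2).
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")
SMB2_FLAGS_SIGNED = 0x00000008
MID_OFFSET, SIG_OFFSET, SIG_LEN = 24, 48, 16

def build(command, message_id, session_id, tree_id, body=b""):
    """Unsigned SMB2 message with the SIGNED flag set and a zeroed signature."""
    return HDR.pack(b"\xfeSMB", 64, 1, 0, command, 1, SMB2_FLAGS_SIGNED,
                    0, message_id, 0, tree_id, session_id, bytes(SIG_LEN)) + body

def signature(key, msg):
    """HMAC-SHA256 over the message with the signature field zeroed, first 16 bytes."""
    zeroed = msg[:SIG_OFFSET] + bytes(SIG_LEN) + msg[SIG_OFFSET + SIG_LEN:]
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:SIG_LEN]

def sign(key, msg):
    return msg[:SIG_OFFSET] + signature(key, msg) + msg[SIG_OFFSET + SIG_LEN:]

def verify(key, msg):
    return hmac.compare_digest(msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN], signature(key, msg))

def message_id(msg):
    return HDR.unpack(msg[:HDR.size])[8]

def rewrite_message_id(msg, new_id):
    """Model of the in-transit change: MessageId replaced, signature left as sent."""
    return msg[:MID_OFFSET] + struct.pack("<Q", new_id) + msg[MID_OFFSET + 8:]

def diff_captures(key, client_side, server_side):
    """For each PDU that differs between captures: (index, sent id, seen id, still valid?)."""
    return [(i, message_id(c), message_id(s), verify(key, s))
            for i, (c, s) in enumerate(zip(client_side, server_side)) if c != s]

# Constructed sample: made-up session key, two PDUs whose MessageIds are out of order.
# The bodies are placeholder bytes, not real READ/WRITE request structures.
KEY = bytes(range(16))
CLIENT = [sign(KEY, build(0x0008, 7, 0x1122, 1, b"read")),
          sign(KEY, build(0x0009, 5, 0x1122, 1, b"write"))]
# Server-side capture after the MessageIds were put into ascending order.
SERVER = [rewrite_message_id(CLIENT[0], 5), rewrite_message_id(CLIENT[1], 7)]

if __name__ == "__main__":
    for row in diff_captures(KEY, CLIENT, SERVER):
        print("pdu %d: MessageId %d -> %d, signature valid: %s" % row)
```

SMB 3.x dialects sign with AES-CMAC or AES-GMAC instead, but the signed data still includes the header, so the same comparison applies.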
