[Samba] Samba 3.5.8 / Windows error and system errors while mapping network drive on some PC's

Dodson, Eric (COT) EricN.Dodson at ky.gov
Mon Apr 18 08:23:29 MDT 2011


Yes, nmbd is running. WINS settings are blank and default on all
clients.

I have compared Windows Local Security Policy and found differences. I
have it narrowed down to 1 difference that gives us a work-around (just
discovered and tested), so this may be RESOLVED now:

Start -> Settings -> Control Panel -> Administrative Tools -> Local
Security Policy
Under Security Settings -> Local Policies -> Security Options
Set "Microsoft network client: Digitally sign communications (always)"
to "Disabled"
Restart the computer
Then the Windows network drive will map to the Samba 3.5.8 share on AIX
OK.

I searched the Samba HOWTO PDF for "signing". I have found these
settings on the Samba server:

$ testparm -v | grep channel
Load smb config files from /usr/lib/smb.conf
...
        client schannel = Auto
        server schannel = Auto

$ testparm -v | grep -i sign
Load smb config files from /usr/lib/smb.conf
...
        client signing = auto
        server signing = No

I did not find possible values listed for the "server signing" setting
in the HOWTO doc. Does anyone know where these are documented? There are
actually no "signing" settings in the smb.conf file, so the default must
be "No". Is that correct?

I would guess that "auto" if supported may resolve the problem for all
of our clients without forcing any client setting changes. I have not
tested that yet as I have to request the change be made by our AIX
admin.

I believe "server signing = No" is the cause of our errors. Our older,
working Windows clients have:
"Microsoft network client: Digitally sign communications (always)" set
to "Disabled"

Our newer, failing-to-map-to-Samba Windows clients have:
"Microsoft network client: Digitally sign communications (always)" set
to "Enabled"

When I toggle the setting on the client and reboot, then the client can
map the drive!

Below I am including the explanation of the client setting.

Thank you,
Eric Dodson


Explanation of the "Microsoft network client: Digitally sign
communications (always)" setting:

This security setting determines whether packet signing is required by
the SMB client component.

The server message block (SMB) protocol provides the basis for Microsoft
file and print sharing and many other networking operations, such as
remote Windows administration. To prevent man-in-the-middle attacks that
modify SMB packets in transit, the SMB protocol supports the digital
signing of SMB packets. This policy setting determines whether SMB
packet signing must be negotiated before further communication with an
SMB server is permitted.

If this setting is enabled, the Microsoft network client will not
communicate with a Microsoft network server unless that server agrees to
perform SMB packet signing. If this policy is disabled, SMB packet
signing is negotiated between the client and server.

Default: Disabled.

Important:
For this policy to take effect on computers running Windows 2000,
client-side packet signing must also be enabled. To enable client-side
SMB packet signing, set "Microsoft network client: Digitally sign
communications (if server agrees)".

Computers that have this policy set will not be able to communicate with
computers that do not have server-side packet signing enabled. By
default, server-side packet signing is enabled only on domain
controllers running Windows 2000 and later.

Server-side packet signing can be enabled on computers running Windows
2000 and later by setting "Microsoft network server: Digitally sign
communications (if client agrees)"

Server-side packet signing can be enabled on computers running Windows
NT 4.0 Service Pack 3 and later by setting the following registry value
to 1:
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

Server-side packet signing cannot be enabled on computers running
Windows 95 or Windows 98.

Notes:
All Windows operating systems support both a client-side SMB component
and a server-side SMB component. To take advantage of SMB packet
signing, both the client-side SMB component and server-side SMB
component that are involved in a communication must have SMB packet
signing either enabled or required. On Windows 2000 and later operating
systems, enabling or requiring packet signing for client and server-side
SMB components is controlled by the following four policy settings:

"Microsoft network client: Digitally sign communications (always)" -
Controls whether or not the client-side SMB component requires packet
signing.

"Microsoft network client: Digitally sign communications (if server
agrees)" - Controls whether or not the client-side SMB component has
packet signing enabled.

"Microsoft network server: Digitally sign communications (always)" -
Controls whether or not the server-side SMB component requires packet
signing.

"Microsoft network server: Digitally sign communications (if client
agrees)" - Controls whether or not the server-side SMB component has
packet signing enabled.

If server-side SMB signing is required, a client will not be able to
establish a session with that server, unless it has client-side SMB
signing enabled. By default, client-side SMB signing is enabled on
workstations, servers, and domain controllers. Similarly, if client-side
SMB signing is required, that client will not be able to establish a
session with servers that do not have packet signing enabled. By
default, server-side SMB signing is enabled only on domain controllers.

If server-side SMB signing is enabled, SMB packet signing will be
negotiated with clients that have client-side SMB signing enabled.

Using SMB packet signing can impose up to a 15 percent performance hit
on file service transactions.

______


-----Original Message-----
From: John Drescher [mailto:drescherjm at gmail.com] 
Sent: Friday, April 15, 2011 12:55 PM
To: Dodson, Eric (COT)
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba 3.5.8 / Windows error and system errors while
mapping network drive on some PC's

On Fri, Apr 15, 2011 at 12:36 PM, Dodson, Eric (COT)
<EricN.Dodson at ky.gov> wrote:
> Problem: We have a share defined using Samba 3.5.8 on AIX 6.1. Several
> people can map a Windows Network Drive to the share and it works fine.
> Several other people get Windows errors or system errors when trying to
> map a drive to the same share.
>
>
>
> Command line errors (from the net use command):
>
> System error 59
>
> or
>
> System error 64
>
>
>
> Windows Explorer error:
>
> The specified network name is no longer available.

Is the WINS server entered in the windows client? Is the nmbd daemon
running?

John

