[Samba] win7 domain pc to standalone samba server

Mike Kakowski kmikey90 at yahoo.com
Wed Nov 13 22:34:29 MST 2013


Can anyone shed light please?

1. Can I implement smb signing on standalone samba server and client?  

2. Is it possible for a domain-joined pc to map a network share on a standalone samba server, with smb signing?  

>From a bit of cursory reading, I thought that smb signing just uses the negotiated session key to create a hmac for the packets, and that it doesn't actually reqiure either party to be authenticated as members of the same domain.

--------------------------------------------
On Wed, 11/6/13, Mike Kakowski <kmikey90 at yahoo.com> wrote:

 I'm trying to map a network drive
 using my workplace's Win7 laptop to a fileserver at home.
 The Win7 laptop is joined to the work domain.  The
 fileserver is my own standalone fileserver, not joined to
 any domain, and is configured to be accessible to everyone
 without authentcation.  
 
 I'm not able to get this to work, with varying error
 messages from Windows ("The account is not authorized to
 login from this station", etc).  This message made me
 look into client/server signing settings.  But when I
 tried to enable signing, I'm not even able to map the share
 using smbclient on my own fileserver.
 
 So, my questions are:
 1.  How to map a network share on a standalone samba
 server from a computer that is joined to domain.  
 
 2.  Can a standalone samba server implement smb
 signing?  Or maybe there's something wrong with my
 configuration because my smbclient can't even talk to
 samba.
 
 
 Samba (4.0.6+dfsg) is configured thus:
 [global]
         workgroup = HOME
         server role = standalone server
         map to guest = Bad User
         obey pam restrictions = Yes
         pam password change = Yes
         passwd program = /usr/bin/passwd
 %u
         passwd chat =
 *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
 %n\n *password\supdated\ssuccessfully* .
         unix password sync = Yes
         syslog = 0
         log file =
 /var/log/samba/log.%m
         max log size = 1000
         client signing = if_required
         server signing = if_required
         usershare allow guests = Yes
         panic action =
 /usr/share/samba/panic-action %d
         idmap config * : backend = tdb
 
 [shares]
         path = /shares
         read only = No
         guest ok = Yes
 
 
 When I try to map this share using smbclient, I get these:
 
 $ smbclient -N  //localhost/shares -S required -d 10
 [snipped]
 smb_signing_sign_pdu: sent SMB signature of
 [0000] 42 53 52 53 50 59 4C 20       
                
     BSRSPYL  
 smb_signing_activate: user_session_key
 [0000] 21 53 41 A7 EB 74 5B 55   37 58 31 34
 89 5E 55 10   !SA..t[U 7X14.^U.
 smb_signing_activate: NULL response_data
 smb_signing_md5: sequence number 1
 smb_signing_check_pdu: BAD SIG: wanted SMB signature of
 [0000] 7D 4C 0A 44 B2 8E F0 1E       
                
     }L.D.... 
 smb_signing_check_pdu: BAD SIG: got SMB signature of
 [0000] 42 53 52 53 50 59 4C 20       
                
     BSRSPYL  
 smb_signing_md5: sequence number 4294967292
 smb_signing_md5: sequence number 4294967293
 smb_signing_md5: sequence number 4294967294
 smb_signing_md5: sequence number 4294967295
 smb_signing_md5: sequence number 0
 smb_signing_md5: sequence number 1
 smb_signing_md5: sequence number 2
 smb_signing_md5: sequence number 3
 smb_signing_md5: sequence number 4
 smb_signing_md5: sequence number 5
 smb_signing_good: BAD SIG: seq 1
 SPNEGO login failed: Access denied
 [snipped]
 
 If I set "server signing=mandatory" and use "smbclient -N
 //localhost/shares -S on -d 10", I get
 
 smb_signing_sign_pdu: sent SMB signature of
 [0000] 42 53 52 53 50 59 4C 20       
                
     BSRSPYL  
 smb_signing_activate: user_session_key
 [0000] B7 FD 5B E4 15 E3 7C 97   03 FB 4B 8D
 C0 20 44 52   ..[...|. ..K.. DR
 smb_signing_activate: NULL response_data
 smb_signing_md5: sequence number 1
 smb_signing_check_pdu: BAD SIG: wanted SMB signature of
 [0000] A1 A1 1B 1B 4D 32 32 EA       
                
     ....M22. 
 smb_signing_check_pdu: BAD SIG: got SMB signature of
 [0000] 42 53 52 53 50 59 4C 20       
                
     BSRSPYL  
 smb_signing_md5: sequence number 4294967292
 smb_signing_md5: sequence number 4294967293
 smb_signing_md5: sequence number 4294967294
 smb_signing_md5: sequence number 4294967295
 smb_signing_md5: sequence number 0
 smb_signing_md5: sequence number 1
 smb_signing_md5: sequence number 2
 smb_signing_md5: sequence number 3
 smb_signing_md5: sequence number 4
 smb_signing_md5: sequence number 5
 smb_signing_good: signing negotiated but not required and
 peer isn't sending correct signatures. Turning off.
 
 
 
 -- 
 To unsubscribe from this list go to the following URL and
 read the
 instructions:  https://lists.samba.org/mailman/options/samba
 


More information about the samba mailing list