[Samba] RequireSecuritySignature=1 and public share with guest not working
Olszewski, Raphael
r.olszewski at ssc-services.de
Thu Mar 12 11:16:34 MDT 2015
Hello
I have a Samba server with a public share. It was configured with security=share.
Now I have to tighten security by setting these flags on the Windows client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1
RequireSecuritySignature=1
Since this change the public share is not working anymore. I found that SMB signing requires security=user.
So I tried this, and it is not working either.
My config is
[global]
security = user
auth methods = guest
map to guest = Bad User
log file = /var/log/samba/log.%m
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required
[pub]
path = /fs1/smb_test_signing
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
The user coming from Windows to Samba is NOT configured, and user nobody as guest should be the one used in the end to write or read on the filesystem.
I already updated from 3.6.3 and have now installed sernet-samba-4.1.17-11.suse111.x86_64 (SLES11 SP3)
The clients are Win7 clients joined to foreign domains.
While debugging I see on the Samba server side (stripped):
[2015/03/12 15:44:01.506174, 6, pid=421, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2658(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Mar 12 09:58:57 2015
[2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
version : SMBXSRV_VERSION_0 (0)
seqnum : 0x00000002 (2)
info : union smbXsrv_session_globalU(case 0)
info0: struct smbXsrv_session_global0
session_global_id : 0xfeda2f8e (4275711886)
session_wire_id : 0x00000000feda2f8e (4275711886)
creation_time : Thu Mar 12 03:44:01 PM 2015 CET
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
auth_session_info_seqnum : 0x00000001 (1)
auth_session_info: struct auth_session_info
security_token: struct security_token
num_sids : 0x00000008 (8)
sids: ARRAY(8)
sids : S-1-5-21-1006455019-4192495585-3927419034-501
sids : S-1-5-21-1006455019-4192495585-3927419034-514
sids : S-1-22-2-65533
sids : S-1-22-2-65534
sids : S-1-1-0
sids : S-1-5-2
sids : S-1-5-32-546
sids : S-1-22-1-65534
privilege_mask : 0x0000000000000000 (0)
rights_mask : 0x00000000 (0)
unix_token: struct security_unix_token
uid : 0x000000000000fffe (65534)
gid : 0x000000000000fffd (65533)
ngroups : 0x00000002 (2)
groups: ARRAY(2)
groups : 0x000000000000fffd (65533)
groups : 0x000000000000fffe (65534)
info: struct auth_user_info
account_name : 'nobody'
domain_name : 'SMB'
authenticated : 0x00 (0)
unix_info: struct auth_user_info_unix
unix_name : 'nobody'
torture : NULL
credentials : NULL
connection_dialect : 0x0210 (528)
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
num_channels : 0x00000001 (1)
[2015/03/12 15:44:01.514273, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2494(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:9] at ../source3/smbd/smb2_sesssetup.c:168
[2015/03/12 15:44:01.514343, 50, pid=421, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
s3_tevent: Destroying timer event 0x7fee588a5570 "smbd_smb2_request_pending_timer"
[2015/03/12 15:44:01.514397, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
smb2_set_operation_credit: requested 31, charge 1, granted 31, current possible/max 512/512, total granted/max/low/range 31/8192/4/31
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
[2015/03/12 15:44:01.515495, 4, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/03/12 15:44:01.515551, 5, pid=421, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
Wondering about
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
And then
smb2_server.c:1002(smbd_server_connection_terminate_ex) smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
The client shows ReasonCode: 0x80004005
When I change the registry to RequireSecuritySignature=0, I can access.
How do I have to configure the SMB server to have a real public share for Windows 7 clients that are not specially configured (domain, computer account, user, ...)?
Do I understand security signatures wrong?
Is this scenario possible without the Samba server being joined to the domain? (What I wanted)
Raphael
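
Added example (not part of the original post and not Samba project code): a Python script that pulls the fields the post singles out from a level-10 smbd log and pairs each unauthenticated session dump with the connection termination that follows in the same smbd process. The sample log is constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened version of the level-10 smbd log in the post,
# keeping only the header lines and the fields this script reads.
SAMPLE_LOG = """\
[2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
session_global_id : 0xfeda2f8e (4275711886)
account_name : 'nobody'
authenticated : 0x00 (0)
connection_dialect : 0x0210 (528)
signing_required : 0x00 (0)
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+, pid=(\d+),")
FIELD = re.compile(r"^\s*(session_global_id|account_name|authenticated|"
                   r"connection_dialect|signing_required)\s*:\s*(\S+)")
TERMINATE = re.compile(r"smbd_server_connection_terminate_ex: reason\[(\w+)\]")

def summarize_sessions(log_text):
    """Return one dict per session dump, tagged with any later termination."""
    sessions, latest_by_pid, pid = [], {}, None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:                      # debug header: remember the smbd pid
            pid = header.group(1)
            continue
        if "struct smbXsrv_session_globalB" in line:
            latest_by_pid[pid] = {"pid": pid, "terminated": None}
            sessions.append(latest_by_pid[pid])
            continue
        session = latest_by_pid.get(pid)
        if session is None:             # body line before any session dump
            continue
        field = FIELD.match(line)
        if field:
            name, raw = field.groups()
            session[name] = raw.strip("'") if name == "account_name" else int(raw, 16)
        elif TERMINATE.search(line):
            session["terminated"] = TERMINATE.search(line).group(1)
    return sessions

def unsigned_guest_sessions(sessions):
    """Sessions that are unauthenticated (guest) and not marked for signing."""
    return [s for s in sessions
            if s.get("authenticated") == 0 and s.get("signing_required") == 0]
```

A guest session carries no authenticated session key from which a signing key could be derived, so `authenticated` 0 together with `signing_required` 0 is the combination to look for when a client sets RequireSecuritySignature=1.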