[Samba] RequireSecuritySignature=1 and public share with guest not working

Olszewski, Raphael r.olszewski at ssc-services.de
Thu Mar 12 11:16:34 MDT 2015


Hello
I have a Samba server with a public share. It was configured with security=share.
Now I have to tighten security by setting these flags in the Windows client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1
RequireSecuritySignature=1

Since this change the public share is not working anymore. I found that SMB signing requires security=user,
so I tried that, and it is not working either.

My config is

[global]
        security = user
        auth methods = guest
        map to guest = Bad User
        log file = /var/log/samba/log.%m
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        server signing = required
[pub]
        path = /fs1/smb_test_signing
        read only = No
        create mask = 0777
        directory mask = 0777
        guest only = Yes

The user coming from Windows to Samba is NOT configured, and the user nobody as guest should be the one used in the end to write or read on the filesystem.

I already updated from 3.6.3 and have now installed sernet-samba-4.1.17-11.suse111.x86_64 (SLES11 SP3)
The clients are Win7 clients joined to foreign domains.

While debugging I see on the Samba server side (stripped):

[2015/03/12 15:44:01.506174,  6, pid=421, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2658(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Thu Mar 12 09:58:57 2015
[2015/03/12 15:44:01.506728,  1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
       &global_blob: struct smbXsrv_session_globalB
          version                  : SMBXSRV_VERSION_0 (0)
          seqnum                   : 0x00000002 (2)
          info                     : union smbXsrv_session_globalU(case 0)
              info0: struct smbXsrv_session_global0
                  session_global_id        : 0xfeda2f8e (4275711886)
                  session_wire_id          : 0x00000000feda2f8e (4275711886)
                  creation_time            : Thu Mar 12 03:44:01 PM 2015 CET
                  expiration_time          : Thu Jan  1 01:00:00 AM 1970 CET
                  auth_session_info_seqnum : 0x00000001 (1)
                      auth_session_info: struct auth_session_info
                              security_token: struct security_token
                                  num_sids                 : 0x00000008 (8)
                                  sids: ARRAY(8)
                                      sids                     : S-1-5-21-1006455019-4192495585-3927419034-501
                                      sids                     : S-1-5-21-1006455019-4192495585-3927419034-514
                                      sids                     : S-1-22-2-65533
                                      sids                     : S-1-22-2-65534
                                      sids                     : S-1-1-0
                                      sids                     : S-1-5-2
                                      sids                     : S-1-5-32-546
                                      sids                     : S-1-22-1-65534
                                  privilege_mask           : 0x0000000000000000 (0)
                                  rights_mask              : 0x00000000 (0)
                              unix_token: struct security_unix_token
                                  uid                      : 0x000000000000fffe (65534)
                                  gid                      : 0x000000000000fffd (65533)
                                  ngroups                  : 0x00000002 (2)
                                  groups: ARRAY(2)
                                      groups                   : 0x000000000000fffd (65533)
                                      groups                   : 0x000000000000fffe (65534)
                              info: struct auth_user_info
                                      account_name             : 'nobody'
                                      domain_name              : 'SMB'
                                  authenticated            : 0x00 (0)
                              unix_info: struct auth_user_info_unix
                                      unix_name                : 'nobody'
                          torture                  : NULL
                          credentials              : NULL
                  connection_dialect       : 0x0210 (528)
                  signing_required         : 0x00 (0)
                  encryption_required      : 0x00 (0)
                  num_channels             : 0x00000001 (1)
[2015/03/12 15:44:01.514273, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2494(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:9] at ../source3/smbd/smb2_sesssetup.c:168
[2015/03/12 15:44:01.514343, 50, pid=421, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
  s3_tevent: Destroying timer event 0x7fee588a5570 "smbd_smb2_request_pending_timer"
[2015/03/12 15:44:01.514397, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 31, charge 1, granted 31, current possible/max 512/512, total granted/max/low/range 31/8192/4/31
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
[2015/03/12 15:44:01.515495,  4, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/03/12 15:44:01.515551,  5, pid=421, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)

Wondering about
expiration_time          : Thu Jan  1 01:00:00 AM 1970 CET
signing_required         : 0x00 (0)
encryption_required      : 0x00 (0)
And then
smb2_server.c:1002(smbd_server_connection_terminate_ex)  smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304

The client shows ReasonCode: 0x80004005
When I change the registry to RequireSecuritySignature=0, I can access it.

How do I have to configure the SMB server to have a real public share for Windows 7 clients that are not specially configured (domain, computer account, user, ...)?
Do I understand the security signature wrong?
Is this scenario possible without the Samba server being joined to the domain? (That is what I wanted.)

Raphael
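
Added example, not part of the original post: a small Python parser for the smbd debug output quoted above. It pulls out the session fields the post singles out (authenticated, signing_required) and pairs them with the connection termination reason logged for the same pid. The sample log is abridged from the post's own lines; the function names are hypothetical.

```python
import re

# Sample abridged from the smbd log quoted in the post (same field layout).
SAMPLE_LOG = """\
[2015/03/12 15:44:01.506728,  1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
       &global_blob: struct smbXsrv_session_globalB
                  session_global_id        : 0xfeda2f8e (4275711886)
                                      account_name             : 'nobody'
                                  authenticated            : 0x00 (0)
                  connection_dialect       : 0x0210 (528)
                  signing_required         : 0x00 (0)
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+, pid=(\d+),")
FIELD = re.compile(r"^\s+(\w+)\s+: (?:0x[0-9a-fA-F]+ \((\d+)\)|'([^']*)')\s*$")
TERMINATE = re.compile(r"smbd_server_connection_terminate_ex: reason\[(\w+)\]")
WANTED = {"session_global_id", "account_name", "authenticated",
          "connection_dialect", "signing_required"}

def summarize_sessions(log_text):
    """Return one dict per smbXsrv_session_globalB dump found in the log."""
    sessions, current, pid = [], None, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:                      # new debug message: close the open dump
            pid, current = m.group(1), None
            continue
        if "struct smbXsrv_session_globalB" in line:
            current = {"pid": pid, "terminated": None}
            sessions.append(current)
            continue
        m = TERMINATE.search(line)
        if m:                      # attach the reason to sessions of this pid
            for s in sessions:
                if s["pid"] == pid and s["terminated"] is None:
                    s["terminated"] = m.group(1)
            continue
        m = FIELD.match(line)
        if m and current is not None and m.group(1) in WANTED:
            name, num, text = m.groups()
            current[name] = int(num) if num is not None else text
    return sessions

def unsigned_guest_resets(sessions):
    """Sessions set up unauthenticated and unsigned, then torn down."""
    return [s for s in sessions
            if s.get("authenticated") == 0 and s.get("signing_required") == 0
            and s["terminated"] is not None]
```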

