[Samba] RequireSecuritySignature=1 and public share with guest not working
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 13 02:08:06 MDT 2015
Hai,
Try these settings in global settings.
####### Authentication #######
## stand alone everything open.
security = user
guest ok = yes
map to guest = bad password
Add these to the share.
guest ok = yes
Sets samba open without password prompt.
I use it at home for my kodi server.
Greetz,
Louis
>-----Original message-----
>From: r.olszewski at ssc-services.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Olszewski, Raphael
>Sent: Thursday 12 March 2015 18:17
>To: samba at lists.samba.org
>Subject: [Samba] RequireSecuritySignature=1 and public share
>with guest not working
>
>Hello
>I have a samba server with a public share. It was configured
>with security=share.
>Now I have to tighten security by setting those flags in the
>windows client:
>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>EnablePlainTextPassword=0
>EnableSecuritySignature=1
>RequireSecuritySignature=1
>
>Since this change the public share is not working anymore. I
>found that smb signing requires security=user.
>So I tried with this and it is not working either.
>
>My config is
>
>[global]
> security = user
> auth methods = guest
> map to guest = Bad User
> log file = /var/log/samba/log.%m
> client max protocol = SMB3
> client min protocol = SMB2
> client signing = required
> server signing = required
>[pub]
> path = /fs1/smb_test_signing
> read only = No
> create mask = 0777
> directory mask = 0777
> guest only = Yes
>
>The user coming from Windows to samba is NOT configured and
>user nobody as guest should be the one used at the end to write or
>read on the filesystem
>
>I already updated from 3.6.3 and have now installed
>sernet-samba-4.1.17-11.suse111.x86_64 (SLES11 SP3)
>The Clients are Win7-client joined to foreign domains
>
>while debugging I see on samba-server-side (stripped):
>
>[2015/03/12 15:44:01.506174, 6, pid=421, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2658(lp_file_list_changed)
> lp_file_list_changed()
> file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Mar 12 09:58:57 2015
>[2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
> &global_blob: struct smbXsrv_session_globalB
> version : SMBXSRV_VERSION_0 (0)
> seqnum : 0x00000002 (2)
> info : union smbXsrv_session_globalU(case 0)
> info0: struct smbXsrv_session_global0
> session_global_id : 0xfeda2f8e (4275711886)
> session_wire_id : 0x00000000feda2f8e (4275711886)
> creation_time : Thu Mar 12 03:44:01 PM 2015 CET
> expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
> auth_session_info_seqnum : 0x00000001 (1)
> auth_session_info: struct auth_session_info
> security_token: struct security_token
> num_sids : 0x00000008 (8)
> sids: ARRAY(8)
> sids : S-1-5-21-1006455019-4192495585-3927419034-501
> sids : S-1-5-21-1006455019-4192495585-3927419034-514
> sids : S-1-22-2-65533
> sids : S-1-22-2-65534
> sids : S-1-1-0
> sids : S-1-5-2
> sids : S-1-5-32-546
> sids : S-1-22-1-65534
> privilege_mask : 0x0000000000000000 (0)
> rights_mask : 0x00000000 (0)
> unix_token: struct security_unix_token
> uid : 0x000000000000fffe (65534)
> gid : 0x000000000000fffd (65533)
> ngroups : 0x00000002 (2)
> groups: ARRAY(2)
> groups : 0x000000000000fffd (65533)
> groups : 0x000000000000fffe (65534)
> info: struct auth_user_info
> account_name : 'nobody'
> domain_name : 'SMB'
> authenticated : 0x00 (0)
> unix_info: struct auth_user_info_unix
> unix_name : 'nobody'
> torture : NULL
> credentials : NULL
> connection_dialect : 0x0210 (528)
> signing_required : 0x00 (0)
> encryption_required : 0x00 (0)
> num_channels : 0x00000001 (1)
>[2015/03/12 15:44:01.514273, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2494(smbd_smb2_request_done_ex)
> smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:9] at ../source3/smbd/smb2_sesssetup.c:168
>[2015/03/12 15:44:01.514343, 50, pid=421, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
> s3_tevent: Destroying timer event 0x7fee588a5570 "smbd_smb2_request_pending_timer"
>[2015/03/12 15:44:01.514397, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
> smb2_set_operation_credit: requested 31, charge 1, granted 31, current possible/max 512/512, total granted/max/low/range 31/8192/4/31
>[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
> smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
>[2015/03/12 15:44:01.515495, 4, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2015/03/12 15:44:01.515551, 5, pid=421, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
>
>Wondering about
>expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
>signing_required : 0x00 (0)
>encryption_required : 0x00 (0)
>And then
>smb2_server.c:1002(smbd_server_connection_terminate_ex)
>smbd_server_connection_terminate_ex:
>reason[NT_STATUS_CONNECTION_RESET] at
>../source3/smbd/smb2_server.c:3304
>
>The Client shows ReasonCode: 0x80004005
>When I change registry to RequireSecuritySignature=0, I can access
>
>How do I have to configure the smb-server to have a real public
>share for windows7-clients not being configured especially
>(domain, computer-account, user, ...)?
>Do I understand Security-signature wrong?
>Is this scenario possible without the samba server being
>joined to the domain? (What I wanted)
>
>Raphael
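Added example, not part of the original messages and not Samba's own code: a small audit of the guest and signing settings discussed in this thread. Under SMB2 a client that requires signing ends the connection when the server flags the session as guest, so the check reports guest-reachable shares alongside a required `server signing`. The sample configuration is constructed from the quoted smb.conf, and accepting `required` as well as `mandatory` follows the spelling used there.

```python
import re
# Constructed sample, reduced from the [global]/[pub] settings quoted in the thread.
SAMPLE_CONF = """\
[global]
 security = user
 map to guest = Bad User
 server signing = required
[pub]
 guest only = Yes
"""
TRUE = {"yes", "true", "1", "on"}
ALIASES = {"public": "guest ok", "only guest": "guest only"}  # smb.conf synonyms

def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # collapse repeated spaces in the name
            section[ALIASES.get(key, key)] = value.strip()
    return conf

def audit(text):
    """Return findings on guest access and how it interacts with required signing."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    mapping = glob.get("map to guest", "never").lower()
    if mapping != "never":
        findings.append(f"global: map to guest = {mapping} lets failed logons fall back to guest")
    signing = glob.get("server signing", "").lower() in {"required", "mandatory"}
    for name, opts in conf.items():
        if name == "global":
            continue
        eff = {**glob, **opts}  # share parameters set in [global] act as defaults
        guest_ok = eff.get("guest ok", "no").lower() in TRUE
        if eff.get("guest only", "no").lower() in TRUE and not guest_ok:
            findings.append(f"{name}: guest only has no effect without guest ok")
        if guest_ok:
            findings.append(f"{name}: open to unauthenticated guest access")
            if signing:
                findings.append(f"{name}: guest sessions are not signed; clients requiring signing are cut off")
    return findings
```

Running `audit(SAMPLE_CONF)` reports the guest mapping and that `guest only` on `[pub]` is inert without `guest ok`; a configuration with `guest ok = yes` in `[global]` additionally reports every share as guest-reachable.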