[Samba] RequireSecuritySignature=1 and public share with guest not working

Olszewski, Raphael r.olszewski at ssc-services.de
Mon Mar 16 06:14:22 MDT 2015


Hi Rowland
The client is stopping communication, not the server. With error 1240.
And since it is working with the client setting RequireSecuritySignature=0 without any problem, 'hosts allow' can be neither the problem nor the solution.


So - setting RequireSecuritySignature=1 at the client needs a corresponding setting at the server - I guess.
But even explicit settings on the Samba side like these are not helping:

        security = user
        auth methods = guest
        map to guest = Bad User
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        server signing = required

Greetz Raphael
___________________________________________
-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Monday, 16 March 2015 11:10
To: samba at lists.samba.org
Subject: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working

On 16/03/15 09:52, Olszewski, Raphael wrote:
>
> Due to security reasons SMB signing has to be activated and this share
> between Linux and Windows is now dead.
>
> And I do not find the correct settings to do a public share in this
> scenario.
>
> It has to be public, because the Linux host isn't allowed to join the
> domain and, the other way around, the Windows clients cannot leave their domains.
>
> And I think just signing SMB messages should not speak against a
> public share, since those signed SMB messages just make me sure no
> man in the middle is manipulating my SMB messages.
>
> Regards, Raphael
> ___________________________________________
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Monday, 16 March 2015 10:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] RequireSecuritySignature=1 and public share with
> guest not working
>
> On 16/03/15 09:29, Olszewski, Raphael wrote:
> >
> > Hi Rowland
> >
> > In former times there was "security=share"; now I have to use
> > "RequireSecuritySignature=1" on the client side.
> > Documentation for SMB signing says, this is only possible with
> > "security=user", not with share.
> >
> > So I switched to security=user, configured guest-access to the
> > public share and activated this RequireSecuritySignature=1
> >
> > And then - with RequireSecuritySignature=1 - the client cannot
> > access this share anymore. Just changing to
> > RequireSecuritySignature=0 the share is working.
> >
> > The client says: error 1240
> >
> > The Server sees only "connection reset"
> >
> > All I need is a _public share together with smb signing_ and
> > RequireSecuritySignature=1
> >
>
> WHY???
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

So you need to make sure that the request to connect comes from a member of your domain ?

I take it that the members of said domain have an IP address, in which case adding something like:

'hosts allow = 192.168.0.0/24'

would only allow connections from hosts with the IP address 192.168.0.X

You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'

see 'man smb.conf' for more info.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
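The combination reported in this thread can be checked for before a client ever connects. The following is an added example, not code from the thread or from the Samba project: it scans smb.conf text for shares that accept guests while signing is enforced. It assumes that a session mapped to guest has no authentication-derived key with which to sign; `client_requires_signing` is a hypothetical flag standing in for the Windows client setting RequireSecuritySignature=1, and the sample config is constructed.

```python
import re

# Constructed sample modelled on the settings quoted in the thread.
SAMPLE_CONF = """\
[global]
        security = user
        map to guest = Bad User
        server signing = required

[public]
        path = /srv/public
        guest ok = yes

[staff]
        path = /srv/staff
"""

YES = {"yes", "true", "1", "on"}
REQUIRED = {"required", "mandatory"}  # spellings treated here as "signing enforced"

def parse_smb_conf(text):
    """Return {section: {key: value}}. Names are lower-cased with whitespace
    removed (smb.conf ignores both); values are lower-cased for comparison."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return sections

def guest_signing_conflicts(text, client_requires_signing=False):
    """Names of shares that accept guests while signing is enforced by the
    server config or by the client (hypothetical flag, see lead-in)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    enforced = client_requires_signing or glob.get("serversigning") in REQUIRED
    if not enforced or glob.get("maptoguest", "never") == "never":
        return []  # nothing enforced, or failed logins are never mapped to guest
    default = glob.get("guestok", glob.get("public", "no"))
    return sorted(
        name for name, params in conf.items()
        if name != "global"
        and params.get("guestok", params.get("public", default)) in YES
    )
```

Calling `guest_signing_conflicts(SAMPLE_CONF)` returns the share names to review; passing `client_requires_signing=True` models a server that leaves signing optional while the client insists on it.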

