[Samba] RequireSecuritySignature=1 and public share with guest not working

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 16 07:16:59 MDT 2015


On 16/03/15 12:14, Olszewski, Raphael wrote:
>
> Hi Rowland
> The client is stopping communication, not the server. With error 1240.
> And since it is working with the client setting 
> RequireSecuritySignature=0 without any problem, ' hosts allow' cannot 
> be either the problem nor the solution.
>
> So – setting RequireSecuritySignature=1 at the client needs a 
> corresponding setting at the server – I guess.
> But even explicit settings on samba side like those are not helping:
>
>          security = user
>          auth methods = guest
>          map to guest = Bad User
>
>         client max protocol = SMB3
>
>         client min protocol = SMB2
>
>         client signing = required
>
>         server signing = required
>
>
> Greetz Raphael
> ___________________________________________
> -----Ursprüngliche Nachricht-----
> Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Gesendet: Montag, 16. März 2015 11:10
> An: samba at lists.samba.org
> Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with 
> guest not working
>
> On 16/03/15 09:52, Olszewski, Raphael wrote:
> >
> > Due to security reasons smb signing has to be activated and this share
> > between linux and windows is now dead.
> >
> > And I do not find the correct settings to do a public share in this
> > szenario.
> >
> > It has to be public, because the linux is’nt allowed to join the
> > domain and on the other way, the win-clients cannot leave their domains.
> >
> > And I think, just signing smb-messages should not speek against a
> > public share, since those signed smb messages just make me shure, no
> > man in the middle is manipulating my smb-messages.
> >
> > Gruß Raphael
> > ___________________________________________
> > -----Ursprüngliche Nachricht-----
> > Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> > Gesendet: Montag, 16. März 2015 10:39
> > An: samba at lists.samba.org
> > Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with
> > guest not working
> >
> > On 16/03/15 09:29, Olszewski, Raphael wrote:
> > >
> > > Hi Rowland
> > >
> > > In former time there was „security=share“, now i have to use
> > > “RequireSecuritySignature=1” on client side.
> > > Documentation for SMB signing says, this is only possible with
> > > “security=user”, not with share.
> > >
> > > So I switched to security=user, configured guest-access to the
> > > public share and activated this RequireSecuritySignature=1
> > >
> > > And then – with RequireSecuritySignature=1 – the client cannot
> > > access this share anymore. Just changing to
> > > RequireSecuritySignature=0 the share is working.
> > >
> > > The client says: error 1240
> > >
> > > The Server sees only “connection reset”
> > >
> > > All I need is a _public share together with smb signing_ and
> > > RequireSecuritySignature=1
> > >
> >
> > WHY???
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
> So you need to make sure that the request to connect comes from a 
> member of your domain ?
>
> I take it that the members of said domain have an ipaddress, in which 
> case adding some thing like:
>
> 'hosts allow = 192.168.0.0/24'
>
> Would only allow connection from hosts with the ipaddress 192.168.0.X
>
> You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'
>
> see 'man smb.conf' for more info.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

I think you are missing my point, from the brief search I did, the whole 
world seems to think that you need to set 'RequireSecuritySignature=0' , 
so why do you *need* to set it to '1' ?

If it is to ensure that only users on certain machines can connect, then 
'hosts allow' should give you the same result.

Rowland



More information about the samba mailing list