[Samba] RequireSecuritySignature=1 and public share with guest not working

Olszewski, Raphael r.olszewski at ssc-services.de
Mon Mar 16 09:00:31 MDT 2015


Hi Rowland
sorry for not being clear.

In my first post I already wrote:


Now I have to tighten security by setting those flags in the Windows client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1

RequireSecuritySignature=1
. . .
when I change the registry to RequireSecuritySignature=0, everything works as expected.


If the setting is still RequireSecuritySignature=0, everything works with the changed Samba config.
But I am forced to change from RequireSecuritySignature=0 to RequireSecuritySignature=1.
After changing the client to RequireSecuritySignature=1, the same public share with guest access no longer works.

Greetz, Raphael
___________________________________________
-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Monday, 16 March 2015 14:17
To: samba at lists.samba.org
Subject: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working

On 16/03/15 12:14, Olszewski, Raphael wrote:
>
> Hi Rowland
> The client is stopping communication, not the server. With error 1240.
> And since it is working with the client setting
> RequireSecuritySignature=0 without any problem, 'hosts allow' can
> be neither the problem nor the solution.
>
> So - setting RequireSecuritySignature=1 at the client needs a
> corresponding setting at the server - I guess.
> But even explicit settings on the Samba side like these are not helping:
>
>         security = user
>         auth methods = guest
>         map to guest = Bad User
>         client max protocol = SMB3
>         client min protocol = SMB2
>         client signing = required
>         server signing = required
>
>
> Greetz Raphael
> ___________________________________________
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Monday, 16 March 2015 11:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] RequireSecuritySignature=1 and public share with
> guest not working
>
> On 16/03/15 09:52, Olszewski, Raphael wrote:
> >
> > Due to security reasons SMB signing has to be activated and this
> > share between Linux and Windows is now dead.
> >
> > And I do not find the correct settings to do a public share in this
> > scenario.
> >
> > It has to be public, because the Linux machine isn't allowed to join the
> > domain and, the other way round, the Windows clients cannot leave their domains.
> >
> > And I think just signing SMB messages should not speak against a
> > public share, since those signed SMB messages just make me sure that no
> > man in the middle is manipulating my SMB messages.
> >
> > Regards, Raphael
> > ___________________________________________
> > -----Original Message-----
> > From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> > Sent: Monday, 16 March 2015 10:39
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] RequireSecuritySignature=1 and public share
> > with guest not working
> >
> > On 16/03/15 09:29, Olszewski, Raphael wrote:
> > >
> > > Hi Rowland
> > >
> > > In former times there was "security=share", now I have to use
> > > "RequireSecuritySignature=1" on client side.
> > > Documentation for SMB signing says, this is only possible with
> > > "security=user", not with share.
> > >
> > > So I switched to security=user, configured guest-access to the
> > > public share and activated this RequireSecuritySignature=1
> > >
> > > And then - with RequireSecuritySignature=1 - the client cannot
> > > access this share anymore. Just changing to
> > > RequireSecuritySignature=0 the share is working.
> > >
> > > The client says: error 1240
> > >
> > > The server sees only "connection reset"
> > >
> > > All I need is a _public share together with smb signing_ and
> > > RequireSecuritySignature=1
> > >
> >
> > WHY???
> >
> > Rowland
>
> So you need to make sure that the request to connect comes from a
> member of your domain?
>
> I take it that the members of said domain have an IP address, in which
> case adding something like:
>
> 'hosts allow = 192.168.0.0/24'
>
> Would only allow connection from hosts with the IP address 192.168.0.X
>
> You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'
>
> see 'man smb.conf' for more info.
>
> Rowland


I think you are missing my point. From the brief search I did, the whole world seems to think that you need to set 'RequireSecuritySignature=0', so why do you *need* to set it to '1'?

If it is to ensure that only users on certain machines can connect, then 'hosts allow' should give you the same result.

Rowland


