[Samba] RequireSecuritySignature=1 and public share with guest not working

Olszewski, Raphael r.olszewski at ssc-services.de
Tue Mar 17 03:02:51 MDT 2015


Hi Rowland
i've made the config exactly like you sent.

Doing testparm gives me
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[pub]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]

        netbios name = ME

        server string = Samba Server %v

        map to guest = Bad User

        log file = /var/log/samba/log.%m

        client min protocol = SMB2

        client signing = required

        server signing = required

        idmap config * : backend = tdb

       guest ok = Yes

[pub]

        path = /fs1/smb_test_signing_fuso

        read only = No

        create mask = 0777

        directory mask = 0777

So - writing mandatory to the config shows required in the testparm output.
And even "server siging = required"/ "idmap config * : backend = tdb "was NOT in the smb.conf - since I used your config.
Same with "security = user"
And pub has in smb.conf "browsable =yes"/" writable = yes"
Even a config like
        client signing = mandatory
        server signing = required
shows with testparm
        client signing = required
        server signing = required

That shows me: testparm is interpreting the conf and shows me, what it is using really.

BUT - even with your config I get exactly the same picture as in my countless tries before:
RequireSecuritySignature=0 (old value)    => share is working
RequireSecuritySignature=1 (needed value) => share is NOT working, and I get the client-error 1240 or 0x80004005 (the only change is this flag from 0 to 1)

To clarify: on client side i ONLY change  this value RequireSecuritySignature to 1. Nothing else. Just a client-reboot is neccesary after this change to be active.


I think, it is problem with smb signing, not with the share config.

Raphael
___________________________________________
-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Montag, 16. März 2015 16:32
An: samba at lists.samba.org
Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working

On 16/03/15 15:00, Olszewski, Raphael wrote:
>
> Hi Rowland
> sorry for not being clear.
>
> In my first post I already wrote:
>
> Now I have to tight security with setting those flags in the windows
> client:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstatio
> n\Parameters]
>
> EnablePlainTextPassword=0
>
> EnableSecuritySignature=1
>
> RequireSecuritySignature=1
> . . .
> when I change registry to RequireSecuritySignature=0, everything works like expected.
>
> If setting is still RequireSecuritySignature=0 - everything is working
> with the changed samba config.
> But - i'am forced to change  from RequireSecuritySignature=0  to
> RequireSecuritySignature=1
> If changing the client to RequireSecuritySignature=1 the same public
> share with guest access is not working anymore.
>
>
> Greetz, Raphael
> ___________________________________________
> -----Ursprüngliche Nachricht-----
>

OK, I have had a look at the portion of smb.conf you posted and you posted this:

security = user
auth methods = guest
map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required

Try this:

security = user
map to guest = Bad User
client min protocol = SMB2
client signing = mandatory
server signing = mandatory

The changes: You do not need the 'auth methods' for a public server, with samba 4 the 'client max protocol' defaults to 'SMB3' , 'required'
is not option for 'client signing' or 'server signing' according to 'man smb.conf', the three options are 'auto, mandatory and disabled'.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


More information about the samba mailing list