[Samba] RequireSecuritySignature=1 and public share with guest not working
Olszewski, Raphael
r.olszewski at ssc-services.de
Tue Mar 17 03:02:51 MDT 2015
Hi Rowland
i've made the config exactly like you sent.
Doing testparm gives me
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[pub]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
netbios name = ME
server string = Samba Server %v
map to guest = Bad User
log file = /var/log/samba/log.%m
client min protocol = SMB2
client signing = required
server signing = required
idmap config * : backend = tdb
guest ok = Yes
[pub]
path = /fs1/smb_test_signing_fuso
read only = No
create mask = 0777
directory mask = 0777
So - writing mandatory to the config shows required in the testparm output.
And even "server siging = required"/ "idmap config * : backend = tdb "was NOT in the smb.conf - since I used your config.
Same with "security = user"
And pub has in smb.conf "browsable =yes"/" writable = yes"
Even a config like
client signing = mandatory
server signing = required
shows with testparm
client signing = required
server signing = required
That shows me: testparm is interpreting the conf and shows me, what it is using really.
BUT - even with your config I get exactly the same picture as in my countless tries before:
RequireSecuritySignature=0 (old value) => share is working
RequireSecuritySignature=1 (needed value) => share is NOT working, and I get the client-error 1240 or 0x80004005 (the only change is this flag from 0 to 1)
To clarify: on client side i ONLY change this value RequireSecuritySignature to 1. Nothing else. Just a client-reboot is neccesary after this change to be active.
I think, it is problem with smb signing, not with the share config.
Raphael
___________________________________________
-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Montag, 16. März 2015 16:32
An: samba at lists.samba.org
Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working
On 16/03/15 15:00, Olszewski, Raphael wrote:
>
> Hi Rowland
> sorry for not being clear.
>
> In my first post I already wrote:
>
> Now I have to tight security with setting those flags in the windows
> client:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstatio
> n\Parameters]
>
> EnablePlainTextPassword=0
>
> EnableSecuritySignature=1
>
> RequireSecuritySignature=1
> . . .
> when I change registry to RequireSecuritySignature=0, everything works like expected.
>
> If setting is still RequireSecuritySignature=0 - everything is working
> with the changed samba config.
> But - i'am forced to change from RequireSecuritySignature=0 to
> RequireSecuritySignature=1
> If changing the client to RequireSecuritySignature=1 the same public
> share with guest access is not working anymore.
>
>
> Greetz, Raphael
> ___________________________________________
> -----Ursprüngliche Nachricht-----
>
OK, I have had a look at the portion of smb.conf you posted and you posted this:
security = user
auth methods = guest
map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required
Try this:
security = user
map to guest = Bad User
client min protocol = SMB2
client signing = mandatory
server signing = mandatory
The changes: You do not need the 'auth methods' for a public server, with samba 4 the 'client max protocol' defaults to 'SMB3' , 'required'
is not option for 'client signing' or 'server signing' according to 'man smb.conf', the three options are 'auto, mandatory and disabled'.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list