[Samba] RequireSecuritySignature=1 and public share with guest not working

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 17 03:52:45 MDT 2015 

On 17/03/15 09:02, Olszewski, Raphael wrote:
>
> Hi Rowland
> i’ve made the config exactly like you sent.
>
> Doing testparm gives me
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[pub]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
>
>         netbios name = ME
>
>         server string = Samba Server %v
>
>         map to guest = Bad User
>
>         log file = /var/log/samba/log.%m
>
>         client min protocol = SMB2
>
>         client signing = required
>
>         server signing = required
>
>         idmap config * : backend = tdb
>
>        guest ok = Yes
>
> [pub]
>
>         path = /fs1/smb_test_signing_fuso
>
>         read only = No
>
>         create mask = 0777
>
> directory mask = 0777
>
> So – writing mandatory to the config shows required in the testparm 
> output.
> And even „server siging = required“/ “idmap config * : backend = tdb 
> “was NOT in the smb.conf – since I used your config.
> Same with “security = user”
> And pub has in smb.conf „browsable =yes“/“writable = yes“
> Even a config like
>         client signing = mandatory
>         server signing = required
> shows with testparm
>         client signing = required
>         server signing = required
>
> That shows me: testparm is interpreting the conf and shows me, what it 
> is using really.
>
> BUT – even with your config I get exactly the same picture as in my 
> countless tries before:
> RequireSecuritySignature=0 (old value)    => share is working
> RequireSecuritySignature=1 (needed value) => share is NOT working, and 
> I get the client-error 1240 or 0x80004005 (the only change is this 
> flag from 0 to 1)
>
> To clarify: on client side i ONLY change  this value 
> RequireSecuritySignature to 1. Nothing else. Just a client-reboot is 
> neccesary after this change to be active.
>
> I think, it is problem with smb signing, not with the share config.
>
>
> Raphael
>

OK, it looks like you have discovered a couple of bugs, first the 
smb.conf manpage does not mention 'required' it says 'mandatory', yet 
testparm does say 'required', in fact, as you have found, it changes it 
to 'required'. The main bug is 'server signing' seems to be ignored, I 
think that you need to find out if windows works as you expect.

Rowland

More information about the samba mailing list