[Samba] RequireSecuritySignature=1 and public share with guest not working

Tue Mar 17 08:49:19 MDT 2015

Rowland, thank you!
I did not believe it could be a bug and was searching really hard, but did not find any correct config.
So i have filed 2 bugs:

https://bugzilla.samba.org/show_bug.cgi?id=11167

https://bugzilla.samba.org/show_bug.cgi?id=11168

The Windows-Client is working properly - since i have allways access to DFS-Drives served by MS-Servers with both variants of  RequireSecuritySignature (0 or 1)

Raphael
___________________________________________
-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Dienstag, 17. März 2015 10:53
An: samba at lists.samba.org
Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working

On 17/03/15 09:02, Olszewski, Raphael wrote:
>
> Hi Rowland
> i've made the config exactly like you sent.
>
> Doing testparm gives me
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[pub]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
>
>         netbios name = ME
>
>         server string = Samba Server %v
>
>         map to guest = Bad User
>
>         log file = /var/log/samba/log.%m
>
>         client min protocol = SMB2
>
>         client signing = required
>
>         server signing = required
>
>         idmap config * : backend = tdb
>
>        guest ok = Yes
>
> [pub]
>
>         path = /fs1/smb_test_signing_fuso
>
>         read only = No
>
>         create mask = 0777
>
> directory mask = 0777
>
> So - writing mandatory to the config shows required in the testparm
> output.
> And even "server siging = required"/ "idmap config * : backend = tdb
> "was NOT in the smb.conf - since I used your config.
> Same with "security = user"
> And pub has in smb.conf "browsable =yes"/"writable = yes" Even a
> config like
>         client signing = mandatory
>         server signing = required
> shows with testparm
>         client signing = required
>         server signing = required
>
> That shows me: testparm is interpreting the conf and shows me, what it
> is using really.
>
> BUT - even with your config I get exactly the same picture as in my
> countless tries before:
> RequireSecuritySignature=0 (old value)    => share is working
> RequireSecuritySignature=1 (needed value) => share is NOT working, and
> I get the client-error 1240 or 0x80004005 (the only change is this
> flag from 0 to 1)
>
> To clarify: on client side i ONLY change  this value
> RequireSecuritySignature to 1. Nothing else. Just a client-reboot is
> neccesary after this change to be active.
>
> I think, it is problem with smb signing, not with the share config.
>
>
> Raphael
>

OK, it looks like you have discovered a couple of bugs, first the smb.conf manpage does not mention 'required' it says 'mandatory', yet testparm does say 'required', in fact, as you have found, it changes it to 'required'. The main bug is 'server signing' seems to be ignored, I think that you need to find out if windows works as you expect.

Rowland