[Samba] Document that SMB signing does not work / is not supported without authentication

Adrian Fita adrian.fita at gmail.com
Tue Aug 16 09:15:12 UTC 2016


Hello everyone. I apologize in advance if what I'm talking about here
is obvious to all. I don't usually deal with SMB stuff.

So, recently I was asked to implement "server signing = mandatory" for
an SMB service that exposes only anonymous / guest shares.

At first I tried with Samba 3.6.x and a Windows 7 client, but "net
use" from Windows refused to mount the SMB share, displaying the error
"System error 64 has occurred.". Then I tried with Samba 4.3.x and the
SMB share was mounted, but when I inspected the traffic with
Wireshark, I noticed that the SMB packets were not actually signed, so
Samba 4 allows mounts, but it silently ignores signing, falling back
to "signing = disabled".

Then I did some more digging in the SMB specification
(http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-SMB2].pdf)
and I found that SMB signing is performed only for authenticated
sessions:

--
3.1.1.1 Global
The following global data is required by both the client and server:
RequireMessageSigning: A Boolean that, if set, indicates that this
node requires that messages MUST be signed *if the message is sent
with a user security context that is neither anonymous nor guest*. If
not set, this node does not require that any messages be signed, but
can still choose to do so if the other node requires it.
--

I also found this comment in bugzilla.samba.org:

--
https://bugzilla.samba.org/show_bug.cgi?id=8382

Stefan Metzmacher 2012-05-30 11:41:43 UTC Comment 21
Closing this as invalid, as *it's not possible to do signing as guest user*.
--

Indeed, inspecting the traffic with Wireshark for an authenticated SMB
share, the packets are signed. Now I know for sure that SMB signing
can be done only for shares with authentication.

I would have appreciated it if I had been spared the extensive digging I
had to do. A small note or warning in the "server signing" and "client
signing" sections of the smb.conf man page that SMB signing works only
with authentication would have sufficed. The fact that SMB signing
cannot be done without authentication doesn't seem to be knowledge too
widespread on the net, so I am sure that adding a small note/warning
in the manuals would spare many people from wasting their time.

My question is: does it make sense to create a bug in
bugzilla.samba.org to request adding this note to the manual?

Thanks,
--
Fita Adrian
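
A way to confirm from captured traffic what the post describes, as an added example that is not part of the original message or of Samba: it reads the SMB2_FLAGS_SIGNED bit of each SMB2 header and the SessionFlags of the SESSION_SETUP response to report, per session, whether it is guest/anonymous and whether its messages are signed. It assumes unencrypted, non-compounded SMB2 messages with the transport framing already stripped; the helper names and the sample bytes are constructed for illustration.

```python
import struct

HDR = struct.Struct("<4sHHIHHIIQIIQ16s")  # 64-byte SMB2 sync header ([MS-SMB2])
FLAG_RESPONSE = 0x00000001                # SMB2_FLAGS_SERVER_TO_REDIR
FLAG_SIGNED = 0x00000008                  # SMB2_FLAGS_SIGNED
CMD_SESSION_SETUP = 0x0001
SESSION_FLAGS = {0x0001: "guest", 0x0002: "anonymous"}  # IS_GUEST, IS_NULL

def parse(msg):
    """Return (status, command, flags, session_id, signature, body)."""
    if len(msg) < HDR.size:
        raise ValueError("short SMB2 message")
    (magic, size, _charge, status, cmd, _credits, flags, _next, _mid,
     _reserved, _tree, sid, sig) = HDR.unpack_from(msg)
    if magic != b"\xfeSMB" or size != 64:
        raise ValueError("not a plain SMB2 header")
    return status, cmd, flags, sid, sig, msg[HDR.size:]

def audit(messages):
    """Map session id -> security context and signed/unsigned message counts."""
    sessions = {}
    for msg in messages:
        status, cmd, flags, sid, sig, body = parse(msg)
        if sid == 0:
            continue  # negotiate and the first session setup carry no session
        s = sessions.setdefault(sid, {"context": "unknown", "signed": 0, "unsigned": 0})
        if cmd == CMD_SESSION_SETUP:
            # Only the final (STATUS_SUCCESS) response carries the real SessionFlags.
            if flags & FLAG_RESPONSE and status == 0 and len(body) >= 4:
                sflags = struct.unpack_from("<HH", body)[1]
                s["context"] = next((name for bit, name in SESSION_FLAGS.items()
                                     if sflags & bit), "authenticated")
            continue
        # A set flag with an all-zero signature field is not a signed message.
        signed = bool(flags & FLAG_SIGNED) and sig != bytes(16)
        s["signed" if signed else "unsigned"] += 1
    return sessions

def build(cmd, flags, sid, body=b"", sig=bytes(16), status=0):
    """Pack a constructed sample message; all field values are illustrative."""
    return HDR.pack(b"\xfeSMB", 64, 0, status, cmd, 1, flags, 0, 0, 0, 0, sid, sig) + body

SAMPLE = [  # constructed traffic: one guest session (0x11), one authenticated (0x22)
    build(CMD_SESSION_SETUP, FLAG_RESPONSE, 0x11, struct.pack("<HHHH", 9, 0x0001, 72, 0)),
    build(0x0003, 0, 0x11),   # TREE_CONNECT request, unsigned
    build(0x0005, 0, 0x11),   # CREATE request, unsigned
    build(CMD_SESSION_SETUP, FLAG_RESPONSE, 0x22, struct.pack("<HHHH", 9, 0, 72, 0)),
    build(0x0003, FLAG_SIGNED, 0x22, sig=b"\xaa" * 16),  # signed TREE_CONNECT
]
```

A session reported as guest or anonymous with a non-zero unsigned count is the case the post ran into: the share mounts, but a "server signing = mandatory" setting has no effect on that traffic.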


