[Samba] Server Mandatory SMB Signing Not Working

Philip Cunio phil.cunio at inmar.com
Sun Aug 8 23:08:41 UTC 2021

We have just implemented the requirement for SMB signing to be mandatory. I
have made the required changes to smb.conf but it is not working. Windows
clients requiring SMB signing as mandatory can not connect. If we remove
that requirement, the client can connect. We are running SAMBA 4.10.6 on
AIX 7.1 TL5. Below is the pertinent information from  /etc/samba/smb.conf:

        workgroup = INMAR
        netbios name = SERVERA
        interfaces = xx.xxx.xx.xx
#       security = SHARE
        map to guest = Bad Password
        null passwords = Yes
#       log level = 5
        username map = /usr/local/lib/users.map
        log file = /var/samba/log/log.%m
        name resolve order = wins host  bcast
        unix extensions = No
        wins server = xx.xxx.xxx.xxx
        socket address = xx.xxx.xxx.xx
        client min protocol = SMB2
        server signing = mandatory
        client signing = mandatory

        comment = flat files
        path = /data/unload/flat_files
        read only = No
        guest ok = Yes
        wide links = Yes

*I have obfuscated the IP addresses for security reasons.

Clients are able to connect as long as they do not require SMB Signing.

I have confirmed that I successfully restarted samba after I made the
change to smb.conf by doing
ps -ef | grep smbd (noted samba PID)
smbd restart
ps -ef | grep smbd (noted that samba PID changed from above)

I have also run Testparm against smb.conf and there were no errors found.

I have verified that the smb.conf file I am changing is the one being used
by smbd daemon
/opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf

What setting am I missing or could be disabling the server signing =
mandatory option?



*Philip Cunio*

Data Center Director, Inmar Technology Solutions

*phil.cunio at inmar.com <phil.cunio at Inmar.com>*
635 Vine Street, Winston-Salem, NC 27101
p: 336-631-2934

*www.inmar.com <https://www.inmar.com/>  | LinkedIn
<https://www.linkedin.com/company/inmar>  | Facebook
<https://www.facebook.com/CollectiveBias/?ref=br_rs>  | Twitter

<https://www.linkedin.com/company/inmar> <https://www.facebook.com/inmarinc>

*Please consider the environment before printing this email.*




*Inmar Confidentiality 
Note*:  This e-mail and any attachments are confidential and intended to be 
viewed and used solely by the intended recipient.  If you are not the 
intended recipient, be aware that any disclosure, dissemination, 
distribution, copying or use of this e-mail or any attachment is 
prohibited.  If you received this e-mail in error, please notify us 
immediately by returning it to the sender and delete this copy and all 
attachments from your system and destroy any printed copies.  Thank you for 
your cooperation.


*Notice of Protected Rights*:  The removal of any 
copyright, trademark, or proprietary legend contained in this e-mail or any 
attachment is prohibited without the express, written permission of Inmar, 
Inc.  Furthermore, the intended recipient must maintain all copyright 
notices, trademarks, and proprietary legends within this e-mail and any 
attachments in their original form and location if the e-mail or any 
attachments are reproduced, printed or distributed.



More information about the samba mailing list