[Samba] Server Mandatory SMB Signing Not Working

Philip Cunio phil.cunio at inmar.com
Sun Nov 14 15:17:06 UTC 2021

We have just made the required changes to implement SMB Signing. We are
now using LDAP/Kerberos to authenticate users.
We joined the SAMBA server to the domain via the net ads join .... command.
Everything works except that the add user script feature doesn't seem to
work consistently. I can manually add users to the local AIX machine
with the same script and the user can then map their drives. However, SAMBA
does not do it automatically per design. Below is the Global section from
my smb.conf. Any assistance would be greatly appreciated. I have obfuscated
portions for security.

        workgroup = INM
        realm = INMAR.COM
        interfaces = 99.999.999.999
        netbios name = AAAAAA
        netbios aliases = BBBBBB
        security = ADS
        add user script = /usr/sbin/smbusradd -g usr -G usr %u
        log file = /var/samba/log/log.%m
        log level = 3  passdb:5  auth:5
        wins server = xxxxxxx.inmar.com
        password server =  xxxxxxx.inmar.com
        socket address =  99.999.999.999
        server min protocol = SMB2
        server signing = mandatory
        create mask = 0666

On Sun, Aug 8, 2021 at 7:08 PM Philip Cunio <phil.cunio at inmar.com> wrote:

> We have just implemented the requirement for SMB signing to be mandatory.
> I have made the required changes to smb.conf but it is not working. Windows
> clients requiring SMB signing as mandatory cannot connect. If we remove
> that requirement, the client can connect. We are running SAMBA 4.10.6 on
> AIX 7.1 TL5. Below is the pertinent information from  /etc/samba/smb.conf:
>  [global]
>         workgroup = INMAR
>         netbios name = SERVERA
>         interfaces = xx.xxx.xx.xx
> #       security = SHARE
>         map to guest = Bad Password
>         null passwords = Yes
> #       log level = 5
>         username map = /usr/local/lib/users.map
>         log file = /var/samba/log/log.%m
>         name resolve order = wins host  bcast
>         unix extensions = No
>         wins server = xx.xxx.xxx.xxx
>         socket address = xx.xxx.xxx.xx
>         client min protocol = SMB2
>         server signing = mandatory
>         client signing = mandatory
> [files]
>         comment = flat files
>         path = /data/unload/flat_files
>         read only = No
>         guest ok = Yes
>         wide links = Yes
> *I have obfuscated the IP addresses for security reasons.
> Clients are able to connect as long as they do not require SMB Signing.
> I have confirmed that I successfully restarted samba after I made the
> change to smb.conf by doing
> ps -ef | grep smbd (noted samba PID)
> smbd restart
> ps -ef | grep smbd (noted that samba PID changed from above)
> I have also run testparm against smb.conf and there were no errors found.
> I have verified that the smb.conf file I am changing is the one being used
> by the smbd daemon:
> /opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf
> What setting am I missing or could be disabling the server signing =
> mandatory option?
> Thanks,
> Phil
> --
> *Philip Cunio*
> Data Center Director, Inmar Technology Solutions




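A check of the quoted smb.conf for settings that interact with `server signing = mandatory`, added here as an example and not part of the original post or of Samba itself. `SAMPLE` is constructed from the quoted `[global]` and `[files]` sections, and the helper names `parse_smb_conf` and `audit_signing` are hypothetical; the checks rest on the fact that guest sessions are not signed, so clients that require signing refuse them.

```python
# Added example: flag smb.conf settings that interact with mandatory signing.
# SAMPLE is constructed from the quoted [global]/[files] sections above.
SAMPLE = """\
[global]
    workgroup = INMAR
#   security = SHARE
    map to guest = Bad Password
    null passwords = Yes
    client min protocol = SMB2
    server signing = mandatory
    client signing = mandatory
[files]
    path = /data/unload/flat_files
    guest ok = Yes
"""

TRUE = {"yes", "true", "1", "on"}
ENFORCED = {"mandatory", "required"}  # values treated as "signing enforced" here

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_signing(conf):
    """Return (section, param, reason) tuples for signing-related findings."""
    g, out = conf.get("global", {}), []
    if g.get("server signing", "default").lower() not in ENFORCED:
        out.append(("global", "server signing", "server does not enforce signing"))
    if g.get("map to guest", "never").lower() != "never":
        out.append(("global", "map to guest", "failed logons fall back to guest sessions, which are not signed"))
    if "client min protocol" in g and "server min protocol" not in g:
        out.append(("global", "client min protocol", "applies only when Samba acts as a client; 'server min protocol' governs smbd"))
    for name, params in conf.items():
        if name != "global" and params.get("guest ok", "no").lower() in TRUE:
            out.append((name, "guest ok", "guest access to this share is not signed"))
    return out

if __name__ == "__main__":
    for section, param, reason in audit_signing(parse_smb_conf(SAMPLE)):
        print(f"[{section}] {param}: {reason}")
```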