[Samba] server signing = mandatory/required broken in 4.17.5 ?

Jens Viebig jsurf at gmx.de
Fri Jul 7 11:01:18 UTC 2023 

We are using samba on RedHat 8.8. The latest samba version available for
RHEL8 is samba 4.17.5

Since samba is updated to 4.17.5 from 4.16.4 the "server signing =
mandatory" config option seems to be broken.

Nessus scans reports a vulnerability on server signing not required:
SMB Signing not required
VULNERABILITY MEDIUM
PLUGIN ID57608
Description

Signing is not required on the remote SMB server. An unauthenticated,
remote attacker can exploit this to conduct man-in-the-middle attacks
against the SMB server.

Our smb.conf looks like this:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user
        passdb backend = tdbsam
        server signing = mandatory
        map to guest = Never
        restrict anonymous = 2
[someshare]
        comment = This is a share for some share
        path = /var/someshare
        read only = no
        writable = yes
        public = no
        guest ok = no
        guest only = no
        valid users = someuser
        browsable = yes
        force user = someotheruser
        force group = someothergroup
        browseable = yes

Testing the configuration with testparm, gives this output:
testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        restrict anonymous = 2
        security = USER
        server signing = required
        workgroup = SAMBA
        idmap config * : backend = tdb


[someshare]
        comment = This is a share for SDC Ingest
        force group = someothergroup
        force user = someotheruser
        path = /var/someshare
        read only = No
        valid users = someuser

We also tried to change "server signing = mandatory" to "server signing =
required" in the original config without effect.
When downgrading to 4.16.4 nessus reports a clean scan, when upgrading to
4.17.5 again, the vulnerability shows up again

Is this a known issue in 4.17.5 ?
Would an upgrade to a later version help (unfortunately currently
unavailable for RHEL8) ?
Is there any known change from 4.16 to 4.17 that could explain this issue ?

Thanks

More information about the samba mailing list