[Samba] Low performance when using "server signing" = "mandatory"

Adam Błaszczykowski adam.blaszczykowski at gmail.com
Mon Oct 23 07:54:47 UTC 2023


Hello,
I have updated my system to Debian 12 with Samba 4.17.12, but the problem
with performance still exists.
On the Samba page there is a note in the CVE-2016-2114 description:
"Note that the default for server roles other than active directory domain
controller, is "off" because of performance reasons."
https://www.samba.org/samba/security/CVE-2016-2114.html

Does it mean that using "server signing = required" for a file server with
"server role = standalone" doesn't increase security and only causes
problems with performance?
My Nessus security scanner reports a problem with "SMB signing not required"
even on the newest Debian 12 bookworm with Samba version 4.17.12:

Nessus CVE-2016-2114 description:
Signing is not required on the remote SMB server. An unauthenticated,
remote attacker can exploit this to conduct man-in-the-middle attacks
against the SMB server.

Nessus CVE-2016-2114 solution:
Enforce message signing in the host's configuration. On Windows, this is
found in the policy setting 'Microsoft network server: Digitally sign
communications (always)'. On Samba, the setting is called 'server signing'.

Best regards.
Adam Bllaszczykowski

Mon, 16 Oct 2023 at 16:50 Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Mon, 16 Oct 2023 15:13:49 +0200
> Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I'm experiencing very slow read/write performance, about 20 MB/s, on a
> > Samba share when I configure the "server signing" option as
> > "mandatory". Once I set "server signing" to "default", the read/write
> > performance returns to an average speed of about 800 MB/s.
> > I am using Samba 4.9.4 on a server with an Intel Xeon CPU E5-2690 0 @
> > 2.90GHz (32 threads) and a 10 Gbit ethernet controller.
> > I need to set the "mandatory" value for security reasons, but the
> > performance is unacceptable. How do I solve this problem?
>
> Hmm, you need to set a parameter for security reasons, but you are quite
> prepared to continue using a 5 year old, EOL version of Samba, a
> version that quite likely contains numerous CVEs that have been
> fixed in later versions ????
>
> What OS is this on?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
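An added example, not from this thread or from the Samba project: a small Python checker that resolves the effective "server signing" setting of an smb.conf together with "server role", the way the CVE-2016-2114 note quoted above describes, so that "default" on a standalone file server is reported as not enforced (the condition the Nessus finding describes). The value synonyms and role names it accepts, and the sample configurations, are assumptions drawn from smb.conf(5) and constructed for the example.

```python
"""Audit an smb.conf: is SMB server signing actually enforced?

Constructed example. "server signing = default" only means "mandatory"
on an Active Directory domain controller; on every other role it means
"off", which is what a scanner reports as "SMB signing not required".
"""
import configparser

# Value synonyms this checker recognises (assumption based on smb.conf(5);
# the thread itself uses both "mandatory" and "required").
ENFORCED = {"mandatory", "required"}
OPTIONAL = {"auto", "if_required"}
OFF = {"off", "disabled", "no", "false"}
AD_DC_ROLES = {"active directory domain controller", "dc"}


def _param(section, name):
    """Look up a [global] parameter, ignoring case and spacing in its name."""
    for key, value in section.items():
        if "".join(key.split()).lower() == name:
            return " ".join(value.split()).lower()
    return None


def signing_status(conf_text: str) -> tuple[bool, str]:
    """Return (enforced, explanation) for the given smb.conf text."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    delimiters=("=",))
    # smb.conf may indent parameters (testparm -s output does); strip each
    # line so configparser does not treat them as value continuations.
    cfg.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    glob = next((cfg[s] for s in cfg.sections() if s.lower() == "global"), {})
    # Assumption: with no "server role" line we treat the host as a non-DC.
    role = _param(glob, "serverrole") or "standalone"
    signing = _param(glob, "serversigning") or "default"
    if signing in ENFORCED:
        return True, f"server signing = {signing}: clients must sign"
    if signing == "default" and role in AD_DC_ROLES:
        return True, "server signing = default resolves to mandatory on an AD DC"
    if signing == "default":
        return False, f"server signing = default resolves to off for role '{role}'"
    if signing in OPTIONAL:
        return False, f"server signing = {signing}: offered but not required"
    if signing in OFF:
        return False, f"server signing = {signing}: signing not required"
    return False, f"unrecognised server signing value '{signing}'"


# Constructed sample: the weak standalone file server beside its hardened form.
WEAK_CONF = "[global]\n\tserver role = standalone\n\tserver signing = default\n" \
            "[share]\n\tpath = /srv/share\n"
HARDENED_CONF = WEAK_CONF.replace("signing = default", "signing = mandatory")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, signing_status(conf))
```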

