[Samba] Bad SMB2 (sign_algo_id=1) signature for message

Denis CARDON dcardon at tranquil.it
Tue Apr 2 09:53:40 UTC 2024


Hi Michael,

On 01/04/2024 at 13:09, Michael Tokarev via samba wrote:
> 01.04.2024 13:56, Jones Syue 薛懷宗:
>>> I can't say for sure but I *think* each time the client is windows server 2012.
>>
>> Looks good :) If run this script[1] to test multiple dialects, found only
>> SMB3_00 and SMB3_02 has this "(sign_algo_id=1)", and per doc[2] it could
>> happen with ws2012 and ws2012r2.
>
> This *is* 2012 r2.  The protocol version it negotiates is shown by smbstatus
> on samba server, it is SMB3_02.  More modern workstations negotiate SMB3_11.
>
>> Perhaps some kind of services, like antivirus scan LAN, or printer access,
>> access attempts to samba server via guest or anonymous account trigger this
>> log, not quite sure just a preliminary guess :)
>
> There's no antivirus running on these machines.  At least we tried to disable
> everything.
>
> The access *is* anonymous, always, this is a read-only anonymous share with
> a big application used by multiple users.  It has public=yes,
> map_to_guest=invalid_user.
>
> I can't say when exactly this error is logged.

SMBv2 signing requires a shared secret, and I guess that anonymous
access doesn't provide that shared secret for signing / encryption.

From [1] "Guest logons don't support standard security features such as
signing and encryption." on SMB2.

So I guess you should use an account with a password on the client
machine to avoid this message.

Cheers,

Denis

[1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default


>
>> Could 'Event Viewer' of windows server 2012 see a similar event about
>> bad/invalid signature too?
>
> Somehow I forgot to look there.  Let's see..
>
> /mjt
>