[Samba] Bad SMB2 (sign_algo_id=1) signature for message
Michael Tokarev
mjt at tls.msk.ru
Wed Apr 3 10:13:16 UTC 2024
02.04.2024 12:53, Denis CARDON via samba wrote:
> Hi Michael,
> On 01/04/2024 at 13:09, Michael Tokarev via samba wrote:
>> The access *is* anonymous, always, this is a read-only anonymous share with
>> a big application used by multiple users. It has public=yes, map_to_guest=invalid_user.
>>
>> I can't say when exactly this error is logged.
>
> SMBv2 signing requires having a shared secret, and I guess that anonymous access doesn't provide that shared secret for signing / encryption.
>
> From [1] "Guest logons don't support standard security features such as signing and encryption." on SMB2.
>
> So I guess you should use an account with a password on the client machine to avoid this message.
The thing is that this is an anonymous server with no accounts.
We're moving slowly to using a domain member for this file server
(another machine which gives other interesting messages in logs).
Here, it works most of the time - connections work, files get
read, directories are followed, etc. So the question is: why does it
(the whole thing, samba and clients) have no issues whatsoever,
while in some cases it has problems with signing like the logged
example? This machine is serving many 100s of connections, and
while the amount of this noise in the logs is significant, it definitely
is in a minority of cases only. From the same machines for which
samba doesn't log anything most of the time, too.
> [1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
We had to explicitly enable guest access on clients.
>>> Could 'Event Viewer' of Windows Server 2012 show a similar event about
>>> bad/invalid signature too?
>>
>> Somehow I forgot to look there. Let's see..
Unfortunately there's nothing relevant in the server logs, not
even remotely relevant.
Hopefully this will stop when moving to a domain-member setup.
It's still interesting to find the cause though.
Thank you Denis for this hint - this is the closest so far.
/mjt