Olszewski, Raphael
2015-Mar-12 17:16 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hello
I have a samba server with a public share. It was configured with
security=share.
Now I have to tighten security by setting those flags in the windows client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1
RequireSecuritySignature=1
Since this change the public share is not working anymore. I found that smb
signing requires security=user.
So I tried with this and it is not working either.
My config is
[global]
security = user
auth methods = guest
map to guest = Bad User
log file = /var/log/samba/log.%m
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required
[pub]
path = /fs1/smb_test_signing
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
The user coming from Windows to samba is NOT configured, and user nobody as guest
should be the one used in the end to write or read on the filesystem.
I already updated from 3.6.3 and have now installed
sernet-samba-4.1.17-11.suse111.x86_64 (SLES11 SP3).
The clients are Win7 clients joined to foreign domains.
While debugging I see on the samba-server side (stripped):
[2015/03/12 15:44:01.506174, 6, pid=421, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2658(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Mar 12 09:58:57 2015
[2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
  &global_blob: struct smbXsrv_session_globalB
    version : SMBXSRV_VERSION_0 (0)
    seqnum : 0x00000002 (2)
    info : union smbXsrv_session_globalU(case 0)
    info0: struct smbXsrv_session_global0
      session_global_id : 0xfeda2f8e (4275711886)
      session_wire_id : 0x00000000feda2f8e (4275711886)
      creation_time : Thu Mar 12 03:44:01 PM 2015 CET
      expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
      auth_session_info_seqnum : 0x00000001 (1)
      auth_session_info: struct auth_session_info
        security_token: struct security_token
          num_sids : 0x00000008 (8)
          sids: ARRAY(8)
            sids : S-1-5-21-1006455019-4192495585-3927419034-501
            sids : S-1-5-21-1006455019-4192495585-3927419034-514
            sids : S-1-22-2-65533
            sids : S-1-22-2-65534
            sids : S-1-1-0
            sids : S-1-5-2
            sids : S-1-5-32-546
            sids : S-1-22-1-65534
          privilege_mask : 0x0000000000000000 (0)
          rights_mask : 0x00000000 (0)
        unix_token: struct security_unix_token
          uid : 0x000000000000fffe (65534)
          gid : 0x000000000000fffd (65533)
          ngroups : 0x00000002 (2)
          groups: ARRAY(2)
            groups : 0x000000000000fffd (65533)
            groups : 0x000000000000fffe (65534)
        info: struct auth_user_info
          account_name : 'nobody'
          domain_name : 'SMB'
          authenticated : 0x00 (0)
        unix_info: struct auth_user_info_unix
          unix_name : 'nobody'
        torture : NULL
        credentials : NULL
      connection_dialect : 0x0210 (528)
      signing_required : 0x00 (0)
      encryption_required : 0x00 (0)
      num_channels : 0x00000001 (1)
[2015/03/12 15:44:01.514273, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2494(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:9] at ../source3/smbd/smb2_sesssetup.c:168
[2015/03/12 15:44:01.514343, 50, pid=421, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
  s3_tevent: Destroying timer event 0x7fee588a5570 "smbd_smb2_request_pending_timer"
[2015/03/12 15:44:01.514397, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 31, charge 1, granted 31, current possible/max 512/512, total granted/max/low/range 31/8192/4/31
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
[2015/03/12 15:44:01.515495, 4, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/03/12 15:44:01.515551, 5, pid=421, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
Wondering about
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
And then
smb2_server.c:1002(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
The client shows ReasonCode: 0x80004005
When I change the registry to RequireSecuritySignature=0, I can access.
How do I have to configure the smb-server to have a real public share for
windows7-clients that are not specially configured (domain, computer-account,
user, ...)?
Do I understand Security-signature wrong?
Is this scenario possible without the samba server being joined to the domain?
(What I wanted)
Raphael
L.P.H. van Belle
2015-Mar-13 08:08 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi,

Try these settings in global settings.

####### Authentication #######
## stand alone everything open.
security = user
guest ok = yes
map to guest = bad password

Add these to the share.
guest ok = yes

Sets samba open without password prompt.
I use it at home for my kodi server.

Greetz,

Louis
Olszewski, Raphael
2015-Mar-13 09:42 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi
I tried exactly your type of config.

With "RequireSecuritySignature=0" the anon access is working as expected.
As soon as I set "RequireSecuritySignature=1" it is not working anymore.

So it seems not to be the problem to configure the guest access. But it seems to be the problem with requiring the signing.
I thought it could be fixed with the right config, but did not find a working combination.

Do I have to set up certificates for the signing?
Or how will the messages be signed?
My guess is that the signing isn't working as expected ...

Regards, Raphael
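Added example, not part of the original thread and not Samba's code: how a packet is signed on the SMB 2.1 dialect seen in the log (connection_dialect 0x0210). The MAC is keyed with the session key that comes out of authentication, so no certificates are involved, and a guest-mapped session, where the server never verified a password, leaves the two ends without a common key. The key and packet body are constructed samples, and `client_accepts_session` is a hypothetical helper modelling the client rule described in MS-SMB2.

```python
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008           # Flags bit in the SMB2 header
SMB2_SESSION_FLAG_IS_GUEST = 0x0001      # SessionFlags bit in the SESSION_SETUP response
SIG_OFFSET, SIG_LEN = 48, 16             # Signature field inside the 64-byte header


def build_message(command, message_id, session_id, body=b""):
    """Unsigned SMB2 packet: 64-byte sync header plus body (constructed sample)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 1, 0, command, 1,
        0, 0, message_id, 0, 0, session_id, b"\x00" * SIG_LEN)
    return header + body


def sign(message, session_key):
    """SMB 2.0.2/2.1 signing: HMAC-SHA256 keyed with the session key, first 16 bytes."""
    if not session_key:
        raise ValueError("no session key available for this session")
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, 16)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", msg, 16, flags)
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = b"\x00" * SIG_LEN
    mac = hmac.new(session_key, bytes(msg), hashlib.sha256).digest()[:SIG_LEN]
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = mac
    return bytes(msg)


def verify(message, session_key):
    """Recompute the MAC over the packet with a zeroed Signature field."""
    msg = bytearray(message)
    received = bytes(msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN])
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = b"\x00" * SIG_LEN
    expected = hmac.new(session_key, bytes(msg), hashlib.sha256).digest()[:SIG_LEN]
    return hmac.compare_digest(received, expected)


def client_accepts_session(session_flags, require_signing):
    """Client rule per MS-SMB2: a guest session fails when signing is required."""
    return not (require_signing and session_flags & SMB2_SESSION_FLAG_IS_GUEST)


if __name__ == "__main__":
    key = bytes(range(16))               # constructed 16-byte session key
    # 0x0003 = TREE_CONNECT; session id taken from the log's session_wire_id
    pkt = sign(build_message(0x0003, 2, 0xFEDA2F8E, b"\x09\x00"), key)
    print("signed ok:", verify(pkt, key))
    print("tampered:", verify(pkt[:-1] + b"\xff", key))
    print("guest + RequireSecuritySignature=1 accepted:",
          client_accepts_session(SMB2_SESSION_FLAG_IS_GUEST, True))
```
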
L.P.H. van Belle
2015-Mar-13 10:21 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Strange, I did not change anything in my Windows 7 64-bit.
This is my full setup, pretty basic.
Ubuntu 14.04.2 LTS, Trusty Tahr, with sernet samba 4.1.17-9
I do have 1 user for samba.
pdbedit -L
xbmc:5000:MediaUser
[global]
workgroup = PRIVE
server string = %h server
dns proxy = yes
; name resolve order = lmhosts host wins bcast
#### Networking ####
# interfaces = 127.0.0.0/8 eth0
# bind interfaces only = yes
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
## stand alone everything open.
security = user
guest ok = yes
map to guest = bad password
####
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
########## Printing ##########
#---- disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#======================= Share Definitions ======================
[homes]
comment = Home Directorie
browseable = no
read only = yes
valid users = %S
[backups]
comment = Backups Share
path = /media/diverse/backups
force user = xbmc
read only = no
guest ok = yes