samba - Dec 2020 - 4.13.2 guest access denied with "Bad SMB2 signature"

Hi all,

Guest access to file shares in Samba 4.13.2 seems to be broken.  The 
logs report a "Bad SMB2 signature" error, and the client sees an
"access
denied" error.  This looks like a regression IMO, but I'd like to check
that I'm not doing something wrong.

Clients tested:
- AndSMB app on Android
- Windows 10 laptop

I've trimmed my smb.conf down to the essentials for a standalone server, 
based on:

 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server#Creating_a_Basic_guest_only_smb.conf_File

smb.conf:
   [global]
         map to guest = Bad User
         log file = /var/log/samba/%m
         log level = 1
         interfaces = enp0s25

   [pub]
         path = /pub
         read only = yes
         guest ok = yes
         guest only = yes

Example log with error:
   [2020/12/03 10:09:11.701342,  0] 
../../libcli/smb/smb2_signing.c:313(smb2_signing_check_pdu)
     Bad SMB2 signature for message
   [2020/12/03 10:09:11.701479,  0] ../../lib/util/util.c:682(dump_data)
     [0000] 43 33 6D E8 9F 44 78 4C   76 D1 A0 41 32 18 EF 1B   C3m..DxL 
v..A2...
   [2020/12/03 10:09:11.701571,  0] ../../lib/util/util.c:682(dump_data)
     [0000] AA 37 13 87 FB 50 A2 CE   96 F7 2C BC 78 F2 84 7E   .7...P.. 
..,.x..~


Other details:
- Distro is Arch Linux (x86-64).  Exact package samba 4.13.2-3.
- Removing "guest only" and connecting as an authenticated user works.
- I *think* this was last working as of 4.12.6, but this Samba service 
only sees occasional use, so I don't know exactly when things stopped 
working.  Downgrading might be possible for me but is a bit annoying. :)

Thanks for any assistance!  I can file a bug too if that looks warranted.

Steve

On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba
wrote:
>
>Hi all,
>
>Guest access to file shares in Samba 4.13.2 seems to be broken.  The 
>logs report a "Bad SMB2 signature" error, and the client sees an 
>"access denied" error.  This looks like a regression IMO, but
I'd like
>to check that I'm not doing something wrong.
>
>Clients tested:
>- AndSMB app on Android
>- Windows 10 laptop
>
>I've trimmed my smb.conf down to the essentials for a standalone 
>server, based on:
Correct me if I'm wrong, but doesn't guest access prohibit
signing and encryption ?

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

Note:

"Guest logons do not support standard security features such as signing and
encryption.
Therefore, guest logons are vulnerable to man-in-the-middle attacks that can
expose
sensitive data on the network. Windows disables insecure (nonsecure) guest
logons
by default. Microsoft recommends that you do not enable insecure guest
logons."