We have just made the required changes to implement SMB Signing. We are
now using LDAP/Kerberos to authenticate users.
We joined the SAMBA server to the domain via the net ads join .... command.
Everything works except that the add user script feature doesn't seem to
work consistently. I can manually add users to the local AIX machine
with the same script and the user can then map their drives. However, SAMBA
does not do it automatically per design. Below is the Global section from
my smb.conf. Any assistance would be greatly appreciated. I have obfuscated
portions for security.

[global]
workgroup = INM
realm = INMAR.COM
interfaces = 99.999.999.999
netbios name = AAAAAA
netbios aliases = BBBBBB
security = ADS
add user script = /usr/sbin/smbusradd -g usr -G usr %u
log file = /var/samba/log/log.%m
log level = 3 passdb:5 auth:5
wins server = xxxxxxx.inmar.com
password server = xxxxxxx.inmar.com
socket address = 99.999.999.999
server min protocol = SMB2
server signing = mandatory
create mask = 0666

On Sun, Aug 8, 2021 at 7:08 PM Philip Cunio <phil.cunio at inmar.com>
wrote:
> We have just implemented the requirement for SMB signing to be mandatory.
> I have made the required changes to smb.conf but it is not working. Windows
> clients requiring SMB signing as mandatory can not connect. If we remove
> that requirement, the client can connect. We are running SAMBA 4.10.6 on
> AIX 7.1 TL5. Below is the pertinent information from /etc/samba/smb.conf:
>
> [global]
> workgroup = INMAR
> netbios name = SERVERA
> interfaces = xx.xxx.xx.xx
> # security = SHARE
> map to guest = Bad Password
> null passwords = Yes
> # log level = 5
> username map = /usr/local/lib/users.map
> log file = /var/samba/log/log.%m
> name resolve order = wins host bcast
> unix extensions = No
> wins server = xx.xxx.xxx.xxx
> socket address = xx.xxx.xxx.xx
> client min protocol = SMB2
> server signing = mandatory
> client signing = mandatory
>
> [files]
> comment = flat files
> path = /data/unload/flat_files
> read only = No
> guest ok = Yes
> wide links = Yes
>
> *I have obfuscated the IP addresses for security reasons.
>
> Clients are able to connect as long as they do not require SMB Signing.
>
> I have confirmed that I successfully restarted samba after I made the
> change to smb.conf by doing
> ps -ef | grep smbd (noted samba PID)
> smbd restart
> ps -ef | grep smbd (noted that samba PID changed from above)
>
> I have also run Testparm against smb.conf and there were no errors found.
>
> I have verified that the smb.conf file I am changing is the one being used
> by smbd daemon
> /opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf
>
>
> What setting am I missing or could be disabling the server signing
> mandatory option?
>
> Thanks,
> Phil
>
> --
>
> *Philip Cunio*
>
> Data Center Director, Inmar Technology Solutions