Jeremy Allison
2020-Dec-10 17:42 UTC
[Samba] 4.13.2 guest access denied with "Bad SMB2 signature"
On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba wrote:
> Hi all,
>
> Guest access to file shares in Samba 4.13.2 seems to be broken. The
> logs report a "Bad SMB2 signature" error, and the client sees an
> "access denied" error. This looks like a regression IMO, but I'd like
> to check that I'm not doing something wrong.
>
> Clients tested:
> - AndSMB app on Android
> - Windows 10 laptop
>
> I've trimmed my smb.conf down to the essentials for a standalone
> server, based on:

Correct me if I'm wrong, but doesn't guest access prohibit signing and encryption?

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

Note: "Guest logons do not support standard security features such as signing and encryption. Therefore, guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure (nonsecure) guest logons by default. Microsoft recommends that you do not enable insecure guest logons."
Steve Leung
2020-Dec-10 18:19 UTC
[Samba] 4.13.2 guest access denied with "Bad SMB2 signature"
On 2020-12-10 10:42 a.m., Jeremy Allison wrote:
> On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba wrote:
>>
>> Guest access to file shares in Samba 4.13.2 seems to be broken. The
>> logs report a "Bad SMB2 signature" error, and the client sees an
>> "access denied" error. This looks like a regression IMO, but I'd like
>> to check that I'm not doing something wrong.
>
> Correct me if I'm wrong, but doesn't guest access prohibit
> signing and encryption?
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

That does sound correct, and I'd agree that there are many situations where guest access is a Bad Idea. But it's still a documented (and presumably supported?) Samba configuration that has worked in the past - if that's changing then it should be made explicit.

For myself, it's something I can work around without much fuss, but I'm just concerned that I've stumbled upon a regression.

Steve