Steve Leung
2020-Dec-10 18:19 UTC
[Samba] 4.13.2 guest access denied with "Bad SMB2 signature"
On 2020-12-10 10:42 a.m., Jeremy Allison wrote:
> On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba wrote:
>>
>> Guest access to file shares in Samba 4.13.2 seems to be broken. The
>> logs report a "Bad SMB2 signature" error, and the client sees an
>> "access denied" error. This looks like a regression IMO, but I'd like
>> to check that I'm not doing something wrong.
>
> Correct me if I'm wrong, but doesn't guest access prohibit
> signing and encryption?
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

That does sound correct, and I'd agree that there are many situations where guest access is a Bad Idea.

But it's still a documented (and presumably supported?) Samba configuration that has worked in the past - if that's changing then it should be made explicit.

For myself, it's something I can work around without much fuss, but I'm just concerned that I've stumbled upon a regression.

Steve
Jeremy Allison
2020-Dec-10 18:25 UTC
[Samba] 4.13.2 guest access denied with "Bad SMB2 signature"
On Thu, Dec 10, 2020 at 11:19:24AM -0700, Steve Leung via samba wrote:
>On 2020-12-10 10:42 a.m., Jeremy Allison wrote:
>>On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba wrote:
>>>
>>>Guest access to file shares in Samba 4.13.2 seems to be broken.
>>>The logs report a "Bad SMB2 signature" error, and the client sees
>>>an "access denied" error. This looks like a regression IMO, but
>>>I'd like to check that I'm not doing something wrong.
>>
>>Correct me if I'm wrong, but doesn't guest access prohibit
>>signing and encryption?
>>
>>https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
>
>That does sound correct, and I'd agree that there are many situations
>where guest access is a Bad Idea.
>
>But it's still a documented (and presumably supported?) Samba
>configuration that has worked in the past - if that's changing then it
>should be made explicit.
>
>For myself, it's something I can work around without much fuss, but
>I'm just concerned that I've stumbled upon a regression.

I think if it worked in the past it may have been an accident. There's no session key that can be used for signing I think.