Jones Syue 薛懷宗
2024-Apr-01 10:56 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
> I can't say for sure but I *think* each time the client is windows server 2012.

Looks good :) If run this script[1] to test multiple dialects, found only
SMB3_00 and SMB3_02 has this "(sign_algo_id=1)", and per doc[2] it could
be happened with ws2012 and ws2012r2.

Perhaps some kind of services, like antivirus scan LAN, or printer access,
access attempts to samba server via guest or anonymous account trigger this
log, not quite sure just a preliminary guess :)

Is 'Event Viewer' of windows server 2012 could see similar event about
bad/invalid signature too?

[1] Ubuntu 22.04.4, Samba 4.15.13
for max in SMB2_10 SMB3_00 SMB3_02 SMB3_11; \
do \
echo $max; \
smbclient -U 'nobody%nobody' --option='client signing=required' -m${max} -L 127.0.0.1 2>&1 | grep sign_algo_id; \
done;

And the output:
Bad SMB2 (sign_algo_id=0) signature for message
SMB3_00
Bad SMB2 (sign_algo_id=1) signature for message
SMB3_02
Bad SMB2 (sign_algo_id=1) signature for message
SMB3_11
Bad SMB2 (sign_algo_id=2) signature for message

[2] https://learn.microsoft.com/en-us/archive/blogs/josebda/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using

--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
Michael Tokarev
2024-Apr-01 11:09 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
01.04.2024 13:56, Jones Syue 薛懷宗:
>> I can't say for sure but I *think* each time the client is windows server 2012.
>
> Looks good :) If run this script[1] to test multiple dialects, found only
> SMB3_00 and SMB3_02 has this "(sign_algo_id=1)", and per doc[2] it could
> be happened with ws2012 and ws2012r2.

This *is* 2012 r2. The protocol version it negotiates is shown by
smbstatus on samba server, it is SMB3_02. More modern workstations
negotiate SMB3_11.

> Perhaps some kind of services, like antivirus scan LAN, or printer access,
> access attempts to samba server via guest or anonymous account trigger this
> log, not quite sure just a preliminary guess :)

There's no antivirus running on these machines. At least we tried to
disable everything. The access *is* anonymous, always, this is a
read-only anonymous share with a big application used by multiple users.
It has public=yes, map_to_guest=invalid_user.

I can't say when exactly this error is logged.

> Is 'Event Viewer' of windows server 2012 could see similar event about
> bad/invalid signature too?

Somehow I forgot to look there. Let's see..

/mjt
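
As an added example (not part of either message, and not Samba's own code): a shell function that tallies these log entries by sign_algo_id, names the algorithm each id stands for in MS-SMB2 (0 = HMAC-SHA256, 1 = AES-128-CMAC, 2 = AES-128-GMAC), and reports the first and last occurrence. The sample log lines, the PLACEHOLDER source location and the two-line header/message layout are assumptions; the dialect column repeats what the smbclient test in the first message reported.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Summarises "Bad SMB2 ... signature"
# entries in smbd log text per signing algorithm. Assumes the two-line log
# layout: a "[date time, level] ..." header, then the message line.
tally_bad_signatures() {
  awk '
    BEGIN {
      OFS = "\t"
      # Signing algorithm ids per MS-SMB2; dialects as reported in the thread.
      algo[0] = "HMAC-SHA256";  dial[0] = "SMB2_10"
      algo[1] = "AES-128-CMAC"; dial[1] = "SMB3_00/SMB3_02"
      algo[2] = "AES-128-GMAC"; dial[2] = "SMB3_11"
    }
    # Remember the timestamp of the most recent header line.
    /^\[[0-9]/ { ts = substr($1, 2) " " $2; sub(/,$/, "", ts); next }
    /Bad SMB2 \(sign_algo_id=[0-9]+\) signature for message/ {
      match($0, /sign_algo_id=[0-9]+/)
      id = substr($0, RSTART + 13, RLENGTH - 13) + 0
      if (!(id in count)) first[id] = ts
      count[id]++; last[id] = ts
    }
    END {
      # Columns: id, algorithm, dialect(s), count, first seen, last seen.
      for (id in count)
        print id, ((id in algo) ? algo[id] : "unknown"), ((id in dial) ? dial[id] : "?"), count[id], first[id], last[id]
    }
  ' "$@" | sort -n
}

# Constructed sample log (timestamps and source locations are placeholders).
sample_log() {
  cat <<'EOF'
[2024/04/01 10:50:11.000001,  0] PLACEHOLDER.c:0(placeholder_func)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/01 10:50:12.000002,  3] PLACEHOLDER.c:0(placeholder_func)
  unrelated message
[2024/04/01 10:52:30.000003,  0] PLACEHOLDER.c:0(placeholder_func)
  Bad SMB2 (sign_algo_id=2) signature for message
[2024/04/01 10:56:45.000004,  0] PLACEHOLDER.c:0(placeholder_func)
  Bad SMB2 (sign_algo_id=1) signature for message
EOF
}

sample_log | tally_bad_signatures
```

Pass one or more log file paths as arguments to scan real logs instead of stdin.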