Hello to all,
I configured a Samba server as follows:
---------------
[global]
bind interfaces only = Yes
client signing = required
disable netbios = Yes
interfaces = 192.168.56.45
realm = EXAMPLE.NET
security = ADS
server min protocol = SMB3
server signing = required
smb ports = 445
template shell = /bin/bash
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = EXAMPLE
idmap config example : range = 1000000 - 1999999
idmap config example : backend = rid
idmap config * : range = 10000 - 19999
idmap config * : backend = tdb
inherit acls = Yes
vfs objects = acl_xattr
---------------
So server- and client-signing is required. If I test with nmap I see:
----------------
nmap --script smb2-security-mode 192.168.56.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
Nmap scan report for 192.168.56.45
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
445/tcp open microsoft-ds
MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
----------------
I expected that signing is shown as required?
What do I have to do, that signing is required?
Stefan

On Wed, 28 May 2025 18:25:50 +0200 Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello to all,
>
> I configured a Samba server as follows:
> ---------------
> [global]
> bind interfaces only = Yes
> client signing = required
> disable netbios = Yes
> interfaces = 192.168.56.45
> realm = EXAMPLE.NET
> security = ADS
> server min protocol = SMB3
> server signing = required
> smb ports = 445
> template shell = /bin/bash
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EXAMPLE
> idmap config example : range = 1000000 - 1999999
> idmap config example : backend = rid
> idmap config * : range = 10000 - 19999
> idmap config * : backend = tdb
> inherit acls = Yes
> vfs objects = acl_xattr
> ---------------
>
> So server- and client-signing is required. If I test with nmap I see:
> ----------------
> nmap --script smb2-security-mode 192.168.56.45
> Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
> Nmap scan report for 192.168.56.45
> Host is up (0.00010s latency).
> Not shown: 998 closed tcp ports (reset)
> PORT STATE SERVICE
> 22/tcp open ssh
> 445/tcp open microsoft-ds
> MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)
>
> Host script results:
> | smb2-security-mode:
> | 3:1:1:
> |_ Message signing enabled but not required
>
> Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
> ----------------
> I expected that signing is shown as required?
> What do I have to do, that signing is required?

ER, read 'man smb.conf' where 'server signing' shows that 'required' is not a valid value.

Rowland

On Wednesday, 28 May 2025 18:25:50 Central European Summer Time Stefan Kania via samba wrote:
> Hello to all,
>
> I configured a Samba server as follows:
> ---------------
> [global]
> bind interfaces only = Yes
> client signing = required
> disable netbios = Yes
> interfaces = 192.168.56.45
> realm = EXAMPLE.NET
> security = ADS
> server min protocol = SMB3
> server signing = required
> smb ports = 445
> template shell = /bin/bash
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EXAMPLE
> idmap config example : range = 1000000 - 1999999
> idmap config example : backend = rid
> idmap config * : range = 10000 - 19999
> idmap config * : backend = tdb
> inherit acls = Yes
> vfs objects = acl_xattr
> ---------------

When setting 'server min protocol' the best is to be specific, as 'SMB3' is an alias which might change. Currently it means SMB3_11.

    server min protocol = SMB3_00

Since SMB2 signing is mandatory by the protocol definition. It doesn't really matter what you set with 'server signing'. The value is ignored.

Andreas

--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
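
The SMB2 NEGOTIATE response carries a SecurityMode field whose flags (0x0001 signing enabled, 0x0002 signing required, per MS-SMB2) are what a signing check like the one in this thread reports on. The following Python is an added example, not part of the thread and not nmap's or Samba's code; it decodes that field and the dialect from a response PDU, and the sample PDU and the helper name build_sample are constructed for illustration.

```python
import struct

# Constants from the SMB2 wire format (MS-SMB2).
SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64
CMD_NEGOTIATE = 0x0000
FLAG_RESPONSE = 0x00000001      # SMB2_FLAGS_SERVER_TO_REDIR
SIGNING_ENABLED = 0x0001        # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002       # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_negotiate_response(pdu: bytes) -> dict:
    """Decode SecurityMode and DialectRevision from an SMB2 NEGOTIATE response."""
    if len(pdu) < HEADER_LEN + 6:
        raise ValueError("PDU too short for an SMB2 NEGOTIATE response")
    if pdu[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header offsets: Status at 8, Command at 12, Credits at 14, Flags at 16.
    status, command, _credits, flags = struct.unpack_from("<IHHI", pdu, 8)
    if command != CMD_NEGOTIATE or status != 0 or not flags & FLAG_RESPONSE:
        raise ValueError("not a successful NEGOTIATE response")
    # Body starts after the 64-byte header: StructureSize, SecurityMode, Dialect.
    body_size, sec_mode, dialect = struct.unpack_from("<HHH", pdu, HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    if sec_mode & SIGNING_REQUIRED:
        signing = "required"
    elif sec_mode & SIGNING_ENABLED:
        signing = "enabled but not required"
    else:
        signing = "disabled"
    return {
        "dialect": f"{dialect >> 8}.{(dialect >> 4) & 0xF}.{dialect & 0xF}",
        "security_mode": sec_mode,
        "signing": signing,
    }


def build_sample(sec_mode: int, dialect: int) -> bytes:
    """Constructed sample PDU: only the fields the parser reads are filled in."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHI", HEADER_LEN, 0, 0, CMD_NEGOTIATE, 1, FLAG_RESPONSE)
    body = struct.pack("<HHH", 65, sec_mode, dialect)
    return header.ljust(HEADER_LEN, b"\x00") + body.ljust(64, b"\x00")


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):   # constructed SecurityMode values
        print(parse_negotiate_response(build_sample(mode, 0x0311)))
```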