samba - May 2025 - server signing = required

Hello to all,

I configured a samba Server as followed:
---------------
[global]
         bind interfaces only = Yes
         client signing = required
         disable netbios = Yes
         interfaces = 192.168.56.45
         realm = EXAMPLE.NET
         security = ADS
         server min protocol = SMB3
         server signing = required
         smb ports = 445
         template shell = /bin/bash
         winbind refresh tickets = Yes
         winbind use default domain = Yes
         workgroup = EXAMPLE
         idmap config example : range = 1000000 - 1999999
         idmap config example : backend = rid
         idmap config * : range = 10000 - 19999
         idmap config * : backend = tdb
         inherit acls = Yes
         vfs objects = acl_xattr
---------------

So server- ad client-signing is required. If I test with nmap I see:
----------------
nmap --script smb2-security-mode 192.168.56.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
Nmap scan report for 192.168.56.45
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
445/tcp open  microsoft-ds
MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
----------------
I expected that signing is shown as required?
What do I have to do, that signing is required?

Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20250528/a729eeea/OpenPGP_signature.sig>

On Wed, 28 May 2025 18:25:50 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello to all,
> 
> I configured a samba Server as followed:
> ---------------
> [global]
>          bind interfaces only = Yes
>          client signing = required
>          disable netbios = Yes
>          interfaces = 192.168.56.45
>          realm = EXAMPLE.NET
>          security = ADS
>          server min protocol = SMB3
>          server signing = required
>          smb ports = 445
>          template shell = /bin/bash
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = EXAMPLE
>          idmap config example : range = 1000000 - 1999999
>          idmap config example : backend = rid
>          idmap config * : range = 10000 - 19999
>          idmap config * : backend = tdb
>          inherit acls = Yes
>          vfs objects = acl_xattr
> ---------------
> 
> So server- ad client-signing is required. If I test with nmap I see:
> ----------------
> nmap --script smb2-security-mode 192.168.56.45
> Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
> Nmap scan report for 192.168.56.45
> Host is up (0.00010s latency).
> Not shown: 998 closed tcp ports (reset)
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 445/tcp open  microsoft-ds
> MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)
> 
> Host script results:
> | smb2-security-mode:
> |   3:1:1:
> |_    Message signing enabled but not required
> 
> Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
> ----------------
> I expected that signing is shown as required?
> What do I have to do, that signing is required?
ER, read 'man smb.conf' where 'server signing' shows that
'required' is
not a valid value. 

Rowland

On Wednesday, 28 May 2025 18:25:50 Central European Summer Time Stefan Kania 
via samba wrote:
> Hello to all,
> 
> I configured a samba Server as followed:
> ---------------
> [global]
>          bind interfaces only = Yes
>          client signing = required
>          disable netbios = Yes
>          interfaces = 192.168.56.45
>          realm = EXAMPLE.NET
>          security = ADS
>          server min protocol = SMB3
>          server signing = required
>          smb ports = 445
>          template shell = /bin/bash
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = EXAMPLE
>          idmap config example : range = 1000000 - 1999999
>          idmap config example : backend = rid
>          idmap config * : range = 10000 - 19999
>          idmap config * : backend = tdb
>          inherit acls = Yes
>          vfs objects = acl_xattr
> ---------------
when setting 'server min protocol' the best is to be specific, as
'SMB3' is an
alias which might change. Currently it means SMB3_11.

server min protocol = SMB3_00

Since SMB2 singing is mandatory by the protocol definition. It doesn't
really
matter what you set with 'server singing'. The value is ignored.


	Andreas




-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D