Hello to all,

I configured a samba Server as follows:
---------------
[global]
        bind interfaces only = Yes
        client signing = required
        disable netbios = Yes
        interfaces = 192.168.56.45
        realm = EXAMPLE.NET
        security = ADS
        server min protocol = SMB3
        server signing = required
        smb ports = 445
        template shell = /bin/bash
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = EXAMPLE
        idmap config example : range = 1000000 - 1999999
        idmap config example : backend = rid
        idmap config * : range = 10000 - 19999
        idmap config * : backend = tdb
        inherit acls = Yes
        vfs objects = acl_xattr
---------------

So server- and client-signing is required. If I test with nmap I see:
----------------
nmap --script smb2-security-mode 192.168.56.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
Nmap scan report for 192.168.56.45
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
445/tcp open  microsoft-ds
MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
----------------
I expected that signing is shown as required?
What do I have to do, that signing is required?

Stefan

On Wed, 28 May 2025 18:25:50 +0200 Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello to all,
>
> I configured a samba Server as follows:
> ---------------
> [global]
>         bind interfaces only = Yes
>         client signing = required
>         disable netbios = Yes
>         interfaces = 192.168.56.45
>         realm = EXAMPLE.NET
>         security = ADS
>         server min protocol = SMB3
>         server signing = required
>         smb ports = 445
>         template shell = /bin/bash
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = EXAMPLE
>         idmap config example : range = 1000000 - 1999999
>         idmap config example : backend = rid
>         idmap config * : range = 10000 - 19999
>         idmap config * : backend = tdb
>         inherit acls = Yes
>         vfs objects = acl_xattr
> ---------------
>
> So server- and client-signing is required. If I test with nmap I see:
> ----------------
> nmap --script smb2-security-mode 192.168.56.45
> Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
> Nmap scan report for 192.168.56.45
> Host is up (0.00010s latency).
> Not shown: 998 closed tcp ports (reset)
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 445/tcp open  microsoft-ds
> MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)
>
> Host script results:
> | smb2-security-mode:
> |   3:1:1:
> |_    Message signing enabled but not required
>
> Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
> ----------------
> I expected that signing is shown as required?
> What do I have to do, that signing is required?

ER, read 'man smb.conf' where 'server signing' shows that 'required' is not a valid value.

Rowland

On Wednesday, 28 May 2025 18:25:50 Central European Summer Time Stefan Kania via samba wrote:

> Hello to all,
>
> I configured a samba Server as follows:
> ---------------
> [global]
>         bind interfaces only = Yes
>         client signing = required
>         disable netbios = Yes
>         interfaces = 192.168.56.45
>         realm = EXAMPLE.NET
>         security = ADS
>         server min protocol = SMB3
>         server signing = required
>         smb ports = 445
>         template shell = /bin/bash
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = EXAMPLE
>         idmap config example : range = 1000000 - 1999999
>         idmap config example : backend = rid
>         idmap config * : range = 10000 - 19999
>         idmap config * : backend = tdb
>         inherit acls = Yes
>         vfs objects = acl_xattr
> ---------------

When setting 'server min protocol' the best is to be specific, as 'SMB3' is an alias which might change. Currently it means SMB3_11.

        server min protocol = SMB3_00

Since SMB2 signing is mandatory by the protocol definition, it doesn't really matter what you set with 'server signing'. The value is ignored.

        Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
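
The nmap line discussed in this thread is a rendering of the SecurityMode field in the server's SMB2 NEGOTIATE response. The decoder below is an added example, not part of the thread and not Samba or nmap code; field offsets follow MS-SMB2, the function names are hypothetical and the sample bytes are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64             # fixed SMB2 header size
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

def parse_negotiate_response(pdu: bytes) -> dict:
    """Decode dialect and signing policy from a raw SMB2 NEGOTIATE response
    (the 4-byte TCP transport length prefix must already be stripped)."""
    if len(pdu) < HEADER_LEN + 6 or pdu[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 message")
    hdr_size, = struct.unpack_from("<H", pdu, 4)
    command, = struct.unpack_from("<H", pdu, 12)
    if hdr_size != HEADER_LEN or command != 0x0000:   # 0x0000 = NEGOTIATE
        raise ValueError("not an SMB2 NEGOTIATE response")
    # Response body starts with StructureSize(65), SecurityMode, DialectRevision.
    body_size, sec_mode, dialect = struct.unpack_from("<HHH", pdu, HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    if sec_mode & SIGNING_REQUIRED:
        signing = "required"
    elif sec_mode & SIGNING_ENABLED:
        signing = "enabled but not required"
    else:
        signing = "disabled"
    return {
        # Same major:minor:revision rendering as the nmap output in the thread.
        "dialect": f"{dialect >> 8}:{(dialect >> 4) & 0xF}:{dialect & 0xF}",
        "security_mode": sec_mode,
        "signing": signing,
    }

def build_sample(sec_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed test input: minimal header plus the first body fields."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1,
                                      0, 0, 0, 0, 0, b"\x00" * 16)
    return header + struct.pack("<HHH", 65, sec_mode, dialect) + b"\x00" * 58

if __name__ == "__main__":
    for mode in (0x0001, 0x0003):
        print(parse_negotiate_response(build_sample(mode)))
```

A SecurityMode of 0x0001 yields the "enabled but not required" wording seen in the scan output; the required bit (0x0002) is what a scanner needs to see to report signing as required.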