samba - Nov 2013 - win7 domain pc to standalone samba server

I'm trying to map a network drive using my workplace's Win7 laptop to a
fileserver at home. The Win7 laptop is joined to the work domain.  The
fileserver is my own standalone fileserver, not joined to any domain, and is
configured to be accessible to everyone without authentcation.

I'm not able to get this to work, with varying error messages from Windows
("The account is not authorized to login from this station", etc). 
This message made me look into client/server signing settings.  But when I tried
to enable signing, I'm not even able to map the share using smbclient on my
own fileserver.

So, my questions are:
1.  How to map a network share on a standalone samba server from a computer that
is joined to domain.

2.  Can a standalone samba server implement smb signing?  Or maybe there's
something wrong with my configuration because my smbclient can't even talk
to samba.


Samba (4.0.6+dfsg) is configured thus:
[global]
        workgroup = HOME
        server role = standalone server
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        server signing = if_required
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb

[shares]
        path = /shares
        read only = No
        guest ok = Yes


When I try to map this share using smbclient, I get these:

$ smbclient -N  //localhost/shares -S required -d 10
[snipped]
smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20                            BSRSPYL  
smb_signing_activate: user_session_key
[0000] 21 53 41 A7 EB 74 5B 55   37 58 31 34 89 5E 55 10   !SA..t[U 7X14.^U.
smb_signing_activate: NULL response_data
smb_signing_md5: sequence number 1
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] 7D 4C 0A 44 B2 8E F0 1E                            }L.D.... 
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 42 53 52 53 50 59 4C 20                            BSRSPYL  
smb_signing_md5: sequence number 4294967292
smb_signing_md5: sequence number 4294967293
smb_signing_md5: sequence number 4294967294
smb_signing_md5: sequence number 4294967295
smb_signing_md5: sequence number 0
smb_signing_md5: sequence number 1
smb_signing_md5: sequence number 2
smb_signing_md5: sequence number 3
smb_signing_md5: sequence number 4
smb_signing_md5: sequence number 5
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
[snipped]

If I set "server signing=mandatory" and use "smbclient -N
//localhost/shares -S on -d 10", I get

smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20                            BSRSPYL  
smb_signing_activate: user_session_key
[0000] B7 FD 5B E4 15 E3 7C 97   03 FB 4B 8D C0 20 44 52   ..[...|. ..K.. DR
smb_signing_activate: NULL response_data
smb_signing_md5: sequence number 1
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] A1 A1 1B 1B 4D 32 32 EA                            ....M22. 
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 42 53 52 53 50 59 4C 20                            BSRSPYL  
smb_signing_md5: sequence number 4294967292
smb_signing_md5: sequence number 4294967293
smb_signing_md5: sequence number 4294967294
smb_signing_md5: sequence number 4294967295
smb_signing_md5: sequence number 0
smb_signing_md5: sequence number 1
smb_signing_md5: sequence number 2
smb_signing_md5: sequence number 3
smb_signing_md5: sequence number 4
smb_signing_md5: sequence number 5
smb_signing_good: signing negotiated but not required and peer isn't sending
correct signatures. Turning off.

Can anyone shed light please?

1. Can I implement smb signing on standalone samba server and client?  

2. Is it possible for a domain-joined pc to map a network share on a standalone
samba server, with smb signing?
>From a bit of cursory reading, I thought that smb signing just uses the
negotiated session key to create a hmac for the packets, and that it doesn't
actually reqiure either party to be authenticated as members of the same domain.
--------------------------------------------
On Wed, 11/6/13, Mike Kakowski <kmikey90 at yahoo.com> wrote:

 I'm trying to map a network drive
 using my workplace's Win7 laptop to a fileserver at home.
 The Win7 laptop is joined to the work domain.? The
 fileserver is my own standalone fileserver, not joined to
 any domain, and is configured to be accessible to everyone
 without authentcation.? 
 
 I'm not able to get this to work, with varying error
 messages from Windows ("The account is not authorized to
 login from this station", etc).? This message made me
 look into client/server signing settings.? But when I
 tried to enable signing, I'm not even able to map the share
 using smbclient on my own fileserver.
 
 So, my questions are:
 1.? How to map a network share on a standalone samba
 server from a computer that is joined to domain.? 
 
 2.? Can a standalone samba server implement smb
 signing?? Or maybe there's something wrong with my
 configuration because my smbclient can't even talk to
 samba.
 
 
 Samba (4.0.6+dfsg) is configured thus:
 [global]
 ? ? ? ? workgroup = HOME
 ? ? ? ? server role = standalone server
 ? ? ? ? map to guest = Bad User
 ? ? ? ? obey pam restrictions = Yes
 ? ? ? ? pam password change = Yes
 ? ? ? ? passwd program = /usr/bin/passwd
 %u
 ? ? ? ? passwd chat  *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:*
 %n\n *password\supdated\ssuccessfully* .
 ? ? ? ? unix password sync = Yes
 ? ? ? ? syslog = 0
 ? ? ? ? log file  /var/log/samba/log.%m
 ? ? ? ? max log size = 1000
 ? ? ? ? client signing = if_required
 ? ? ? ? server signing = if_required
 ? ? ? ? usershare allow guests = Yes
 ? ? ? ? panic action  /usr/share/samba/panic-action %d
 ? ? ? ? idmap config * : backend = tdb
 
 [shares]
 ? ? ? ? path = /shares
 ? ? ? ? read only = No
 ? ? ? ? guest ok = Yes
 
 
 When I try to map this share using smbclient, I get these:
 
 $ smbclient -N? //localhost/shares -S required -d 10
 [snipped]
 smb_signing_sign_pdu: sent SMB signature of
 [0000] 42 53 52 53 50 59 4C 20? ? ? ?
 ? ? ? ? ? ? ? ?
 ? ? BSRSPYL? 
 smb_signing_activate: user_session_key
 [0000] 21 53 41 A7 EB 74 5B 55???37 58 31 34
 89 5E 55 10???!SA..t[U 7X14.^U.
 smb_signing_activate: NULL response_data
 smb_signing_md5: sequence number 1
 smb_signing_check_pdu: BAD SIG: wanted SMB signature of
 [0000] 7D 4C 0A 44 B2 8E F0 1E? ? ? ?
 ? ? ? ? ? ? ? ?
 ? ? }L.D.... 
 smb_signing_check_pdu: BAD SIG: got SMB signature of
 [0000] 42 53 52 53 50 59 4C 20? ? ? ?
 ? ? ? ? ? ? ? ?
 ? ? BSRSPYL? 
 smb_signing_md5: sequence number 4294967292
 smb_signing_md5: sequence number 4294967293
 smb_signing_md5: sequence number 4294967294
 smb_signing_md5: sequence number 4294967295
 smb_signing_md5: sequence number 0
 smb_signing_md5: sequence number 1
 smb_signing_md5: sequence number 2
 smb_signing_md5: sequence number 3
 smb_signing_md5: sequence number 4
 smb_signing_md5: sequence number 5
 smb_signing_good: BAD SIG: seq 1
 SPNEGO login failed: Access denied
 [snipped]
 
 If I set "server signing=mandatory" and use "smbclient -N
 //localhost/shares -S on -d 10", I get
 
 smb_signing_sign_pdu: sent SMB signature of
 [0000] 42 53 52 53 50 59 4C 20? ? ? ?
 ? ? ? ? ? ? ? ?
 ? ? BSRSPYL? 
 smb_signing_activate: user_session_key
 [0000] B7 FD 5B E4 15 E3 7C 97???03 FB 4B 8D
 C0 20 44 52???..[...|. ..K.. DR
 smb_signing_activate: NULL response_data
 smb_signing_md5: sequence number 1
 smb_signing_check_pdu: BAD SIG: wanted SMB signature of
 [0000] A1 A1 1B 1B 4D 32 32 EA? ? ? ?
 ? ? ? ? ? ? ? ?
 ? ? ....M22. 
 smb_signing_check_pdu: BAD SIG: got SMB signature of
 [0000] 42 53 52 53 50 59 4C 20? ? ? ?
 ? ? ? ? ? ? ? ?
 ? ? BSRSPYL? 
 smb_signing_md5: sequence number 4294967292
 smb_signing_md5: sequence number 4294967293
 smb_signing_md5: sequence number 4294967294
 smb_signing_md5: sequence number 4294967295
 smb_signing_md5: sequence number 0
 smb_signing_md5: sequence number 1
 smb_signing_md5: sequence number 2
 smb_signing_md5: sequence number 3
 smb_signing_md5: sequence number 4
 smb_signing_md5: sequence number 5
 smb_signing_good: signing negotiated but not required and
 peer isn't sending correct signatures. Turning off.
 
 
 
 -- 
 To unsubscribe from this list go to the following URL and
 read the
 instructions:? https://lists.samba.org/mailman/options/samba