ali-reza.fahimi at schneider-electric.com
2015-Jan-05 16:31 UTC
[Samba] Mandatory Server Signing with Windows 7
When I enable server signing in Samba (server signing = mandatory), I can still join a Window 7 machine to the domain but I am no longer able to log on into the domain using a domain user. Is this normal? I am using Samba 3.6.3 on Linux 12.04. Is there anything that needs to be configured on the Windows machine? Thanks, Ali
I am fairly certain you do not want server signing = mandatory https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains On 01/05/15 11:31, ali-reza.fahimi at schneider-electric.com wrote:> > > When I enable server signing in Samba (server signing = mandatory), I can > still join a Window 7 machine to the domain but I am no longer able to log > on into the domain using a domain user. Is this normal? I am using Samba > 3.6.3 on Linux 12.04. Is there anything that needs to be configured on the > Windows machine? > > Thanks, > Ali
I have not tried with a Samba 4.x DC. As far as I know Samba 4.x does not have this limitation. On 01/06/15 04:10, ali-reza.fahimi at schneider-electric.com wrote:> > Does this mean that we cannot use mandatory server signing in Samba 3? > What about the later versions? The problem is that lack of server > signing is considered a security hole. > > > Inactive hide details for Gaiseric Vandal ---01/05/2015 05:52:53 > PM---I am fairly certain you do not want server signing = mandGaiseric > Vandal ---01/05/2015 05:52:53 PM---I am fairly certain you do not want > server signing = mandatory https://wiki.samba.org/index.php/Regi > > De : Gaiseric Vandal <gaiseric.vandal at gmail.com> > A : samba at lists.samba.org, > Date : 01/05/2015 05:52 PM > Objet : Re: [Samba] Mandatory Server Signing with Windows 7 > Envoy? par : samba-bounces at lists.samba.org > > ------------------------------------------------------------------------ > > > > I am fairly certain you do not want server signing = mandatory > > > https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains > > > > > > On 01/05/15 11:31, ali-reza.fahimi at schneider-electric.com wrote: > > > > > > When I enable server signing in Samba (server signing = mandatory), > I can > > still join a Window 7 machine to the domain but I am no longer able > to log > > on into the domain using a domain user. Is this normal? I am using Samba > > 3.6.3 on Linux 12.04. Is there anything that needs to be configured > on the > > Windows machine? > > > > Thanks, > > Ali > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud service. > ______________________________________________________________________ >
The wiki page settings control a netlogon security setting. I guess the "server signing" parameter applies to all the other traffic. But my guess - and it is only a guess- is that requiring server signing is causing the netlogon process to break since it does not support signing. The e-mail chain you reference does not make it clear if the samba instance is a domain controller or a standalone server. You may want to increase logging level and look through the samba logs. On 01/08/15 07:39, ali-reza.fahimi at schneider-electric.com wrote:> > In this mailing chain, Volker states that in order to enable server > signing, I simply need to set server signing = mandatory. > I do not understand why I cannot use it? > > https://lists.samba.org/archive/samba/2010-November/159265.html > > > Inactive hide details for Gaiseric Vandal ---01/06/2015 11:46:05 > PM---I have not tried with a Samba 4.x DC. As far as I know SaGaiseric > Vandal ---01/06/2015 11:46:05 PM---I have not tried with a Samba 4.x > DC. As far as I know Samba 4.x does not have this limitation. > > De : Gaiseric Vandal <gaiseric.vandal at gmail.com> > A : Ali-Reza FAHIMI/FRLAT01/Schneider/SEI at ATD, Samba > <samba at lists.samba.org>, > Date : 01/06/2015 11:46 PM > Objet : Re: [Samba] Mandatory Server Signing with Windows 7 > Envoy? par : samba-bounces at lists.samba.org > > ------------------------------------------------------------------------ > > > > I have not tried with a Samba 4.x DC. As far as I know Samba 4.x does > not have this limitation. > > > On 01/06/15 04:10, ali-reza.fahimi at schneider-electric.com wrote: > > > > Does this mean that we cannot use mandatory server signing in Samba 3? > > What about the later versions? The problem is that lack of server > > signing is considered a security hole. > > > > > > Inactive hide details for Gaiseric Vandal ---01/05/2015 05:52:53 > > PM---I am fairly certain you do not want server signing = mandGaiseric > > Vandal ---01/05/2015 05:52:53 PM---I am fairly certain you do not want > > server signing = mandatory https://wiki.samba.org/index.php/Regi > > > > De : Gaiseric Vandal <gaiseric.vandal at gmail.com> > > A : samba at lists.samba.org, > > Date : 01/05/2015 05:52 PM > > Objet : Re: [Samba] Mandatory Server Signing with Windows 7 > > Envoy? par : samba-bounces at lists.samba.org > > > > ------------------------------------------------------------------------ > > > > > > > > I am fairly certain you do not want server signing = mandatory > > > > > > https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains > > > > > > > > > > > > On 01/05/15 11:31, ali-reza.fahimi at schneider-electric.com wrote: > > > > > > > > > When I enable server signing in Samba (server signing = mandatory), > > I can > > > still join a Window 7 machine to the domain but I am no longer able > > to log > > > on into the domain using a domain user. Is this normal? I am using > Samba > > > 3.6.3 on Linux 12.04. Is there anything that needs to be configured > > on the > > > Windows machine? > > > > > > Thanks, > > > Ali > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > ______________________________________________________________________ > > This email has been scanned by the Symantec Email Security.cloud > service. > > ______________________________________________________________________ > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud service. > ______________________________________________________________________ >
Seemingly Similar Threads
- Mandatory Server Signing with Windows 7
- Mandatory Server Signing with Windows 7
- Fwd: Not able to join windows 10 clients to samba 3.6.23 NT4 Style PDC
- Fwd: Not able to join windows 10 clients to samba 3.6.23 NT4 Style PDC
- Fwd: Not able to join windows 10 clients to samba 3.6.23 NT4 Style PDC