Olszewski, Raphael
2015-Mar-12 17:16 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hello

I have a samba server with a public share. It was configured with security=share.
Now I have to tighten security by setting those flags in the windows client:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
    EnablePlainTextPassword=0
    EnableSecuritySignature=1
    RequireSecuritySignature=1

Since this change the public share is not working anymore. I found that smb signing requires security=user
So I tried with this and it is not working either.

My config is

    [global]
        security = user
        auth methods = guest
        map to guest = Bad User
        log file = /var/log/samba/log.%m
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        server signing = required
    [pub]
        path = /fs1/smb_test_signing
        read only = No
        create mask = 0777
        directory mask = 0777
        guest only = Yes

The user coming from Windows to samba is NOT configured and user nobody as guest should be the one used at the end to write or read on the filesystem

I already updated from 3.6.3 and have now installed sernet-samba-4.1.17-11.suse111.x86_64 (SLES11 SP3)
The clients are Win7 clients joined to foreign domains

While debugging I see on the samba server side (stripped):

    [2015/03/12 15:44:01.506174, 6, pid=421, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2658(lp_file_list_changed)
      lp_file_list_changed()
      file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Mar 12 09:58:57 2015
    [2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
      &global_blob: struct smbXsrv_session_globalB
        version : SMBXSRV_VERSION_0 (0)
        seqnum : 0x00000002 (2)
        info : union smbXsrv_session_globalU(case 0)
        info0: struct smbXsrv_session_global0
          session_global_id : 0xfeda2f8e (4275711886)
          session_wire_id : 0x00000000feda2f8e (4275711886)
          creation_time : Thu Mar 12 03:44:01 PM 2015 CET
          expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
          auth_session_info_seqnum : 0x00000001 (1)
          auth_session_info: struct auth_session_info
            security_token: struct security_token
              num_sids : 0x00000008 (8)
              sids: ARRAY(8)
                sids : S-1-5-21-1006455019-4192495585-3927419034-501
                sids : S-1-5-21-1006455019-4192495585-3927419034-514
                sids : S-1-22-2-65533
                sids : S-1-22-2-65534
                sids : S-1-1-0
                sids : S-1-5-2
                sids : S-1-5-32-546
                sids : S-1-22-1-65534
              privilege_mask : 0x0000000000000000 (0)
              rights_mask : 0x00000000 (0)
            unix_token: struct security_unix_token
              uid : 0x000000000000fffe (65534)
              gid : 0x000000000000fffd (65533)
              ngroups : 0x00000002 (2)
              groups: ARRAY(2)
                groups : 0x000000000000fffd (65533)
                groups : 0x000000000000fffe (65534)
            info: struct auth_user_info
              account_name : 'nobody'
              domain_name : 'SMB'
              authenticated : 0x00 (0)
            unix_info: struct auth_user_info_unix
              unix_name : 'nobody'
            torture : NULL
            credentials : NULL
          connection_dialect : 0x0210 (528)
          signing_required : 0x00 (0)
          encryption_required : 0x00 (0)
          num_channels : 0x00000001 (1)
    [2015/03/12 15:44:01.514273, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2494(smbd_smb2_request_done_ex)
      smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:9] at ../source3/smbd/smb2_sesssetup.c:168
    [2015/03/12 15:44:01.514343, 50, pid=421, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
      s3_tevent: Destroying timer event 0x7fee588a5570 "smbd_smb2_request_pending_timer"
    [2015/03/12 15:44:01.514397, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
      smb2_set_operation_credit: requested 31, charge 1, granted 31, current possible/max 512/512, total granted/max/low/range 31/8192/4/31
    [2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
      smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
    [2015/03/12 15:44:01.515495, 4, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2015/03/12 15:44:01.515551, 5, pid=421, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
      Security token: (NULL)

Wondering about

    expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
    signing_required : 0x00 (0)
    encryption_required : 0x00 (0)

And then

    smb2_server.c:1002(smbd_server_connection_terminate_ex)
    smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304

The client shows ReasonCode: 0x80004005
When I change the registry to RequireSecuritySignature=0, I can access

How do I have to configure the smb-server to have a real public share for windows7-clients not being configured especially (domain, computer-account, user, ...)
Do I understand Security-signature wrong?
Is this scenario possible without the samba server being joined to the domain? (What I wanted)

Raphael
L.P.H. van Belle
2015-Mar-13 08:08 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hai,

Try these settings in global settings.

    ####### Authentication #######
    ## stand alone everything open.
        security = user
        guest ok = yes
        map to guest = bad password

add these to the share.

        guest ok = yes

Sets samba open without password prompt.
I use it at home for my kodi server.

Greetz,

Louis

>-----Original message-----
>From: r.olszewski at ssc-services.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Olszewski, Raphael
>Sent: Thursday, 12 March 2015 18:17
>To: samba at lists.samba.org
>Subject: [Samba] RequireSecuritySignature=1 and public share
>with guest not working
>
>Hello
>I have a samba server with a public share. It was configured
>with security=share.
>Now I have to tighten security by setting those flags in the
>windows client:
>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>EnablePlainTextPassword=0
>EnableSecuritySignature=1
>RequireSecuritySignature=1
>
>Since this change the public share is not working anymore. I
>found that smb signing requires security=user
>So I tried with this and it is not working either.
Olszewski, Raphael
2015-Mar-13 09:42 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi

I tried exactly your type of config.

With "RequireSecuritySignature=0" the anon access is working like expected.
As soon as I set "RequireSecuritySignature=1" it is not working anymore.

So it seems not to be the problem to configure the guest-access. But it seems to be the problem with requiring the signing.
Thought it can be fixed with the right config, but did not find a working combination.

Do I have to set up certificates for the signing?
Or how will the messages be signed?
My guess is that the signing isn't working like expected ...

Regards, Raphael
___________________________________________
-----Original message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Friday, 13 March 2015 09:08

Hai,

Try these settings in global settings.

    ####### Authentication #######
    ## stand alone everything open.
        security = user
        guest ok = yes
        map to guest = bad password

add these to the share.

        guest ok = yes

Sets samba open without password prompt.
I use it at home for my kodi server.

Greetz,

Louis

>-----Original message-----
>From: r.olszewski at ssc-services.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Olszewski, Raphael
>Sent: Thursday, 12 March 2015 18:17
>
>Hello
>I have a samba server with a public share. It was configured with
>security=share.
>Now I have to tighten security by setting those flags in the windows
>client:
>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>EnablePlainTextPassword=0
>EnableSecuritySignature=1
>RequireSecuritySignature=1
>..
>
>The client shows ReasonCode: 0x80004005 When I change the registry to
>RequireSecuritySignature=0, I can access
>
>How do I have to configure the smb-server to have a real public share for
>windows7-clients not being configured especially (domain,
>computer-account, user, ...) Do I understand Security-signature wrong?
>Is this scenario possible without the samba server being joined to the
>domain? (What I wanted)
>
>Raphael
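On the question above of how the messages get signed (an added example, not part of the original thread and not Samba's code): SMB2 signing involves no certificates; each message carries an HMAC keyed with the session key that user authentication produces. The sketch assumes the SMB 2.0.2/2.1 scheme (HMAC-SHA256, in line with connection_dialect 0x0210 in the log), uses a constructed header, body and session key, models a guest session as having no usable key, and its function names are illustrative.

```python
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008       # header Flags bit: message carries a signature
SMB2_SESSION_FLAG_IS_GUEST = 0x0001  # SessionFlags bit in the SESSION_SETUP response
SIG_OFF, SIG_LEN = 48, 16            # Signature field of the 64-byte SMB2 header


def build_header(command, message_id, session_id):
    """Constructed minimal SMB2 header: unsigned, signature field all zero."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, command, 1,
                       0, 0, message_id, 0, 0, session_id, bytes(SIG_LEN))


def _mac(msg, session_key):
    # The MAC covers header + body with the signature field zeroed.
    msg = bytearray(msg)
    msg[SIG_OFF:SIG_OFF + SIG_LEN] = bytes(SIG_LEN)
    return hmac.new(session_key, bytes(msg), hashlib.sha256).digest()[:SIG_LEN]


def sign(message, session_key):
    """SMB 2.0.2/2.1 signing: first 16 bytes of HMAC-SHA256(session key, message)."""
    if not session_key:
        # Assumption of this sketch: a guest session is modelled as keyless.
        raise ValueError("no authenticated session key, cannot sign")
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, 16)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", msg, 16, flags)
    msg[SIG_OFF:SIG_OFF + SIG_LEN] = _mac(msg, session_key)
    return bytes(msg)


def verify(message, session_key):
    received = message[SIG_OFF:SIG_OFF + SIG_LEN]
    return hmac.compare_digest(received, _mac(message, session_key))


def client_accepts_session(session_flags, require_signing):
    """MS-SMB2 client rule: a guest session fails when signing is required."""
    return not (require_signing and session_flags & SMB2_SESSION_FLAG_IS_GUEST)


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed 16-byte session key
    request = build_header(0x0003, 2, 0xFEDA2F8E) + b"constructed body"
    signed = sign(request, key)
    print("valid:", verify(signed, key))
    print("tampered:", verify(signed[:-1] + b"X", key))
    print("guest + RequireSecuritySignature=1:",
          client_accepts_session(SMB2_SESSION_FLAG_IS_GUEST, True))
```

The last check returns False: a client that requires signing drops a session the server marks as guest, which is consistent with the log's successful session setup (authenticated 0x00, signing_required 0x00) followed by NT_STATUS_CONNECTION_RESET.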
L.P.H. van Belle
2015-Mar-13 10:21 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Strange, I did not change anything in my Windows 7 64bit.

This is my full setup, pretty basic.
Ubuntu 14.04.2 LTS, Trusty Tahr, with sernet samba 4.1.17-9

I do have 1 user for samba.

    pdbedit -L
    xbmc:5000:MediaUser

    [global]
        workgroup = PRIVE
        server string = %h server
        dns proxy = yes
    ;   name resolve order = lmhosts host wins bcast

    #### Networking ####
    #   interfaces = 127.0.0.0/8 eth0
    #   bind interfaces only = yes

    #### Debugging/Accounting ####
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d

    ####### Authentication #######
    ## stand alone everything open.
        security = user
        guest ok = yes
        map to guest = bad password
    ####
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes

    ########## Printing ##########
    #---- disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

    #======================= Share Definitions ======================
    [homes]
        comment = Home Directorie
        browseable = no
        read only = yes
        valid users = %S

    [backups]
        comment = Backups Share
        path = /media/diverse/backups
        force user = xbmc
        read only = no
        guest ok = yes

>-----Original message-----
>From: r.olszewski at ssc-services.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Olszewski, Raphael
>Sent: Friday, 13 March 2015 10:42
>To: samba at lists.samba.org
>Subject: Re: [Samba] RequireSecuritySignature=1 and public
>share with guest not working
>
>Hi
>I tried exactly your type of config.
>
>With "RequireSecuritySignature=0" the anon access is working
>like expected.
>As soon as I set "RequireSecuritySignature=1" it is not
>working anymore.
>
>So it seems not to be the problem to configure the
>guest-access. But it seems to be the problem with requiring the signing.