samba - Mar 2015 - RequireSecuritySignature=1 and public share with guest not working

Due to security reasons smb signing has to be activated and this share between
linux and windows is now dead.
And I do not find the correct settings to do a public share in this szenario.
It has to be public, because the linux is'nt allowed to join the domain and
on the other way, the win-clients cannot leave their domains.
And I think, just signing smb-messages should not speek against a public share,
since those signed smb messages just make me shure, no man in the middle is
manipulating my smb-messages.

Gru? Raphael
___________________________________________
-----Urspr?ngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Montag, 16. M?rz 2015 10:39
An: samba at lists.samba.org
Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not
working

On 16/03/15 09:29, Olszewski, Raphael wrote:
>
> Hi Rowland
>
> In former time there was "security=share", now i have to use
> "RequireSecuritySignature=1" on client side.
> Documentation for SMB signing says, this is only possible with
> "security=user", not with share.
>
> So I switched to security=user, configured guest-access to the public
> share and activated this RequireSecuritySignature=1
>
> And then - with RequireSecuritySignature=1 - the client cannot access
> this share anymore. Just changing to RequireSecuritySignature=0 the
> share is working.
>
> The client says: error 1240
>
> The Server sees only "connection reset"
>
> All I need is a _public share together with smb signing_ and
> RequireSecuritySignature=1
>
WHY???

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 16/03/15 09:52, Olszewski, Raphael wrote:
>
> Due to security reasons smb signing has to be activated and this share 
> between linux and windows is now dead.
>
> And I do not find the correct settings to do a public share in this 
> szenario.
>
> It has to be public, because the linux is?nt allowed to join the 
> domain and on the other way, the win-clients cannot leave their domains.
>
> And I think, just signing smb-messages should not speek against a 
> public share, since those signed smb messages just make me shure, no 
> man in the middle is manipulating my smb-messages.
>
> Gru? Raphael
> ___________________________________________
> -----Urspr?ngliche Nachricht-----
> Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Gesendet: Montag, 16. M?rz 2015 10:39
> An: samba at lists.samba.org
> Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with 
> guest not working
>
> On 16/03/15 09:29, Olszewski, Raphael wrote:
> >
> > Hi Rowland
> >
> > In former time there was ?security=share?, now i have to use
> > ?RequireSecuritySignature=1? on client side.
> > Documentation for SMB signing says, this is only possible with
> > ?security=user?, not with share.
> >
> > So I switched to security=user, configured guest-access to the public
> > share and activated this RequireSecuritySignature=1
> >
> > And then ? with RequireSecuritySignature=1 ? the client cannot access
> > this share anymore. Just changing to RequireSecuritySignature=0 the
> > share is working.
> >
> > The client says: error 1240
> >
> > The Server sees only ?connection reset?
> >
> > All I need is a _public share together with smb signing_ and
> > RequireSecuritySignature=1
> >
>
> WHY???
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
So you need to make sure that the request to connect comes from a member 
of your domain ?

I take it that the members of said domain have an ipaddress, in which 
case adding some thing like:

'hosts allow = 192.168.0.0/24'

Would only allow connection from hosts with the ipaddress 192.168.0.X

You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'

see 'man smb.conf' for more info.

Rowland

Hi Rowland
The client is stopping communication, not the server. With error 1240.
And since it is working with the client setting RequireSecuritySignature=0
without any problem, ' hosts allow' cannot be either the problem nor the
solution.


So - setting RequireSecuritySignature=1 at the client needs a corresponding
setting at the server - I guess.
But even explicit settings on samba side like those are not helping:

        security = user

        auth methods = guest

        map to guest = Bad User
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        server signing = required

Greetz Raphael
___________________________________________
-----Urspr?ngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Montag, 16. M?rz 2015 11:10
An: samba at lists.samba.org
Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not
working

On 16/03/15 09:52, Olszewski, Raphael wrote:
>
> Due to security reasons smb signing has to be activated and this share
> between linux and windows is now dead.
>
> And I do not find the correct settings to do a public share in this
> szenario.
>
> It has to be public, because the linux is'nt allowed to join the
> domain and on the other way, the win-clients cannot leave their domains.
>
> And I think, just signing smb-messages should not speek against a
> public share, since those signed smb messages just make me shure, no
> man in the middle is manipulating my smb-messages.
>
> Gru? Raphael
> ___________________________________________
> -----Urspr?ngliche Nachricht-----
> Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Gesendet: Montag, 16. M?rz 2015 10:39
> An: samba at lists.samba.org
> Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with
> guest not working
>
> On 16/03/15 09:29, Olszewski, Raphael wrote:
> >
> > Hi Rowland
> >
> > In former time there was "security=share", now i have to use
> > "RequireSecuritySignature=1" on client side.
> > Documentation for SMB signing says, this is only possible with
> > "security=user", not with share.
> >
> > So I switched to security=user, configured guest-access to the
> > public share and activated this RequireSecuritySignature=1
> >
> > And then - with RequireSecuritySignature=1 - the client cannot
> > access this share anymore. Just changing to
> > RequireSecuritySignature=0 the share is working.
> >
> > The client says: error 1240
> >
> > The Server sees only "connection reset"
> >
> > All I need is a _public share together with smb signing_ and
> > RequireSecuritySignature=1
> >
>
> WHY???
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
So you need to make sure that the request to connect comes from a member of your
domain ?

I take it that the members of said domain have an ipaddress, in which case
adding some thing like:

'hosts allow = 192.168.0.0/24'

Would only allow connection from hosts with the ipaddress 192.168.0.X

You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'

see 'man smb.conf' for more info.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba