Olszewski, Raphael
2015-Mar-16 09:52 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Due to security reasons smb signing has to be activated and this share between linux and windows is now dead. And I do not find the correct settings to do a public share in this szenario. It has to be public, because the linux is'nt allowed to join the domain and on the other way, the win-clients cannot leave their domains. And I think, just signing smb-messages should not speek against a public share, since those signed smb messages just make me shure, no man in the middle is manipulating my smb-messages. Gru? Raphael ___________________________________________ -----Urspr?ngliche Nachricht----- Von: Rowland Penny [mailto:rowlandpenny at googlemail.com] Gesendet: Montag, 16. M?rz 2015 10:39 An: samba at lists.samba.org Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working On 16/03/15 09:29, Olszewski, Raphael wrote:> > Hi Rowland > > In former time there was "security=share", now i have to use > "RequireSecuritySignature=1" on client side. > Documentation for SMB signing says, this is only possible with > "security=user", not with share. > > So I switched to security=user, configured guest-access to the public > share and activated this RequireSecuritySignature=1 > > And then - with RequireSecuritySignature=1 - the client cannot access > this share anymore. Just changing to RequireSecuritySignature=0 the > share is working. > > The client says: error 1240 > > The Server sees only "connection reset" > > All I need is a _public share together with smb signing_ and > RequireSecuritySignature=1 >WHY??? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Mar-16 10:09 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
On 16/03/15 09:52, Olszewski, Raphael wrote:> > Due to security reasons smb signing has to be activated and this share > between linux and windows is now dead. > > And I do not find the correct settings to do a public share in this > szenario. > > It has to be public, because the linux is?nt allowed to join the > domain and on the other way, the win-clients cannot leave their domains. > > And I think, just signing smb-messages should not speek against a > public share, since those signed smb messages just make me shure, no > man in the middle is manipulating my smb-messages. > > Gru? Raphael > ___________________________________________ > -----Urspr?ngliche Nachricht----- > Von: Rowland Penny [mailto:rowlandpenny at googlemail.com] > Gesendet: Montag, 16. M?rz 2015 10:39 > An: samba at lists.samba.org > Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with > guest not working > > On 16/03/15 09:29, Olszewski, Raphael wrote: > > > > Hi Rowland > > > > In former time there was ?security=share?, now i have to use > > ?RequireSecuritySignature=1? on client side. > > Documentation for SMB signing says, this is only possible with > > ?security=user?, not with share. > > > > So I switched to security=user, configured guest-access to the public > > share and activated this RequireSecuritySignature=1 > > > > And then ? with RequireSecuritySignature=1 ? the client cannot access > > this share anymore. Just changing to RequireSecuritySignature=0 the > > share is working. > > > > The client says: error 1240 > > > > The Server sees only ?connection reset? > > > > All I need is a _public share together with smb signing_ and > > RequireSecuritySignature=1 > > > > WHY??? > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >So you need to make sure that the request to connect comes from a member of your domain ? I take it that the members of said domain have an ipaddress, in which case adding some thing like: 'hosts allow = 192.168.0.0/24' Would only allow connection from hosts with the ipaddress 192.168.0.X You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN' see 'man smb.conf' for more info. Rowland
Olszewski, Raphael
2015-Mar-16 12:14 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi Rowland The client is stopping communication, not the server. With error 1240. And since it is working with the client setting RequireSecuritySignature=0 without any problem, ' hosts allow' cannot be either the problem nor the solution. So - setting RequireSecuritySignature=1 at the client needs a corresponding setting at the server - I guess. But even explicit settings on samba side like those are not helping: security = user auth methods = guest map to guest = Bad User client max protocol = SMB3 client min protocol = SMB2 client signing = required server signing = required Greetz Raphael ___________________________________________ -----Urspr?ngliche Nachricht----- Von: Rowland Penny [mailto:rowlandpenny at googlemail.com] Gesendet: Montag, 16. M?rz 2015 11:10 An: samba at lists.samba.org Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working On 16/03/15 09:52, Olszewski, Raphael wrote:> > Due to security reasons smb signing has to be activated and this share > between linux and windows is now dead. > > And I do not find the correct settings to do a public share in this > szenario. > > It has to be public, because the linux is'nt allowed to join the > domain and on the other way, the win-clients cannot leave their domains. > > And I think, just signing smb-messages should not speek against a > public share, since those signed smb messages just make me shure, no > man in the middle is manipulating my smb-messages. > > Gru? Raphael > ___________________________________________ > -----Urspr?ngliche Nachricht----- > Von: Rowland Penny [mailto:rowlandpenny at googlemail.com] > Gesendet: Montag, 16. M?rz 2015 10:39 > An: samba at lists.samba.org > Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with > guest not working > > On 16/03/15 09:29, Olszewski, Raphael wrote: > > > > Hi Rowland > > > > In former time there was "security=share", now i have to use > > "RequireSecuritySignature=1" on client side. > > Documentation for SMB signing says, this is only possible with > > "security=user", not with share. > > > > So I switched to security=user, configured guest-access to the > > public share and activated this RequireSecuritySignature=1 > > > > And then - with RequireSecuritySignature=1 - the client cannot > > access this share anymore. Just changing to > > RequireSecuritySignature=0 the share is working. > > > > The client says: error 1240 > > > > The Server sees only "connection reset" > > > > All I need is a _public share together with smb signing_ and > > RequireSecuritySignature=1 > > > > WHY??? > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >So you need to make sure that the request to connect comes from a member of your domain ? I take it that the members of said domain have an ipaddress, in which case adding some thing like: 'hosts allow = 192.168.0.0/24' Would only allow connection from hosts with the ipaddress 192.168.0.X You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN' see 'man smb.conf' for more info. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Possibly Parallel Threads
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working