Olszewski, Raphael
2015-Mar-16 15:00 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi Rowland

sorry for not being clear.

In my first post I already wrote:

Now I have to tighten security with setting those flags in the windows client:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1
RequireSecuritySignature=1
. . .
when I change registry to RequireSecuritySignature=0, everything works like expected.

If setting is still RequireSecuritySignature=0 - everything is working with the changed samba config.
But - I'm forced to change from RequireSecuritySignature=0 to RequireSecuritySignature=1
If changing the client to RequireSecuritySignature=1 the same public share with guest access is not working anymore.

Greetz, Raphael
___________________________________________
-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Monday, 16 March 2015 14:17
To: samba at lists.samba.org
Subject: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working

On 16/03/15 12:14, Olszewski, Raphael wrote:
> Hi Rowland
>
> The client is stopping communication, not the server. With error 1240.
> And since it is working with the client setting
> RequireSecuritySignature=0 without any problem, 'hosts allow' cannot
> be either the problem nor the solution.
>
> So - setting RequireSecuritySignature=1 at the client needs a
> corresponding setting at the server - I guess.
> But even explicit settings on samba side like those are not helping:
>
> security = user
> auth methods = guest
> map to guest = Bad User
> client max protocol = SMB3
> client min protocol = SMB2
> client signing = required
> server signing = required
>
> Greetz Raphael
> ___________________________________________
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Monday, 16 March 2015 11:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] RequireSecuritySignature=1 and public share with
> guest not working
>
> On 16/03/15 09:52, Olszewski, Raphael wrote:
> >
> > Due to security reasons smb signing has to be activated and this
> > share between linux and windows is now dead.
> >
> > And I do not find the correct settings to do a public share in this
> > scenario.
> >
> > It has to be public, because the linux isn't allowed to join the
> > domain and on the other way, the win-clients cannot leave their domains.
> >
> > And I think, just signing smb-messages should not speak against a
> > public share, since those signed smb messages just make me sure, no
> > man in the middle is manipulating my smb-messages.
> >
> > Regards, Raphael
> > ___________________________________________
> > -----Original Message-----
> > From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> > Sent: Monday, 16 March 2015 10:39
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] RequireSecuritySignature=1 and public share
> > with guest not working
> >
> > On 16/03/15 09:29, Olszewski, Raphael wrote:
> > >
> > > Hi Rowland
> > >
> > > In former time there was "security=share", now I have to use
> > > "RequireSecuritySignature=1" on client side.
> > > Documentation for SMB signing says, this is only possible with
> > > "security=user", not with share.
> > >
> > > So I switched to security=user, configured guest-access to the
> > > public share and activated this RequireSecuritySignature=1
> > >
> > > And then - with RequireSecuritySignature=1 - the client cannot
> > > access this share anymore. Just changing to
> > > RequireSecuritySignature=0 the share is working.
> > >
> > > The client says: error 1240
> > >
> > > The Server sees only "connection reset"
> > >
> > > All I need is a _public share together with smb signing_ and
> > > RequireSecuritySignature=1
> > >
> >
> > WHY???
> >
> > Rowland
>
> So you need to make sure that the request to connect comes from a
> member of your domain ?
>
> I take it that the members of said domain have an IP address, in which
> case adding something like:
>
> 'hosts allow = 192.168.0.0/24'
>
> Would only allow connection from hosts with the IP address 192.168.0.X
>
> You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'
>
> see 'man smb.conf' for more info.
>
> Rowland

I think you are missing my point, from the brief search I did, the whole world seems to think that you need to set 'RequireSecuritySignature=0', so why do you *need* to set it to '1'?

If it is to ensure that only users on certain machines can connect, then 'hosts allow' should give you the same result.

Rowland
Rowland Penny
2015-Mar-16 15:32 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
On 16/03/15 15:00, Olszewski, Raphael wrote:
> Hi Rowland
>
> sorry for not being clear.
>
> In my first post I already wrote:
>
> Now I have to tighten security with setting those flags in the windows
> client:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
> EnablePlainTextPassword=0
> EnableSecuritySignature=1
> RequireSecuritySignature=1
> . . .
> when I change registry to RequireSecuritySignature=0, everything works like expected.
>
> If setting is still RequireSecuritySignature=0 - everything is working
> with the changed samba config.
> But - I'm forced to change from RequireSecuritySignature=0 to
> RequireSecuritySignature=1
> If changing the client to RequireSecuritySignature=1 the same public
> share with guest access is not working anymore.
>
> Greetz, Raphael
> ___________________________________________
> -----Original Message-----
>

OK, I have had a look at the portion of smb.conf you posted and you posted this:

security = user
auth methods = guest
map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required

Try this:

security = user
map to guest = Bad User
client min protocol = SMB2
client signing = mandatory
server signing = mandatory

The changes: You do not need the 'auth methods' for a public server, with samba 4 the 'client max protocol' defaults to 'SMB3', 'required' is not an option for 'client signing' or 'server signing' according to 'man smb.conf', the three options are 'auto, mandatory and disabled'.

Rowland
Olszewski, Raphael
2015-Mar-17 09:02 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi Rowland

I've made the config exactly like you sent.

Doing testparm gives me

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[pub]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    netbios name = ME
    server string = Samba Server %v
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    client min protocol = SMB2
    client signing = required
    server signing = required
    idmap config * : backend = tdb
    guest ok = Yes

[pub]
    path = /fs1/smb_test_signing_fuso
    read only = No
    create mask = 0777
    directory mask = 0777

So - writing mandatory to the config shows required in the testparm output.
And even "server signing = required" / "idmap config * : backend = tdb" was NOT in the smb.conf - since I used your config. Same with "security = user".
And pub has in smb.conf "browsable = yes" / "writable = yes".

Even a config like

client signing = mandatory
server signing = required

shows with testparm

client signing = required
server signing = required

That shows me: testparm is interpreting the conf and shows me, what it is using really.

BUT - even with your config I get exactly the same picture as in my countless tries before:

RequireSecuritySignature=0 (old value) => share is working
RequireSecuritySignature=1 (needed value) => share is NOT working, and I get the client-error 1240 or 0x80004005 (the only change is this flag from 0 to 1)

To clarify: on client side I ONLY change this value RequireSecuritySignature to 1. Nothing else. Just a client-reboot is necessary after this change to be active.

I think, it is problem with smb signing, not with the share config.

Raphael
___________________________________________
-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Monday, 16 March 2015 16:32
To: samba at lists.samba.org
Subject: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working

On 16/03/15 15:00, Olszewski, Raphael wrote:
> Hi Rowland
>
> sorry for not being clear.
>
> In my first post I already wrote:
>
> Now I have to tighten security with setting those flags in the windows
> client:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
> EnablePlainTextPassword=0
> EnableSecuritySignature=1
> RequireSecuritySignature=1
> . . .
> when I change registry to RequireSecuritySignature=0, everything works like expected.
>
> If setting is still RequireSecuritySignature=0 - everything is working
> with the changed samba config.
> But - I'm forced to change from RequireSecuritySignature=0 to
> RequireSecuritySignature=1
> If changing the client to RequireSecuritySignature=1 the same public
> share with guest access is not working anymore.
>
> Greetz, Raphael
> ___________________________________________
> -----Original Message-----
>

OK, I have had a look at the portion of smb.conf you posted and you posted this:

security = user
auth methods = guest
map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required

Try this:

security = user
map to guest = Bad User
client min protocol = SMB2
client signing = mandatory
server signing = mandatory

The changes: You do not need the 'auth methods' for a public server, with samba 4 the 'client max protocol' defaults to 'SMB3', 'required' is not an option for 'client signing' or 'server signing' according to 'man smb.conf', the three options are 'auto, mandatory and disabled'.

Rowland
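
As an added example (not part of the thread and not Samba project code), the shell functions below parse a `testparm -s` dump, treat `mandatory` and `required` as one value, as the testparm output above shows, and flag the combination this thread reports as failing: server signing required while unknown users are mapped to guest (Windows guest logons do not support signing). The sample dump is constructed from the output posted above, and all function names are hypothetical.

```shell
# Constructed sample, modelled on the testparm output posted in the thread.
sample_dump() {
cat <<'EOF'
[global]
    map to guest = Bad User
    client signing = required
    server signing = required
    guest ok = Yes
[pub]
    path = /fs1/smb_test_signing_fuso
EOF
}

# Emit "section|key|value" for each parameter line of a dump on stdin.
parse_dump() {
  awk '/^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
       /=/ { k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
             v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
             print sec "|" tolower(k) "|" v }'
}

# Print the value of key $1 in section $2 (empty if absent); dump on stdin.
get_param() {
  parse_dump | awk -F'|' -v k="$1" -v s="$2" '$1 == s && $2 == k { print $3; exit }'
}

# testparm prints "mandatory" as "required"; treat both spellings as one.
norm_signing() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    mandatory|required) echo required ;;
    *) printf '%s\n' "$1" | tr 'A-Z' 'a-z' ;;
  esac
}

# Print CONFLICT when the server requires signing and also maps unknown
# users to guest, otherwise OK. Reads the dump on stdin.
audit_signing() {
  dump=$(cat)
  sign=$(norm_signing "$(printf '%s\n' "$dump" | get_param 'server signing' global)")
  guest=$(printf '%s\n' "$dump" | get_param 'map to guest' global)
  # "map to guest" defaults to Never when it is not set.
  case "$(printf '%s' "$guest" | tr 'A-Z' 'a-z')" in ''|never) guest=never ;; esac
  if [ "$sign" = required ] && [ "$guest" != never ]; then
    echo "CONFLICT server_signing=$sign map_to_guest=$guest"
  else
    echo "OK server_signing=${sign:-unset} map_to_guest=$guest"
  fi
}

sample_dump | audit_signing
```

On a live server the same check runs as `testparm -s 2>/dev/null | audit_signing`.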