Olszewski, Raphael
2015-Mar-17 09:02 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Hi Rowland
i've made the config exactly like you sent.
Doing testparm gives me
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[pub]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
netbios name = ME
server string = Samba Server %v
map to guest = Bad User
log file = /var/log/samba/log.%m
client min protocol = SMB2
client signing = required
server signing = required
idmap config * : backend = tdb
guest ok = Yes
[pub]
path = /fs1/smb_test_signing_fuso
read only = No
create mask = 0777
directory mask = 0777
So - writing mandatory to the config shows required in the testparm output.
And even "server siging = required"/ "idmap config * : backend =
tdb "was NOT in the smb.conf - since I used your config.
Same with "security = user"
And pub has in smb.conf "browsable =yes"/" writable = yes"
Even a config like
client signing = mandatory
server signing = required
shows with testparm
client signing = required
server signing = required
That shows me: testparm is interpreting the conf and shows me, what it is using
really.
BUT - even with your config I get exactly the same picture as in my countless
tries before:
RequireSecuritySignature=0 (old value) => share is working
RequireSecuritySignature=1 (needed value) => share is NOT working, and I get
the client-error 1240 or 0x80004005 (the only change is this flag from 0 to 1)
To clarify: on client side i ONLY change this value RequireSecuritySignature to
1. Nothing else. Just a client-reboot is neccesary after this change to be
active.
I think, it is problem with smb signing, not with the share config.
Raphael
___________________________________________
-----Urspr?ngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Montag, 16. M?rz 2015 16:32
An: samba at lists.samba.org
Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not
working
On 16/03/15 15:00, Olszewski, Raphael wrote:>
> Hi Rowland
> sorry for not being clear.
>
> In my first post I already wrote:
>
> Now I have to tight security with setting those flags in the windows
> client:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstatio
> n\Parameters]
>
> EnablePlainTextPassword=0
>
> EnableSecuritySignature=1
>
> RequireSecuritySignature=1
> . . .
> when I change registry to RequireSecuritySignature=0, everything works like
expected.
>
> If setting is still RequireSecuritySignature=0 - everything is working
> with the changed samba config.
> But - i'am forced to change from RequireSecuritySignature=0 to
> RequireSecuritySignature=1
> If changing the client to RequireSecuritySignature=1 the same public
> share with guest access is not working anymore.
>
>
> Greetz, Raphael
> ___________________________________________
> -----Urspr?ngliche Nachricht-----
>
OK, I have had a look at the portion of smb.conf you posted and you posted this:
security = user
auth methods = guest
map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required
Try this:
security = user
map to guest = Bad User
client min protocol = SMB2
client signing = mandatory
server signing = mandatory
The changes: You do not need the 'auth methods' for a public server,
with samba 4 the 'client max protocol' defaults to 'SMB3' ,
'required'
is not option for 'client signing' or 'server signing' according
to 'man smb.conf', the three options are 'auto, mandatory and
disabled'.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Mar-17 09:52 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
On 17/03/15 09:02, Olszewski, Raphael wrote:> > Hi Rowland > i?ve made the config exactly like you sent. > > Doing testparm gives me > Load smb config files from /etc/samba/smb.conf > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) > Processing section "[pub]" > Loaded services file OK. > Server role: ROLE_STANDALONE > Press enter to see a dump of your service definitions > > [global] > > netbios name = ME > > server string = Samba Server %v > > map to guest = Bad User > > log file = /var/log/samba/log.%m > > client min protocol = SMB2 > > client signing = required > > server signing = required > > idmap config * : backend = tdb > > guest ok = Yes > > [pub] > > path = /fs1/smb_test_signing_fuso > > read only = No > > create mask = 0777 > > directory mask = 0777 > > So ? writing mandatory to the config shows required in the testparm > output. > And even ?server siging = required?/ ?idmap config * : backend = tdb > ?was NOT in the smb.conf ? since I used your config. > Same with ?security = user? > And pub has in smb.conf ?browsable =yes?/?writable = yes? > Even a config like > client signing = mandatory > server signing = required > shows with testparm > client signing = required > server signing = required > > That shows me: testparm is interpreting the conf and shows me, what it > is using really. > > BUT ? even with your config I get exactly the same picture as in my > countless tries before: > RequireSecuritySignature=0 (old value) => share is working > RequireSecuritySignature=1 (needed value) => share is NOT working, and > I get the client-error 1240 or 0x80004005 (the only change is this > flag from 0 to 1) > > To clarify: on client side i ONLY change this value > RequireSecuritySignature to 1. Nothing else. Just a client-reboot is > neccesary after this change to be active. > > I think, it is problem with smb signing, not with the share config. > > > Raphael >OK, it looks like you have discovered a couple of bugs, first the smb.conf manpage does not mention 'required' it says 'mandatory', yet testparm does say 'required', in fact, as you have found, it changes it to 'required'. The main bug is 'server signing' seems to be ignored, I think that you need to find out if windows works as you expect. Rowland
Olszewski, Raphael
2015-Mar-17 14:49 UTC
[Samba] RequireSecuritySignature=1 and public share with guest not working
Rowland, thank you! I did not believe it could be a bug and was searching really hard, but did not find any correct config. So i have filed 2 bugs: https://bugzilla.samba.org/show_bug.cgi?id=11167 https://bugzilla.samba.org/show_bug.cgi?id=11168 The Windows-Client is working properly - since i have allways access to DFS-Drives served by MS-Servers with both variants of RequireSecuritySignature (0 or 1) Raphael ___________________________________________ -----Urspr?ngliche Nachricht----- Von: Rowland Penny [mailto:rowlandpenny at googlemail.com] Gesendet: Dienstag, 17. M?rz 2015 10:53 An: samba at lists.samba.org Betreff: Re: [Samba] RequireSecuritySignature=1 and public share with guest not working On 17/03/15 09:02, Olszewski, Raphael wrote:> > Hi Rowland > i've made the config exactly like you sent. > > Doing testparm gives me > Load smb config files from /etc/samba/smb.conf > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit > (16384) Processing section "[pub]" > Loaded services file OK. > Server role: ROLE_STANDALONE > Press enter to see a dump of your service definitions > > [global] > > netbios name = ME > > server string = Samba Server %v > > map to guest = Bad User > > log file = /var/log/samba/log.%m > > client min protocol = SMB2 > > client signing = required > > server signing = required > > idmap config * : backend = tdb > > guest ok = Yes > > [pub] > > path = /fs1/smb_test_signing_fuso > > read only = No > > create mask = 0777 > > directory mask = 0777 > > So - writing mandatory to the config shows required in the testparm > output. > And even "server siging = required"/ "idmap config * : backend = tdb > "was NOT in the smb.conf - since I used your config. > Same with "security = user" > And pub has in smb.conf "browsable =yes"/"writable = yes" Even a > config like > client signing = mandatory > server signing = required > shows with testparm > client signing = required > server signing = required > > That shows me: testparm is interpreting the conf and shows me, what it > is using really. > > BUT - even with your config I get exactly the same picture as in my > countless tries before: > RequireSecuritySignature=0 (old value) => share is working > RequireSecuritySignature=1 (needed value) => share is NOT working, and > I get the client-error 1240 or 0x80004005 (the only change is this > flag from 0 to 1) > > To clarify: on client side i ONLY change this value > RequireSecuritySignature to 1. Nothing else. Just a client-reboot is > neccesary after this change to be active. > > I think, it is problem with smb signing, not with the share config. > > > Raphael >OK, it looks like you have discovered a couple of bugs, first the smb.conf manpage does not mention 'required' it says 'mandatory', yet testparm does say 'required', in fact, as you have found, it changes it to 'required'. The main bug is 'server signing' seems to be ignored, I think that you need to find out if windows works as you expect. Rowland
Seemingly Similar Threads
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working
- RequireSecuritySignature=1 and public share with guest not working