Adrian Fita
2016-Aug-16 09:15 UTC
[Samba] Document that SMB signing does not work / is not supported without authentication
Hello everyone.

I apologize in advance if what I'm talking about here is obvious to all. I don't usually deal with SMB stuff.

So, recently I was asked to implement "server signing = mandatory" for a SMB service that exposes only anonymous / guest shares. At first I tried with Samba 3.6.x and a Windows 7 client, but "net use" from Windows refused to mount the SMB share, displaying the error "System error 64 has occurred.". Then I tried with Samba 4.3.x and the SMB share was mounted, but when I inspected the traffic with Wireshark, I noticed that the SMB packets were not actually signed, so Samba 4 allows mounts, but it silently ignores signing, falling back to "signing = disabled".

Then I did some more digging in the SMB specification (download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-SMB2].pdf) and I found that SMB signing is performed only for authenticated sessions:

--
3.1.1.1 Global

The following global data is required by both the client and server:

RequireMessageSigning: A Boolean that, if set, indicates that this node requires that messages MUST be signed *if the message is sent with a user security context that is neither anonymous nor guest*. If not set, this node does not require that any messages be signed, but can still choose to do so if the other node requires it.
--

I also found this comment in bugzilla.samba.org:

--
bugzilla.samba.org/show_bug.cgi?id=8382
Stefan Metzmacher 2012-05-30 11:41:43 UTC
Comment 21

Closing this as invalid, as *it's not possible to do signing as guest user*.
--

Indeed, inspecting the traffic with Wireshark for an authenticated SMB share, the packets are signed.

Now I know for sure that SMB signing can be done only for shares with authentication. I would have appreciated if I was spared the extensive digging I had to do. A small note or warning present in "server signing" and "client signing" sections of the smb.conf man page that SMB signing works only with authentication would have sufficed.

The fact that SMB signing can not be done without authentication doesn't seem to be knowledge too wide-spread on the net, so I am sure that adding a small note/warning in the manuals would spare many people from wasting their time.

My question is: does it make sense to create a bug in bugzilla.samba.org to request adding this note to the manual?

Thanks,
--
Fita Adrian
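The Wireshark check described in the message above can be scripted. The following is an added example, not part of the original post or of Samba: it reads raw SMB2 messages, records from each successful SESSION_SETUP response whether the session is guest, anonymous or authenticated, and lists later messages on those sessions that lack the signed flag. It assumes SMB2 messages with the 4-byte transport length prefix already stripped and no compounding; `audit_signing`, `build` and `SAMPLE` are hypothetical names, and the sample messages are constructed.

```python
import struct

# Constants from the SMB2 wire format ([MS-SMB2] sections 2.2.1 and 2.2.6).
SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_SESSION_SETUP = 0x0001
SESSION_FLAG_IS_GUEST = 0x0001
SESSION_FLAG_IS_NULL = 0x0002
HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")  # 64-byte sync header


def audit_signing(messages):
    """Return ({session_id: kind}, [(session_id, command)] for unsigned messages)."""
    kinds, unsigned = {}, []
    for raw in messages:
        if len(raw) < HEADER.size or raw[:4] != SMB2_MAGIC:
            continue  # not a plain SMB2 message (e.g. an encrypted transform header)
        (_, _, _, status, command, _, flags, _, _, _, _, session_id, _) = HEADER.unpack_from(raw)
        is_response = bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)
        if command == SMB2_SESSION_SETUP:
            # A successful SESSION_SETUP response carries SessionFlags at body offset 2.
            if is_response and status == 0 and len(raw) >= HEADER.size + 4:
                (session_flags,) = struct.unpack_from("<H", raw, HEADER.size + 2)
                if session_flags & SESSION_FLAG_IS_GUEST:
                    kinds[session_id] = "guest"
                elif session_flags & SESSION_FLAG_IS_NULL:
                    kinds[session_id] = "anonymous"
                else:
                    kinds[session_id] = "authenticated"
            continue
        if session_id in kinds and not flags & SMB2_FLAGS_SIGNED:
            unsigned.append((session_id, command))
    return kinds, unsigned


def build(command, flags, session_id, body=b"", status=0):
    """Constructed sample message: SMB2 header plus body (signature left as zeros)."""
    return HEADER.pack(SMB2_MAGIC, 64, 0, status, command, 1, flags, 0, 0, 0, 0,
                       session_id, b"\0" * 16) + body


# Constructed capture: session 0x11 is guest and unsigned, 0x22 is authenticated and signed.
SAMPLE = [
    build(0x0001, 0x1, 0x11, struct.pack("<HHHH", 9, SESSION_FLAG_IS_GUEST, 72, 0)),
    build(0x0003, 0x0, 0x11),  # TREE_CONNECT request without the signed flag
    build(0x0001, 0x9, 0x22, struct.pack("<HHHH", 9, 0, 72, 0)),
    build(0x0003, 0x8, 0x22),  # TREE_CONNECT request with the signed flag
]
```

An unsigned entry whose session kind is "guest" or "anonymous" matches the behaviour quoted from section 3.1.1.1; an unsigned entry on an "authenticated" session is the case that indicates signing is not being enforced.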
Volker Lendecke
2016-Aug-16 15:02 UTC
[Samba] Document that SMB signing does not work / is not supported without authentication
On Tue, Aug 16, 2016 at 12:15:12PM +0300, Adrian Fita via samba wrote:
> My question is: does it make sense to create a bug in
> bugzilla.samba.org to request adding this note to the manual?

Sure. Also, feel free to send what you would like to see. Bonus points if you send a git patch :-)

Volker