Jeremy Allison
2020-Dec-10 18:25 UTC
[Samba] 4.13.2 guest access denied with "Bad SMB2 signature"
On Thu, Dec 10, 2020 at 11:19:24AM -0700, Steve Leung via samba wrote:>On 2020-12-10 10:42 a.m., Jeremy Allison wrote: >>On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba wrote: >>> >>>Guest access to file shares in Samba 4.13.2 seems to be broken.? >>>The logs report a "Bad SMB2 signature" error, and the client sees >>>an "access denied" error.? This looks like a regression IMO, but >>>I'd like to check that I'm not doing something wrong. >> >>Correct me if I'm wrong, but doesn't guest access prohibit >>signing and encryption ? >> >>https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default > >That does sound correct, and I'd agree that there are many situations >where guest access is a Bad Idea. > >But it's still a documented (and presumably supported?) Samba >configuration that has worked in the past - if that's changing then it >should be made explicit. > >For myself, it's something I can work around without much fuss, but >I'm just concerned that I've stumbled upon a regression.I think if it worked in the past it may have been an accident. There's no session key that can be used for signing I think.
Rowland penny
2020-Dec-10 18:35 UTC
[Samba] 4.13.2 guest access denied with "Bad SMB2 signature"
On 10/12/2020 18:25, Jeremy Allison via samba wrote:> On Thu, Dec 10, 2020 at 11:19:24AM -0700, Steve Leung via samba wrote: >> On 2020-12-10 10:42 a.m., Jeremy Allison wrote: >>> On Thu, Dec 03, 2020 at 10:39:37AM -0700, Steve Leung via samba wrote: >>>> >>>> Guest access to file shares in Samba 4.13.2 seems to be broken.? >>>> The logs report a "Bad SMB2 signature" error, and the client sees >>>> an "access denied" error.? This looks like a regression IMO, but >>>> I'd like to check that I'm not doing something wrong. >>> >>> Correct me if I'm wrong, but doesn't guest access prohibit >>> signing and encryption ? >>> >>> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default >>> >> >> That does sound correct, and I'd agree that there are many situations >> where guest access is a Bad Idea. >> >> But it's still a documented (and presumably supported?) Samba >> configuration that has worked in the past - if that's changing then >> it should be made explicit. >> >> For myself, it's something I can work around without much fuss, but >> I'm just concerned that I've stumbled upon a regression. > > I think if it worked in the past it may have been an accident. > > There's no session key that can be used for > signing I think. >?Stop me if I am wrong but doesn't 'windows guest' != 'Samba guest' and the Samba guest works on the principal of 'I do not know who you are and don't care about your password' so the unknown user gets mapped to the Samba guest user (usually 'nobody') and is then allowed access to any 'guest' shares. If this worked before, then it may be a bug, but it all depends on just how the OP is connecting to the share, who as etc. Rowland