thr3ads.net - samba - [Samba] Bad SMB2 (sign_algo_id=1) signature for message [Apr 2024]

If this information is useful, please help other people find it:
Share via:

Michael Tokarev

2024-Apr-01 10:09 UTC

[Samba] Bad SMB2 (sign_algo_id=1) signature for message

01.04.2024 13:03, Jones Syue ???:>> [2024/03/01 15:59:00.612141,  0, pid=1778617]
libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
>>     Bad SMB2 (sign_algo_id=1) signature for message
> 
> Hello Michael,
> 
> what is the linux distro and samba version in your env, thank you :)
It does not depend on linux distro for sure.  Everything is within samba.

So far it happened with samba version 4.17, 4.18 and 4.19 (various patch
levels).

I can't say for sure but I *think* each time the client is windows server
2012.

I don't think this will help you in any way though :)

> It looks like a client-side tool could see similar output, from my env:
> $ rpcclient -U 'nobody%nobody' -c 'netshareenumall'
127.0.0.1
> Bad SMB2 (sign_algo_id=2) signature for message
> [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........
........
> [0000] 3B F0 CD 43 12 2D 1F D2   47 30 64 EE 8C 45 29 D2   ;..C.-..
G0d..E).
> Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED
Exactly the same happens when I run that command here (with sama 4.19.5).

/mjt

Jones Syue 薛懷宗

2024-Apr-01 10:56 UTC

head link

[Samba] Bad SMB2 (sign_algo_id=1) signature for message

> I can't say for sure but I *think* each time the client is windows
server 2012.
Looks good :) If run this script[1] to test multiple dialects, found only
SMB3_00 and SMB3_02 has this "(sign_algo_id=1)", and per doc[2] it
could
be happend with ws2012 and ws2012r2.

Perhaps some kind of services, like antivirus scan LAN, or printer access, 
access attempts to samba server via guest or anonymous account trigger this
log, not quite sure just a preliminary guess :) 
Is 'Event Viewer' of windows server 2012 could see similar event about 
bad/invalid signature too?

[1] Ubuntu 22.04.4, Samba 4.15.13
for max in SMB2_10 SMB3_00 SMB3_02 SMB3_11; \
do \
  echo $max; \
  smbclient -U 'nobody%nobody' --option='client
signing=required' -m${max} -L 127.0.0.1 2>&1 | grep sign_algo_id; \
done;

And the output:
Bad SMB2 (sign_algo_id=0) signature for message
SMB3_00
Bad SMB2 (sign_algo_id=1) signature for message
SMB3_02
Bad SMB2 (sign_algo_id=1) signature for message
SMB3_11
Bad SMB2 (sign_algo_id=2) signature for message

[2]
https://learn.microsoft.com/en-us/archive/blogs/josebda/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using

--

Regards,
Jones Syue | ???
QNAP Systems, Inc.

samba - Apr 2024 - Bad SMB2 (sign_algo_id=1) signature for message

[Samba] Bad SMB2 (sign_algo_id=1) signature for message

[Samba] Bad SMB2 (sign_algo_id=1) signature for message