samba - Apr 2024 - Bad SMB2 (sign_algo_id=1) signature for message

Hi Michael,

Le 01/04/2024 ? 13:09, Michael Tokarev via samba a
?crit?:
> 01.04.2024 13:56, Jones Syue ???:
>>> I can't say for sure but I *think* each time the client is
windows
>>> server 2012.
>>
>> Looks good :) If run this script[1] to test multiple dialects, found 
>> only
>> SMB3_00 and SMB3_02 has this "(sign_algo_id=1)", and per
doc[2] it could
>> be happend with ws2012 and ws2012r2.
>
> This *is* 2012 r2.? The protocol version it negotiates is shown by 
> smbstatus
> on samba server, it is SMB3_02.? More modern workstations negotiate 
> SMB3_11.
>
>> Perhaps some kind of services, like antivirus scan LAN, or printer 
>> access,
>> access attempts to samba server via guest or anonymous account 
>> trigger this
>> log, not quite sure just a preliminary guess :)
>
> There's no antivirus running on these machines.? At least we tried to 
> disable
> everything.
>
> The access *is* anonymous, always, this is a read-only anonymous share 
> with
> a big application used by multiple users.? It has public=yes, 
> map_to_guest=invalid_user.
>
> I can't say when exactly this error is logged.
SMBv2 signing requires to have a shared secret, and I guess that 
anonymous access don't provide that shared secret for signing / encryption.

 From [1] "Guest logons don't support standard security features such
as
signing and encryption." on SMB2.

So I guess you should use a account with a password on the client 
machine to avoid this message.

Cheers,

Denis

[1] 
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

>
>> Is 'Event Viewer' of windows server 2012 could see similar
event about
>> bad/invalid signature too?
>
> Somehow I forgot to look there.? Let's see..
>
> /mjt
>

02.04.2024 12:53, Denis CARDON via samba wrote:
> Hi Michael,
> Le 01/04/2024 ? 13:09, Michael Tokarev via samba a ?crit?:
>> The access *is* anonymous, always, this is a read-only anonymous share
with
>> a big application used by multiple users.? It has public=yes,
map_to_guest=invalid_user.
>>
>> I can't say when exactly this error is logged.
> 
> SMBv2 signing requires to have a shared secret, and I guess that anonymous
access don't provide that shared secret for signing / encryption.
> 
>  From [1] "Guest logons don't support standard security features
such as signing and encryption." on SMB2.
> 
> So I guess you should use a account with a password on the client machine
to avoid this message.
The thing is that this is an anonymous server with no accounts.
We're moving slowly to using domain member for this file server
(another machine which gives other interesting messages in logs).

Here, it works most of the time, - connections works, files gets
read, directories followed etc.  So the question is, - why it
(the whole thing, samba and clients) has no issues whatsoever,
while in some cases it has problems with signing like the logged
example?  This machine is serving many 100s of connections, and
while amount of this noize in logs is significant, it definitely
is in minority of cases only.  From the same machines for which
samba don't log anything most of the time, too.
> [1]
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
We had to explicitly enable guest access on clients.
>>> Is 'Event Viewer' of windows server 2012 could see similar
event about
>>> bad/invalid signature too?
>>
>> Somehow I forgot to look there.? Let's see..
Unfortunately there's nothing relevant in the server logs, not
even remotely relevant.

Hopefully this will stop when moving to domain-member setup.
It's still interesting to find the cause though.

Thank you Denis for this hint, - this is the most close so far.

/mjt