Denis CARDON
2024-Apr-02 09:53 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
Hi Michael,

On 01/04/2024 at 13:09, Michael Tokarev via samba wrote:
> 01.04.2024 13:56, Jones Syue wrote:
>>> I can't say for sure but I *think* each time the client is windows
>>> server 2012.
>>
>> Looks good :) If run this script[1] to test multiple dialects, found only
>> SMB3_00 and SMB3_02 has this "(sign_algo_id=1)", and per doc[2] it could
>> be happened with ws2012 and ws2012r2.
>
> This *is* 2012 r2. The protocol version it negotiates is shown by smbstatus
> on samba server, it is SMB3_02. More modern workstations negotiate SMB3_11.
>
>> Perhaps some kind of services, like antivirus scan LAN, or printer access,
>> access attempts to samba server via guest or anonymous account trigger this
>> log, not quite sure just a preliminary guess :)
>
> There's no antivirus running on these machines. At least we tried to disable
> everything.
>
> The access *is* anonymous, always, this is a read-only anonymous share with
> a big application used by multiple users. It has public=yes,
> map_to_guest=invalid_user.
>
> I can't say when exactly this error is logged.

SMBv2 signing requires a shared secret, and I guess that anonymous access doesn't provide that shared secret for signing / encryption.

From [1] "Guest logons don't support standard security features such as signing and encryption." on SMB2.

So I guess you should use an account with a password on the client machine to avoid this message.

Cheers,

Denis

[1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

>> Is 'Event Viewer' of windows server 2012 could see similar event about
>> bad/invalid signature too?
>
> Somehow I forgot to look there. Let's see..
>
> /mjt
Michael Tokarev
2024-Apr-03 10:13 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
02.04.2024 12:53, Denis CARDON via samba wrote:
> Hi Michael,
> On 01/04/2024 at 13:09, Michael Tokarev via samba wrote:
>> The access *is* anonymous, always, this is a read-only anonymous share with
>> a big application used by multiple users. It has public=yes, map_to_guest=invalid_user.
>>
>> I can't say when exactly this error is logged.
>
> SMBv2 signing requires a shared secret, and I guess that anonymous access doesn't provide that shared secret for signing / encryption.
>
> From [1] "Guest logons don't support standard security features such as signing and encryption." on SMB2.
>
> So I guess you should use an account with a password on the client machine to avoid this message.

The thing is that this is an anonymous server with no accounts. We're moving slowly to using a domain member for this file server (another machine which gives other interesting messages in logs).

Here, it works most of the time - connections work, files get read, directories are followed, etc. So the question is - why it (the whole thing, samba and clients) has no issues whatsoever, while in some cases it has problems with signing like the logged example? This machine is serving many 100s of connections, and while the amount of this noise in the logs is significant, it is definitely in a minority of cases only. From the same machines for which samba doesn't log anything most of the time, too.

> [1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

We had to explicitly enable guest access on clients.

>>> Is 'Event Viewer' of windows server 2012 could see similar event about
>>> bad/invalid signature too?
>>
>> Somehow I forgot to look there. Let's see..

Unfortunately there's nothing relevant in the server logs, not even remotely relevant.

Hopefully this will stop when moving to a domain-member setup. It's still interesting to find the cause though.

Thank you Denis for this hint - this is the closest so far.

/mjt