Michael Tokarev
2024-Apr-03 10:13 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
02.04.2024 12:53, Denis CARDON via samba wrote:
> Hi Michael,
>
> On 01/04/2024 at 13:09, Michael Tokarev via samba wrote:
>> The access *is* anonymous, always, this is a read-only anonymous share with
>> a big application used by multiple users. It has public=yes, map_to_guest=invalid_user.
>>
>> I can't say when exactly this error is logged.
>
> SMBv2 signing requires a shared secret, and I guess that anonymous access doesn't provide that shared secret for signing / encryption.
>
> From [1]: "Guest logons don't support standard security features such as signing and encryption." on SMB2.
>
> So I guess you should use an account with a password on the client machine to avoid this message.

The thing is that this is an anonymous server with no accounts. We're moving slowly to using a domain member for this file server (another machine, which gives other interesting messages in the logs).

Here, it works most of the time: connections work, files get read, directories are followed, etc. So the question is: why does it (the whole thing, samba and clients) have no issues whatsoever, while in some cases it has problems with signing like the logged example? This machine is serving many hundreds of connections, and while the amount of this noise in the logs is significant, it is definitely only a minority of cases, and from the same machines for which samba doesn't log anything most of the time.

> [1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

We had to explicitly enable guest access on the clients.

>>> Could 'Event Viewer' on Windows Server 2012 see a similar event about
>>> a bad/invalid signature too?
>>
>> Somehow I forgot to look there. Let's see..

Unfortunately there's nothing relevant in the server logs, not even remotely relevant.

Hopefully this will stop when moving to the domain-member setup. It's still interesting to find the cause though.

Thank you Denis for this hint, this is the closest so far.

/mjt
Jones Syue 薛懷宗
2024-Apr-09 08:37 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
> It's still interesting to find the cause though.
> Thank you Denis for this hint, this is the closest so far.

Thank you Denis for the great insight! This log could be reproduced now :) [1]

The three key points are: the SMB Multichannel ioctl to query network information, SMB signing, and a guest account without a password.

Logs on my environment:

samba log:
[2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f..
[2024/04/09 11:40:44.176134, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 96 AE 0E 9F 58 70 5B 50 96 CC 3E 6A CF 14 FF 31 ....Xp[P ..>j...1
[2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 11:50:44.533205, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 61 99 25 B6 69 1C BF 69 34 91 32 A0 34 FB 16 9C a.%.i..i 4.2.4...
[2024/04/09 11:50:44.533227, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 0D 1A 14 72 04 E2 D4 32 BC B6 32 E6 8E 55 9D C5 ...r...2 ..2..U..
wireshark:
2171    14:17:50.4  SMB                                              Negotiate Protocol Request
2173    14:17:50.4  SMB2          00000000000000000000000000000000   Negotiate Protocol Response
2174    14:17:50.4  SMB2          00000000000000000000000000000000   Negotiate Protocol Request
2175    14:17:50.4  SMB2          00000000000000000000000000000000   Negotiate Protocol Response
2176    14:17:50.4  SMB2          00000000000000000000000000000000   Session Setup Request, NTLMSSP_NEGOTIATE
2177    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
2178    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Session Setup Request, NTLMSSP_AUTH, User: JONES-123\nobody
2179    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Session Setup Response
2180    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Tree Connect Request Tree: \\${IP}\tmp
2181    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Tree Connect Response
2195    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Create Request File: Desktop.ini
2196    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
2197    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Create Request File: AutoRun.inf
2198    14:17:50.4  SMB2  nobody  00000000000000000000000000000000   Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
32716   14:20:49.6  SMB2  nobody  9f564aa7f2a2d83d7b3e85fc03bcbc91   Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
32719   14:20:49.6  SMB2  nobody  3319358928e475b1f59b9359f8f91c77   Ioctl Response, Error: STATUS_ACCESS_DENIED
226178  14:30:49.9  SMB2  nobody  759a242577d7cda8dd4a2888f6e79578   Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
226182  14:30:49.9  SMB2  nobody  1cd3596497d8928bccbec8e3c70baabc   Ioctl Response, Error: STATUS_ACCESS_DENIED
368940  14:40:50.3  SMB2  nobody  cb2d942473aecc7ace27bd3700f9d679   Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
368943  14:40:50.3  SMB2  nobody  ef75e7f887f13ae6b7554737858c45d3   Ioctl Response, Error: STATUS_ACCESS_DENIED
event viewer:
Error  2024/4/9 AM 11:40:43  SMBClient  31013  None
Error  2024/4/9 AM 11:50:44  SMBClient  31013  None

It is about this: when SMB Multichannel is turned on, the Windows SMB client sends an ioctl request to query the network interface information of the SMB server, and this pair of ioctl request/response requires SMB Signing to be turned on too. SMB Signing (the signature) relies on the session key [2], which is derived from the account's password. But if the credential between client and server is a guest account without a password, we might fail to validate the signature.

> Another message appeared in the log after 4.13=>4.17 upgrade:
> ...
> Seems to be happening every 10 minutes.

The above was mentioned in this old thread [4]; now it looks fair :) samba-4.15 started to enable SMB Multichannel by default, so samba-4.13 might not have this log. And for maintenance, the Windows SMB client might periodically send the ioctl to query the server's network info; every 10 minutes in my environment.

> Here, it works most of the time: connections work, files get
> read, directories are followed, etc. So the question is: why does it
> (the whole thing, samba and clients) have no issues whatsoever,
> while in some cases it has problems with signing like the logged
> example? This machine is serving many hundreds of connections, and
> while the amount of this noise in the logs is significant, it is
> definitely only a minority of cases, and from the same machines for
> which samba doesn't log anything most of the time.

'Bad signature' failing on the ioctl to query the server's network interfaces is quite like this case: SMB Multichannel is turned off and it is okay, one single connection/channel is still available for reading/writing/traversing files and folders, just like before we had SMB Multichannel. So clients do not suffer and everything works fine, though the log is triggered.
SMB Multichannel is a useful feature; it is a pity that a guest account without a password could not deploy this new feature. Perhaps use an alternate account with a password as Denis mentioned :)

That the 'ioctl command to query network info' requires SMB Signing to be turned on looks like it is not mentioned in the [MS-SMB2] spec document, though in the wireshark captures it did force the client to sign the request packet. Will ask dochelp for help later to make sure (iirc Obaid's talk at the SambaXP/SDC/SNIA conference seems to have mentioned it).

[1] steps:
1. ws2012r2 uses a command to map a network disk connected to the samba server, using a guest account without a password, like this:
   net use u: \\${IP}\tmp "" /user:nobody
2. the samba server checks the samba session:
   Samba version 4.15.13-Ubuntu
   PID     Username  Group    Machine                    Protocol Version  Encryption  Signing
   ---------------------------------------------------------------------------------------------
   568638  nobody    nogroup  ${IP} (ipv4:${IP}:50189)   SMB3_02           -           -
3. wait 10 minutes and see.

Environment
smb client: Windows Server 2012 R2
smb server: Samba 4.15.13-Ubuntu, Ubuntu 22.04.4
smb.conf:
[global]
  log file = /var/log/samba/log.%m
  map to guest = bad user
  guest account = nobody
[tmp]
  path = /samba_tmp
  browsable = yes
  guest ok = yes
  read only = yes

[2] https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-signing-overview#security-considerations-in-smb2-and-smb3
    https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-and-guest-authentication/ba-p/3846679
[3] https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#%22server_multi_channel_support%22_no_longer_experimental
[4] https://lists.samba.org/archive/samba/2023-February/244093.html

-- 
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
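An added triage example, not part of the thread or of Samba: it parses smbd log lines in the format quoted above and groups 'Bad SMB2 ... signature' events into runs spaced about 10 minutes apart, the cadence Jones attributes to the Multichannel network-interface query from a passwordless guest session. The sample log text is constructed (timestamps and hex dump are illustrative), and the 10-minute period and 30-second tolerance are assumptions taken from the thread's description.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the smbd log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
[2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f..
[2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 12:00:45.001200, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 12:03:10.100000, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
"""

# smbd writes "[date time, level] file:line(function)" then the message on an indented line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+, \d+\] \S+\)$")
BAD_SIG_RE = re.compile(r"^\s*Bad SMB2 \(sign_algo_id=(\d+)\) signature for message$")


def parse_bad_signatures(text):
    """Return [(timestamp, sign_algo_id)] for every bad-signature message."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = BAD_SIG_RE.match(line)
        if m and pending is not None:
            events.append((pending, int(m.group(1))))
        pending = None  # any other message line (e.g. a hex dump) consumes the header
    return events


def periodic_runs(times, period=timedelta(minutes=10), tolerance=timedelta(seconds=30)):
    """Group timestamps into runs spaced `period` apart (within `tolerance`); singletons dropped."""
    runs, current = [], []
    for t in sorted(times):
        if current and abs((t - current[-1]) - period) <= tolerance:
            current.append(t)
        else:
            if len(current) >= 2:
                runs.append(current)
            current = [t]
    if len(current) >= 2:
        runs.append(current)
    return runs
```

Events that fall outside a periodic run (the 12:03:10 entry in the sample) are the ones worth a closer look, since they do not fit the maintenance-query explanation.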