Jones Syue 薛懷宗
2024-Apr-09 08:37 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
> It's still interesting to find the cause though. > Thank you Denis for this hint, - this is the most close so far.Thank you Denis for great insight! This log could be reproduced now :) [1] Three key points are, SMB Multichannel ioctl query network information, SMB signing, and guest account without password. Logs on my environment: samba log: [2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu) Bad SMB2 (sign_algo_id=1) signature for message [2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data) [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f.. [2024/04/09 11:40:44.176134, 0] ../../lib/util/util.c:569(dump_data) [0000] 96 AE 0E 9F 58 70 5B 50 96 CC 3E 6A CF 14 FF 31 ....Xp[P ..>j...1 [2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu) Bad SMB2 (sign_algo_id=1) signature for message [2024/04/09 11:50:44.533205, 0] ../../lib/util/util.c:569(dump_data) [0000] 61 99 25 B6 69 1C BF 69 34 91 32 A0 34 FB 16 9C a.%.i..i 4.2.4... [2024/04/09 11:50:44.533227, 0] ../../lib/util/util.c:569(dump_data) [0000] 0D 1A 14 72 04 E2 D4 32 BC B6 32 E6 8E 55 9D C5 ...r...2 ..2..U.. wireshark: 2171 14:17:50.4 SMB Negotiate Protocol Request 2173 14:17:50.4 SMB2 00000000000000000000000000000000 Negotiate Protocol Response 2174 14:17:50.4 SMB2 00000000000000000000000000000000 Negotiate Protocol Request 2175 14:17:50.4 SMB2 00000000000000000000000000000000 Negotiate Protocol Response 2176 14:17:50.4 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE 2177 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE 2178 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: JONES-123\nobody 2179 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Session Setup Response 2180 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Tree Connect Request Tree: \\${IP}\tmp 2181 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Tree Connect Response 2195 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Request File: Desktop.ini 2196 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND 2197 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Request File: AutoRun.inf 2198 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND 32716 14:20:49.6 SMB2 nobody 9f564aa7f2a2d83d7b3e85fc03bcbc91 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO 32719 14:20:49.6 SMB2 nobody 3319358928e475b1f59b9359f8f91c77 Ioctl Response, Error: STATUS_ACCESS_DENIED 226178 14:30:49.9 SMB2 nobody 759a242577d7cda8dd4a2888f6e79578 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO 226182 14:30:49.9 SMB2 nobody 1cd3596497d8928bccbec8e3c70baabc Ioctl Response, Error: STATUS_ACCESS_DENIED 368940 14:40:50.3 SMB2 nobody cb2d942473aecc7ace27bd3700f9d679 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO 368943 14:40:50.3 SMB2 nobody ef75e7f887f13ae6b7554737858c45d3 Ioctl Response, Error: STATUS_ACCESS_DENIED event viewer: Error 2024/4/9 AM 11:40:43 SMBClient 31013 None Error 2024/4/9 AM 11:50:44 SMBClient 31013 None It is about: when SMB Multichannel is turn-on, windows smb client would send ioctl request to query network interface information of smb server, this pair of ioctl request/response requires SMB Signing been turn-on too. SMB Signing (signature) relies on session key[2], which is derived from the account's password. But, if credential between client/server is a guest account without password, we might fail to validate signature.> Another message appeared in the log after 4.13=>4.17 upgrade: > ... > Seems to be happening every 10 minutes.Above is mentioned by this old thread[4] now it looks fair :), samba-4.15 starts to enable SMB Multichannel as default, so samba-4.13 might not have this log. And for maintenance, windows smb client might periodically send ioctl to query server's network info every 10 minutes in my environment.> Here, it works most of the time, - connections works, files gets > read, directories followed etc. So the question is, - why it > (the whole thing, samba and clients) has no issues whatsoever, > while in some cases it has problems with signing like the logged > example? This machine is serving many 100s of connections, and > while amount of this noize in logs is significant, it definitely > is in minority of cases only. From the same machines for which > samba don't log anything most of the time, too.'Bad signature' failed on ioctl to query server's network interfaces, is quite like this case: SMB Multichannel is turn-off and it is okay, still one single connection/channel is available for read/write/traversal files and folders, just like before we do not have SMB Multichannel. So clients are not suffered and everything works fine though log is triggered. SMB Multichannel is a useful feature, it a pity that guest account without password could not deploy this new feature, perhaps use an alternate account with password as Denis mentioned :) 'ioctl command to query network info' requires SMB Signing been turn-on looks like not mentioned in [MS-SMB2] spec document, though through wireshark caputures it did force client to sign the request packet, will ask dochelp for help later to make sure (iirc SambaXP/SDC/SNIA conference Obaid's talk seems mentioned it) [1] steps: 1. ws2012r2 uses command to map a netdisk connected to samba server, by using a guest account without passwrd, like this: net use u: \\${IP}\tmp "" /user:nobody 2. samba server checks sambs session: Samba version 4.15.13-Ubuntu PID Username Group Machine Protocol Version Encryption Signing ---------------------------------------------------------------------------------------------------------------------------------------- 568638 nobody nogroup ${IP} (ipv4:${IP}:50189) SMB3_02 - - 3. wait 10 minutes and see. Environment smb client: Windows Server 2012 R2 smb server: Samba 4.15.13-Ubuntu, Ubuntu 22.04.4 smb.conf: [global] log file = /var/log/samba/log.%m map to guest = bad user guest account = nobody [tmp] path = /samba_tmp browsable = yes guest ok = yes read only = yes [2] https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-signing-overview#security-considerations-in-smb2-and-smb3 https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-and-guest-authentication/ba-p/3846679 [3] https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#%22server_multi_channel_support%22_no_longer_experimental [4] https://lists.samba.org/archive/samba/2023-February/244093.html -- Regards, Jones Syue | ??? QNAP Systems, Inc.
Jones Syue 薛懷宗
2024-Apr-09 08:57 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
Ohh my bad, following is the correct wireshark captures to match samba log and event viewer logs: wireshark 5895 11:38:38.5 SMB Negotiate Protocol Request 5897 11:38:38.5 SMB2 00000000000000000000000000000000 Negotiate Protocol Response 5898 11:38:38.5 SMB2 00000000000000000000000000000000 Negotiate Protocol Request 5899 11:38:38.5 SMB2 00000000000000000000000000000000 Negotiate Protocol Response 5900 11:38:38.5 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE 5901 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE 5902 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: \nobody 5903 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Session Setup Response 5912 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Request Tree: \\10.19.251.135\IPC$ 5913 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Response 5914 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \10.19.251.135\tmp 5915 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Ioctl Response, Error: STATUS_NOT_FOUND 5916 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Request Tree: \\10.19.251.135\tmp 5917 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Response 5953 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Request File: Desktop.ini 5954 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND 5955 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Request File: AutoRun.inf 5956 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND 7526 11:38:49.2 SMB2 nobody 00000000000000000000000000000000 Tree Disconnect Request 7527 11:38:49.2 SMB2 nobody 00000000000000000000000000000000 Tree Disconnect Response 22453 11:40:43.8 SMB2 nobody 631023af17e6f9b7edaa43f98a66d3b1 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO 22455 11:40:43.8 SMB2 nobody 3641111768469445f17980e07900b221 Ioctl Response, Error: STATUS_ACCESS_DENIED 186869 11:50:44.1 SMB2 nobody 619925b6691cbf69349132a034fb169c Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO 186874 11:50:44.1 SMB2 nobody f8b34323fab89f88cf2926750aff336c Ioctl Response, Error: STATUS_ACCESS_DENIED samba log: [2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu) Bad SMB2 (sign_algo_id=1) signature for message [2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data) [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f.. [2024/04/09 11:40:44.176134, 0] ../../lib/util/util.c:569(dump_data) [0000] 96 AE 0E 9F 58 70 5B 50 96 CC 3E 6A CF 14 FF 31 ....Xp[P ..>j...1 [2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu) Bad SMB2 (sign_algo_id=1) signature for message [2024/04/09 11:50:44.533205, 0] ../../lib/util/util.c:569(dump_data) [0000] 61 99 25 B6 69 1C BF 69 34 91 32 A0 34 FB 16 9C a.%.i..i 4.2.4... [2024/04/09 11:50:44.533227, 0] ../../lib/util/util.c:569(dump_data) [0000] 0D 1A 14 72 04 E2 D4 32 BC B6 32 E6 8E 55 9D C5 ...r...2 ..2..U.. event viewer: Error 2024/4/9 AM 11:40:43 SMBClient 31013 None Error 2024/4/9 AM 11:50:44 SMBClient 31013 None -- Regards, Jones Syue | ??? QNAP Systems, Inc.
Jones Syue 薛懷宗
2024-Apr-23 01:32 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
> 'ioctl command to query network info' requires SMB Signing been turn-on > looks like not mentioned in [MS-SMB2] spec document, though through > wireshark caputures it did force client to sign the request packet, will > ask dochelp for help later to make sure (iirc SambaXP/SDC/SNIA conference > Obaid's talk seems mentioned it)https://lists.samba.org/archive/cifs-protocol/2024-April/004282.html Just for reference Microsoft will update doc [MS-SMB2] later :) -- Regards, Jones Syue | ??? QNAP Systems, Inc.
Maybe Matching Threads
- Bad SMB2 (sign_algo_id=1) signature for message
- Bad SMB2 (sign_algo_id=1) signature for message
- more logging: Bad SMB2 (sign_algo_id=1) signature for message
- Bad SMB2 (sign_algo_id=1) signature for message
- SNIA 2008 Storage Developer Conference CIFS/SMB/SMB2 Plugfest