Jones Syue 薛懷宗
2024-Apr-09 08:37 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
> It's still interesting to find the cause though.
> Thank you Denis for this hint, - this is the most close so far.

Thank you Denis for great insight! This log could be reproduced now :) [1]
Three key points are: SMB Multichannel ioctl query network information, SMB signing, and guest account without password.

Logs on my environment:

samba log:
  [2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
    Bad SMB2 (sign_algo_id=1) signature for message
  [2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f..
  [2024/04/09 11:40:44.176134, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 96 AE 0E 9F 58 70 5B 50 96 CC 3E 6A CF 14 FF 31 ....Xp[P ..>j...1
  [2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
    Bad SMB2 (sign_algo_id=1) signature for message
  [2024/04/09 11:50:44.533205, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 61 99 25 B6 69 1C BF 69 34 91 32 A0 34 FB 16 9C a.%.i..i 4.2.4...
  [2024/04/09 11:50:44.533227, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 0D 1A 14 72 04 E2 D4 32 BC B6 32 E6 8E 55 9D C5 ...r...2 ..2..U..
wireshark:
  2171 14:17:50.4 SMB Negotiate Protocol Request
  2173 14:17:50.4 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
  2174 14:17:50.4 SMB2 00000000000000000000000000000000 Negotiate Protocol Request
  2175 14:17:50.4 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
  2176 14:17:50.4 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE
  2177 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  2178 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: JONES-123\nobody
  2179 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Session Setup Response
  2180 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Tree Connect Request Tree: \\${IP}\tmp
  2181 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Tree Connect Response
  2195 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Request File: Desktop.ini
  2196 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
  2197 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Request File: AutoRun.inf
  2198 14:17:50.4 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
  32716 14:20:49.6 SMB2 nobody 9f564aa7f2a2d83d7b3e85fc03bcbc91 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
  32719 14:20:49.6 SMB2 nobody 3319358928e475b1f59b9359f8f91c77 Ioctl Response, Error: STATUS_ACCESS_DENIED
  226178 14:30:49.9 SMB2 nobody 759a242577d7cda8dd4a2888f6e79578 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
  226182 14:30:49.9 SMB2 nobody 1cd3596497d8928bccbec8e3c70baabc Ioctl Response, Error: STATUS_ACCESS_DENIED
  368940 14:40:50.3 SMB2 nobody cb2d942473aecc7ace27bd3700f9d679 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
  368943 14:40:50.3 SMB2 nobody ef75e7f887f13ae6b7554737858c45d3 Ioctl Response, Error: STATUS_ACCESS_DENIED
event viewer:
  Error 2024/4/9 AM 11:40:43 SMBClient 31013 None
  Error 2024/4/9 AM 11:50:44 SMBClient 31013 None

It is about: when SMB Multichannel is turned on, windows smb client would send ioctl request to query network interface information of smb server, this pair of ioctl request/response requires SMB Signing to be turned on too. SMB Signing (signature) relies on session key[2], which is derived from the account's password. But, if credential between client/server is a guest account without password, we might fail to validate signature.

> Another message appeared in the log after 4.13=>4.17 upgrade:
> ...
> Seems to be happening every 10 minutes.

Above is mentioned by this old thread[4], now it looks fair :), samba-4.15 starts to enable SMB Multichannel as default, so samba-4.13 might not have this log. And for maintenance, windows smb client might periodically send ioctl to query server's network info every 10 minutes in my environment.

> Here, it works most of the time, - connections works, files gets
> read, directories followed etc. So the question is, - why it
> (the whole thing, samba and clients) has no issues whatsoever,
> while in some cases it has problems with signing like the logged
> example? This machine is serving many 100s of connections, and
> while amount of this noise in logs is significant, it definitely
> is in minority of cases only. From the same machines for which
> samba don't log anything most of the time, too.

'Bad signature' failed on ioctl to query server's network interfaces, is quite like this case: SMB Multichannel is turned off and it is okay, still one single connection/channel is available for read/write/traversal of files and folders, just like before we had SMB Multichannel. So clients do not suffer and everything works fine though log is triggered.
SMB Multichannel is a useful feature, it is a pity that guest account without password could not deploy this new feature, perhaps use an alternate account with password as Denis mentioned :)

'ioctl command to query network info' requires SMB Signing to be turned on, which looks like it is not mentioned in [MS-SMB2] spec document, though through wireshark captures it did force client to sign the request packet, will ask dochelp for help later to make sure (iirc SambaXP/SDC/SNIA conference Obaid's talk seems to have mentioned it)

[1] steps:
1. ws2012r2 uses command to map a netdisk connected to samba server, by using a guest account without password, like this:
   net use u: \\${IP}\tmp "" /user:nobody
2. samba server checks samba session:
   Samba version 4.15.13-Ubuntu
   PID     Username  Group    Machine                    Protocol Version  Encryption  Signing
   ----------------------------------------------------------------------------------------------------------------------------------------
   568638  nobody    nogroup  ${IP} (ipv4:${IP}:50189)   SMB3_02           -           -
3. wait 10 minutes and see.

Environment
smb client: Windows Server 2012 R2
smb server: Samba 4.15.13-Ubuntu, Ubuntu 22.04.4
smb.conf:
   [global]
   log file = /var/log/samba/log.%m
   map to guest = bad user
   guest account = nobody
   [tmp]
   path = /samba_tmp
   browsable = yes
   guest ok = yes
   read only = yes

[2] https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-signing-overview#security-considerations-in-smb2-and-smb3
    https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-and-guest-authentication/ba-p/3846679
[3] https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#%22server_multi_channel_support%22_no_longer_experimental
[4] https://lists.samba.org/archive/samba/2023-February/244093.html

--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
Jones Syue 薛懷宗
2024-Apr-09 08:57 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
Ohh my bad, following is the correct wireshark captures to match samba log and event viewer logs:

wireshark:
  5895 11:38:38.5 SMB Negotiate Protocol Request
  5897 11:38:38.5 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
  5898 11:38:38.5 SMB2 00000000000000000000000000000000 Negotiate Protocol Request
  5899 11:38:38.5 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
  5900 11:38:38.5 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE
  5901 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  5902 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: \nobody
  5903 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Session Setup Response
  5912 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Request Tree: \\10.19.251.135\IPC$
  5913 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Response
  5914 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \10.19.251.135\tmp
  5915 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Ioctl Response, Error: STATUS_NOT_FOUND
  5916 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Request Tree: \\10.19.251.135\tmp
  5917 11:38:38.5 SMB2 nobody 00000000000000000000000000000000 Tree Connect Response
  5953 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Request File: Desktop.ini
  5954 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
  5955 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Request File: AutoRun.inf
  5956 11:38:38.6 SMB2 nobody 00000000000000000000000000000000 Create Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
  7526 11:38:49.2 SMB2 nobody 00000000000000000000000000000000 Tree Disconnect Request
  7527 11:38:49.2 SMB2 nobody 00000000000000000000000000000000 Tree Disconnect Response
  22453 11:40:43.8 SMB2 nobody 631023af17e6f9b7edaa43f98a66d3b1 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
  22455 11:40:43.8 SMB2 nobody 3641111768469445f17980e07900b221 Ioctl Response, Error: STATUS_ACCESS_DENIED
  186869 11:50:44.1 SMB2 nobody 619925b6691cbf69349132a034fb169c Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
  186874 11:50:44.1 SMB2 nobody f8b34323fab89f88cf2926750aff336c Ioctl Response, Error: STATUS_ACCESS_DENIED

samba log:
  [2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
    Bad SMB2 (sign_algo_id=1) signature for message
  [2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f..
  [2024/04/09 11:40:44.176134, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 96 AE 0E 9F 58 70 5B 50 96 CC 3E 6A CF 14 FF 31 ....Xp[P ..>j...1
  [2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
    Bad SMB2 (sign_algo_id=1) signature for message
  [2024/04/09 11:50:44.533205, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 61 99 25 B6 69 1C BF 69 34 91 32 A0 34 FB 16 9C a.%.i..i 4.2.4...
  [2024/04/09 11:50:44.533227, 0] ../../lib/util/util.c:569(dump_data)
    [0000] 0D 1A 14 72 04 E2 D4 32 BC B6 32 E6 8E 55 9D C5 ...r...2 ..2..U..

event viewer:
  Error 2024/4/9 AM 11:40:43 SMBClient 31013 None
  Error 2024/4/9 AM 11:50:44 SMBClient 31013 None

--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
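Added example (not part of the original thread, and not Samba code): a triage script that pairs each "Bad SMB2 ... signature" log entry with the signed Ioctl Request in the capture and measures the interval between entries. It assumes the first dump_data line after the error is the signature carried in the request (it equals the request's Signature field in the capture above) and the second is the value the server computed; parse_events, correlate, SAMBA_LOG and CAPTURE are hypothetical names.

```python
import re
from datetime import datetime

# Log lines and Signature fields copied from the messages above.
SAMBA_LOG = """\
[2024/04/09 11:40:44.175958, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 11:40:44.176101, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 63 10 23 AF 17 E6 F9 B7 ED AA 43 F9 8A 66 D3 B1 c.#..... ..C..f..
[2024/04/09 11:40:44.176134, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 96 AE 0E 9F 58 70 5B 50 96 CC 3E 6A CF 14 FF 31 ....Xp[P ..>j...1
[2024/04/09 11:50:44.533099, 0] ../../libcli/smb/smb2_signing.c:722(smb2_signing_check_pdu)
  Bad SMB2 (sign_algo_id=1) signature for message
[2024/04/09 11:50:44.533205, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 61 99 25 B6 69 1C BF 69 34 91 32 A0 34 FB 16 9C a.%.i..i 4.2.4...
[2024/04/09 11:50:44.533227, 0] ../../lib/util/util.c:569(dump_data)
  [0000] 0D 1A 14 72 04 E2 D4 32 BC B6 32 E6 8E 55 9D C5 ...r...2 ..2..U..
"""
CAPTURE = {22453: "631023af17e6f9b7edaa43f98a66d3b1",   # frame -> request signature
           186869: "619925b6691cbf69349132a034fb169c"}
HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\] \S+\((\w+)\)")
DUMP = re.compile(r"^\s*\[0000\]((?:\s+[0-9A-Fa-f]{2}){16})")

def parse_events(log):
    # Collect each "Bad SMB2 ... signature" entry with the two 16-byte dumps after it.
    events, cur, func, ts = [], None, None, None
    for line in log.splitlines():
        h = HDR.match(line)
        if h:
            ts, func = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S"), h.group(2)
            if func not in ("smb2_signing_check_pdu", "dump_data"):
                cur = None   # an unrelated log entry ends the current event
        elif func == "smb2_signing_check_pdu" and "Bad SMB2" in line:
            cur = {"time": ts, "sigs": []}
            events.append(cur)
        elif func == "dump_data" and cur is not None and len(cur["sigs"]) < 2 and (d := DUMP.match(line)):
            cur["sigs"].append("".join(d.group(1).split()).lower())
    return [e for e in events if len(e["sigs"]) == 2]

def correlate(events, capture):
    # Assumption: first dump = signature sent by the client, second = server's value.
    by_sig = {sig: frame for frame, sig in capture.items()}
    prev = [None] + [e["time"] for e in events]
    return [{"time": e["time"], "frame": by_sig.get(e["sigs"][0]),
             "mismatch": e["sigs"][0] != e["sigs"][1],
             "gap_s": (e["time"] - p).total_seconds() if p else None}
            for e, p in zip(events, prev)]

print(correlate(parse_events(SAMBA_LOG), CAPTURE))
```

A frame of None in the result means the log entry has no matching signed request in the capture, which is what the first message's capture would give against this log.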
Jones Syue 薛懷宗
2024-Apr-23 01:32 UTC
[Samba] Bad SMB2 (sign_algo_id=1) signature for message
> 'ioctl command to query network info' requires SMB Signing been turn-on
> looks like not mentioned in [MS-SMB2] spec document, though through
> wireshark captures it did force client to sign the request packet, will
> ask dochelp for help later to make sure (iirc SambaXP/SDC/SNIA conference
> Obaid's talk seems mentioned it)

https://lists.samba.org/archive/cifs-protocol/2024-April/004282.html

Just for reference, Microsoft will update doc [MS-SMB2] later :)

--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.