samba - May 2025 - server signing = required

On Wed, 28 May 2025 18:25:50 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello to all,
> 
> I configured a samba Server as followed:
> ---------------
> [global]
>          bind interfaces only = Yes
>          client signing = required
>          disable netbios = Yes
>          interfaces = 192.168.56.45
>          realm = EXAMPLE.NET
>          security = ADS
>          server min protocol = SMB3
>          server signing = required
>          smb ports = 445
>          template shell = /bin/bash
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = EXAMPLE
>          idmap config example : range = 1000000 - 1999999
>          idmap config example : backend = rid
>          idmap config * : range = 10000 - 19999
>          idmap config * : backend = tdb
>          inherit acls = Yes
>          vfs objects = acl_xattr
> ---------------
> 
> So server- ad client-signing is required. If I test with nmap I see:
> ----------------
> nmap --script smb2-security-mode 192.168.56.45
> Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 18:20 CEST
> Nmap scan report for 192.168.56.45
> Host is up (0.00010s latency).
> Not shown: 998 closed tcp ports (reset)
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 445/tcp open  microsoft-ds
> MAC Address: 08:00:27:40:0A:20 (Oracle VirtualBox virtual NIC)
> 
> Host script results:
> | smb2-security-mode:
> |   3:1:1:
> |_    Message signing enabled but not required
> 
> Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
> ----------------
> I expected that signing is shown as required?
> What do I have to do, that signing is required?
ER, read 'man smb.conf' where 'server signing' shows that
'required' is
not a valid value. 

Rowland

Am 28.05.25 um 18:45 schrieb Rowland Penny via samba:
> ER, read 'man smb.conf' where 'server signing' shows that
'required' is
> not a valid value.
Ok I had an old howto it tells me "mandatory or required" but in the
actual manpage only mandatory is shown.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20250528/e143f864/OpenPGP_signature.sig>

Just checked If I write "server signing = mandatory" in smb.conf,
testparm will show "server signing = required"

Am 28.05.25 um 18:45 schrieb Rowland Penny via samba:
> ER, read 'man smb.conf' where 'server signing' shows that
'required' is
> not a valid value.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20250528/1d86b2b3/OpenPGP_signature.sig>