
[Samba] RequireSecuritySignature=1 and public share with guest not working


Olszewski, Raphael

Mar 12, 2015, 1:30:05 PM
Hello
I have a Samba server with a public share. It was configured with security=share.
Now I have to tighten security by setting these flags in the Windows client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1
RequireSecuritySignature=1

Since this change the public share is not working anymore. I found that SMB signing requires security=user.
So I tried that, and it is not working either.

My config is

[global]
security = user
auth methods = guest
map to guest = Bad User
log file = /var/log/samba/log.%m
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required
[pub]
path = /fs1/smb_test_signing
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes

The user coming from Windows to Samba is NOT configured, and the user nobody as guest should be the one used in the end to write or read on the filesystem.

I already updated from 3.6.3 and have now installed sernet-samba-4.1.17-11.suse111.x86_64 (SLES11 SP3).
The clients are Win7 clients joined to foreign domains.

While debugging I see on the Samba server side (stripped):

[2015/03/12 15:44:01.506174, 6, pid=421, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2658(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Mar 12 09:58:57 2015
[2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
version : SMBXSRV_VERSION_0 (0)
seqnum : 0x00000002 (2)
info : union smbXsrv_session_globalU(case 0)
info0: struct smbXsrv_session_global0
session_global_id : 0xfeda2f8e (4275711886)
session_wire_id : 0x00000000feda2f8e (4275711886)
creation_time : Thu Mar 12 03:44:01 PM 2015 CET
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
auth_session_info_seqnum : 0x00000001 (1)
auth_session_info: struct auth_session_info
security_token: struct security_token
num_sids : 0x00000008 (8)
sids: ARRAY(8)
sids : S-1-5-21-1006455019-4192495585-3927419034-501
sids : S-1-5-21-1006455019-4192495585-3927419034-514
sids : S-1-22-2-65533
sids : S-1-22-2-65534
sids : S-1-1-0
sids : S-1-5-2
sids : S-1-5-32-546
sids : S-1-22-1-65534
privilege_mask : 0x0000000000000000 (0)
rights_mask : 0x00000000 (0)
unix_token: struct security_unix_token
uid : 0x000000000000fffe (65534)
gid : 0x000000000000fffd (65533)
ngroups : 0x00000002 (2)
groups: ARRAY(2)
groups : 0x000000000000fffd (65533)
groups : 0x000000000000fffe (65534)
info: struct auth_user_info
account_name : 'nobody'
domain_name : 'SMB'
authenticated : 0x00 (0)
unix_info: struct auth_user_info_unix
unix_name : 'nobody'
torture : NULL
credentials : NULL
connection_dialect : 0x0210 (528)
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
num_channels : 0x00000001 (1)
[2015/03/12 15:44:01.514273, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2494(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:9] at ../source3/smbd/smb2_sesssetup.c:168
[2015/03/12 15:44:01.514343, 50, pid=421, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
s3_tevent: Destroying timer event 0x7fee588a5570 "smbd_smb2_request_pending_timer"
[2015/03/12 15:44:01.514397, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
smb2_set_operation_credit: requested 31, charge 1, granted 31, current possible/max 512/512, total granted/max/low/range 31/8192/4/31
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
[2015/03/12 15:44:01.515495, 4, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/03/12 15:44:01.515551, 5, pid=421, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)

Wondering about
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
And then
smb2_server.c:1002(smbd_server_connection_terminate_ex) smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304

The client shows ReasonCode: 0x80004005
When I change the registry to RequireSecuritySignature=0, I can access it.

How do I have to configure the SMB server to have a real public share for Windows 7 clients that are not specially configured (domain, computer account, user, ...)?
Do I understand security signatures wrong?
Is this scenario possible without the Samba server being joined to the domain? (What I wanted)

Raphael
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
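
The fields this post singles out (`authenticated`, `signing_required`, `encryption_required` and the termination reason) can be pulled out of a high-debug-level smbd log mechanically. The following is an added example, not part of the original post or of Samba; the function names are assumptions, and the sample log is condensed from the dump above plus one constructed session for contrast.

```python
import re

# Constructed sample. Session 1 is condensed from the dump quoted in the post
# above; session 2 (pid 422, user 'alice') is invented here for contrast.
SAMPLE_LOG = """\
[2015/03/12 15:44:01.506728, 1, pid=421, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
session_global_id : 0xfeda2f8e (4275711886)
account_name : 'nobody'
authenticated : 0x00 (0)
connection_dialect : 0x0210 (528)
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
[2015/03/12 15:44:01.515362, 10, pid=421, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3304
[2015/03/12 15:50:10.000001, 1, pid=422, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
account_name : 'alice'
authenticated : 0x01 (1)
connection_dialect : 0x0300 (768)
signing_required : 0x01 (1)
encryption_required : 0x00 (0)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+,\s*pid=(?P<pid>\d+),")
FIELD = re.compile(r"^\s*(?P<key>\w+)\s*:\s*(?P<val>.*\S)\s*$")
REASON = re.compile(r"smbd_server_connection_terminate_ex: reason\[(?P<reason>\w+)\]")

NUMERIC = {"session_global_id", "authenticated", "connection_dialect",
           "signing_required", "encryption_required"}
# SMB2 dialect revision codes as they appear in connection_dialect.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def parse_sessions(log_text):
    """Return one dict per smbXsrv_session_globalB dump found in the log."""
    sessions, latest_by_pid = [], {}
    pid = ts = rec = None
    in_dump = False
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:                      # a new log record ends any open dump
            pid, ts, in_dump = header["pid"], header["ts"], False
            continue
        if "struct smbXsrv_session_globalB" in line:
            rec = {"pid": pid, "time": ts, "terminated": None}
            sessions.append(rec)
            latest_by_pid[pid] = rec
            in_dump = True
            continue
        reason = REASON.search(line)
        if reason and pid in latest_by_pid:
            # Attach the termination to the last session seen for this smbd pid.
            latest_by_pid.pop(pid)["terminated"] = reason["reason"]
            continue
        if in_dump:
            field = FIELD.match(line)
            if not field:
                continue
            key, val = field["key"], field["val"]
            if key in NUMERIC:
                rec[key] = int(val.split()[0], 16)   # "0x00 (0)" -> 0
            elif key == "account_name":
                rec[key] = val.strip("'")
    return sessions


def triage(sessions):
    """List unauthenticated (guest) sessions whose connection was then torn down."""
    findings = []
    for s in sessions:
        if s.get("authenticated") == 0 and s["terminated"]:
            dialect = DIALECTS.get(s.get("connection_dialect"), "unknown dialect")
            findings.append(
                f"pid {s['pid']} {s['time']}: guest session as "
                f"'{s.get('account_name')}' over {dialect}, "
                f"signing_required={s.get('signing_required')}, "
                f"then {s['terminated']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sessions(SAMPLE_LOG)):
        print(finding)
```
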

L.P.H. van Belle

Mar 13, 2015, 4:10:04 AM
Hai,

Try these settings in global settings.

####### Authentication #######
## stand alone everything open.
security = user
guest ok = yes
map to guest = bad password

Add these to the share.
guest ok = yes

This sets Samba open without a password prompt.
I use it at home for my kodi server.

Greetz,

Louis



Olszewski, Raphael

Mar 13, 2015, 5:50:02 AM
Hi
I tried exactly your type of config.

With "RequireSecuritySignature=0" the anonymous access is working as expected.
As soon as I set "RequireSecuritySignature=1" it is not working anymore.

So the problem does not seem to be configuring the guest access. The problem seems to be requiring the signing.
I thought it could be fixed with the right config, but I did not find a working combination.

Do I have to set up certificates for the signing?
Or how will the messages be signed?
My guess is that the signing isn't working as expected ...

Regards, Raphael

L.P.H. van Belle

Mar 13, 2015, 6:30:03 AM
Strange, I did not change anything in my Windows 7 64-bit.
This is my full setup, pretty basic.
Ubuntu 14.04.2 LTS, Trusty Tahr, with sernet samba 4.1.17-9

I do have 1 user for samba.

pdbedit -L
xbmc:5000:MediaUser

[global]

workgroup = PRIVE
server string = %h server
dns proxy = yes
; name resolve order = lmhosts host wins bcast

#### Networking ####
# interfaces = 127.0.0.0/8 eth0
# bind interfaces only = yes

#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
## stand alone everything open.
security = user
guest ok = yes
map to guest = bad password
####
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes


########## Printing ##########
#---- disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#======================= Share Definitions =======================

[homes]
comment = Home Directorie
browseable = no
read only = yes
valid users = %S

[backups]
comment = Backups Share
path = /media/diverse/backups
force user = xbmc
read only = no
guest ok = yes




Olszewski, Raphael

Mar 13, 2015, 11:00:04 AM
Hi Louis
I explicitly have to change on the Win7 client the parameter [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
from RequireSecuritySignature=0 => RequireSecuritySignature=1
and then I have the problem.
Before that, everything is working.
All solutions on the web just tell me to set RequireSecuritySignature=0, but this is NOT a solution for me, since I have to activate RequireSecuritySignature=1.
My original question is: Why is it failing then? Or what do I have to do so that this works with RequireSecuritySignature=1?

Raphael




L.P.H. van Belle

Mar 13, 2015, 11:30:06 AM
Check the output of:

echo "\n" | testparm -vv | grep signing
and
echo "\n" | testparm -vv | grep protocol

For me the default is:
client max protocol = NT1

But I don't use signing.

But I "think" you need to set the client signing = mandatory
and
client max protocol = SMB2

(from man smb.conf)

But if anyone on the list knows this better, please correct me.
I'm not sure about this one, I have never used it.


Greetz,

Louis



Olszewski, Raphael

Mar 16, 2015, 4:00:05 AM
Hi Louis

Thank you!
As I wrote in my first post, I even tried with these settings:
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required
But it was not working as soon as I use RequireSecuritySignature=1 on the client.

It seems that the client is stopping communication, since the Win7 client expects something from Samba.
net use t: \\samba\pub
systemerror 1240

The MS Knowledge Base article speaks about enabling plain text passwords. But this is wrong, since I do not change this password setting, I just require signing.

Is there somebody out there who knows how to set up Samba for using RequireSecuritySignature=1 on Windows clients?

Greetz Raphael

Rowland Penny

Mar 16, 2015, 5:10:03 AM
Hi, what I am struggling to understand here is, whilst you are allowing
anybody the machine doesn't know to connect, you want to allow only
users from some machines to connect, is this correct ?

If so, have you investigated the 'hosts allow' parameter ?

Rowland

Olszewski, Raphael

Mar 16, 2015, 5:40:05 AM
Hi Rowland
In former times there was "security=share"; now I have to use "RequireSecuritySignature=1" on the client side.
The documentation for SMB signing says this is only possible with "security=user", not with share.
So I switched to security=user, configured guest access to the public share and activated RequireSecuritySignature=1.
And then, with RequireSecuritySignature=1, the client cannot access this share anymore. Just by changing to RequireSecuritySignature=0, the share is working.
The client says: error 1240
The server sees only "connection reset"
All I need is a public share together with SMB signing and RequireSecuritySignature=1

Regards, Raphael

Rowland Penny

Mar 16, 2015, 5:40:05 AM
On 16/03/15 09:29, Olszewski, Raphael wrote:
>
> Hi Rowland
>
> In former time there was „security=share“, now i have to use
> “RequireSecuritySignature=1” on client side.
> Documentation for SMB signing says, this is only possible with
> “security=user”, not with share.
>
> So I switched to security=user, configured guest-access to the public
> share and activated this RequireSecuritySignature=1
>
> And then – with RequireSecuritySignature=1 – the client cannot access
> this share anymore. Just changing to RequireSecuritySignature=0 the
> share is working.
>
> The client says: error 1240
>
> The Server sees only “connection reset”
>
> All I need is a _public share together with smb signing_ and
> RequireSecuritySignature=1
>

WHY???

Olszewski, Raphael

Mar 16, 2015, 6:00:04 AM
For security reasons SMB signing has to be activated, and this share between Linux and Windows is now dead.
And I cannot find the correct settings for a public share in this scenario.
It has to be public, because the Linux machine isn't allowed to join the domain and, the other way around, the Windows clients cannot leave their domains.
And I think that just signing SMB messages should not speak against a public share, since those signed SMB messages just make me sure that no man in the middle is manipulating my SMB messages.

Regards, Raphael

Rowland Penny

Mar 16, 2015, 6:20:03 AM
> > And then – with RequireSecuritySignature=1 – the client cannot access
> > this share anymore. Just changing to RequireSecuritySignature=0 the
> > share is working.
> >
> > The client says: error 1240
> >
> > The Server sees only “connection reset”
> >
> > All I need is a _public share together with smb signing_ and
> > RequireSecuritySignature=1
> >
>
> WHY???
>
> Rowland
>
>

So you need to make sure that the request to connect comes from a member
of your domain ?

I take it that the members of said domain have an IP address, in which
case adding something like:

'hosts allow = 192.168.0.0/24'

would only allow connections from hosts with the IP address 192.168.0.X

You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'

see 'man smb.conf' for more info.

Olszewski, Raphael

Mar 16, 2015, 8:20:04 AM
Hi Rowland
The client is stopping communication, not the server. With error 1240.
And since it is working with the client setting RequireSecuritySignature=0 without any problem, 'hosts allow' can be neither the problem nor the solution.


So, setting RequireSecuritySignature=1 at the client needs a corresponding setting at the server, I guess.
But even explicit settings on the Samba side like these are not helping:

security = user

auth methods = guest

map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required

Greetz Raphael

Rowland Penny

Mar 16, 2015, 9:20:04 AM
On 16/03/15 12:14, Olszewski, Raphael wrote:
>
> Hi Rowland
> The client is stopping communication, not the server. With error 1240.
> And since it is working with the client setting
> RequireSecuritySignature=0 without any problem, ' hosts allow' cannot
> be either the problem nor the solution.
>
> So – setting RequireSecuritySignature=1 at the client needs a
> corresponding setting at the server – I guess.
> > > And then – with RequireSecuritySignature=1 – the client cannot
> > > access this share anymore. Just changing to
> > > RequireSecuritySignature=0 the share is working.
> > >
> > > The client says: error 1240
> > >
> > > The Server sees only “connection reset”
> > >
> > > All I need is a _public share together with smb signing_ and
> > > RequireSecuritySignature=1
> > >
> >
> > WHY???
> >
> > Rowland
> >
> >
>
> So you need to make sure that the request to connect comes from a
> member of your domain ?
>
> I take it that the members of said domain have an ipaddress, in which
> case adding some thing like:
>
> 'hosts allow = 192.168.0.0/24'
>
> Would only allow connection from hosts with the ipaddress 192.168.0.X
>
> You could, if you are using a NIS domain, use 'hosts allow = @DOMAIN'
>
> see 'man smb.conf' for more info.
>
> Rowland
>

I think you are missing my point, from the brief search I did, the whole
world seems to think that you need to set 'RequireSecuritySignature=0' ,
so why do you *need* to set it to '1' ?

If it is to ensure that only users on certain machines can connect, then
'hosts allow' should give you the same result.

Olszewski, Raphael

Mar 16, 2015, 11:10:04 AM
Hi Rowland
Sorry for not being clear.

In my first post I already wrote:


Now I have to tighten security by setting these flags in the Windows client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
EnablePlainTextPassword=0
EnableSecuritySignature=1

RequireSecuritySignature=1
. . .
When I change the registry to RequireSecuritySignature=0, everything works as expected.


If the setting is still RequireSecuritySignature=0, everything is working with the changed Samba config.
But I am forced to change from RequireSecuritySignature=0 to RequireSecuritySignature=1.
After changing the client to RequireSecuritySignature=1, the same public share with guest access is not working anymore.

Greetz, Raphael

Rowland Penny

Mar 16, 2015, 11:40:06 AM
On 16/03/15 15:00, Olszewski, Raphael wrote:
>
> Hi Rowland
> sorry for not being clear.
>
> In my first post I already wrote:
>
> Now I have to tight security with setting those flags in the windows
> client:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>
> EnablePlainTextPassword=0
>
> EnableSecuritySignature=1
>
> RequireSecuritySignature=1
> . . .
> when I change registry to RequireSecuritySignature=0, everything works like expected.
>
> If setting is still RequireSecuritySignature=0 – everything is working
> with the changed samba config.
> But - i’am forced to change from RequireSecuritySignature=0 to
> RequireSecuritySignature=1
> If changing the client to RequireSecuritySignature=1 the same public
> share with guest access is not working anymore.
>
>
> Greetz, Raphael

OK, I have had a look at the portion of smb.conf you posted and you
posted this:

security = user
auth methods = guest
map to guest = Bad User
client max protocol = SMB3
client min protocol = SMB2
client signing = required
server signing = required

Try this:

security = user
map to guest = Bad User
client min protocol = SMB2
client signing = mandatory
server signing = mandatory

The changes: You do not need the 'auth methods' for a public server;
with Samba 4 the 'client max protocol' defaults to 'SMB3'; 'required'
is not an option for 'client signing' or 'server signing' according to 'man
smb.conf', the three options are 'auto, mandatory and disabled'.

Olszewski, Raphael

Mar 17, 2015, 5:10:04 AM
Hi Rowland
I've made the config exactly as you sent it.

Running testparm gives me
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[pub]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]

netbios name = ME

server string = Samba Server %v

map to guest = Bad User

log file = /var/log/samba/log.%m

client min protocol = SMB2

client signing = required

server signing = required

idmap config * : backend = tdb

guest ok = Yes

[pub]

path = /fs1/smb_test_signing_fuso

read only = No

create mask = 0777

directory mask = 0777

So, writing mandatory in the config shows required in the testparm output.
And even "server signing = required" / "idmap config * : backend = tdb" were NOT in the smb.conf, since I used your config.
Same with "security = user"
And pub has "browsable = yes" / "writable = yes" in smb.conf.
Even a config like
client signing = mandatory
server signing = required
shows with testparm
client signing = required
server signing = required

That shows me: testparm is interpreting the conf and shows me what it is really using.

BUT - even with your config I get exactly the same picture as in my countless tries before:
RequireSecuritySignature=0 (old value) => share is working
RequireSecuritySignature=1 (needed value) => share is NOT working, and I get the client error 1240 or 0x80004005 (the only change is this flag from 0 to 1)

To clarify: on the client side I ONLY change this value RequireSecuritySignature to 1. Nothing else. Just a client reboot is necessary for this change to become active.


I think it is a problem with SMB signing, not with the share config.

Raphael

Rowland Penny

Mar 17, 2015, 6:00:04 AM
On 17/03/15 09:02, Olszewski, Raphael wrote:
>
> Hi Rowland
> i’ve made the config exactly like you sent.
>
> Doing testparm gives me
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[pub]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
>
> netbios name = ME
>
> server string = Samba Server %v
>
> map to guest = Bad User
>
> log file = /var/log/samba/log.%m
>
> client min protocol = SMB2
>
> client signing = required
>
> server signing = required
>
> idmap config * : backend = tdb
>
> guest ok = Yes
>
> [pub]
>
> path = /fs1/smb_test_signing_fuso
>
> read only = No
>
> create mask = 0777
>
> directory mask = 0777
>
> So – writing mandatory to the config shows required in the testparm
> output.
> And even „server signing = required“/ “idmap config * : backend = tdb
> “was NOT in the smb.conf – since I used your config.
> Same with “security = user”
> And pub has in smb.conf „browsable =yes“/“writable = yes“
> Even a config like
> client signing = mandatory
> server signing = required
> shows with testparm
> client signing = required
> server signing = required
>
> That shows me: testparm is interpreting the conf and shows me, what it
> is using really.
>
> BUT – even with your config I get exactly the same picture as in my
> countless tries before:
> RequireSecuritySignature=0 (old value) => share is working
> RequireSecuritySignature=1 (needed value) => share is NOT working, and
> I get the client-error 1240 or 0x80004005 (the only change is this
> flag from 0 to 1)
>
> To clarify: on client side i ONLY change this value
> RequireSecuritySignature to 1. Nothing else. Just a client-reboot is
> necessary after this change to be active.
>
> I think, it is problem with smb signing, not with the share config.
>
>
> Raphael
>

OK, it looks like you have discovered a couple of bugs, first the
smb.conf manpage does not mention 'required' it says 'mandatory', yet
testparm does say 'required', in fact, as you have found, it changes it
to 'required'. The main bug is 'server signing' seems to be ignored, I
think that you need to find out if windows works as you expect.

Olszewski, Raphael

Mar 17, 2015, 11:00:03 AM
Rowland, thank you!
I did not believe it could be a bug and was searching really hard, but did not find any correct config.
So I have filed 2 bugs:

https://bugzilla.samba.org/show_bug.cgi?id=11167

https://bugzilla.samba.org/show_bug.cgi?id=11168

The Windows client is working properly, since I always have access to DFS drives served by MS servers with both variants of RequireSecuritySignature (0 or 1).

Raphael