ids-philip

asked on

Samba Server Signing prevents Client Access

I have Samba 3.6.25-45 running with the following configuration.  The read-only public share should be available to all users without any username/password authentication.  The Samba server will not be added to a domain.  Client machines might or might not be part of a domain.

If "server signing = disabled", clients can connect to the [test] share.  If "server signing = enabled" or "server signing = mandatory" the client can no longer connect.  In Windows, they get error "The specified name is no longer available".  The machine log has an entry of "auth/auth.c:319(check_ntlm_password)  check_ntlm_password:  Authentication for user [userX] -> [userX] FAILED with error NT_STATUS_NO_SUCH_USER".

I tried to overcome this with "nobody = *" in smbusers file but this forces a user/pass login prompt which is not desired.

# ############################################################################
[global]

workgroup = GROUP
server string = Samba Server Version %v

passdb backend = smbpasswd

security = user
map to guest = Bad User
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/smbpasswd
guest account = nobody

domain master = no
local master = yes

encrypt passwords = yes
server signing = disabled
client signing = required

load printers = no

log level = 2
max log size = 50
log file = /var/log/samba/%m.log

# ############################################################################
[test]
   path = /tmp/test

   case sensitive = no
   read only = yes
   guest ok = yes
Mazdajai

Try changing the following in Samba:

client signing = mandatory



Try setting the client options to 'disabled' if you haven't, and review the "SMB Signing Effective Behavior" below.

Security Settings -> Local Policies -> Security Options
Set "Microsoft network client: Digitally sign communications (always)"
to "Disabled"

https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/
ids-philip

ASKER

Sorry for the delay - will try this setting change.    Though I saw some SAMBA documentation that client signing = required is the same as (mandatory)(true)(1)(yes).
I checked the client's registry and the "always" option was already disabled.  In fact here are both of the related settings:

MICROSOFT NETWORK CLIENT:
Digitally Sign communications (always): DISABLED
Digitally Sign communications (if server agrees): ENABLED

I made the other change as well (client signing = mandatory) but still not getting what is needed.

What is logged in log-smb*?
There is no such Samba release on samba.org. Please clarify your distribution version and FULL PACKAGE VERSION.

Oracle Enterprise Linux 5u11
Samba v3.6.25 (from Sernet RPM)
Also testing on Samba v3.0.33-3.40.el5_10

The machine log contains:
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:27, 0] lib/util_sock.c:read_data(540)
  read_data: read failure for 4 bytes to client 172.16.21.113. Error = Connection reset by peer


The smbd.log shows nothing after the startup messages:
[2016/04/29 09:21:13, 2] lib/interface.c:add_interface(81)
  added interface ip=172.16.21.151 bcast=172.16.21.255 nmask=255.255.255.0
[2016/04/29 09:21:13, 2] lib/interface.c:add_interface(81)
  added interface ip=172.16.42.128 bcast=172.16.42.255 nmask=255.255.255.0
[2016/04/29 09:21:13, 2] lib/interface.c:add_interface(81)
  added interface ip=10.10.10.10 bcast=10.10.10.11 nmask=255.255.255.252
[2016/04/29 09:21:13, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
  Registered MSG_REQ_POOL_USAGE
[2016/04/29 09:21:13, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2016/04/29 09:21:13, 2] smbd/server.c:open_sockets_smbd(466)
  waiting for a connection

samba3x-3.6.23-9.0.1.el5_11 is one with signing support.
Given EOL is in less than a year I would be putting more effort in replacement.

Am searching for and will install that version to see if it has any effect.  Given the objectives, will my current smb.conf file work, or does it need changes?

smb.conf will work; tdb files are unlikely to migrate over.
It is just yum install with public-yum repositories configured.
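
Added example, not part of the original thread: a small Python parser for the level-2 Samba log format quoted above. It summarises check_ntlm_password failures by requested user, mapped user and NT status, and marks which ones the "map to guest = Bad User" rule from smb.conf(5) can turn into a guest login. Function names are this example's own; the sample lines come from the posts, except the last record, whose timestamp is constructed.

```python
import re
from collections import Counter

# Record header, in both layouts quoted in this thread:
#   [date time, level] file:func(line)   and   file:line(func)
HEADER = re.compile(
    r"^\[?(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+?:"
    r"(?:(?P<f1>[A-Za-z_]\w*)\(\d+\)|\d+\((?P<f2>\w+)\))\s*$")
AUTH_FAIL = re.compile(
    r"Authentication for user \[(?P<asked>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_records(text):
    """Yield (timestamp, function, message) for each header + message pair."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = (m["ts"], m["f1"] or m["f2"])
        elif current and line.strip():
            yield (*current, line.strip())

def auth_failures(text):
    """Count failed logons by (requested user, mapped user, NT status)."""
    counts = Counter()
    for _ts, func, msg in parse_records(text):
        m = AUTH_FAIL.search(msg)
        if func == "check_ntlm_password" and m:
            counts[(m["asked"], m["mapped"], m["status"])] += 1
    return counts

def guest_eligible(status):
    """Per smb.conf(5), 'map to guest = Bad User' only turns an unknown
    user name into a guest login; a bad password is still rejected."""
    return status == "NT_STATUS_NO_SUCH_USER"

# Records copied from the thread; the last one is constructed (timestamp
# invented) from the message quoted in the question.
SAMPLE = """\
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:20:00, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [userX] -> [userX] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    for (asked, mapped, status), n in auth_failures(SAMPLE).items():
        note = "guest-eligible" if guest_eligible(status) else "rejected"
        print(f"{n}x {asked} -> {mapped}: {status} ({note})")
```

Run against /var/log/samba/%m.log files, this separates failures where the user name was unknown from those where the name, after the username map, matched an existing account and the password check failed.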