ids-philip
Samba Server Signing prevents Client Access
I have Samba 3.6.25-45 running with the following configuration. The read-only public share should be available to all users without any username/password authentication. The Samba server will not be added to a domain. Client machines might or might not be part of a domain.
If "server signing = disabled", clients can connect to the [test] share. If "server signing = enabled" or "server signing = mandatory" the client can no longer connect. In Windows, they get error "The specified name is no longer available". The machine log has an entry of "auth/auth.c:319(check_ntlm_password) check_ntlm_password: Authentication for user [userX] -> [userX] FAILED with error NT_STATUS_NO_SUCH_USER".
I tried to overcome this with "nobody = *" in smbusers file but this forces a user/pass login prompt which is not desired.
# ########################## ########## ########## ########## ########## ##########
[global]
workgroup = GROUP
server string = Samba Server Version %v
passdb backend = smbpasswd
security = user
map to guest = Bad User
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/smbpasswd
guest account = nobody
domain master = no
local master = yes
encrypt passwords = yes
server signing = disabled
client signing = required
load printers = no
log level = 2
max log size = 50
log file = /var/log/samba/%m.log
# ########################## ########## ########## ########## ########## ##########
[test]
path = /tmp/test
case sensitive = no
read only = yes
guest ok = yes
ASKER
Sorry for the delay - will try this setting change. Though I saw some SAMBA documentation that client signing = required is the same as (mandatory)(true)(1)(yes).
ASKER
I checked the client's registry and the "always" option was already disabled. In fact here are both of the related settings:
MICROSOFT NETWORK CLIENT:
Digitally Sign communications (always): DISABLED
Digitally Sign communications (if server agrees): ENABLED
I made the other change as well (client signing = mandatory) but still not getting what is needed.
What is logged in log-smb*?
There is no such samba release on samba.org. Please clarify your distribution version and FULL PACKAGE VERSION.
ASKER
Oracle Enterprise Linux 5u11
Samba v3.6.25 (from Sernet RPM)
Also testing on Samba v3.0.33-3.40.el5_10
The machine log contains:
2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:27, 0] lib/util_sock.c:read_data(540)
read_data: read failure for 4 bytes to client 172.16.21.113. Error = Connection reset by peer
The smbd.log shows nothing after the startup messages:
[2016/04/29 09:21:13, 2] lib/interface.c:add_interface(81)
added interface ip=172.16.21.151 bcast=172.16.21.255 nmask=255.255.255.0
[2016/04/29 09:21:13, 2] lib/interface.c:add_interface(81)
added interface ip=172.16.42.128 bcast=172.16.42.255 nmask=255.255.255.0
[2016/04/29 09:21:13, 2] lib/interface.c:add_interface(81)
added interface ip=10.10.10.10 bcast=10.10.10.11 nmask=255.255.255.252
[2016/04/29 09:21:13, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
Registered MSG_REQ_POOL_USAGE
[2016/04/29 09:21:13, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2016/04/29 09:21:13, 2] smbd/server.c:open_sockets_smbd(466)
waiting for a connection
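A small triage script for the machine log posted above, added here as an example and not part of the original thread: it groups check_ntlm_password failures by requested name, mapped name and status, which separates the username-map rewrite ([test-user] -> [nobody]) from the unknown-user case. The sample log is constructed from lines quoted in the thread; `summarize`, `explain` and `HINTS` are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample, assembled from log lines quoted in this thread.
SAMPLE = """\
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:17, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2016/04/29 09:21:17, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [test-user] -> [nobody] FAILED with error NT_STATUS_LOGON_FAILURE
[2016/04/29 09:21:18, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [userX] -> [userX] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/04/29 09:21:27, 0] lib/util_sock.c:read_data(540)
read_data: read failure for 4 bytes to client 172.16.21.113. Error = Connection reset by peer
"""

# Header line: "[date time, level] file:function(line)"; the message follows it.
HEADER = re.compile(r"^\s*\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\]\s+\S+")
AUTH_FAIL = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
                       r"FAILED with error (NT_STATUS_\w+)")
RESET = re.compile(r"read failure for \d+ bytes to client (\d+(?:\.\d+){3})")
# Meaning of each status under 'map to guest = Bad User', per the smb.conf man page.
HINTS = {
    "NT_STATUS_NO_SUCH_USER": "unknown account: the case Bad User treats as guest",
    "NT_STATUS_LOGON_FAILURE": "account exists, wrong password: Bad User rejects",
}

def summarize(log_text):
    """Count auth failures by (requested, mapped, status); list client resets."""
    failures, resets, ts = Counter(), [], None
    for line in log_text.splitlines():
        if (h := HEADER.match(line)):
            ts = h.group(1)  # timestamp belongs to the message line that follows
        elif (m := AUTH_FAIL.search(line)):
            failures[m.groups()] += 1
        elif (m := RESET.search(line)):
            resets.append((ts, m.group(1)))
    return failures, resets

def explain(requested, mapped, status):
    """Relate one failure to the username map / map to guest settings."""
    notes = ["username map rewrote the name"] if requested != mapped else []
    if status in HINTS:
        notes.append(HINTS[status])
    return notes

if __name__ == "__main__":
    for key, n in summarize(SAMPLE)[0].items():
        print(n, key, explain(*key))
```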
samba3x-3.6.23-9.0.1.el5_11 is one with signing support.
Given EOL is in less than a year I would be putting more effort in replacement.
ASKER
Am searching for and will install that version to see if it has any effect. Given the objectives, will my current smb.conf file work, or does it need changes?
smb.conf will work; tdb files are unlikely to migrate over.
It is just yum install with public-yum repositories configured.
Try setting the client options to 'disabled' if you haven't, and review the "SMB Signing Effective Behavior" below.
Security Settings -> Local Policies -> Security Options
Set "Microsoft network client: Digitally sign communications (always)" to "Disabled"
https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/