Bug 11167 - Win7-Client cannot communicate with samba public-share when registry-key set to RequireSecuritySignature=1
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.17
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2015-03-17 14:34 UTC by Raphael Olszewski
Modified: 2015-03-30 14:51 UTC
Description Raphael Olszewski 2015-03-17 14:34:50 UTC
OS: SLES11 SP3
SAMBA: sernet-samba-4.1.17-11.suse111
CONFIG:
[global]
        security = user
        map to guest = Bad User
        guest ok = yes
        client min protocol = SMB2
        client signing = mandatory
        server signing = mandatory
[pub]
        path = /fs1/smb_test_signing_fuso
        browsable = yes
        writable = yes
        guest ok = yes
        create mask = 0777
        directory mask = 0777

Using the Samba public share is impossible after setting the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters] on a Win7 client to RequireSecuritySignature=1. But using DFS shares is possible without problems.
As the ONLY change, after setting RequireSecuritySignature=0 back, the Samba public share is usable, even with both settings "client signing = mandatory" and "server signing = mandatory".

After trying many settings, the guess is that this must be a bug.
Especially because I can set server signing to any combination without any change in behavior.

The client stops communication (TCP RST) with error 1240 when using the command line "net use", or 0x80004005 when using Explorer.
BTW: The client is a member of a domain, Samba is NOT. The share should be public.

Ref: https://lists.samba.org/archive/samba/2015-March/190014.html
Comment 1 Karsten 2015-03-27 21:51:04 UTC
See also:
> https://code.google.com/p/google-security-research/issues/detail?id=222

Regards
Karsten
Comment 2 Raphael Olszewski 2015-03-30 10:06:21 UTC
After talking with VL at GUUG Stuttgart I've got the explanation that the Samba server MUST BE a member of the domain to serve a public share to a client coming from a domain. The reason is that the domain membership is needed to have information for signing the smb-packages.
So, since my wanted configuration (foreign domain client using a public share from a standalone Samba server with SMB-signed messages) seems to be impossible, this ticket can be closed.
Comment 3 Volker Lendecke 2015-03-30 14:51:15 UTC
(In reply to Raphael Olszewski from comment #2)

Well, this must be a small misunderstanding. We don't need to be a member of the domain, we need some authentication to happen. This can be done with a standalone server too. But in your configuration, what you say seems right.
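
Added example (not part of the bug thread and not Samba code): a small check for the situation discussed above, where a client that requires signing meets a share served only through guest mapping, so no authentication takes place. The function names are hypothetical, the sample is a trimmed copy of the reported smb.conf, and the check assumes `map to guest = Never` (the Samba default) means no guest mapping occurs.

```python
import re

# Trimmed copy of the smb.conf posted in the bug description.
REPORTED_CONF = """\
[global]
        security = user
        map to guest = Bad User
        guest ok = yes
        server signing = mandatory
[pub]
        path = /fs1/smb_test_signing_fuso
        guest ok = yes
"""

TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lowercased and spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_guest_signing(text):
    """List shares that accept guest sessions, where no authentication takes place."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    guest_mapping = glob.get("map to guest", "Never").lower() != "never"
    guest_shares = []
    for name, params in conf.items():
        if name == "global":
            continue
        # "public" is a synonym of "guest ok"; [global] supplies the default.
        value = params.get("guest ok", params.get("public", glob.get("guest ok", "no")))
        if guest_mapping and value.lower() in TRUE_VALUES:
            guest_shares.append(name)
    signing = glob.get("server signing", "default").lower()
    return {"server_signing": signing, "guest_shares": guest_shares}

if __name__ == "__main__":
    print(audit_guest_signing(REPORTED_CONF))
```

Any share listed under `guest_shares` is one that a client with RequireSecuritySignature=1 should be expected to fail against unless it logs in with a real account on the server.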