The Samba-Bugzilla – Bug 11167
Win7-Client cannot communicate with samba public-share when registry-key set to RequireSecuritySignature=1
Last modified: 2015-03-30 14:51:15 UTC
OS: SLES11 SP3
security = user
map to guest = Bad User
guest ok = yes
client min protocol = SMB2
client signing = mandatory
server signing = mandatory
path = /fs1/smb_test_signing_fuso
writable = yes
guest ok = yes
create mask = 0777
directory mask = 0777
Using the samba public share is impossible after setting the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters] at a Win7-Client to RequireSecuritySignature=1. But Using DFS-Shares is possible without problem.
As ONLY change, setting back RequireSecuritySignature=0, the samba public share is useable - even with both settings of "client signing = mandatory" and "server signing = mandatory"
After trying many settings the guess is, this must be a bug.
Especially because i can set server signing to any combination without any change of behavior.
The Client is stopping communication with (TCP RST) error 1240 while using cmdline "net use" or ox80004005 while using Explorer
BTW: The Client is member of a domain, samba NOT. The share should be public.
After talking with VL at GUUG Stuttgart i've got the explanation, that the samba server MUST BE a member of the domain to serve a public share to a client coming from a domain. The reason is, that the domain-membership is needed to have information for signing the smb-packages.
So, since my wanted configuration (foreign domain-client using public share from standalone samba server with smb-signed messages) seems to be impossible this ticket can be closed.
(In reply to Raphael Olszewski from comment #2)
Well, this must be small misunderstanding. We don't need to be a member of the domain, we need some authentication to happen. This can be done with a standalone server too. But in your configuration what you say seems right