OS: SLES11 SP3 SAMBA: sernet-samba-4.1.17-11.suse111 CONFIG: [global] security = user map to guest = Bad User guest ok = yes client min protocol = SMB2 client signing = mandatory server signing = mandatory [pub] path = /fs1/smb_test_signing_fuso browsable =yes writable = yes guest ok = yes create mask = 0777 directory mask = 0777 Using the samba public share is impossible after setting the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters] at a Win7-Client to RequireSecuritySignature=1. But Using DFS-Shares is possible without problem. As ONLY change, setting back RequireSecuritySignature=0, the samba public share is useable - even with both settings of "client signing = mandatory" and "server signing = mandatory" After trying many settings the guess is, this must be a bug. Especially because i can set server signing to any combination without any change of behavior. The Client is stopping communication with (TCP RST) error 1240 while using cmdline "net use" or ox80004005 while using Explorer BTW: The Client is member of a domain, samba NOT. The share should be public. Ref: https://lists.samba.org/archive/samba/2015-March/190014.html
See also: > https://code.google.com/p/google-security-research/issues/detail?id=222 Regards Karsten
After talking with VL at GUUG Stuttgart i've got the explanation, that the samba server MUST BE a member of the domain to serve a public share to a client coming from a domain. The reason is, that the domain-membership is needed to have information for signing the smb-packages. So, since my wanted configuration (foreign domain-client using public share from standalone samba server with smb-signed messages) seems to be impossible this ticket can be closed.
(In reply to Raphael Olszewski from comment #2) Well, this must be small misunderstanding. We don't need to be a member of the domain, we need some authentication to happen. This can be done with a standalone server too. But in your configuration what you say seems right