I am writing a short article about smbclient for Linuxjournal, and I can't use encryption on a newer smbclient version (where it works on an older release, and also works without the -e flag). This should only work under -mNT1, as the target does not support SMB3. Both systems are current on updates. Am I doing something incorrectly?

This encryption attempt fails:
___
    $ smbclient -V
    Version 4.4.4

    $ smbclient //samba.foo.com/public -U USER -W GROUP #PLAINTEXT
    Enter USER's password:
    Domain=[GROUP] OS=[Unix] Server=[Samba 3.6.23-13.0.1.el5_11]
    smb: \> quit

    $ smbclient -e //samba.foo.com/public -U USER -W GROUP
    Enter USER's password:
    smb_signing_good: BAD SIG: seq 1
    session setup failed: NT_STATUS_ACCESS_DENIED

    $ cat /etc/oracle-release /etc/redhat-release
    Oracle Linux Server release 7.3
    Red Hat Enterprise Linux Server release 7.3 (Maipo)

While this one works:
___
    $ smbclient -V
    Version 3.6.23-13.0.1.el5_11

    $ smbclient -e //samba.foo.com/public -U USER -W GROUP
    Enter USER's password:
    Domain=[GROUP] OS=[Unix] Server=[Samba 3.6.23-13.0.1.el5_11]
    smb: \> quit

    $ cat /etc/oracle-release /etc/redhat-release
    Oracle Linux Server release 5.11
    Red Hat Enterprise Linux Server release 5.11 (Tikanga)
(In reply to Charlie from comment #0) The problem is that the -e option requires SMB signing and that's not enabled by default by the server. The client can overwrite that with the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED option. But the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED handling in the server is only available in 4.2.0 and newer versions. So you need to either backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED handling to 3.6 or upgrade the server, sorry.
(In reply to Stefan Metzmacher from comment #1) Or you just use "server signing = auto". As that will affect all clients, and most clients start to use signing if it's available, you may want to enable it for a specific client (where you could also use "server signing = required") only. See https://wiki.samba.org/index.php/Client_specific_logging for how to configure client IP address specific "include = " lines in the server's smb.conf.
This global config has fixed the problem. Many thanks! Are there any security or performance drawbacks to this? The manual page implies there is no (effective) impact to SMB2.

    server signing = auto

Now I can log in:

    $ smbclient -V
    Version 4.4.4

    limsdev $ smbclient -e //samba.foo.com/public -U USER -W GROUP
    Enter USER's password:
    Domain=[GROUP] OS=[Unix] Server=[Samba 3.6.23-13.0.1.el5_11]
    smb: \> quit
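
The per-client alternative suggested in comment #2, next to the global setting that was applied, as an added configuration sketch that is not part of the original thread or of Samba's own documentation. The include file name pattern, the paths and the client address 192.0.2.10 are assumptions chosen for illustration.

```ini
# ---- /etc/samba/smb.conf on the Samba 3.6 server (path assumed) ----
[global]
    # Variant A: the global fix applied in the thread.
    # Signing is offered to every client and used by those that ask for it.
    # server signing = auto

    # Variant B: leave the global signing default untouched and pull in a
    # per-client file. %I expands to the IP address of the connecting
    # client; clients without a matching file keep the settings above.
    include = /etc/samba/smb.conf.client-%I

# ---- /etc/samba/smb.conf.client-192.0.2.10 (constructed address) ----
# Applies only to connections from the client that runs "smbclient -e".
[global]
    # "required" makes the server insist on signed SMB1 traffic from this
    # client; "auto" would merely offer it.
    server signing = required
```

Running `testparm -s` on the server checks the main file for syntax errors, and repeating the `smbclient -e` command from the thread on the listed client confirms that the session setup no longer fails.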