We are having issue with the smb signing on Samba 3.2.3. I understand that there was a bug on 3.2.0 and the status was fixed on 3.2.1. It seems to be the problem still there. We have two domains (domain A and domain B). Both domains are on a different forest. We have a one way external trust relationship between the two domains. Domain B trusting Domain A. The samba server 3.2.3 is a member of domain B, UserIDs and workstations (Windows XP) are member and are logging on domain A. Workstations on domain “A” have the following digital signing policies enable. Microsoft network client: Digitally sign communications (always) Security Setting: enable Microsoft network client: Digitally sign communications (if server agrees) Security Setting: enabled Microsoft network server: Digitally sign communications (always) Security Setting: enable Microsoft network server: Digitally sign communications (if client agrees) Security Setting: enable The problem is, even if the samba 3.2.3 server/client signing were set to “Yes, No and Auto”. Accessing its share from domain A workstations were denied. And then I get these client logs below. [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 1 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:srv_sign_outgoing_message(708) srv_sign_outgoing_message: seq 1: sent SMB signature of [2008/08/28 16:06:10, 10] lib/util.c:dump_data(2223) [000] 8A 2E D9 6B 17 D8 02 19 ...k.... [2008/08/28 16:06:10, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118) got smb length of 80 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 2 [2008/08/28 16:06:10, 0] libsmb/smb_signing.c:srv_check_incoming_message(754) srv_check_incoming_message: BAD SIG: seq 2 wanted SMB signature of [2008/08/28 16:06:10, 5] lib/util.c:dump_data(2223) [000] 2E D4 47 83 26 B0 94 D6 ..G.&... [2008/08/28 16:06:10, 0] libsmb/smb_signing.c:srv_check_incoming_message(758) srv_check_incoming_message: BAD SIG: seq 2 got SMB signature of [2008/08/28 16:06:10, 5] lib/util.c:dump_data(2223) [000] 8B 45 BE F4 8D 45 40 10 .E...E@. [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 4294967293 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 4294967294 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 4294967295 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 0 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 1 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 2 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 3 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 4 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 5 [2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285) simple_packet_signature: sequence number 6 [2008/08/28 16:06:10, 5] libsmb/smb_signing.c:signing_good(243) srv_check_incoming_message: signing negotiated but not required and peer isn't sending correct signatures. Turning off.
Are the clients logging in using Kerberos or NTLM? Can you please upload a full debug level 10 log of smbd up to this point? This will answer that question. Volker
*** Bug 5735 has been marked as a duplicate of this bug. ***
Created attachment 3519 [details] Split smbd.log level 10 I user split command to split the smbd.log file smbd.log.splitaa smbd.log.splitab smbd.log.splitac smbd.log.splitad smbd.log.splitae smbd.log.splitaf
Created attachment 3520 [details] Split smbd.log.splitab I user split command to split the smbd.log file smbd.log.splitaa smbd.log.splitab smbd.log.splitac smbd.log.splitad smbd.log.splitae smbd.log.splitaf
Created attachment 3521 [details] Split smbd.log.splitac I user split command to split the smbd.log file smbd.log.splitaa smbd.log.splitab smbd.log.splitac smbd.log.splitad smbd.log.splitae smbd.log.splitaf
Created attachment 3522 [details] Splitsmbd.log.splitad I user split command to split the smbd.log file smbd.log.splitaa smbd.log.splitab smbd.log.splitac smbd.log.splitad smbd.log.splitae smbd.log.splitaf
Created attachment 3523 [details] Split smbd.log.splitae I user split command to split the smbd.log file smbd.log.splitaa smbd.log.splitab smbd.log.splitac smbd.log.splitad smbd.log.splitae smbd.log.splitaf
Created attachment 3524 [details] Split smbd.log.splitaf I user split command to split the smbd.log file smbd.log.splitaa smbd.log.splitab smbd.log.splitac smbd.log.splitad smbd.log.splitae smbd.log.splitaf
I'm afraid the error is not in the log file you sent. In your smb.conf you seem to have the option log file = /var/log/samba/%m.log which means that you have split log files in /var/log/samba/<machinename>.log. What we need the machine-specific file for the client that can not connect. You might also want to compress the log file with bzip2 -9 before you upload it. It might become small enough so that you do not have to split it up into several parts. Volker
Created attachment 3530 [details] machinename log file Here is the machine log file that can not connect. Peng
Hi, Any status with smb signing on Samba 3.2.3? Thanks
I upgraded my version to 3.2.6, It seems that smb signing is working if the host is not yet connected to the trusted domain. But after you run wbinfo -u and the wbinfo --online-status and all domain connected, workstations will not connect to samba.
Since 3.2.3 smb signing has been worked on various times, any chance to retest with the latest 3.2.x release ?
Created attachment 4679 [details] My smb.conf file (output of 'net conf list') smb.conf file from PDC.
(In reply to comment #14) > Created an attachment (id=4679) [details] > My smb.conf file (output of 'net conf list') > > smb.conf file from PDC. > Darn! Wrong bug report! Please disregard. - John T.
Cleaning database.... As Günther said, SMB signing has been worked on quite a few times, so I'm assuming it is fixed. If you can reproduce this with 3.2.15, please re-open this bug. Thanks, Volker