Hello, When I add "server signing = mandatory" to my smb.conf file (AIX V6.1, 6100-04-11-1140 running Samba v3.6.5) that has "encrypt passwords = no", my windows client no longer can connect. It fails with system error 64. The windows system is running XP vers 2002 with service pack 3. The security settings are set to: Microsoft network client: Digitally sign communications (always) Disabled Microsoft network client: Digitally sign communications (if server agrees) Enabled Microsoft network client: Send unencrypted password to third-party SMB servers Enabled Microsoft network server: Amount of idle time required before suspending session 15 minutes Microsoft network server: Digitally sign communications (always) Disabled Microsoft network server: Digitally sign communications (if client agrees) Disabled Microsoft network server: Disconnect clients when logon hours expire Enabled Like wise, when I add "server signing = mandatory" to my smb.conf file that has "encrypt passwords = yes" (and "passdb backend = smbpasswd" with valid id/password in the smbpasswd file), my AIX client no longer can connect. I have added "client signing = mandatory" to smb.conf also and get the same results (unencrypted: windows clients cannot connect. encrypted: aix clients cannot connect). Are there any known problems in v3.6.5 related to these connection problems? Are there any fixes in newer releases?
It is worth mentioning our security exec's are threatening to shut down our environment if we cannot get this working. Any help on why the connections fail and if/when a fix is expected/available would be greatly helpful!
Does "encrypt passwords = no" means that the cleartext password is send of the over the wire? If someone can get the password, what is the point of doing signing?
Re-assigning to Metze.
(In reply to comment #2) > Does "encrypt passwords = no" means that the cleartext password > is send of the over the wire? If someone can get the password, > what is the point of doing signing? If there's still a problem with Send unencrypted password to third-party => disabled and removing "encrypt passwords = no" please reopen the bug
As a non-admin I cannot reopen this bug, however it exists even with encrypted passwords. Basically Windows 8 intermittently fails to access the samba server when mandatory signing is enabled because manadatory signing prevents anonymous (guest) access to the server and windows 8 uses anonymous access to get share lists and even to recognize that the server is available. The bug is frustrating to diagnose because windows sometimes uses stored credentials and sometimes guest access so you get a situation where access (but never visibility in icon in 'Network' in Explorer) sometimes works and sometimes does not. If windows consistently used stored credentials there would be no issue because mandatory signing preventing guest access would not be an issue. From mailing list I saw that the decision was made that mandatory signing would mean that guest access would result in an error instead of allowing guest access without signing, which is unforunately incompatible with windows decisions/usage.
(In reply to Daniel Dickinson from comment #5) I just tested that we behave like a Windows 2012R2 DC. Anonymous access to IPC$ is allowed, but a TCON to a file share e.g. "netlogon" returns NT_STATUS_ACCESS_DENIED.