Description of problem:

The last security update for samba server introduced a new parameter 'client ipc signing' with a default of mandatory (compare https://www.samba.org/samba/security/CVE-2016-2115.html). While the default is 'server signing = false' it leads to the situation that a client which tries an RPC connection to a PDC will fail because the server doesn't support signing!

Using rpcclient to connect to a local server will fail like this:

cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED

Setting 'server signing = auto' will solve that problem for rpcclient but may introduce other problems with e.g. Windows clients: When connecting with a Win7 client using user nobody (default for guest access) to a samba share the client will fail with the following error:

[2016/05/14 23:30:27.403950, 1] smbd/service.c:1114(make_connection_snum)
  vm-buero (192.168.39.10) connect to service austausch initially as user nobody (uid=65534, gid=600) (pid 27161)
[2016/05/14 23:30:27.404507, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.39.10 read error = NT_STATUS_CONNECTION_RESET.
[2016/05/14 23:30:27.404946, 1] smbd/service.c:1378(close_cnum)
  vm-buero (192.168.39.10) closed connection to service austausch

The only workaround I found so far is to set 'client ipc signing = auto', which reduces the security for SMB signing from mandatory to offered, but as the server signing is still disabled by default no signing is used....

The first part (regarding the regression) is also discussed upstream and seems to affect only samba 3.6 and older: "It is only a problem with 3.6 and older, where we didn't implement the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED logic."
Source: http://comments.gmane.org/gmane.network.samba.internals/90769

Unfortunately I found no reason / explanation why a Win7 client cannot connect using user = nobody with 'server signing = auto'. IMHO it should be possible because according to the manpage 'auto' means "SMB1 signing is offered, but not enforced."

At least I'm not the only one with that problem; I found another report in the Debian forum, unfortunately in German (https://debianforum.de/forum/viewtopic.php?f=9&t=160557). While that is for samba 4.2, it is due to the samba update fixing CVE-2016-2115.
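To make the interplay of the three settings from this report easier to audit, here is an added example (not code from the bug report or from the Samba project): a small checker that reads the [global] section of an smb.conf and classifies the resulting signing posture. It assumes the defaults the report states (client ipc signing = mandatory, server signing effectively disabled), and SAMPLE_CONF is a constructed input.

```python
import re

# Defaults as the bug report states them for the updated samba 3.6 packages
# (assumption; confirm with `testparm -v` on the host being checked).
DEFAULTS = {"client ipc signing": "mandatory", "server signing": "disabled"}
# Samba accepts several spellings for the signing values; map them to one form.
SYNONYMS = {"true": "mandatory", "yes": "mandatory",
            "false": "disabled", "no": "disabled", "off": "disabled",
            "default": "disabled"}  # assumption: the report says default equals 'false'

def parse_global(conf_text):
    """Return the [global] section of an smb.conf as {normalised key: value}."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment line
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def signing_value(params, key):
    raw = params.get(key, DEFAULTS[key]).strip().lower()
    return SYNONYMS.get(raw, raw)

def assess(conf_text):
    # Classify what the client-side IPC and server-side settings produce together.
    params = parse_global(conf_text)
    client = signing_value(params, "client ipc signing")
    server = signing_value(params, "server signing")
    sides = {client, server}
    if "mandatory" in sides and "disabled" in sides:
        outcome = "mismatch: one side requires signing while the other has it disabled (the rpcclient failure in the report)"
    elif "disabled" in sides:
        outcome = "weak: connections succeed but SMB signing is never used"
    elif "mandatory" in sides:
        outcome = "signed: at least one side enforces signing"
    else:
        outcome = "offered: both sides offer signing, neither enforces it"
    return {"client ipc signing": client, "server signing": server, "outcome": outcome}

# Constructed sample: the reporter's workaround, which silences the error but leaves traffic unsigned.
SAMPLE_CONF = "[global]\n   workgroup = MYGROUP\n   client ipc signing = auto\n"
```

Running assess() over a config with neither parameter set reports the mismatch; adding only 'server signing = auto' is the combination that keeps signing in use.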
I just saw that this may be a duplicate of Bug 18379. I will try the updated packages in core/updates_testing ASAP.
OK installed updated packages from update_testing

# rpm -qa | grep samba
samba-common-3.6.25-2.4.mga5
samba-client-3.6.25-2.4.mga5
samba-server-3.6.25-2.4.mga5
#

Unfortunately it doesn't change anything to my description above.
(In reply to Stefan Puch from comment #1)
> I just saw, that this may be a duplicate of Bug 18379. I will try the
> updated packages in core/updates_testing ASAP.

(In reply to Stefan Puch from comment #2)
> OK installed updated packages from update_testing
>
> # rpm -qa | grep samba
> samba-common-3.6.25-2.4.mga5
> samba-client-3.6.25-2.4.mga5
> samba-server-3.6.25-2.4.mga5
> #
>
> Unfortunately it doesn't change anything to my description above.

@ David Walser Can you please decide what to do with this bug report?
CC: (none) => luigiwalser, marja11
Summary: Samba regression with sever signing = default (with CVE-2016-2115) => Samba regression with server signing = default (with CVE-2016-2115)
Dup *** This bug has been marked as a duplicate of bug 18379 ***
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE