samba: smb signing ?

tc-t
Beginners
Posts: 10
Registered: 22 Nov 2018 14:07
Has thanked: 1 time

#1

Post by tc-t »

I have a Mutant HD51 with the latest version of OpenATV. I have updated it today.


Since last week I can no longer access the Samba shares on my Mutant (root and harddisk).


I think I know what's causing this issue.

The laptop I use is owned by the company I work for and part of our Windows AD domain.
In Group Policy they changed a setting that requires SMB signing.
So, with this laptop I can now no longer access the Mutant's shares (it used to work until a week ago).

With the same laptop I still *can* access the shares of my NAS and Webserver (also Linux-based).

To test, I created a Virtual Machine on that laptop with a fresh Win 10 install and now I *can* access the Mutant's shares.


It is not until I change this registry key
HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters
-> RequireSecuritySignature and put in the value 1 instead of 0
that everything stops working.


My laptop also has value 1 for said key.
If I change the value back to 0 in my Virtual Machine, the Samba-shares on the Mutant are accessible again.

Because on the NAS and my webserver their Samba shares are still accessible, even with the regkey value at 1, I assume I will have to change a setting in smb.conf or smb-user.conf on my OpenATV install?
Do you know which one?

I assumed it was:
server signing = required

but that does not improve things...




Can you help me out?
Thanks!


PS: The Mutant has a multiboot image with also OpenPLI.
I have the same issue there: Samba shares are not accessible when the registry key on the Win 10 machine is set to 1, they start working again when the value = 0.
Papi2000
Super Moderator
Posts: 25937
Registered: 20 Apr 2013 20:09
Receiver 1: Many GigaBlues
Receiver 2: DM and ZGemma
Receiver 3: a bit of VU
Has thanked: 4497 times
Was thanked: 8315 times

#2

Post by Papi2000 »

There are alternative options for the "server signing" in samba:

server signing = required

server signing = mandatory
server signing = disabled

You can try to set it to disabled or mandatory in the
/etc/samba/smb-user.conf (only edit this file, no other!)

I fear the group policy can't be fulfilled by a new external network device outside the company. Your old connections are already stored in the registry, so unchanged (maybe a dirty implementation). But a new connection will only be established and stored to members of the company.
Regards,
Ralf
--------------------------------------------
---- Anyone can buy a receiver - a stable E² box has to be earned! ----

#3

Post by tc-t »

Hi Papi2000

Thanks but no luck so far.

If I put the registry setting HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature value to 0 on my Virtual Machine I *can* access the Mutant's shares.
It doesn't matter which setting I use in the smb-user.conf file, it works for all 3:
* server signing = required
* server signing = mandatory
* server signing = disabled

If I put the registry value to 1, it stops working: the Samba shares are no longer accessible.
Once again, it doesn't matter which value I use in the smb-user.conf file.
It fails for all 3:
* server signing = required
* server signing = mandatory
* server signing = disabled

To be sure, I rebooted both the Win 10 Virtual machine and the Mutant every time after making a change.


The Virtual machine is not domain joined so I can make any change to it that I want.
The registry setting with value 1 is the same as what the group policy on the work laptop is doing, so if I can get it working in the VM with registry setting set to 1 I think I can get it working on the laptop itself too.


Alas, not yet ...

#4

Post by Papi2000 »

The group policy was invoked on your productive machine, to avoid connections to non-domain members in future. Old connections are not deleted. That's the dirty part of the implementation in your PC system. If it were set up new, it would deny any connections to non-domain members. So what are you trying? You are looking for a hack to bring your personal equipment into the domain, without it being a member of the domain. That's not what the group policy is intended to grant. Your virtual machine is not a member of the domain, and so does not follow the whole rule package of the productive system.

#5

Post by tc-t »

Sorry if I wasn't clear.


The GPO setting is applied to my work laptop. I'm not trying to change anything there. The setting caused the samba shares on my OpenATV box to be unavailable, but the samba shares on my NAS and my webserver still work.

What I would like to do is make some changes to the Samba settings on my OpenATV box so I can connect to it again from my work laptop, even with the new GPO setting in place.



I found out which registry key the GPO has changed.
I used the Virtual Machine to switch between the old situation (= no GPO setting) and the new situation (= GPO active) so I can easily check if the changes I make to the OpenATV samba settings would have the desired effect.

#6

Post by Papi2000 »

You have been clear, but didn't understand the whole thing.
The old SMB settings in oATV will no longer work. So it will be a new connection for your work pc. -> not granted in the live system.
If you delete the old connections to your other equipment, they also will not be granted again on a new try to connect to them.
And therefore I'm out here.
WolfgangWue
Member
Posts: 244
Registered: 07 Jul 2019 16:16
Has thanked: 3 times
Was thanked: 39 times

#7

Post by WolfgangWue »

Try in Windows 10 - Systemsteuerung\Alle Systemsteuerungselemente\Programme und Features - Windows Features activate or deactivate - support for SMB 1.0 activate.

Sorry, I have German WIN 10. I do not know the exact English wording for “Systemsteuerung\Alle Systemsteuerungselemente”.

Hope your company's laptop will allow this change.

#8

Post by Papi2000 »

That is NO solution for a work pc in a company; that should NOT be done at all, even in private networking...

#9

Post by WolfgangWue »

Hello Papi,
without activating this feature, my son and I would have had to throw away half of our network equipment.

#10

Post by Papi2000 »

And instead you invite a hundred times as many hackers in - scnr.

#11

Post by tc-t »

No indeed I can't do that.

I can't activate SMB1 after we put in many efforts to finally move away from it.
SMB2 and SMB3 should work fine, right?

I have disabled this on my home network too, a long time ago.
The problem should not be there, the Samba shares to the OpenATV box have always worked with SMB2 or SMB3.


-

I'm still unsure why I can't connect to the Samba shares when the registry setting
HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature is set to 1.

The samba shares on my webserver or on my NAS don't seem to worry about that change while OpenATV does...

#12

Post by Papi2000 »

The connection is not denied by the box, but by your pc.

#13

Post by tc-t »

Papi2000 wrote: The connection is not denied by the box, but by your pc.


Yes, that's quite possible.

The PC doesn't want to connect to anything that doesn't do SMB signing. That's what the new GPO has arranged.
So I'm looking for a way to get the box and the PC talking again.

The PC can talk to the NAS and to the webserver, so they both seem to do SMB signing?
I guess it must be possible to get the PC to talk to the OpenATV again, too?
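
Added example, not part of the thread and not OpenATV or Samba code: a small decoder for the SMB2 NEGOTIATE response, so the signing flags and dialect each server (NAS, webserver, hd51) advertises can be compared from a packet capture. Field offsets and flag values follow the SMB2 message layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1", 0x02FF: "2.FF (wildcard)"}


def parse_negotiate_response(data: bytes) -> dict:
    """Decode dialect and signing flags from one SMB2 NEGOTIATE response."""
    # Direct TCP transport (port 445) prefixes each message with a zero byte
    # and a 3-byte big-endian length; strip it if the capture includes it.
    if len(data) >= 4 and data[0] == 0 and data[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        data = data[4:]
    if data[:4] == SMB1_MAGIC:
        raise ValueError("SMB1 message: the server did not answer in SMB2/3")
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    if len(data) < 64 + 6:
        raise ValueError("truncated: need header plus start of NEGOTIATE body")
    # Header: command at offset 12 (0 = NEGOTIATE), flags at offset 16
    # (bit 0 set = server-to-client response).
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    if command != 0 or not flags & 0x1:
        raise ValueError("not a NEGOTIATE response")
    # Body starts after the 64-byte header: StructureSize (65), SecurityMode,
    # DialectRevision, all little-endian 16-bit fields.
    size, mode, dialect = struct.unpack_from("<HHH", data, 64)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED)}


def build_sample(mode: int, dialect: int) -> bytes:
    """Constructed response: real field layout, zeroed GUID/times/buffers."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
    header += bytes(16)  # signature field
    msg = header + struct.pack("<HHH", 65, mode, dialect) + bytes(58)
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed captures (not taken from the devices in this thread).
SAMPLE_ENABLED_ONLY = build_sample(SIGNING_ENABLED, 0x0311)
SAMPLE_REQUIRED = build_sample(SIGNING_ENABLED | SIGNING_REQUIRED, 0x0302)
```

Feeding it the first server reply from a capture of \\NAS and of \\hd51 shows whether the two differ at the negotiate stage; a reply that raises the SMB1 error means the server never answered in SMB2/3 at all.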

#14

Post by Papi2000 »

Delete the saved connections to your NAS and the Webserver, and restart your PC. Try to get them connected again...

#15

Post by tc-t »

Papi2000 wrote: Delete the saved connections to your NAS and the Webserver, and restart your PC. Try to get them connected again...


They still work.
On my work laptop, and also on the virtual machine.

There were no saved connections on the Virtual Machine, that was newly installed yesterday.

I just use \\NAS and \\webserver to connect to it. Like I use \\hd51 to connect to the OpenATV box.
Only that last one gives an error.

#16

Post by Papi2000 »

You use for the box the user "root" and your own password, that you have given to the box in the network menu?

#17

Post by tc-t »

Papi2000 wrote: You use for the box the user "root" and your own password, that you have given to the box in the network menu?


No, I don't even get that far.

I get an error straight away when I type \\hd51.
I don't get a window asking for username/password.

If I did, I would try with the username/password I use for my ssh connection.