samba: smb signing ?
I have a Mutant HD51 with the latest version of OpenATV. I have updated it today.
Since last week I can no longer access the Samba Shares on my Mutant (root and harddisk)
I think I know what's causing this issue.
The laptop I use is owned by the company I work for and part of our Windows AD domain.
In Group Policy they changed a setting that requires SMB signing.
So, with this laptop I can now no longer access the Mutant's shares (it used to work until a week ago)
With the same laptop I still *can* access the shares of my NAS and Webserver (also Linux-based)
To test, I created a Virtual Machine on that laptop with a fresh Win 10 install and now I *can* access the Mutant's shares.
It is not until I change this registry key
HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters
-> RequireSecuritySignature and put in the value 1 instead of 0
that everything stops working.
My laptop also has value 1 for said key.
If I change the value back to 0 in my Virtual Machine, the Samba-shares on the Mutant are accessible again.
Because on the NAS and my webserver their Samba shares are still accessible, even with the regkey value at 1, I assume I will have to change a setting in smb.conf or smb-user.conf on my OpenATV install?
Do you know which one?
I assumed it was:
server signing = required
but that does not improve things...
Can you help me out?
Thanks!
PS: The Mutant has a multiboot image with also OpenPLI.
I have the same issue there: Samba shares are not accessible when the registry key on the Win 10 machine is set to 1, they start working again when the value = 0.
- Papi2000
- Super Moderator
- Posts: 25937
- Registered: 20 Apr 2013 20:09
- Receiver 1: Many GigaBlues
- Receiver 2: DM and ZGemma
- Receiver 3: a bit of VU
- Thanks given: 4497 times
- Thanks received: 8315 times
There are alternative options for the "server signing" in samba:
server signing = required
server signing = mandatory
server signing = disabled
You can try to set it to disabled or mandatory in the
/etc/samba/smb-user.conf (only edit this file, no other!)
I fear the group policy can't be fulfilled by a new external network device outside the company. Your old connections are already stored in the registry, so unchanged (maybe dirty implemented). But a new connection will only be established and stored to members of the company.
Hi Papi2000
Thanks but no luck so far.
If I put the registry setting HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature value to 0 on my Virtual Machine I *can* access the Mutant's shares.
It doesn't matter which setting I use in the smb-user.conf file, it works for all 3
* server signing = required
* server signing = mandatory
* server signing = disabled
If I put the registry value to 1, it stops working: the Samba shares are no longer accessible.
Once again, it doesn't matter which value I use in the smb-user.conf file.
It fails for all 3:
* server signing = required
* server signing = mandatory
* server signing = disabled
To be sure, I rebooted both the Win 10 Virtual machine and the Mutant every time after making a change.
The Virtual machine is not domain joined so I can make any change to it that I want.
The registry setting with value 1 is the same as what the group policy on the work laptop is doing, so if I can get it working in the VM with registry setting set to 1 I think I can get it working on the laptop itself too.
Alas, not yet ...
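Added example, not part of the thread or of OpenATV: for the box side of the test described above, this resolves the `server signing` value that results from smb.conf plus an included smb-user.conf, and reports how smb.conf(5) says that value is treated once SMB2 or later is negotiated (there, `disabled` is treated as `auto`). It assumes smb.conf pulls in smb-user.conf through an `include =` line and that `required` is a synonym for `mandatory`; the file contents in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample config in demo() is constructed.

# effective_param FILE NAME: last [global] value of NAME, following "include =".
effective_param() {
    awk -v top="$1" -v want="$2" '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    function scan(file,   line, key, val, eq) {
        while ((getline line < file) > 0) {
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (line == "" || line ~ /^[#;]/) continue
            if (line ~ /^\[.*\]$/) { sect = norm(line); continue }
            eq = index(line, "="); if (eq == 0) continue
            key = norm(substr(line, 1, eq - 1))
            val = substr(line, eq + 1); sub(/^[ \t]+/, "", val)
            if (key == "include") scan(val)
            else if (sect == "[global]" && key == norm(want)) found = val
        }
        close(file)
    }
    BEGIN { scan(top); print found }'
}

# smb2_signing VALUE: what the server does once SMB2 or later is negotiated.
# Per smb.conf(5), "disabled" is treated as "auto" there; only "mandatory"
# (assumed synonym: "required") makes the server insist on signed sessions.
smb2_signing() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        mandatory|required) echo required ;;
        *)                  echo offered ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed files: the later assignment in the included file wins.
    printf '[global]\nserver signing = auto\ninclude = %s/smb-user.conf\n' "$d" > "$d/smb.conf"
    printf '[global]\n  Server Signing = disabled\n' > "$d/smb-user.conf"
    v=$(effective_param "$d/smb.conf" "server signing")
    echo "server signing = $v -> SMB2+: $(smb2_signing "$v")"
    rm -rf "$d"
}
demo
```

On a real box, `testparm -s` prints the configuration Samba actually loaded and is the authoritative check.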
- Papi2000
The group policy was invoked to your productive machine, to avoid connections to not domain members in future. Old connections are not deleted. That's the dirty part of the implementation in your PC-System. If it would be setup new, it would deny any connections to non-domain-members. So what are you trying? You look for a hack, to bring your personal equipment into the domain, without them being member of the domain. That's not what the group policy is intended to grant. Your virtual machine is not member of the domain, and so not regarding the whole rule package of the productive system.
Sorry if I wasn't clear.
The GPO setting is applied to my work laptop. I'm not trying to change anything there. The setting caused the samba shares on my OpenATV box to be unavailable, but the samba shares on my NAS and my webserver still work.
What I would like to do is make some changes to the Samba settings on my OpenATV box so I can connect to it again from my work laptop, even with the new GPO setting in place.
I found out which registry key the GPO has changed.
I used the Virtual Machine to switch between the old situation (= no GPO setting) and the new situation (= GPO active) so I can easily check if the changes I make to the OpenATV samba settings would have the desired effect.
- Papi2000
You have been clear, but didn't understand the whole thing.
The old SMB-Settings in oATV will no longer work. So it will be a new connection for your work pc. -> not granted in the live system.
If you delete the old connections to your other equipment, it also will not be granted again by a new try to connect to them.
And therefore i'm out here.
-
- Member
- Posts: 244
- Registered: 07 Jul 2019 16:16
- Thanks given: 3 times
- Thanks received: 39 times
Try in Windows 10 - Systemsteuerung\Alle Systemsteuerungselemente\Programme und Features - Windows Features activate or deactivate - support for SMB 1.0 activate.
Sorry, I have German WIN 10. I do not know the exact English wording for “Systemsteuerung\Alle Systemsteuerungselemente”.
Hope your company's laptop will allow this change.
-
- Member
No indeed I can't do that.
I can't activate SMB1 after we put in many efforts to finally move away from it.
SMB2 and SMB3 should work fine, right?
I have disabled this on my home network too, a long time ago.
The problem should not be there, the Samba shares to the OpenATV box have always worked with SMB2 or SMB3.
-
I'm still unsure why I can't connect to the Samba shares when the registry setting
HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature is set to 1.
The samba shares on my webserver or on my NAS don't seem to worry about that change while OpenATV does...
Papi2000 wrote: The connection is not denied by the box, but by your pc.
Yes, that's quite possible.
The PC doesn't want to connect to anything that doesn't do SMB signing. That's what the new GPO has arranged.
So I'm looking for a way to get the box and the PC talking again.
The PC can talk to the NAS and to the webserver, so they both seem to do SMB signing?
I guess it must be possible to get the PC to talk to the OpenATV again, too?
Papi2000 wrote: Delete the saved connections to your NAS and the Webserver, and restart your PC. Try to get them connected again...
They still work.
On my work laptop, and also on the virtual machine.
There were no saved connections on the Virtual Machine, that was newly installed yesterday.
I just use \\NAS and \\webserver to connect to it. Like I use \\hd51 to connect to the OpenATV box.
Only that last one gives an error.
Papi2000 wrote: You use for the box the user "root" and your own password, that you have given to the box in the network menu?
No, I don't even get that far.
I get an error straight away when I type \\hd51.
I don't get a window asking username/password.
If I did, I would try with the username/password I use for my ssh connection.