
Why is Samba denying access to clients browsing, for no encryption/signing, even when that is disabled?

I am running Samba version 4.11.6 on Ubuntu 20.04 LTS Server. Ubuntu and Windows 10 clients are able to access shares directly by name, but attempting to browse the server’s shares fails, because the client’s request for the IPC$ share is denied due to lack of encryption or signing of the request, even when the server is configured not to require encryption or signing:

smb.conf:

[global]
   nt pipe support = no
   netbios name = fileserver
   workgroup = WORKGROUP
   server string = %h
   dns proxy = yes
   name resolve order = lmhosts host wins bcast
   interfaces = enp1s0 lo
   bind interfaces only = yes
   log level = 9
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   security = user
   map to guest = bad user
   guest account = nobody
   force group = +mydocs
   encrypt passwords = true
   passdb backend = tdbsam
   invalid users = root
   domain logons = no
   load printers = no
   socket options = TCP_NODELAY
   client max protocol = default
   local master = yes
   preferred master = yes
   os level = 65
   guest ok = yes
   client ipc signing = off
   smb encrypt = off


[my_documents]
   comment = My Documents
   path = /export/share/my_documents
   browseable = yes
   writable = yes
   create mask = 0775
   guest ok = yes

log.smbd:

[2020/08/02 16:17:36.842128,  4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/08/02 16:17:36.842185,  5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/08/02 16:17:36.842221,  5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/08/02 16:17:36.842282,  5] ../../source3/smbd/uid.c:503(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/08/02 16:17:36.842361,  1] ../../source3/smbd/smb2_tcon.c:229(smbd_smb2_tree_connect)
  smbd_smb2_tree_connect: reject request to share [IPC$] as 'FILESERVER\james' without encryption or signing. Disconnecting.
[2020/08/02 16:17:36.842405,  3] ../../source3/smbd/smb2_server.c:3254(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142

I have also tried explicitly defining an IPC$ share (even though it shouldn’t be necessary) at path /tmp with encryption and signing disabled and guest access enabled, but it made no difference.

Any ideas?

Alternatively, is there some Windows-fu I can use to make it sign and/or encrypt requests for IPC$?
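
Added example, not part of the original post: a Python script that scans log.smbd text in the layout quoted above and lists every tree connect that smbd rejected for lack of signing or encryption, with the share, the account and the NT status logged just afterwards. The sample log is constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample in the log.smbd layout quoted in the post: a header line,
# then indented message lines. The text of each line is copied from the post.
SAMPLE_LOG = """\
[2020/08/02 16:17:36.842282,  5] ../../source3/smbd/uid.c:503(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/08/02 16:17:36.842361,  1] ../../source3/smbd/smb2_tcon.c:229(smbd_smb2_tree_connect)
  smbd_smb2_tree_connect: reject request to share [IPC$] as 'FILESERVER\\james' without encryption or signing. Disconnecting.
[2020/08/02 16:17:36.842405,  3] ../../source3/smbd/smb2_server.c:3254(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] (?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")
REJECT = re.compile(r"reject request to share \[(?P<share>[^\]]+)\] as '(?P<user>[^']*)' without encryption or signing")
STATUS = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\]")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.rstrip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.startswith(" "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def rejected_tree_connects(text):
    """Return one finding per tree connect refused for missing signing/encryption."""
    records = parse_records(text)
    findings = []
    for i, rec in enumerate(records):
        m = REJECT.search(rec["msg"])
        if not m:
            continue
        # The NT status is logged in a following record; look at the next three only,
        # so a status from an unrelated later request is not attributed to this one.
        status = next((s.group("status") for r in records[i + 1:i + 4]
                       if (s := STATUS.search(r["msg"]))), None)
        findings.append({"time": rec["ts"], "share": m["share"], "user": m["user"],
                         "status": status, "at": f'{rec["src"]}:{rec["line"]}'})
    return findings

if __name__ == "__main__":
    for finding in rejected_tree_connects(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by account and share shows whether the rejections are limited to IPC$ browsing or also hit named shares.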
