SOLVED SMB Signing

TeaBee

Dabbler
Joined
Jul 19, 2016
Messages
11
Hello everyone,

Is it possible that

  • client signing = ....
  • client ipc signing = ....

auxiliary parameters have no effect on TrueNAS' SMB/CIFS configuration?

I've received an internal penetration test report in which it's mentioned that message block signing is enabled but it is not mandatory. Kali's crackmapexec utility and an nmap script (nmap --script smb2-security-mode.nse -p445) were used for testing. I tried to make it mandatory by setting the parameters above to the 'required' value - without success. Just for testing purposes I tried to set them to the 'disabled' value - the result was the same: "Message signing enabled but not required".

Is there a way to make SMB signing mandatory?

Many thanks in advance,

Tibor
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Someone ran a nessus scan and copy-pasted results? :) You need this parameter https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSIGNING
 

TeaBee

Not nessus, but yes, something like that :) I've already tried the suggested parameter (server smb encrypt = required) but TrueNAS doesn't like it, I can't save in the management GUI and the error says: "Parameter server smb encrypt unknown for section global." If I change it to "smb encrypt = required" it makes no difference, still "Message signing enabled but not required".
 

anodos

Right, we do minimal validation of auxiliary parameters to prevent egregious foot-shooting (aux parameters that will break the smb.conf). In this case Samba's lib/param is saying that your parameter is not a global parameter (has an "S" next to it in the config manpage). You'll need to put that in your share config.
 

TeaBee

Thanks for your effort and the advice. If I understand correctly I should place the parameter (server smb encrypt = required) into the auxiliary parameters of all existing shares under Sharing/Windows Shares (SMB)?
 

anodos

Yes, if you want to force SMB encryption on all SMB shares. Do note that this is different than simply requiring signing "server signing = required". The latter is a global parameter, may be set under Services->SMB, and is most likely sufficient to address the "finding".
 

TeaBee

Well, placing "server smb encrypt = required" into any share's Auxiliary Parameters doesn't work. I can't save it. The error is:

-----------------------------------------
[EFAULT] net conf setparm [backup] failed with error: Unknown parameter encountered: "server smb encrypt" Invalid parameter 'server smb encrypt' given.

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 138, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1213, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/service.py", line 673, in update
    rv = await super().update(app, id, data)
  File "/usr/local/lib/python3.9/site-packages/middlewared/service.py", line 495, in update
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1213, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 975, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb.py", line 973, in do_update
    await self.middleware.call('sharing.smb.apply_conf_diff',
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1256, in call
    return await self._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1213, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/registry.py", line 227, in apply_conf_diff
    return await self.apply_conf_registry(share, confdiff)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/registry.py", line 208, in apply_conf_registry
    await self.reg_setparm(share, k, v)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/registry.py", line 106, in reg_setparm
    return await self.netconf(action='setparm', share=share, args=[parm, value])
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/registry.py", line 61, in netconf
    raise CallError(
middlewared.service_exception.CallError: [EFAULT] net conf setparm [backup] failed with error: Unknown parameter encountered: "server smb encrypt"
Invalid parameter 'server smb encrypt' given.

-----------------------------------------

But anyway.... it can't be a high risk if it's not implemented in this environment so I will ignore the "finding". It isn't worth putting too much effort into it. Many thanks for all the information you gave, and I really appreciate your help.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Well, placing "server smb encrypt = required" into any share's Auxiliary Parameters doesn't work.

That's because it's a global Samba parameter. You need to put this in the SMB service's Aux Parameters, and then restart the SMB service.
 

anodos

Code:
Unknown parameter encountered: "server smb encrypt"
Invalid parameter 'server smb encrypt' given.

Which version of TrueNAS is this? This error means that libsmbconf is preventing you from setting the parameter because it doesn't exist in the version of samba (most likely). The parameter changed between Samba 4.13 and Samba 4.14.

Code:
commit bd5a888746e15eff0a3f24e2a3e8e853fab0993b
Author: Andreas Schneider <asn@samba.org>
Date:   Thu Oct 10 14:18:23 2019 +0200

    param: Add 'server smb encrypt' parameter
   
    And this also makes 'smb encrypt' a synonym of that.
   
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
 

Samuel Tai

I should've looked at my system first. The global parameter is smb encrypt = required.
 

anodos

Ah good to know. I spend so much time hopping between source versions, I forget which parameters changed in which versions. Generally speaking, auxiliary parameters are mostly "use at your own risk". The only tested / supported configurations are ones available through the GUI.
 

Samuel Tai

The Samba documentation says this is (S) level, so it can be set either per-share or globally. I think 4.14 added both client smb encrypt and server smb encrypt, and made smb encrypt a synonym of server smb encrypt.
 

anodos

Right, but if this is Samba 4.12 (TN 12.0-U6) or Samba 4.13 (TN 12.0-U6.1 +), then "server smb encrypt" is invalid. In the case of Services->SMB, we validate auxiliary parameters that don't contain a colon (":") via the python binding for lib/param, which means it's always correct for the version of samba installed in TN even if my memory is fuzzy. :)
 

TeaBee

Which version of TrueNAS is this? This error means that libsmbconf is preventing you from setting the parameter because it doesn't exist in the version of samba (most likely). The parameter changed between Samba 4.13 and Samba 4.14.

TrueNAS Core - 12.0-U6.1
 

TeaBee

I should've looked at my system first. The global parameter is smb encrypt = required.
I've already tried, without any "success". When I check with "nmap --script smb2-security-mode.nse -p445 <ip address>" I receive the following:

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
 

anodos

Have you tried setting server signing = required as I mentioned earlier?
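
What the scan result quoted in this thread reflects, as an added example that is not part of the original posts: the SMB2 NEGOTIATE response carries a SecurityMode field whose low bits report signing enabled (0x0001) and signing required (0x0002). The function names and the sample response bytes below are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64                      # fixed SMB2 header size
SIGNING_ENABLED = 0x0001             # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002            # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}


def signing_finding(msg: bytes) -> str:
    """Classify signing policy from a raw SMB2 NEGOTIATE response
    (message bytes only, without the 4-byte TCP transport length prefix)."""
    if len(msg) < HEADER_LEN + 6 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Status is at header offset 8, Command at offset 12.
    status, command = struct.unpack_from("<IH", msg, 8)
    if status != 0 or command != 0x0000:          # 0x0000 = NEGOTIATE
        raise ValueError("not a successful NEGOTIATE response")
    # Body starts right after the header: StructureSize, SecurityMode, DialectRevision.
    size, sec_mode, dialect = struct.unpack_from("<HHH", msg, HEADER_LEN)
    if size != 65:                                # fixed StructureSize of this response
        raise ValueError("unexpected NEGOTIATE response body")
    name = DIALECTS.get(dialect, hex(dialect))
    if sec_mode & SIGNING_REQUIRED:
        verdict = "signing enabled and required"
    elif sec_mode & SIGNING_ENABLED:
        verdict = "signing enabled but not required"
    else:
        verdict = "signing not enabled"
    return f"{name}: {verdict}"


def constructed_response(sec_mode: int, dialect: int = 0x0311) -> bytes:
    """Build a minimal, constructed NEGOTIATE response for offline testing."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0x0000,
                         1, 0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sI", 65, sec_mode, dialect, 0, b"\x11" * 16, 0)
    return header + body


if __name__ == "__main__":
    # The state reported in the thread, then the state after signing is made mandatory.
    print(signing_finding(constructed_response(SIGNING_ENABLED)))
    print(signing_finding(constructed_response(SIGNING_ENABLED | SIGNING_REQUIRED)))
```
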
 

anodos

[Attached image: 1639062379042.png]
 