Can SMB signing be set up on TrueNAS Scale (or Core)?

Hi, trying to work out if SMB signing can be set up on TrueNAS Scale mainly, and on what version? Did it work on Core?

It’s already set up by default.

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSIGNING

Hi, I did a security scan of TrueNAS scale 23.10.2 and it came back with smbv2 signing not required, and marks it as a security issue. So it does look like it set.

Checked the manual for smb and it says ‘By default, and when smb signing is set to default, smb signing is required when server role is active directory domain controller and disabled otherwise.’

So will only be set if your TrueNAS is a domain controller.

bool srv_init_signing(struct smbXsrv_connection *conn)
{
        struct loadparm_context *lp_ctx = NULL;
        bool ok = true;

        lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
        if (lp_ctx == NULL) {
                DBG_DEBUG("loadparm_init_s3 failed\n");
                return false;
        }

        /*
         * For SMB2 all we need to know is if signing is mandatory.
         * It is always allowed and desired, whatever the smb.conf says.
         */
        (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);

#if defined(WITH_SMB1SERVER)
        ok = smb1_srv_init_signing(lp_ctx, conn);
#endif

        talloc_unlink(conn, lp_ctx);
        return ok;
}

cf source3/smbd/smb2_signing.c

TrueNAS Scale is being flagged by runZero as “SMB Signing Not Required”. I have the SMB Service Advanced Settings > Transport Encryption Behavior to Required and have restarted the SMB service.

Looking at /usr/share/samba/smb.conf I don’t see any evidence of the following being set in the [global] block:

server signing = mandatory  
client signing = mandatory  

Looking at a packet capture, the Negotiate Protocol Response from TrueNAS Scale indicates a Security mode of 0x01 (Signing enabled). Note that signing is not required.

The same from a Windows 10 22H2 box indicates 0x03 (Signing enabled, Signing required).

If you’re on SCALE that’s the wrong file.

root@truenas[/home/truenas_admin/truenas_pylibzfs]# grep encrypt /etc/smb4.conf
    server smb encrypt = required

Thanks for pointing me in the right direction. It looks like changes to this file are reverted upon service startup, so I added the following to /etc/smb4.conf:

server signing = mandatory
server smb3 signing algorithms = AES-128-GMAC

then ran chattr +i /etc/smb4.conf and restarted the service. Looks good!

Security mode: 0x03, Signing enabled, Signing required
.... ...1 = Signing enabled: True
.... ..1. = Signing required: True

I’ll have to manually unset the file when making configuration changes from the UI or before upgrading, and re-check / reapply after the upgrade. Thanks again for your help.
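
An added example, not part of any post in this thread: a small Python decoder for the SecurityMode field of an SMB2 Negotiate Protocol Response, showing how the 0x01 and 0x03 values quoted above map to "signing enabled" and "signing required". The function names and the sample messages are constructed for illustration; the field offsets follow the SMB2 header and NEGOTIATE response layout in MS-SMB2.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SIGNING_ENABLED = 0x0001      # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002     # SMB2_NEGOTIATE_SIGNING_REQUIRED
SERVER_TO_REDIR = 0x00000001  # header flag set on responses

def parse_negotiate_security_mode(msg: bytes) -> dict:
    """Decode SecurityMode from a raw SMB2 NEGOTIATE response."""
    # Strip the 4-byte Direct TCP length prefix if the capture includes it.
    if msg[:1] == b"\x00" and msg[4:8] == SMB2_MAGIC:
        msg = msg[4:]
    if len(msg) < 64 + 6 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr_size, = struct.unpack_from("<H", msg, 4)
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if hdr_size != 64 or command != 0 or not flags & SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Body starts after the 64-byte header: StructureSize, SecurityMode, Dialect.
    body_size, mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    required = bool(mode & SIGNING_REQUIRED)
    return {
        "security_mode": mode,
        "dialect": dialect,
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": required,
        # Wording mirrors the scanner result quoted in the thread.
        "finding": None if required else "SMB Signing Not Required",
    }

def build_sample(mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed response: every field zeroed except the ones parsed."""
    hdr = struct.pack("<4sHHIHHI", SMB2_MAGIC, 64, 0, 0, 0, 1, SERVER_TO_REDIR)
    body = struct.pack("<HHH", 65, mode, dialect)
    return hdr.ljust(64, b"\x00") + body.ljust(64, b"\x00")

if __name__ == "__main__":
    for label, mode in (("default config", 0x01), ("signing mandatory", 0x03)):
        r = parse_negotiate_security_mode(build_sample(mode))
        print(f"{label}: mode=0x{r['security_mode']:02x} "
              f"enabled={r['signing_enabled']} required={r['signing_required']} "
              f"finding={r['finding']}")
```

To use it on a real capture, pass the bytes of the SMB2 layer of the Negotiate Protocol Response, with or without the 4-byte transport length prefix.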