Hi Obaid,

I've uploaded the requested traces between Windows Server 2019 and Windows 11.

Regards,
Kacper

On Mon, 5 Jan 2026 at 19:17, Obaid Farooqi <[email protected]> wrote:
> Hi Kacper:
>
> It appears that you can capture encrypted session setup messages from Windows server 2019 and Windows 11. Can you please send me the traces from both server and client side when encrypted session setup messages are exchanged between them?
>
> I have already sent you t.cmd and instructions on how to capture traces with it. I will repeat the important instructions again.
>
> For SMB server, execute the following commands in sequence (netsh is a Windows built-in command):
>
> t.cmd srvon
> netsh trace start provider=Microsoft-Windows-SMBServer capture=yes report=disable
>
> For SMB client:
>
> t.cmd clion
> netsh trace start provider=Microsoft-Windows-SMBClient capture=yes report=disable
>
> Reproduce the scenario that triggers encrypted session setup.
>
> After repro, execute the following commands to stop tracing.
>
> On SMB server:
>
> t.cmd srvoff
> netsh trace stop
>
> On client:
>
> t.cmd clioff
> netsh trace stop
>
> Two trace files will be generated on each. Please zip all four files and upload to the following url:
>
> File Transfer - Case 2601020040005775
> <https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNBRjFBNjdERDUxQjI4QzVCNjg0N0Y5NTFCQTM2QkVDNDk0MkQ4NEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNzY2ZjEwNzEtYmVkOC00YmQwLTk3MzAtMjQ2NWViY2QzZDA4Iiwic3IiOiIyNjAxMDIwMDQwMDA1Nzc1Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNTdiYWI5ZTUtNTc1Ny00ODJmLTkzYjctMGZmYmE2ODNkZDRhIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3Njc2MzY4ODMsImV4cCI6MTc3NTQxMjg4MywiaWF0IjoxNzY3NjM2ODgzLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.JAiLjxMrFtOezf5GnSEsnwZ3wO7PVoBIgWy1XDm4FiugjP4I8I-PeHKT56Bw1-DMHcTRKHE92Cz2lvMRafd1T8BO--VeF6dSqZzvf8Mu9NdlYsgka0Sl8belUyOTEMNuCmcXhYNDLJnd4y0x-b-HRjjhrXNXefbAn9Lq6fF_hJNvKUgX8zD-4fAIF-Lq-YUdaPsP360aZpxJOX6ZSeP_YEpheW2kY79XPqGHLP3VZq0uJCA3D7faGstxEwEhMcWq2pZXvREPvAZu-J8hWk_X85HPTkEVBAn8KW5bMgu1zPojjWIQKNTGLM9qlPr4R5clfZUPYzEig8GSXx2I_TxzJQ&wid=766f1071-bed8-4bd0-9730-2465ebcd3d08>
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Obaid Farooqi
> *Sent:* Monday, January 5, 2026 11:52 AM
> *To:* 'Kacper' <[email protected]>
> *Cc:* Microsoft Support <[email protected]>
> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2601020040005775
>
> Hi Kacper:
>
> I am looking into this issue and will be in touch as soon as I have an answer.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Friday, January 2, 2026 6:11 PM
> *To:* Obaid Farooqi <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hello Obaid,
>
> I’m a bit confused about how to interpret MS-SMB2 with respect to session setup signing and encryption. In addition to my findings in my previous email I also found:
>
> MS-SMB2 section 3.3.4.1.1 which states: “If the server encrypts the message, as specified in section 3.1.4.3, the server MUST set the Signature field of the SMB2 header to zero.”
>
> This appears to contradict the requirement that the session setup exchange must always be signed, even when encryption is in use. Furthermore, in network traces between Windows Server 2019 and Windows 11, session setup responses encapsulated within an SMB Transform header appear to contain SMB2 headers whose Signature field is not zero, which further conflicts with the stated requirement in MS-SMB2.
>
> Could the new group policy setting in Windows 11 24H2 — Lanman Workstation → Require encryption — change how Windows handles the session setup exchange in a way that appears non-conforming to MS-SMB2? Or am I misinterpreting the specification in MS-SMB2 regarding signing and encryption of session setup messages?
>
> Regards,
> Kacper
>
> On Fri, 2 Jan 2026 at 22:14, Kacper <[email protected]> wrote:
>
> Hello Obaid,
>
> I hope you had a good holiday. I’ve been examining how Samba calculates the session setup signature, and I believe the problem lies in that Samba doesn't sign the session setup if it's in an SMB2 transform header—that is, when the entire message is encrypted.
>
> According to MS-SMB2 section 2.2.1.2, the 16-byte signature is present if SMB2_FLAGS_SIGNED is set in the Flags field and the message is not encrypted. If the message is not signed, this field must be 0.
>
> Section 3.3.5.5.3 states that if SMB2_SESSION_FLAG_IS_GUEST is not set in SessionFlags and Session.IsAnonymous is FALSE, the server must sign the final session setup response before sending it to the client.
>
> However, the spec also describes an exception for encrypted sessions. If EncryptData is TRUE, Connection.Dialect is SMB 3.x, Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_ENCRYPTION, RejectUnencryptedAccess is TRUE, and SMB2_SESSION_FLAG_BINDING is not set in the request Flags, then the server must set SMB2_SESSION_FLAG_ENCRYPT_DATA in SessionFlags of the session setup response, set Session.SigningRequired to FALSE, and set Session.EncryptData to TRUE.
>
> Could you please clarify: does session setup always need to be signed, even when the message is encrypted, or is SMB2_SESSION_FLAG_ENCRYPT_DATA the only situation where signing can be skipped?
>
> Regards,
> Kacper
>
> On Thu, 18 Dec 2025 at 18:40, Obaid Farooqi <[email protected]> wrote:
>
> Hi Kacper:
>
> You need to tell me how Samba calculates the signature. There is obviously a different way it is being done for reauthentication since for new authentication, signature is verified correctly. Please consult MS-SMB2 for details on signature calculation.
>
> As I mentioned before, the only thing I see on Windows side is that session setup signature is failing. Since session setup response is always signed, Samba must do it right for new authentication.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Thursday, December 18, 2025 11:33 AM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> I think there’s been a misunderstanding. This issue is not resolved. I still would like to understand why Windows 11 24H2 fails signature validation when the new “Require encryption” GPO is enabled, especially when combined with RequireMutualAuthentication in Hardened UNC Paths. SMB encryption works correctly against Samba without this GPO, but fails once it’s enabled.
>
> Regards,
> Kacper
>
> On Thu, 18 Dec 2025 at 17:58, Obaid Farooqi <[email protected]> wrote:
>
> Hi Kacper:
>
> Glad to know your issue is resolved. I’ll be closing this case.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Tuesday, December 16, 2025 5:24 PM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> I created a test environment to isolate the issue, but I was unable to reproduce the problem by configuring Hardened UNC Paths alone. After extensive testing, I determined that the issue consistently occurs when Computer Configuration → Administrative Templates → Network → Lanman Workstation → Require encryption is enabled (https://learn.microsoft.com/en-us/windows-server/storage/file-server/configure-smb-client-require-encryption). I apologize for not having tested this more thoroughly in isolation earlier.
>
> Perhaps there is a special code path taken when Require encryption is enabled, as setting RequirePrivacy=1 in Hardened UNC Paths does appear to enable SMB encryption without causing the failure.
>
> Regards,
> Kacper
>
> On Fri, 12 Dec 2025 at 20:28, Kacper <[email protected]> wrote:
>
> Hi Obaid,
>
> 1) Open the Group Policy Management Console (which is part of Windows RSAT tools)
> 2) Create a group policy object, highlight the domain where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".
> 3) Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor
> 4) Navigate to the User Configuration → Preferences → Windows Settings → Drive Maps entry
> 5) Right-click the Drive Maps entry and select New → Mapped Drive
> 6) Set the following: On the General tab, Action: Create, Location: \\server.domain.tld\share\ (replace server.domain.tld with the domain fqdn of the samba DC). Click OK
> 7) Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the Samba DC. Close the Group Policy Management Console
>
> You will also have to configure a shared folder in Samba by:
>
> 1) mkdir /srv/share
> 2) chmod 755 /srv/share
> 3) adding to smb.conf:
>
> [share]
> path = /srv/share
> browseable = yes
>
> 4) restarting the Samba DC
>
> Any other User Configuration GPO setting could probably be applied, but I believe at least one needs to be configured in order for Windows to try to apply user group policies.
>
> Let me know if you need any further assistance.
>
> Regards,
> Kacper
>
> On Fri, 12 Dec 2025 at 19:49, Obaid Farooqi <[email protected]> wrote:
>
> Hi Kacper:
>
> I don’t support products, which means I don’t help customers configure systems. As such, please elaborate on the following as I have never done this.
>
> 3) Create new GPO with user settings, say with a mapped drive
>
> As for mutual authentication, it is not related to integrity and privacy.
>
> Mutual authentication means that only Kerberos can be used for authentication (mutual authentication means that not only server will authenticate client, client will also authenticate server). NTLM cannot do mutual authentication.
>
> Session key is always established whether you do mutual authentication or not.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Friday, December 12, 2025 12:34 PM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> I’ve done some additional testing. When I set RequireMutualAuthentication=0 while keeping RequireIntegrity=1 and RequirePrivacy=1, Windows does not fail the signature verification. My understanding is that mutual authentication is required to establish a session key, which is then used to enable integrity (signing) and privacy (encryption). If that’s the case, then integrity and privacy shouldn’t work when mutual authentication is disabled—correct? In other words, RequireMutualAuthentication would need to be enabled in order to use either integrity or privacy?
>
> Additionally, I tested this scenario on Windows 10 22H2, and the issue does not occur there.
>
> To reproduce the issue:
>
> 1) Provision a Samba DC and create a new domain
> 3) Join a Windows 11 client to the Samba domain
> 2) Create a GPO, preferably using RSAT, and configure the setting "Hardened UNC paths" with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths)
> 3) Create new GPO with user settings, say with a mapped drive
> 4) Create a new user, either using RSAT or samba-tool user create, and set a known password for the user
> 5) Logon with that user on the Windows 11 client
> 6) The mapped drive does not get mapped, no group policies have been applied during logon and the Windows event log will log an event with event id 1058, error code 2148073478 and the description invalid signature
> 7) Running gpupdate /force manually will apply policies for both computer and user without errors
>
> Regards,
> Kacper
>
> On Fri, 12 Dec 2025 at 16:41, Kacper <[email protected]> wrote:
>
> Hi Obaid,
>
> I'm using the Group Policy Management Console (GPMC) snap-in. I'm configuring hardened UNC paths for \\*\NETLOGON and \\*\SYSVOL. I've uploaded a screenshot of the GPO setting to the secure file exchange.
>
> Regards,
> Kacper
>
> On Fri, 12 Dec 2025 at 01:32, Obaid Farooqi <[email protected]> wrote:
>
> Hi Kacper:
>
> How are you applying this group policy on a Samba DC? If you are doing it on a Windows DC, what is the UNC path that you are configuring in the group policy editor?
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Thursday, December 11, 2025 4:59 PM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> If session setup responses are always signed I would like to understand why the signature verification fails when Hardened UNC Paths are configured with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths) and why the signature verification succeeds
>
> 1) when Hardened UNC Paths are not configured (e.g. the gpo is left at its not configured setting)
> 2) after logon when manually refreshing group policies with gpupdate /force.
>
> Regards,
> Kacper
>
> On Thu, Dec 11, 2025, 20:34 Obaid Farooqi <[email protected]> wrote:
>
> Hi Kacper:
>
> Looking at the traces, here is what’s happening:
>
> 1. Just before sending the create request for gpt.ini, client determines that it is a 3-part SPN and therefore it needs to reauthenticate.
> 2. Client sends a session setup request
> 3. Server (in this case Samba DC) responds with session setup response
> 4. Session setup response is always signed. Client tries to verify the signature and that fails.
>
> Please let me know if this does not answer your question.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Wednesday, December 10, 2025 4:30 AM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> I have not been able to reproduce this problem against a Windows DC. I've uploaded the requested t.cmd traces to the secure file exchange.
>
> Regards,
> Kacper
>
> On Tue, 9 Dec 2025 at 21:13, Obaid Farooqi <[email protected]> wrote:
>
> Hi Kacper:
>
> You’ll have to rename t.txt to t.cmd. Your email provider does not allow .cmd files.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Obaid Farooqi
> *Sent:* Tuesday, December 9, 2025 2:10 PM
> *To:* 'Kacper' <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; 'cifs-protocol' <[email protected]>
> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Kacper:
>
> I want to reproduce this for Windows to Windows. Please let me know the exact steps and setup.
>
> Alternatively, you can collect ETW traces for me on the Windows 11 client. The script I have attached to this email does not survive reboot. So, if you can reproduce the scenario without rebooting, here are the steps.
>
> 1. Unzip and copy the file t.cmd on your windows 11 client.
> 2. Login as administrator and in a cmd (elevated), execute the following command: t.cmd clion
> 3. Reproduce the scenario, which I guess will require you to log off and login again (preferably as a different user)
> 4. Once you see the error in Event Viewer, repro is complete.
> 5. Open an elevated Cmd window and execute the following command: t.cmd clioff
> 6. Upload the resulting t*.cab file to the link I provided you.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Obaid Farooqi
> *Sent:* Monday, December 8, 2025 10:38 AM
> *To:* 'Kacper' <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Kacper:
>
> Thank you for the traces. I’ll look into them and get back to you as soon as I have anything concrete.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Monday, December 8, 2025 4:20 AM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hello Obaid,
>
> Thank you for taking over this issue. The issue occurs between a Windows 11 client and a Samba DC. I’ve tested the same scenario against a Windows DC, and it works correctly there. My testing was done with Windows 11 (24H2, OS version 26100.7171) and Samba 4.21.10. I’ve uploaded the network trace, the event log entry, and the auth trace. Manually running gpupdate /force after the user logs on works without any issues.
>
> I would like to understand why Windows fails to apply GPOs during logon when Hardened UNC Paths are configured and the domain controller is Samba.
>
> Regards,
> Kacper
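The signing and Signature-field rules the thread quotes from MS-SMB2 (sections 2.2.1.2, 3.3.4.1.1 and 3.3.5.5.3), as an added illustrative model in Python; this is not code from the thread, from Samba or from Windows, and the function names are my own. It implements the SMB 2.0.2/2.1 signing algorithm (HMAC-SHA256 over the whole message with the Signature field zeroed, truncated to 16 bytes). SMB 3.x dialects, which the thread is actually about, use AES-CMAC (or negotiated AES-GMAC on 3.1.1) with a key derived from the session key, but the zero-the-Signature-field rule is the same; that MAC, the key derivation and the AES-CCM/GCM transform are not implemented here. The session key, message ids and body bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# SMB2 header (MS-SMB2 2.2.1.2): 64 bytes, Flags at offset 16, Signature at offset 48.
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
HEADER_LEN = 64
FLAGS_OFFSET = 16
SIG_OFFSET = 48
ZERO_SIG = b"\x00" * 16

SMB2_FLAGS_SERVER_TO_REDIR = 0x01
SMB2_FLAGS_SIGNED = 0x08
SMB2_SESSION_SETUP = 0x0001
# SessionFlags of the SESSION_SETUP response (2.2.6)
SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002
SMB2_SESSION_FLAG_ENCRYPT_DATA = 0x0004


def build_message(command, message_id, session_id, flags=0, body=b""):
    """Build an SMB2 message (header + body) with an all-zero Signature field."""
    header = struct.pack(HEADER_FMT, b"\xfeSMB", HEADER_LEN, 0, 0, command, 1,
                         flags, 0, message_id, 0, 0, session_id, ZERO_SIG)
    return header + body


def _flags(msg):
    return struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]


def _set_flags(msg, flags):
    return msg[:FLAGS_OFFSET] + struct.pack("<I", flags) + msg[FLAGS_OFFSET + 4:]


def _with_signature(msg, sig):
    return msg[:SIG_OFFSET] + sig + msg[SIG_OFFSET + 16:]


def sign_message(signing_key, msg):
    """SMB 2.0.2/2.1 signing: set SMB2_FLAGS_SIGNED, zero the Signature field,
    HMAC-SHA256 the entire message and store the first 16 bytes of the MAC."""
    msg = _set_flags(msg, _flags(msg) | SMB2_FLAGS_SIGNED)
    msg = _with_signature(msg, ZERO_SIG)
    mac = hmac.new(signing_key, msg, hashlib.sha256).digest()[:16]
    return _with_signature(msg, mac)


def verify_message(signing_key, msg):
    """Receiver-side check; returns 'ok', 'unsigned', 'bad_signature' or 'malformed'.
    A 'bad_signature' result is the condition the thread's event 1058 reports."""
    if len(msg) < HEADER_LEN or msg[:4] != b"\xfeSMB":
        return "malformed"
    received = msg[SIG_OFFSET:SIG_OFFSET + 16]
    if not _flags(msg) & SMB2_FLAGS_SIGNED:
        # 2.2.1.2: an unsigned (and unencrypted) message carries an all-zero Signature.
        return "unsigned" if received == ZERO_SIG else "malformed"
    expected = hmac.new(signing_key, _with_signature(msg, ZERO_SIG),
                        hashlib.sha256).digest()[:16]
    return "ok" if hmac.compare_digest(received, expected) else "bad_signature"


def server_must_sign_session_setup_response(session_flags, is_anonymous):
    """3.3.5.5.3 as quoted in the thread: sign the final SESSION_SETUP response
    unless the session is a guest or anonymous session."""
    return not (session_flags & SMB2_SESSION_FLAG_IS_GUEST) and not is_anonymous


def prepare_for_encryption(msg):
    """3.3.4.1.1 as quoted in the thread: when the server encrypts the message it
    sets the SMB2 header's Signature field to zero; the TRANSFORM_HEADER's own
    Signature then protects the ciphertext (the AES transform is not modelled)."""
    return _with_signature(msg, ZERO_SIG)


def finalize_session_setup_response(signing_key, msg, session_flags, is_anonymous, encrypt):
    """Combine the two quoted clauses as literally read: an encrypted response
    carries a zero Signature, an unencrypted non-guest response is signed."""
    if encrypt:
        return prepare_for_encryption(msg)
    if server_must_sign_session_setup_response(session_flags, is_anonymous):
        return sign_message(signing_key, msg)
    return msg


def inner_signature_is_zero(plaintext_msg):
    """The check behind Kacper's trace observation: a header recovered from inside
    an SMB2 TRANSFORM_HEADER should have an all-zero Signature field."""
    return plaintext_msg[SIG_OFFSET:SIG_OFFSET + 16] == ZERO_SIG


def hresult_hex(code):
    """Render a decimal event-log error code as an HRESULT in hex."""
    return f"0x{code & 0xFFFFFFFF:08X}"


if __name__ == "__main__":
    key = b"constructed-sample-session-key"          # constructed, not a real key
    resp = build_message(SMB2_SESSION_SETUP, 3, 0x1234, SMB2_FLAGS_SERVER_TO_REDIR,
                         body=b"\x09\x00\x00\x00\x48\x00\x00\x00")  # constructed body
    signed = finalize_session_setup_response(key, resp, 0, False, encrypt=False)
    print("signed response verifies:", verify_message(key, signed))
    print("wrong key:", verify_message(b"other-key", signed))
    encrypted_inner = finalize_session_setup_response(key, resp, 0, False, encrypt=True)
    print("Signature zero inside transform:", inner_signature_is_zero(encrypted_inner))
    print("event 1058 error code:", hresult_hex(2148073478))
```

`hresult_hex(2148073478)` gives `0x80090006`, which is the NTE_BAD_SIGNATURE HRESULT ("Invalid Signature"), matching the description Kacper saw alongside event id 1058. `inner_signature_is_zero` is the test to run on the decrypted inner header of a transform-wrapped session setup response when comparing the Windows-to-Windows traces against the Samba ones.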
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
