Hi Kacper:
Thanks for bringing this documentation issue to our attention.
After debugging, I confirm that the session setup response, even if encrypted, 
must be signed, like all session setup responses. This is an exception to the 
general rule that if a message is encrypted, it will not have a signature in the 
header.

In your original question, the signature verification was failing. As you 
mentioned that Samba does not include a signature in the SMB header if the 
session setup is signed, that explains the reason why.

I have filed a bug against MS-SMB2 to include this additional information about 
session setup, reauth and signature in the header.

Please let me know if this does not answer your question.
Also let me know if you have any additional questions.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Monday, January 5, 2026 1:01 PM
To: Obaid Farooqi <[email protected]>; cifs-protocol 
<[email protected]>
Cc: Microsoft Support <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2601020040005775

Hi Obaid,

I've uploaded the requested traces between Windows Server 2019 and Windows 11.

Regards,
Kacper

On Mon, 5 Jan 2026 at 19:17, Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
It appears that you can capture encrypted session setup messages from Windows 
Server 2019 and Windows 11. Can you please send me the traces from both server 
and client side when encrypted session setup messages are exchanged between 
them?

I have already sent you t.cmd and instructions on how to capture traces with it. 
I will repeat the important instructions again.

For the SMB server, execute the following commands in sequence (netsh is a 
Windows built-in command):

t.cmd srvon
netsh trace start provider=Microsoft-Windows-SMBServer capture=yes 
report=disable

For the SMB client:

t.cmd clion
netsh trace start provider=Microsoft-Windows-SMBClient capture=yes 
report=disable

Reproduce the scenario that triggers the encrypted session setup.

After the repro, execute the following commands to stop tracing.

On SMB server,
t.cmd srvoff
netsh trace stop

On client
t.cmd clioff
netsh trace stop

Two trace files will be generated on each. Please zip all four files and upload 
them to the following URL:
File Transfer - Case 2601020040005775

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Monday, January 5, 2026 11:52 AM
To: 'Kacper' <[email protected]>
Cc: Microsoft Support <[email protected]>
Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2601020040005775

Hi Kacper:
I am looking into this issue and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Friday, January 2, 2026 6:11 PM
To: Obaid Farooqi <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hello Obaid,

I’m a bit confused about how to interpret MS-SMB2 with respect to session setup 
signing and encryption. In addition to my findings in my previous email I also 
found:
MS-SMB2 section 3.3.4.1.1 which states:
“If the server encrypts the message, as specified in section 3.1.4.3, the 
server MUST set the Signature field of the SMB2 header to zero.”

This appears to contradict the requirement that the session setup exchange must 
always be signed, even when encryption is in use. Furthermore, in network 
traces between Windows Server 2019 and Windows 11, session setup responses 
encapsulated within an SMB Transform header appear to contain SMB2 headers 
whose Signature field is not zero, which further conflicts with the stated 
requirement in MS-SMB2.

Could the new group policy setting in Windows 11 24H2 (Lanman Workstation → 
Require encryption) change how Windows handles the session setup exchange in a 
way that appears non-conforming to MS-SMB2? Or am I misinterpreting the 
specification in MS-SMB2 regarding signing and encryption of session setup 
messages?

Regards,
Kacper

On Fri, 2 Jan 2026 at 22:14, Kacper <[email protected]> wrote:
Hello Obaid,

I hope you had a good holiday. I’ve been examining how Samba calculates the 
session setup signature, and I believe the problem lies in that Samba doesn't 
sign the session setup if it's in an SMB2 transform header, that is, when the 
entire message is encrypted.

According to MS-SMB2 section 2.2.1.2, the 16-byte signature is present if 
SMB2_FLAGS_SIGNED is set in the Flags field and the message is not encrypted. 
If the message is not signed, this field must be 0.

Section 3.3.5.5.3 states that if SMB2_SESSION_FLAG_IS_GUEST is not set in 
SessionFlags and Session.IsAnonymous is FALSE, the server must sign the final 
session setup response before sending it to the client.

However, the spec also describes an exception for encrypted sessions. If 
EncryptData is TRUE, Connection.Dialect is SMB 3.x, 
Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_ENCRYPTION, 
RejectUnencryptedAccess is TRUE, and SMB2_SESSION_FLAG_BINDING is not set in 
the request Flags, then the server must set SMB2_SESSION_FLAG_ENCRYPT_DATA in 
SessionFlags of the session setup response, set Session.SigningRequired to 
FALSE, and set Session.EncryptData to TRUE.

Could you please clarify: does session setup always need to be signed, even 
when the message is encrypted, or is SMB2_SESSION_FLAG_ENCRYPT_DATA the only 
situation where signing can be skipped?

Regards,
Kacper
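As an added example (not code from this thread, Samba or Windows), here is a small Python checker that parses the SMB2 header and applies the signing rules discussed in the message above and confirmed by Obaid at the top of the thread: the final session setup response is verified even when it arrives inside a transform header, while any other encrypted message must carry a zero Signature field (section 3.3.4.1.1). The MAC is the SMB 2.x HMAC-SHA256 variant so that it runs with the standard library alone (SMB 3.x uses AES-CMAC/GMAC under a derived key); the sample frames and key are constructed.

```python
import hashlib
import hmac
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # fixed 64-byte header, MS-SMB2 2.2.1.2
SMB2_HEADER_LEN = struct.calcsize(SMB2_HEADER_FMT)
SIG_OFF = 48                             # Signature occupies header bytes 48..63
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_SESSION_SETUP = 0x0001
STATUS_SUCCESS = 0x00000000

def parse_header(msg):
    """Unpack the fixed SMB2 header into named fields; reject non-SMB2 input."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_, size, _cc, status, command, _cr, flags, _nc, message_id, _rsv, tree_id,
     session_id, signature) = struct.unpack_from(SMB2_HEADER_FMT, msg)
    if size != SMB2_HEADER_LEN:
        raise ValueError("bad StructureSize %d" % size)
    return {"status": status, "command": command, "flags": flags,
            "message_id": message_id, "tree_id": tree_id,
            "session_id": session_id, "signature": signature}

def signing_disposition(hdr, arrived_encrypted):
    """Receiver's treatment of the Signature field: 'verify' (must check),
    'ignore' (encrypted, zero per 3.3.4.1.1), 'violation' (encrypted non-session-
    setup message with non-zero Signature) or 'none' (plaintext, unsigned)."""
    is_response = bool(hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR)
    if (hdr["command"] == SMB2_SESSION_SETUP and is_response
            and hdr["status"] == STATUS_SUCCESS):
        # Exception the thread establishes: the final session setup response is
        # signed even when it is carried inside a transform header.
        return "verify"
    if arrived_encrypted:
        return "ignore" if hdr["signature"] == bytes(16) else "violation"
    return "verify" if hdr["flags"] & SMB2_FLAGS_SIGNED else "none"

def compute_signature(msg, signing_key):
    """SMB 2.x signing (MS-SMB2 3.1.4.1): HMAC-SHA256 over the message with a
    zeroed Signature field, first 16 bytes. SMB 3.x uses AES-CMAC/GMAC instead."""
    zeroed = msg[:SIG_OFF] + bytes(16) + msg[SMB2_HEADER_LEN:]
    return hmac.new(signing_key, zeroed, hashlib.sha256).digest()[:16]

def verify_signature(msg, signing_key):
    # Constant-time comparison of the carried signature with a recomputation.
    return hmac.compare_digest(compute_signature(msg, signing_key), msg[SIG_OFF:SMB2_HEADER_LEN])

def build_response(command, session_id, signing_key=None, status=STATUS_SUCCESS, body=b""):
    """Constructed sample response (not a captured frame); signed if a key is given."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR | (SMB2_FLAGS_SIGNED if signing_key else 0)
    header = struct.pack(SMB2_HEADER_FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 1, status,
                         command, 1, flags, 0, 3, 0, 0, session_id, bytes(16))
    msg = header + body
    if signing_key is None:
        return msg
    return msg[:SIG_OFF] + compute_signature(msg, signing_key) + msg[SMB2_HEADER_LEN:]
```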

On Thu, 18 Dec 2025 at 18:40, Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
You need to tell me how Samba calculates the signature. There is obviously a 
different way it is being done for reauthentication since for new 
authentication, signature is verified correctly. Please consult MS-SMB2 for 
details on signature calculation.
As I mentioned before, the only thing I see on Windows side is that session 
setup signature is failing. Since session set up response is always signed, 
Samba must do it right for new authentication.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Thursday, December 18, 2025 11:33 AM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

I think there’s been a misunderstanding. This issue is not resolved.
I still would like to understand why Windows 11 24H2 fails signature validation 
when the new “Require encryption” GPO is enabled, especially when combined with 
RequireMutualAuthentication in Hardened UNC Paths.
SMB encryption works correctly against Samba without this GPO, but fails once 
it’s enabled.

Regards,
Kacper

On Thu, 18 Dec 2025 at 17:58, Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
Glad to know your issue is resolved. I’ll be closing this case.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Tuesday, December 16, 2025 5:24 PM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

I created a test environment to isolate the issue, but I was unable to 
reproduce the problem by configuring Hardened UNC Paths alone. After extensive 
testing, I determined that the issue consistently occurs when Computer 
Configuration → Administrative Templates → Network → Lanman Workstation → 
Require encryption is enabled 
(https://learn.microsoft.com/en-us/windows-server/storage/file-server/configure-smb-client-require-encryption). 
I apologize for not having tested this more thoroughly in isolation earlier.

Perhaps there is a special code path taken when Require encryption is enabled, 
as setting RequirePrivacy=1 in Hardened UNC Paths does appear to enable SMB 
encryption without causing the failure.

Regards,
Kacper

On Fri, 12 Dec 2025 at 20:28, Kacper <[email protected]> wrote:
Hi Obaid,

1) Open the Group Policy Management Console (which is part of Windows RSAT 
tools)
2) Create a group policy object, highlight the domain where you want the object 
linked, then open the Action menu and select "Create a GPO in this domain, and 
Link it here".
3) Right-click the newly-created GPO and select Edit to open the Group 
Policy Management Editor
4) Navigate to the User Configuration → Preferences → Windows Settings → Drive 
Maps entry
5) Right-click the Drive Maps entry and select New → Mapped Drive
6) Set the following: On the General tab, Action: Create, Location: 
\\server.domain.tld\share\ (replace server.domain.tld with the domain FQDN of 
the Samba DC). Click OK
7) Close the Group Policy Management Editor. The GPOs are automatically saved 
on the Sysvol share on the Samba DC. Close the Group Policy Management Console

You will also have to configure a shared folder in Samba by:
1) mkdir /srv/share
2) chmod 755 /srv/share
3) adding to smb.conf:
[share]
    path = /srv/share
    browseable = yes
4) restarting the Samba DC

Any other User Configuration GPO setting could probably be applied, but I 
believe at least one needs to be configured in order for Windows to try to 
apply user group policies.

Let me know if you need any further assistance.

Regards,
Kacper

On Fri, 12 Dec 2025 at 19:49, Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
I don’t support products, which means I don’t help customers configure systems. 
As such, please elaborate on the following, as I have never done this:
3) Create new GPO with user settings, say with a mapped drive

As for mutual authentication, it is not related to integrity and privacy.
Mutual authentication means that only Kerberos can be used for authentication 
(mutual authentication means that not only server will authenticate client, 
client will also authenticate server). NTLM cannot do mutual authentication.

Session key is always established whether you do mutual authentication or not.


Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Friday, December 12, 2025 12:34 PM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

I’ve done some additional testing. When I set RequireMutualAuthentication=0 
while keeping RequireIntegrity=1 and RequirePrivacy=1, Windows does not fail 
the signature verification. My understanding is that mutual authentication is 
required to establish a session key, which is then used to enable integrity 
(signing) and privacy (encryption).
If that’s the case, then integrity and privacy shouldn’t work when mutual 
authentication is disabled, correct? In other words, RequireMutualAuthentication 
would need to be enabled in order to use either integrity or privacy?

Additionally, I tested this scenario on Windows 10 22H2, and the issue does not 
occur there.

To reproduce the issue:
1) Provision a Samba DC and create a new domain
3) Join a Windows 11 client to the Samba domain
2) Create a GPO, preferably using RSAT, and configure the setting "Hardened UNC 
paths" with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 
(Computer Configuration → Administrative Templates → Network → Network Provider 
→ Hardened UNC Paths)
3) Create new GPO with user settings, say with a mapped drive
4) Create a new user, either using RSAT or samba-tool user create, and set a 
known password for the user
5) Logon with that user on the Windows 11 client
6) The mapped drive does not get mapped, no group policies have been applied 
during logon, and the Windows event log will log an event with event id 1058, 
error code 2148073478 and the description "invalid signature"
7) Running gpupdate /force manually will apply policies for both computer and 
user without errors

Regards,
Kacper

On Fri, 12 Dec 2025 at 16:41, Kacper <[email protected]> wrote:
Hi Obaid,

I'm using the Group Policy Management Console (GPMC) snap-in. I'm configuring 
hardened UNC paths for \\*\NETLOGON and \\*\SYSVOL. I've uploaded a screenshot 
of the GPO setting to the secure file exchange.

Regards,
Kacper

On Fri, 12 Dec 2025 at 01:32, Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
How are you applying this group policy on a Samba DC? If you are doing it on a 
Windows DC, what is the UNC path that you are configuring in the group policy 
editor?


Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Thursday, December 11, 2025 4:59 PM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

If session setup responses are always signed, I would like to understand why the 
signature verification fails when Hardened UNC Paths are configured with 
RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer 
Configuration → Administrative Templates → Network → Network Provider → 
Hardened UNC Paths) and why the signature verification succeeds
1) when Hardened UNC Paths are not configured (e.g. the GPO is left at its Not 
Configured setting)
2) after logon, when manually refreshing group policies with gpupdate /force.

Regards,
Kacper

On Thu, Dec 11, 2025, 20:34 Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
Looking at the traces, here is what’s happening:

  1.  Just before sending the create request for gpt.ini, the client determines 
that it is a 3-part SPN and therefore it needs to reauthenticate.
  2.  Client sends a session setup request
  3.  Server (in this case Samba DC) responds with a session setup response
  4.  Session setup response is always signed. Client tries to verify the 
signature and that fails.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Wednesday, December 10, 2025 4:30 AM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

I have not been able to reproduce this problem against a Windows DC. I've 
uploaded the requested t.cmd traces to the secure file exchange.

Regards,
Kacper

On Tue, 9 Dec 2025 at 21:13, Obaid Farooqi <[email protected]> wrote:
Hi Kacper:
You’ll have to rename t.txt to t.cmd. Your email provider does not allow .cmd 
files.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Tuesday, December 9, 2025 2:10 PM
To: 'Kacper' <[email protected]>
Cc: Microsoft Support <[email protected]>; 'cifs-protocol' <[email protected]>
Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550


Hi Kacper:
I want to reproduce this for Windows to Windows. Please let me know the exact 
steps and set up.

Alternatively, you can collect ETW traces for me on the Windows 11 client. The 
script I have attached to this email does not survive reboot. So, if you can 
reproduce the scenario without rebooting, here are the steps.


  1.  Unzip and copy the file t.cmd to your Windows 11 client.
  2.  Log in as administrator and in an elevated cmd window, execute the 
following command:
>t.cmd clion
  3.  Reproduce the scenario, which I guess will require you to log off and 
log in again (preferably as a different user)
  4.  Once you see the error in Event Viewer, repro is complete.
  5.  Open an elevated Cmd window and execute the following command:
>t.cmd clioff
  6.  Upload the resulting t*.cab file to the link I provided you.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Monday, December 8, 2025 10:38 AM
To: 'Kacper' <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies 
on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Kacper:
Thank you for the traces. I’ll look into them and get back to you as soon as I 
have anything concrete.
Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Monday, December 8, 2025 4:20 AM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on 
logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hello Obaid,

Thank you for taking over this issue. The issue occurs between a Windows 11 
client and a Samba DC. I’ve tested the same scenario against a Windows DC, and 
it works correctly there.
My testing was done with Windows 11 (24H2, OS version 26100.7171) and Samba 
4.21.10. I’ve uploaded the network trace, the event log entry, and the auth 
trace.
Manually running gpupdate /force after the user logs on works without any 
issues.

I would like to understand why Windows fails to apply GPOs during logon when 
Hardened UNC Paths are configured and the domain controller is Samba.

Regards,
Kacper
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol