
Disable SMB Signing

Mac OS X 10.5 supports SMB signing.  But if you have some older operating systems you may need to disable SMB signing when using Windows Server 2003 and up to host your files, typically when the 2003 Server is also a Domain Controller (DC).  To determine if SMB signing is required use Netmon (Network Monitor).  When using Netmon it is best to use a hub rather than a switch.  Once you have set the addresses and performed a capture, you’ll then look for the SMB negotiation string.  Options here are values of 3, 7 and 15 meaning SMB signing is disabled, enabled/not required and required respectively.
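The decode described above, as an added example that is not part of the original post: it reads the value from an SMB1 Negotiate response exported from a capture and maps 3, 7 and 15 to the three signing states. It assumes the value is the SecurityMode byte of an NT LM 0.12 response (WordCount 17); the function names are illustrative and the sample frames are constructed.

```python
SIGNING_ENABLED = 0x04   # SecurityMode bit: signatures enabled
SIGNING_REQUIRED = 0x08  # SecurityMode bit: signatures required

def signing_state(security_mode):
    """Map the SecurityMode byte to the three states listed in the article."""
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled/not required"
    return "disabled"

def parse_negotiate_response(frame):
    """Return (security_mode, state) from an SMB1 Negotiate response.

    Accepts the TCP payload with or without the 4-byte NetBIOS session header.
    """
    if frame[:1] == b"\x00" and frame[4:8] == b"\xffSMB":
        frame = frame[4:]                       # strip NetBIOS session header
    if len(frame) < 36 or frame[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, flags = frame[4], frame[9]
    if command != 0x72 or not flags & 0x80:     # 0x72 = Negotiate, 0x80 = reply
        raise ValueError("not a Negotiate response")
    if frame[32] != 17:                         # WordCount for NT LM 0.12
        raise ValueError("not an NT LM 0.12 response")
    security_mode = frame[35]                   # follows the 2-byte DialectIndex
    return security_mode, signing_state(security_mode)

def sample_response(security_mode, reply=True):
    """Constructed frame for the demo: zeroed fields except those parsed."""
    flags = 0x98 if reply else 0x18
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22
    params = bytes([17]) + b"\x00\x00" + bytes([security_mode]) + b"\x00" * 31
    message = header + params + b"\x00\x00"     # empty data block (ByteCount 0)
    return b"\x00" + len(message).to_bytes(3, "big") + message

if __name__ == "__main__":
    for mode in (3, 7, 15):
        print(mode, parse_negotiate_response(sample_response(mode))[1])
```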

If SMB signing is required then you can set it to enabled/not required for testing.  To do so, use the Microsoft network client: Digitally sign communications (always) policy in Group Policy (run gpedit.msc from Start->Run on the host in question, or edit the policy from a DC).  Setting that policy to Disabled still leaves signing in use whenever the client and server can negotiate it.  At times the attempt at signing may itself appear to cause a failure, although this is pretty rare; in that case you can disable signing by also disabling the Digitally sign communications (if client agrees) policy.

These values can also be controlled using the following registry path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

By setting EnableSecuritySignature to a REG_DWORD value of 0 you would disable Digitally sign communications (if server agrees).  By setting RequireSecuritySignature to a REG_DWORD value of 0 you would disable Digitally sign communications (always).
