Guest Browsing denied with Windows XP SP2

[Screenshots: Guest browsing denied, XP in workgroup mode; smbclient works OK. "The account is not authorized to log in from this station"]

Certain network setups do not need the tremendous ammo of Windows XP security buried inside Service Pack 2. It seems that XP SP2 cannot browse and access Windows shares the old-fashioned way, in WORKGROUP mode only.


It seems that applying the following patch, Win2003_AllowNonSMBSign.reg, solves this problem. Check out this registry directory for more registry files that are of importance when dealing with Samba.
Win2003_AllowNonSMBSign.reg :


REGEDIT4

; Disable SMB signing.  SMB signing is strong authentication for SMB/CIFS;
; unfortunately Samba-TNG does not support it at this time.  Thus this
; patch is necessary on Windows Server 2003, and possibly future service
; packs of Windows XP - otherwise rpcclient and smbclient can't communicate
; with them.
; Thanks to Volker Lendecke for the information.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"requiresecuritysignature"=dword:0

This patch is to be applied on your XP SP2 machine to connect with an older Samba server. In fact it _will_ speed up your SMB network considerably. No security signing mismatch handshakes are needed anymore.
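Before importing a .reg file fetched from elsewhere, it is worth confirming that it sets only the SMB signing value it claims to. The following is an added example, not part of the original page: a small parser that lists the signing-related values a .reg file changes and anything else it touches. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the registry patch quoted above, comments shortened.
SAMPLE_REG = r'''REGEDIT4

; Disable SMB signing.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"requiresecuritysignature"=dword:0
'''

# SMB signing values live under the server and workstation service keys.
SIGNING_KEYS = ("\\services\\lanmanserver\\parameters",
                "\\services\\lanmanworkstation\\parameters")
SIGNING_VALUES = {"requiresecuritysignature", "enablesecuritysignature"}

def parse_reg(text):
    """Yield (key, value_name, raw_data) for every value a .reg file sets."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'("[^"]+"|@)\s*=\s*(.+)', line)
        if m and key:
            yield key, m.group(1).strip('"'), m.group(2)

def review_reg(text):
    """Split a .reg file into SMB signing changes and everything else."""
    signing, other = [], []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        d = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", data)
        if k.endswith(SIGNING_KEYS) and n in SIGNING_VALUES and d:
            side = "server" if "lanmanserver" in k else "client"
            signing.append((side, n, "on" if int(d.group(1), 16) else "off"))
        else:
            other.append((key, name, data))
    return signing, other

if __name__ == "__main__":
    signing, other = review_reg(SAMPLE_REG)
    for side, name, state in signing:
        print(f"{side}: {name} -> {state}")
    print(f"{len(other)} other value(s) set by this file")
```

Anything returned in the second list is a change the file makes beyond SMB signing and should be read before the file is imported.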

The following adjustments are needed inside any Samba 2.0.x or 2.2.x version:


1. Use : security = user
2. Use : encrypt passwords = yes
         smb passwd file = /etc/samba/smbpasswd
3. Make sure a working /etc/samba/smbpasswd exists and has working password
   hashes:

   # cd /etc/samba
   # mksmbpasswd.sh < /etc/passwd > smbpasswd
   # smbpasswd stock < your_password >

The end result looks like this:
[Screenshot: Workgroup browse works OK. "The account is not authorized to log in from this station"]

The Samba team has been playing rather misty for me, again, as they left out this essential registry patch inside their main Samba source tree: http://www.crashrecovery.org/xpsp2/registry/Win2003_AllowNonSMBSign.reg

Inside Windows Server 2003 versions this registry setting is known as "Require Security Signature" and is supposed to increase security. However, keep in mind that only the login/password handshake gets an increased security signing; once authenticated, the SMB traffic itself is still unencrypted. Anyone running a sniffer on your LAN can thus still capture that SMB traffic without any extra decryption effort.

In practice the net result is that older Windows clients like Windows 95, 98, 98SE, Millennium, and unpatched versions of Windows 2000, 2003 and XP cannot access your Windows 2003 Server running the "Require Security Signature" setting. This is a little odd, certainly if it is subsequently suggested that your complete network has to be upgraded to meet the "Require Security Signature" requirement.

Happy Samba-ing again :)

Kudos go to Fred N. van Kempen for pointing this out to me.