[Samba] Regression: The 'net' command is now failing to login (UNKNOWN ENUM VALUE 1003?)
pisymbol .
pisymbol at gmail.com
Thu May 26 11:23:16 UTC 2016
On Wed, May 25, 2016 at 2:38 PM, pisymbol . <pisymbol at gmail.com> wrote:
> Hello:
>
> Platform: CentOS 6.7 x86-64
>
> $ rpm -qa | grep samba
> samba-common-3.6.23-30.el6_7.x86_64
> samba4-libs-4.2.10-6.el6_7.x86_64
> ie-samba-utils-3.6.13-7.x86_64
> samba-winbind-3.6.23-30.el6_7.x86_64
> samba-client-3.6.23-30.el6_7.x86_64
> samba-winbind-clients-3.6.23-30.el6_7.i686
> samba-winbind-clients-3.6.23-30.el6_7.x86_64
>
> Problems began after requiring SMB signing (I forgot the specifics but
> it was related to CVE-2016-2111 and the one before it I think).
>
> I had to enable support for signatures on the NetApp (I'm using their
> latest patched 8.2.4P3D1 firmware too; however, it looks like it fails
> on older releases of OnTap as well) as per their KB. That worked for
> now, making commands like rpcclient work.
>
> However, this now breaks the 'net' command:
>
> $ sudo net -d10 -U someuser%somepass -S <netapp hostname> share
> ....
> ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
> downgrade detected! missing_flags[0x00000010] -
> NT_STATUS_RPC_SEC_PKG_ERROR
> Got NTLMSSP neg_flags=0x00000010
> NTLMSSP_NEGOTIATE_SIGN
> neg_flags[0x60088205]
> Got NTLMSSP neg_flags=0x60088205
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
> lang_tdb_init: /usr/lib64/samba/en_US.UTF-8.msg: No such file or directory
> session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
> did you forget to run kinit?
> NetShareEnum: struct NetShareEnum
> out: struct NetShareEnum
> buffer : *
> buffer : NULL
> entries_read : *
> entries_read : 0x00000000 (0)
> total_entries : *
> total_entries : 0x00000000 (0)
> resume_handle : *
> resume_handle : 0x00000000 (0)
> result : UNKNOWN_ENUM_VALUE (1003)
> return code = 1003
>
> What is UNKNOWN ENUM VALUE (1003)?

If I turn off spnego on the client, then the net command works but now
rpcclient doesn't:

Attempt to open gencache.tdb has failed.
internal_resolve_name: returning 1 addresses: 192.168.17.248:0
Running timed event "tevent_req_timedout" 0x246a968
Connecting to 192.168.17.248 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
TCP_QUICKACK = 1
Failed to load /var/lib/samba/lib/upcase.dat - No such file or directory
Failed to load /var/lib/samba/lib/lowcase.dat - No such file or directory
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
Substituting charset 'UTF-8' for LOCALE
cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Can someone please explain to me why 'net' and 'rpcclient'
authenticate differently?

Note that I tried this on our NetApp with signing on and off.

-aps
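
The NTLMSSP flag words in the debug output quoted in this message can be decoded bit by bit to see what the server offered and which required bit was absent. The following Python is an added example, not part of the original post or of Samba's code; bit values are from MS-NLMP, and the `required` default (signing) and the `required & ~challenge` model of the client check are assumptions inferred from the `missing_flags` value in the log.

```python
import re

# Bit values from MS-NLMP; names as printed by Samba's debug output.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Lines copied from the 'net -d10' output quoted in the post.
LOG = """\
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
downgrade detected! missing_flags[0x00000010] -
NT_STATUS_RPC_SEC_PKG_ERROR
neg_flags[0x60088205]
"""

def decode(flags):
    """Names of the bits set in a 32-bit NTLMSSP flags word, low bit first."""
    return [NTLMSSP_FLAGS.get(1 << b, "UNKNOWN_0x%08x" % (1 << b))
            for b in range(32) if flags & (1 << b)]

def field(log, label):
    """Pull the hex value printed as label[0x........] out of the log."""
    return int(re.search(re.escape(label) + r"\[(0x[0-9a-fA-F]+)\]", log).group(1), 16)

def analyse(log, required=0x00000010):
    """Re-derive the downgrade check; 'required' defaults to SIGN (assumption)."""
    challenge = field(log, "challenge flags")
    return {
        "offered": decode(challenge),
        # Assumed model of the check: required bits the server did not offer.
        "missing": decode(required & ~challenge),
        "matches_log": (required & ~challenge) == field(log, "missing_flags"),
        # Server-offered bits absent from the final neg_flags line.
        "not_kept": decode(challenge & ~field(log, "neg_flags")),
    }

if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(key, value)
```

On the values in this log, the server's challenge carries NTLMSSP_NEGOTIATE_ALWAYS_SIGN but not NTLMSSP_NEGOTIATE_SIGN, which is the single bit reported in `missing_flags`.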