[linux-cifs-client] failed connections to 2008r2 server in high security mode

Jimi Schwar schwarj at mail.montclair.edu
Fri Apr 23 10:02:28 MDT 2010


On 4/23/10 9:44 AM, Shirish Pargaonkar wrote:
> On Fri, Apr 23, 2010 at 5:40 AM, Jeff Layton <jlayton at samba.org> wrote:
>> On Thu, 22 Apr 2010 22:59:10 -0500
>> Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
>>
>>> On Thu, Apr 22, 2010 at 1:01 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>>> I am having a horrible time connecting to a Windows 2008r2 server that
>>>> requires signing and NTLMv2 from a RHEL 5 server.  When trying to
>>>> connect I issue the following command:
>>>>
>>>> mount -t cifs //<servername>/<sharename> /mnt/cifs/ -o user=<SERVERNAME>\\user,sec=ntlmv2i -vv
>>>>
>>>> After entering my password the verbose output is:
>>>>
>>>> mount.cifs kernel mount options:
>>>> unc=//<servername>\<sharename>,domain=<SERVERNAME>,ver=1,rw,user=<username>,,,,,,,,,,,,,,sec=ntlmv2i,ip=x.x.x.x,pass=********
>>>> mount error(22): Invalid argument
>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>
>>>> I have tried every combination I can think of, replacing sec=ntlmv2i
>>>> with ntlmv2, and specifying sign, adding the domain name, trying actual
>>>> AD users instead of a local user, but all have failed.  However I have
>>>> no problems at all connecting with smbclient.  One thing I did notice is
>>>> that with the smbclient SPNEGO must be used to make a connection, when I
>>>> set it to "no" the connection always fails.  I believe I have it
>>>> configured properly for the kernel.
>>>>
>>>> I have the following 2 lines in /etc/request-key.conf
>>>>
>>>> create    cifs.spnego    *    *        /usr/sbin/cifs.upcall %k
>>>> create    dns_resolver    *    *        /usr/sbin/cifs.upcall %k
>>>>
>>>> and I have keyutils installed.  Can anyone tell me what I'm missing, as
>>>> I'm at a complete loss getting this connection to work.
>>>>
>>>> [root@]# yum list | grep keyutil
>>>> keyutils.x86_64                      1.2-1.el5              installed
>>>> keyutils-libs.i386                   1.2-1.el5              installed
>>>> keyutils-libs.x86_64                 1.2-1.el5              installed
>>>>
>>>> Here is my kernel module info:
>>>>
>>>> [root@]# modinfo cifs
>>>> filename:       /lib/modules/2.6.18-194.el5/kernel/fs/cifs/cifs.ko
>>>> version:        1.60RH
>>>> description:    VFS to access servers complying with the SNIA CIFS Specification e.g. Samba and Windows
>>>> license:        GPL
>>>> author:         Steve French <sfrench at us.ibm.com>
>>>> srcversion:     1E19234127C80DD280CE641
>>>> depends:
>>>> vermagic:       2.6.18-194.el5 SMP mod_unload gcc-4.1
>>>> parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (int)
>>>> parm:           cifs_min_rcv:Network buffers in pool. Default: 4 Range: 1 to 64 (int)
>>>> parm:           cifs_min_small:Small network buffers in pool. Default: 30 Range: 2 to 256 (int)
>>>> parm:           cifs_max_pending:Simultaneous requests to server. Default: 50 Range: 2 to 256 (int)
>>>> module_sig:
>>>> 883f3504ba0377878ccfeaa942826a11233a309e20373ac358c1f44611144fd5c03072bacf60c50a0b0fd3052e2277cc786c308ad54cf16c85f0bf
>>>>
>>>> dmesg output of the connection:
>>>>
>>>> fs/cifs/cifsfs.c: Devname: //x.x.montclair.edu/sharename flags: 64
>>>>  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 28 with uid: 0
>>>>  fs/cifs/connect.c: Domain name set
>>>>  fs/cifs/connect.c: Username: user
>>>>  fs/cifs/connect.c: UNC: \\x.x.montclair.edu\webhome ip: x.x.x.x
>>>>  fs/cifs/connect.c: Socket created
>>>>  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
>>>>  fs/cifs/connect.c: Existing smb sess not found
>>>>  fs/cifs/connect.c: Demultiplex PID: 6900
>>>>  fs/cifs/cifssmb.c: secFlags 0x1005
>>>>  fs/cifs/transport.c: For smb_command 114
>>>>  fs/cifs/transport.c: Sending smb:  total_len 82
>>>>  fs/cifs/connect.c: rfc1002 length 0x71
>>>>  fs/cifs/cifssmb.c: Dialect: 2
>>>>  fs/cifs/cifssmb.c: Must sign - secFlags 0x1005
>>>>  fs/cifs/cifssmb.c: negprot rc 0
>>>>  fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust: 14400
>>>>  fs/cifs/sess.c: sess setup type 3
>>>>  fs/cifs/transport.c: For smb_command 115
>>>>  fs/cifs/transport.c: Sending smb:  total_len 270
>>>>  fs/cifs/connect.c: rfc1002 length 0x27
>>>>  CIFS VFS: Unexpected SMB signature
>>>> Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
>>>>  fs/cifs/netmisc.c: Mapping smb error code 87 to POSIX err -22
>>>>  fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
>>>>  fs/cifs/sess.c: ssetup rc from sendrecv2 is -22
>>>>  fs/cifs/sess.c: ssetup freeing small buf ffff81006ef78300
>>>>  CIFS VFS: Send error in SessSetup = -22
>>>>  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 28) rc = -22
>>>>  CIFS VFS: cifs_mount failed w/return code = -22
>>>>
>>>>
>>>>
>>>
>>> It is broken.  I have coded to send SPNEGO ntlmv2 authentication but
>>> somehow am getting an error of
>>> Invalid parameter; the response does not tell which parameter, though.
>>>
>>
>> I think this is actually a bug in win2k8/vista:
>>
>>   http://support.microsoft.com/kb/957441
>>
>> ...though it wouldn't be an issue if NTLMSSP/SPNEGO worked properly.
>>
>> --
>> Jeff Layton <jlayton at samba.org>
>>
> 
> The bug does not mention Windows 7. I have a Windows 7 box, so I will first try
> authenticating with it instead of Windows 2008 Server.
> Also, I am not sure how essential SPNEGO is, i.e. would raw NTLMSSP with the
> NTLMv2 authentication mechanism suffice instead of SPNEGO NTLMSSP ntlmv2?
> I also need to figure out how to tell smbclient to talk ntlmv2 NTLMSSP
> without SPNEGO;
> by default it is SPNEGO NTLMSSP, which I have been able to use against
> a Windows 7 box.
> 
> Regards,
> 
> Shirish

I have tried sec=ntlmssp, which the doc says is experimental, and
it failed as well.  Adding the registry key mentioned in the KB did
allow me to mount the share without issue on both 2008 and 2008r2, so
thanks Jeff, you rock.

Also, I know this is out of place for the conversation, but I also set
up Kerberos auth and it negotiated properly to auth to the share.

If you guys want me to provide more feedback, please let me know what
you need.  Thanks for the help you've both provided so far.

Jimi

