[linux-cifs-client] failed connections to 2008r2 server in high security mode

Shirish Pargaonkar shirishpargaonkar at gmail.com
Fri Apr 23 10:36:43 MDT 2010


On Fri, Apr 23, 2010 at 11:02 AM, Jimi Schwar
<schwarj at mail.montclair.edu> wrote:
> On 4/23/10 9:44 AM, Shirish Pargaonkar wrote:
>> On Fri, Apr 23, 2010 at 5:40 AM, Jeff Layton <jlayton at samba.org> wrote:
>>> On Thu, 22 Apr 2010 22:59:10 -0500
>>> Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
>>>
>>>> On Thu, Apr 22, 2010 at 1:01 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>>>> I am having a horrible time connecting to a Windows 2008r2 server that
>>>>> requires signing and NTLMv2 from a RHEL 5 server.  When trying to
>>>>> connect I issue the following command:
>>>>>
>>>>> mount -t cifs //<servername>/<sharename> /mnt/cifs/ -o
>>>>> user=<SERVERNAME>\\user,sec=ntlmv2i -vv
>>>>>
>>>>> After entering my password the verbose output is:
>>>>>
>>>>> mount.cifs kernel mount options:
>>>>> unc=//<servername>\<sharename>,domain=<SERVERNAME>,ver=1,rw,user=<username>,,,,,,,,,,,,,,sec=ntlmv2i,ip=x.x.x.x,pass=********
>>>>> mount error(22): Invalid argument
>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>>
>>>>> I have tried every combination I can think of, replacing sec=ntlmv2i
>>>>> with ntlmv2, and specifying sign, adding the domain name, trying actual
>>>>> AD users instead of a local user, but all have failed.  However I have
>>>>> no problems at all connecting with smbclient.  One thing I did notice is
>>>>> that with the smbclient SPNEGO must be used to make a connection, when I
>>>>> set it to "no" the connection always fails.  I believe I have it
>>>>> configured properly for the kernel.
>>>>>
>>>>> I have the following 2 lines in /etc/request-key.conf
>>>>>
>>>>> create    cifs.spnego    *    *        /usr/sbin/cifs.upcall %k
>>>>> create    dns_resolver    *    *        /usr/sbin/cifs.upcall %k
>>>>>
>>>>> and I have keyutils installed.  Can anyone tell me what I'm missing, as
>>>>> I'm at a complete loss getting this connection to work.
>>>>>
>>>>> [root@]# yum list | grep keyutil
>>>>> keyutils.x86_64                      1.2-1.el5              installed
>>>>> keyutils-libs.i386                   1.2-1.el5              installed
>>>>> keyutils-libs.x86_64                 1.2-1.el5              installed
>>>>>
>>>>> Here is my kernel module info:
>>>>>
>>>>> [root@]# modinfo cifs
>>>>> filename:       /lib/modules/2.6.18-194.el5/kernel/fs/cifs/cifs.ko
>>>>> version:        1.60RH
>>>>> description:    VFS to access servers complying with the SNIA CIFS
>>>>> Specification e.g. Samba and Windows
>>>>> license:        GPL
>>>>> author:         Steve French <sfrench at us.ibm.com>
>>>>> srcversion:     1E19234127C80DD280CE641
>>>>> depends:
>>>>> vermagic:       2.6.18-194.el5 SMP mod_unload gcc-4.1
>>>>> parm:           CIFSMaxBufSize:Network buffer size (not including
>>>>> header). Default: 16384 Range: 8192 to 130048 (int)
>>>>> parm:           cifs_min_rcv:Network buffers in pool. Default: 4 Range:
>>>>> 1 to 64 (int)
>>>>> parm:           cifs_min_small:Small network buffers in pool. Default:
>>>>> 30 Range: 2 to 256 (int)
>>>>> parm:           cifs_max_pending:Simultaneous requests to server.
>>>>> Default: 50 Range: 2 to 256 (int)
>>>>> module_sig:
>>>>> 883f3504ba0377878ccfeaa942826a11233a309e20373ac358c1f44611144fd5c03072bacf60c50a0b0fd3052e2277cc786c308ad54cf16c85f0bf
>>>>>
>>>>> dmesg output of the connection:
>>>>>
>>>>> fs/cifs/cifsfs.c: Devname: //x.x.montclair.edu/sharename flags: 64
>>>>>  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 28 with uid: 0
>>>>>  fs/cifs/connect.c: Domain name set
>>>>>  fs/cifs/connect.c: Username: user
>>>>>  fs/cifs/connect.c: UNC: \\x.x.montclair.edu\webhome ip: x.x.x.x
>>>>>  fs/cifs/connect.c: Socket created
>>>>>  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
>>>>>  fs/cifs/connect.c: Existing smb sess not found
>>>>>  fs/cifs/connect.c: Demultiplex PID: 6900
>>>>>  fs/cifs/cifssmb.c: secFlags 0x1005
>>>>>  fs/cifs/transport.c: For smb_command 114
>>>>>  fs/cifs/transport.c: Sending smb:  total_len 82
>>>>>  fs/cifs/connect.c: rfc1002 length 0x71
>>>>>  fs/cifs/cifssmb.c: Dialect: 2
>>>>>  fs/cifs/cifssmb.c: Must sign - secFlags 0x1005
>>>>>  fs/cifs/cifssmb.c: negprot rc 0
>>>>>  fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust:
>>>>> 14400
>>>>>  fs/cifs/sess.c: sess setup type 3
>>>>>  fs/cifs/transport.c: For smb_command 115
>>>>>  fs/cifs/transport.c: Sending smb:  total_len 270
>>>>>  fs/cifs/connect.c: rfc1002 length 0x27
>>>>>  CIFS VFS: Unexpected SMB signature
>>>>> Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
>>>>>  fs/cifs/netmisc.c: Mapping smb error code 87 to POSIX err -22
>>>>>  fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
>>>>>  fs/cifs/sess.c: ssetup rc from sendrecv2 is -22
>>>>>  fs/cifs/sess.c: ssetup freeing small buf ffff81006ef78300
>>>>>  CIFS VFS: Send error in SessSetup = -22
>>>>>  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 28) rc = -22
>>>>>  CIFS VFS: cifs_mount failed w/return code = -22
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> linux-cifs-client mailing list
>>>>> linux-cifs-client at lists.samba.org
>>>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>>>
>>>>
>>>> It is broken.  I have coded to send SPNEGO ntlmv2 authentication but
>>>> somehow am getting an error of Invalid parameter; the response does not
>>>> tell which parameter, though.
>>>>
>>>
>>> I think this is actually a bug in win2k8/vista:
>>>
>>>   http://support.microsoft.com/kb/957441
>>>
>>> ...though it wouldn't be an issue if NTLMSSP/SPNEGO worked properly.
>>>
>>> --
>>> Jeff Layton <jlayton at samba.org>
>>>
>>
>> The bug does not mention Windows 7. I have a Windows 7 box, so I will first
>> try authenticating with it instead of Windows 2008 Server.
>> Also, I am not sure how essential SPNEGO is, i.e. would Raw NTLMSSP with
>> the NTLMv2 authentication mechanism suffice instead of SPNEGO NTLMSSP ntlmv2?
>> I also need to figure out how to tell smbclient to talk ntlmv2 NTLMSSP
>> without SPNEGO;
>> by default it is SPNEGO NTLMSSP, which I have been able to use against
>> a Windows 7 box.
>>
>> Regards,
>>
>> Shirish
>
> I have tried sec=ntlmssp, which from the doc says is experimental, and
> it failed as well.  Adding the registry key mentioned in the KB did
> allow me to mount the share without issue on both 2008 and 2008r2, so
> thanks Jeff, you rock.

Two things: first, I think with sec=ntlmssp you are using ntlmv1 in the current
cifs code. Can you please verify that?
And second, why is smbclient not bothered by this registry key's presence or
absence?

>
> Also, I know this is out of place for the conversation, but I also set
> up kerberos auth and it negotiated properly to auth to the share.
>
> If you guys want me to provide more feedback, please let me know what
> you need.  Thanks for the help you've both provided so far.
>
> Jimi
>
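
Added example (not part of the original thread, and not the posters' or the cifs project's code): a small Python decoder for the flag values that appear in the dmesg output quoted above. The SecurityMode bit meanings are from MS-CIFS and the secFlags bits from the kernel's fs/cifs/cifsglob.h; the function names are hypothetical and the sample is constructed from lines of the quoted log.

```python
import re

# SMB1 negotiate-response SecurityMode bits (MS-CIFS).
SECURITY_MODE_BITS = {
    0x01: "user-level security",
    0x02: "challenge/response passwords",
    0x04: "signing enabled",
    0x08: "signing required",
}
# Client secFlags "may" bits, as defined in the kernel's fs/cifs/cifsglob.h.
SECFLAG_MAY = {
    0x01: "sign", 0x02: "ntlm", 0x04: "ntlmv2", 0x08: "krb5",
    0x10: "lanman", 0x20: "plaintext", 0x40: "seal", 0x80: "ntlmssp",
}

# Constructed sample: lines taken from the dmesg output quoted in the thread.
SAMPLE_DMESG = """\
 fs/cifs/cifssmb.c: Must sign - secFlags 0x1005
 fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust: 14400
 CIFS VFS: Unexpected SMB signature
Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
 CIFS VFS: Send error in SessSetup = -22
"""

def decode_security_mode(value):
    """Names of the SecurityMode bits the server set."""
    return [name for bit, name in SECURITY_MODE_BITS.items() if value & bit]

def decode_secflags(value):
    """Split secFlags into allowed ("may") and mandatory ("must") mechanisms.
    A "must" flag is the "may" bit plus the same bit shifted left by 12."""
    may = [n for bit, n in SECFLAG_MAY.items() if value & bit]
    must = [n for bit, n in SECFLAG_MAY.items() if value & (bit << 12)]
    return {"may": may, "must": must}

def summarize(dmesg_text):
    """Pull the security-relevant values out of cifs debug output."""
    out = {"security_mode": None, "secflags": None, "status": None,
           "bad_signature": "Unexpected SMB signature" in dmesg_text}
    m = re.search(r"Security Mode: (0x[0-9a-fA-F]+)", dmesg_text)
    if m:
        out["security_mode"] = decode_security_mode(int(m.group(1), 16))
    m = re.search(r"secFlags (0x[0-9a-fA-F]+)", dmesg_text)
    if m:
        out["secflags"] = decode_secflags(int(m.group(1), 16))
    m = re.search(r"Status code returned (0x[0-9a-fA-F]+) (\S+)", dmesg_text)
    if m:
        out["status"] = (int(m.group(1), 16), m.group(2))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_DMESG))
```

For the quoted log this reports a server that requires signing (Security Mode 0xf) and a client whose sec=ntlmv2i option produced secFlags 0x1005, meaning NTLMv2 allowed with signing mandatory.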

