[linux-cifs-client] failed connections to 2008r2 server in high security mode

Jimi Schwar schwarj at mail.montclair.edu
Fri Apr 23 15:46:07 MDT 2010


On 4/23/10 4:35 PM, Shirish Pargaonkar wrote:
> On Fri, Apr 23, 2010 at 3:18 PM, Shirish Pargaonkar
> <shirishpargaonkar at gmail.com> wrote:
>> On Fri, Apr 23, 2010 at 2:16 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>> On 4/23/10 12:36 PM, Shirish Pargaonkar wrote:
>>>> On Fri, Apr 23, 2010 at 11:02 AM, Jimi Schwar
>>>> <schwarj at mail.montclair.edu> wrote:
>>>>> On 4/23/10 9:44 AM, Shirish Pargaonkar wrote:
>>>>>> On Fri, Apr 23, 2010 at 5:40 AM, Jeff Layton <jlayton at samba.org> wrote:
>>>>>>> On Thu, 22 Apr 2010 22:59:10 -0500
>>>>>>> Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
>>>>>>>
>>>>>>>> On Thu, Apr 22, 2010 at 1:01 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>>>>>>>> I am having a horrible time connecting to a Windows 2008r2 server that
>>>>>>>>> requires signing and NTLMv2 from a RHEL 5 server.  When trying to
>>>>>>>>> connect I issue the following command:
>>>>>>>>>
>>>>>>>>> mount -t cifs //<servername>/<sharename> /mnt/cifs/ -o
>>>>>>>>> user=<SERVERNAME>\\user,sec=ntlmv2i -vv
>>>>>>>>>
>>>>>>>>> After entering my password the verbose output is:
>>>>>>>>>
>>>>>>>>> mount.cifs kernel mount options:
>>>>>>>>> unc=//<servername>\<sharename>,domain=<SERVERNAME>,ver=1,rw,user=<username>,,,,,,,,,,,,,,sec=ntlmv2i,ip=x.x.x.x,pass=********
>>>>>>>>> mount error(22): Invalid argument
>>>>>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>>>>>>
>>>>>>>>> I have tried every combination I can think of, replacing sec=ntlmv2i
>>>>>>>>> with ntlmv2, and specifying sign, adding the domain name, trying actual
>>>>>>>>> AD users instead of a local user, but all have failed.  However I have
>>>>>>>>> no problems at all connecting with smbclient.  One thing I did notice is
>>>>>>>>> that with the smbclient SPNEGO must be used to make a connection, when I
>>>>>>>>> set it to "no" the connection always fails.  I believe I have it
>>>>>>>>> configured properly for the kernel.
>>>>>>>>>
>>>>>>>>> I have the following 2 lines in /etc/request-key.conf
>>>>>>>>>
>>>>>>>>> create    cifs.spnego    *    *        /usr/sbin/cifs.upcall %k
>>>>>>>>> create    dns_resolver    *    *        /usr/sbin/cifs.upcall %k
>>>>>>>>>
>>>>>>>>> and I have keyutils installed.  Can anyone tell me what I'm missing, as
>>>>>>>>> I'm at a complete loss getting this connection to work.
>>>>>>>>>
>>>>>>>>> [root@]# yum list | grep keyutil
>>>>>>>>> keyutils.x86_64                      1.2-1.el5
>>>>>>>>> installed
>>>>>>>>> keyutils-libs.i386                   1.2-1.el5
>>>>>>>>> installed
>>>>>>>>> keyutils-libs.x86_64                 1.2-1.el5              installed
>>>>>>>>>
>>>>>>>>> Here is my kernel module info:
>>>>>>>>>
>>>>>>>>> [root@]# modinfo cifs
>>>>>>>>> filename:       /lib/modules/2.6.18-194.el5/kernel/fs/cifs/cifs.ko
>>>>>>>>> version:        1.60RH
>>>>>>>>> description:    VFS to access servers complying with the SNIA CIFS
>>>>>>>>> Specification e.g. Samba and Windows
>>>>>>>>> license:        GPL
>>>>>>>>> author:         Steve French <sfrench at us.ibm.com>
>>>>>>>>> srcversion:     1E19234127C80DD280CE641
>>>>>>>>> depends:
>>>>>>>>> vermagic:       2.6.18-194.el5 SMP mod_unload gcc-4.1
>>>>>>>>> parm:           CIFSMaxBufSize:Network buffer size (not including
>>>>>>>>> header). Default: 16384 Range: 8192 to 130048 (int)
>>>>>>>>> parm:           cifs_min_rcv:Network buffers in pool. Default: 4 Range:
>>>>>>>>> 1 to 64 (int)
>>>>>>>>> parm:           cifs_min_small:Small network buffers in pool. Default:
>>>>>>>>> 30 Range: 2 to 256 (int)
>>>>>>>>> parm:           cifs_max_pending:Simultaneous requests to server.
>>>>>>>>> Default: 50 Range: 2 to 256 (int)
>>>>>>>>> module_sig:
>>>>>>>>> 883f3504ba0377878ccfeaa942826a11233a309e20373ac358c1f44611144fd5c03072bacf60c50a0b0fd3052e2277cc786c308ad54cf16c85f0bf
>>>>>>>>>
>>>>>>>>> dmesg output of the connection:
>>>>>>>>>
>>>>>>>>> fs/cifs/cifsfs.c: Devname: //x.x.montclair.edu/sharename flags: 64
>>>>>>>>>  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 28 with uid: 0
>>>>>>>>>  fs/cifs/connect.c: Domain name set
>>>>>>>>>  fs/cifs/connect.c: Username: user
>>>>>>>>>  fs/cifs/connect.c: UNC: \\x.x.montclair.edu\webhome ip: x.x.x.x
>>>>>>>>>  fs/cifs/connect.c: Socket created
>>>>>>>>>  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
>>>>>>>>>  fs/cifs/connect.c: Existing smb sess not found
>>>>>>>>>  fs/cifs/connect.c: Demultiplex PID: 6900
>>>>>>>>>  fs/cifs/cifssmb.c: secFlags 0x1005
>>>>>>>>>  fs/cifs/transport.c: For smb_command 114
>>>>>>>>>  fs/cifs/transport.c: Sending smb:  total_len 82
>>>>>>>>> | 0x00 0x00 0x00 0x4e 0xff 0x53 0x4d 0x42  |  _ _ _ N ? S M B
>>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x00 0x01 0xc0  |  r _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a  |  _ _ _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x2b 0x00 0x02  |  _ _ _ _ _ + _ _
>>>>>>>>> | 0x4c 0x4d 0x31 0x2e 0x32 0x58 0x30 0x30  |  L M 1 . 2 X 0 0
>>>>>>>>> | 0x32 0x00 0x02 0x4c 0x41 0x4e 0x4d 0x41  |  2 _ _ L A N M A
>>>>>>>>> | 0x4e 0x32 0x2e 0x31 0x00 0x02 0x4e 0x54  |  N 2 . 1 _ _ N T
>>>>>>>>> | 0x20 0x4c 0x4d 0x20 0x30 0x2e 0x31 0x32  |    L M   0 . 1 2
>>>>>>>>> | 0x00 0x02 0x50 0x4f 0x53 0x49 0x58 0x20  |  _ _ P O S I X
>>>>>>>>> | 0x32 0x00                                |  2 _
>>>>>>>>>  fs/cifs/connect.c: rfc1002 length 0x71
>>>>>>>>> | 0x6d 0x00 0x00 0x00 0xff 0x53 0x4d 0x42  |  m _ _ _ ? S M B
>>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x80 0x01 0xc0  |  r _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a  |  _ _ _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x11 0x02 0x00 0x0f  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x32 0x00 0x01 0x00 0x04 0x41 0x00 0x00  |  2 _ _ _ _ A _ _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0xfc 0xe3 0x01 0x00 0x8c 0x00 0x5c 0x77  |  ? ? _ _ _ _ \ w
>>>>>>>>> | 0x42 0xe2 0xca 0x01 0xf0 0x00 0x08 0x28  |  B ? ? _ ? _ _ (
>>>>>>>>> | 0x00 0x93 0x41 0xc6 0x0a 0x12 0xc3 0x01  |  _ _ A ? _ _ ? _
>>>>>>>>> | 0x89 0x41 0x00 0x44 0x00 0x00 0x00 0x43  |  _ A _ D _ _ _ C
>>>>>>>>> | 0x00 0x57 0x00 0x46 0x00 0x4c 0x00 0x50  |  _ W _ F _ L _ P
>>>>>>>>> | 0x00 0x52 0x00 0x53 0x00 0x56 0x00 0x52  |  _ R _ S _ V _ R
>>>>>>>>> | 0x00 0x31 0x00 0x57 0x00 0x38 0x00 0x00  |  _ 1 _ W _ 8 _ _
>>>>>>>>> | 0x00                                     |  _
>>>>>>>>> | 0x6d 0x00 0x00 0x00 0xff 0x53 0x4d 0x42  |  m _ _ _ ? S M B
>>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x80 0x01 0xc0  |  r _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a  |  _ _ _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x11 0x02 0x00 0x0f  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x32 0x00 0x01 0x00 0x04 0x41 0x00 0x00  |  2 _ _ _ _ A _ _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0xfc 0xe3 0x01 0x00 0x8c 0x00 0x5c 0x77  |  ? ? _ _ _ _ \ w
>>>>>>>>> | 0x42 0xe2 0xca 0x01 0xf0 0x00 0x08 0x28  |  B ? ? _ ? _ _ (
>>>>>>>>> | 0x00 0x93 0x41 0xc6 0x0a 0x12 0xc3 0x01  |  _ _ A ? _ _ ? _
>>>>>>>>> | 0x89 0x41 0x00 0x44 0x00 0x00 0x00 0x43  |  _ A _ D _ _ _ C
>>>>>>>>> | 0x00 0x57 0x00 0x46                      |  _ W _ F
>>>>>>>>>  fs/cifs/cifssmb.c: Dialect: 2
>>>>>>>>>  fs/cifs/cifssmb.c: Must sign - secFlags 0x1005
>>>>>>>>>  fs/cifs/cifssmb.c: negprot rc 0
>>>>>>>>>  fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust:
>>>>>>>>> 14400
>>>>>>>>>  fs/cifs/sess.c: sess setup type 3
>>>>>>>>>  fs/cifs/transport.c: For smb_command 115
>>>>>>>>>  fs/cifs/transport.c: Sending smb:  total_len 270
>>>>>>>>> | 0x00 0x00 0x01 0x0a 0xff 0x53 0x4d 0x42  |  _ _ _ _ ? S M B
>>>>>>>>> | 0x73 0x00 0x00 0x00 0x00 0x00 0x05 0xc0  |  s _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x8f 0x28 0x1d 0xb0 0xcf 0x3c  |  _ _ _ ( _ ? ? <
>>>>>>>>> | 0xd6 0x53 0x00 0x00 0x00 0x00 0xf3 0x1a  |  ? S _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x02 0x00 0x0d 0xff 0x00 0x00  |  _ _ _ _ _ ? _ _
>>>>>>>>> | 0x00 0x58 0x40 0x32 0x00 0x00 0x00 0x00  |  _ X @ 2 _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x34 0x00 0x00  |  _ _ _ _ _ 4 _ _
>>>>>>>>> | 0x00 0x00 0x00 0xdc 0xc0 0x00 0x00 0xcd  |  _ _ _ ? ? _ _ ?
>>>>>>>>> | 0x00                                     |  _
>>>>>>>>>  fs/cifs/connect.c: rfc1002 length 0x27
>>>>>>>>> | 0x23 0x00 0x00 0x00 0xff 0x53 0x4d 0x42  |  # _ _ _ ? S M B
>>>>>>>>> | 0x73 0x0d 0x00 0x00 0xc0 0x80 0x05 0xc0  |  s _ _ _ ? _ _ ?
>>>>>>>>> | 0x00 0x00 0x8f 0x28 0x1d 0xb0 0xcf 0x3c  |  _ _ _ ( _ ? ? <
>>>>>>>>> | 0xd6 0x53 0x00 0x00 0x00 0x00 0xf3 0x1a  |  ? S _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x02 0x00 0x00 0x00 0x00       |  _ _ _ _ _ _ _
>>>>>>>>> | 0x23 0x00 0x00 0x00 0xff 0x53 0x4d 0x42  |  # _ _ _ ? S M B
>>>>>>>>> | 0x73 0x0d 0x00 0x00 0xc0 0x80 0x05 0xc0  |  s _ _ _ ? _ _ ?
>>>>>>>>> | 0x00 0x00 0x8f 0x28 0x1d 0xb0 0xcf 0x3c  |  _ _ _ ( _ ? ? <
>>>>>>>>> | 0xd6 0x53 0x00 0x00 0x00 0x00 0xf3 0x1a  |  ? S _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x02 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x58 0x40 0x32 0x00 0x00 0x00 0x00  |  _ X @ 2 _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x18 0x00 0x18 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0xdc 0xc0 0x00 0x00 0xc9  |  _ _ _ ? ? _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>>>  |  _ _ _ _ _ _ _ _
>>>>>>>>>  CIFS VFS: Unexpected SMB signature
>>>>>>>>> Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
>>>>>>>>>  fs/cifs/netmisc.c: Mapping smb error code 87 to POSIX err -22
>>>>>>>>>  fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
>>>>>>>>>  fs/cifs/sess.c: ssetup rc from sendrecv2 is -22
>>>>>>>>>  fs/cifs/sess.c: ssetup freeing small buf ffff81006ef78300
>>>>>>>>>  CIFS VFS: Send error in SessSetup = -22
>>>>>>>>>  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 28) rc = -22
>>>>>>>>>  CIFS VFS: cifs_mount failed w/return code = -22
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> linux-cifs-client mailing list
>>>>>>>>> linux-cifs-client at lists.samba.org
>>>>>>>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>>>>>>>
>>>>>>>>
>>>>>>>> It is broken.  I have coded to send SPNEGO ntlmv2 authentication but
>>>>>>>> somehow am getting error of
>>>>>>>> Invalid  parameter, the response does not tell which parameter though.
>>>>>>>>
>>>>>>>
>>>>>>> I think this is actually a bug in win2k8/vista:
>>>>>>>
>>>>>>>   http://support.microsoft.com/kb/957441
>>>>>>>
>>>>>>> ...though it wouldn't be an issue if NTLMSSP/SPNEGO worked properly.
>>>>>>>
>>>>>>> --
>>>>>>> Jeff Layton <jlayton at samba.org>
>>>>>>>
>>>>>>
>>>>>> The bug does not mention Windows7, I have a Windows 7 box, so will try first
>>>>>> authenticating with it instead of Windows 2008 Server.
>>>>>> Also, I am not sure how essential SPNEGO is i.e. would Raw NTLMSSP with
>>>>>> NTLMv2 authentication mechanism suffice instead of SPNEGO NTLMSSP ntlmv2.
>>>>>> I also need to figure out how to tell smbclient talk ntlmv2 NTLMSSP
>>>>>> without SPNEGO,
>>>>>> by default it is SPNEGO NTLMSSP which I have been able to use against
>>>>>> a Windows7 box.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Shirish
>>>>>
>>>>> I have tried sec=ntlmssp, which from the doc says is experimental, and
>>>>> it failed as well.  Adding the registry key mentioned in the KB did
>>>>> allow me to mount the share without issue on both 2008 and 2008r2, so
>>>>> thanks Jeff, you rock.
>>>>
>>>> Two things, first, I think with sec=ntlmssp, you are using ntlmv1 in the current
>>>> cifs code. Can you please verify that?
>>>> And second, why is not smbclient bothered with this registry key presense or
>>>> absense?
>>>>
>>>>>
>>>>> Also, I know this is out of place for the conversation, but I also set
>>>>> up kerberos auth and it negotiated properly to auth to the share.
>>>>>
>>>>> If you guys want me to provide more feedback, please let me know what
>>>>> you need.  Thanks for the help you've both provided so far.
>>>>>
>>>>> Jimi
>>>>> _______________________________________________
>>>>> linux-cifs-client mailing list
>>>>> linux-cifs-client at lists.samba.org
>>>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>>>
>>>
>>> I believe that the sec=ntlmssp is doing NTLMv1.  I'm not 100% sure, but
>>> I did see NTLM 0.12 in the first portion of the mount.cifs dmesg output,
>>> which is ntlmv1 from what I've read.
>>>
>>> Here is a long debug session of connecting to the server using SPNEGO
>>> and the smbclient.  It looks like it negotiates NTLMv2 without issue.
>>> Do you know if cifs.upcall handles NTLMSSP negotiation, or does it only
>>> handle things when using kerberos?
>>>
>>> ############################
>>> #   SMBCLIENT CONNECTION   #
>>> ############################
>>> [root@]# smbclient -v //server.montclair.edu/Test -U Administrator -W
>>> SERVER -d 5 -S yes
>>> INFO: Current debug levels:
>>>  all: True/5
>>>  tdb: False/0
>>>  printdrivers: False/0
>>>  lanman: False/0
>>>  smb: False/0
>>>  rpc_parse: False/0
>>>  rpc_srv: False/0
>>>  rpc_cli: False/0
>>>  passdb: False/0
>>>  sam: False/0
>>>  auth: False/0
>>>  winbind: False/0
>>>  vfs: False/0
>>>  idmap: False/0
>>>  quota: False/0
>>>  acls: False/0
>>>  locking: False/0
>>>  msdfs: False/0
>>>  dmapi: False/0
>>>  registry: False/0
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> doing parameter workgroup = MYGROUP
>>> doing parameter server string = testbox.montclair.edu
>>> doing parameter netbios name = testbox
>>> handle_netbios_name: set global_myname to: TESTBOX
>>> doing parameter client ntlmv2 auth = yes
>>> doing parameter client signing = auto
>>> doing parameter client use spnego = yes
>>> doing parameter client lanman auth = no
>>> doing parameter lanman auth = no
>>> doing parameter security = user
>>> doing parameter passdb backend = tdbsam
>>> doing parameter use spnego = yes
>>> doing parameter domain master = no
>>> doing parameter local master = no
>>> doing parameter wins support = no
>>> pm_process() returned Yes
>>> Attempting to register new charset UCS-2LE
>>> Registered charset UCS-2LE
>>> Attempting to register new charset UTF-16LE
>>> Registered charset UTF-16LE
>>> Attempting to register new charset UCS-2BE
>>> Registered charset UCS-2BE
>>> Attempting to register new charset UTF-16BE
>>> Registered charset UTF-16BE
>>> Attempting to register new charset UTF8
>>> Registered charset UTF8
>>> Attempting to register new charset UTF-8
>>> Registered charset UTF-8
>>> Attempting to register new charset ASCII
>>> Registered charset ASCII
>>> Attempting to register new charset 646
>>> Registered charset 646
>>> Attempting to register new charset ISO-8859-1
>>> Registered charset ISO-8859-1
>>> Attempting to register new charset UCS2-HEX
>>> Registered charset UCS2-HEX
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> added interface eth0 ip=fe80::250:56ff:fe84:7c8e%eth0
>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>> added interface eth0 ip=130.68.4.102 bcast=130.68.4.255
>>> netmask=255.255.255.0
>>> Netbios name list:-
>>> my_netbios_names[0]="TESTBOX"
>>> Client started (version 3.5.2).
>>> Enter Administrator's password:
>>> Opening cache file at /var/lib/samba/gencache.tdb
>>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>>> sitename_fetch: No stored sitename for
>>> name harp.montclair.edu#20 found.
>>> Connecting to 130.68.4.82 at port 445
>>> Socket options:
>>>        SO_KEEPALIVE = 0
>>>        SO_REUSEADDR = 0
>>>        SO_BROADCAST = 0
>>>        TCP_NODELAY = 1
>>>        TCP_KEEPCNT = 9
>>>        TCP_KEEPIDLE = 7200
>>>        TCP_KEEPINTVL = 75
>>>        IPTOS_LOWDELAY = 0
>>>        IPTOS_THROUGHPUT = 0
>>>        SO_SNDBUF = 16384
>>>        SO_RCVBUF = 87380
>>>        SO_SNDLOWAT = 1
>>>        SO_RCVLOWAT = 1
>>>        SO_SNDTIMEO = 0
>>>        SO_RCVTIMEO = 0
>>>        TCP_QUICKACK = 1
>>>  session request ok
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Doing spnego session setup (blob length=46)
>>> got OID=1.3.6.1.4.1.311.2.2.10
>>> got principal=<null>
>>> size=382
>>> smb_com=0x73
>>> smb_rcls=22
>>> smb_reh=0
>>> smb_err=49152
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=2
>>> smt_wct=4
>>> smb_vwv[ 0]=  255 (0xFF)
>>> smb_vwv[ 1]=  382 (0x17E)
>>> smb_vwv[ 2]=    0 (0x0)
>>> smb_vwv[ 3]=  159 (0x9F)
>>> smb_bcc=339
>>> size=382
>>> smb_com=0x73
>>> smb_rcls=22
>>> smb_reh=0
>>> smb_err=49152
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=2
>>> smt_wct=4
>>> smb_vwv[ 0]=  255 (0xFF)
>>> smb_vwv[ 1]=  382 (0x17E)
>>> smb_vwv[ 2]=    0 (0x0)
>>> smb_vwv[ 3]=  159 (0x9F)
>>> smb_bcc=339
>>> Got challenge flags:
>>> Got NTLMSSP neg_flags=0x628a8215
>>>  NTLMSSP_NEGOTIATE_UNICODE
>>>  NTLMSSP_REQUEST_TARGET
>>>  NTLMSSP_NEGOTIATE_SIGN
>>>  NTLMSSP_NEGOTIATE_NTLM
>>>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>  NTLMSSP_NEGOTIATE_NTLM2
>>>  NTLMSSP_NEGOTIATE_TARGET_INFO
>>>  NTLMSSP_NEGOTIATE_VERSION
>>>  NTLMSSP_NEGOTIATE_128
>>>  NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP: Set final flags:
>>> Got NTLMSSP neg_flags=0x60088215
>>>  NTLMSSP_NEGOTIATE_UNICODE
>>>  NTLMSSP_REQUEST_TARGET
>>>  NTLMSSP_NEGOTIATE_SIGN
>>>  NTLMSSP_NEGOTIATE_NTLM
>>>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>  NTLMSSP_NEGOTIATE_NTLM2
>>>  NTLMSSP_NEGOTIATE_128
>>>  NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP Sign/Seal - Initialising with flags:
>>> Got NTLMSSP neg_flags=0x60088215
>>>  NTLMSSP_NEGOTIATE_UNICODE
>>>  NTLMSSP_REQUEST_TARGET
>>>  NTLMSSP_NEGOTIATE_SIGN
>>>  NTLMSSP_NEGOTIATE_NTLM
>>>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>  NTLMSSP_NEGOTIATE_NTLM2
>>>  NTLMSSP_NEGOTIATE_128
>>>  NTLMSSP_NEGOTIATE_KEY_EXCH
>>> size=232
>>> smb_com=0x73
>>> smb_rcls=0
>>> smb_reh=0
>>> smb_err=0
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=3
>>> smt_wct=4
>>> smb_vwv[ 0]=  255 (0xFF)
>>> smb_vwv[ 1]=  232 (0xE8)
>>> smb_vwv[ 2]=    0 (0x0)
>>> smb_vwv[ 3]=    9 (0x9)
>>> smb_bcc=189
>>> size=232
>>> smb_com=0x73
>>> smb_rcls=0
>>> smb_reh=0
>>> smb_err=0
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=3
>>> smt_wct=4
>>> smb_vwv[ 0]=  255 (0xFF)
>>> smb_vwv[ 1]=  232 (0xE8)
>>> smb_vwv[ 2]=    0 (0x0)
>>> smb_vwv[ 3]=    9 (0x9)
>>> smb_bcc=189
>>> Domain=[SERVER] OS=[Windows Server (R) 2008 Standard 6002 Service Pack
>>> 2] Server=[Windows Server (R) 2008 Standard 6.0]
>>>  session setup ok
>>>  tconx ok
>>> smb: \> quit
>>> size=35
>>> smb_com=0x71
>>> smb_rcls=0
>>> smb_reh=0
>>> smb_err=0
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=2048
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=5
>>> smt_wct=0
>>> smb_bcc=0
>>>
>>> _______________________________________________
>>> linux-cifs-client mailing list
>>> linux-cifs-client at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>
>>
>> cifs upcall does not handle ntlm authentication, ntlm/ssp is all
>> within kernel, in cifs module.
>>
>> Something that cifs client sends somehow does not register at the
>> server as ntlmssp logon.
>> Somehow in case of cifs, logon process at the server is not NtLmSsp meaning the
>> ntlmssp authentication package received at the server lacks something
>> (in security blob) to not
>> get identified as ntlmssp, may be workstation name.
>>
>> Here is the difference between an unsuccessful cifs (network) network
>> logon and a successful smbclient
>> network logon using ntlmv2 within ntlmssp within spnego.
>>
>> cifs  (failure)
>>
>> Log Name:      Security
>> Source:        Microsoft-Windows-Security-Auditing
>> Date:          2/16/2010 11:50:41 PM
>> Event ID:      4625
>> Task Category: Logon
>> Level:         Information
>> Keywords:      Audit Failure
>> User:          N/A
>> Computer:      cifstest7
>> Description:
>> An account failed to log on.
>> Subject:
>>  Security ID:  NULL SID
>>  Account Name:  -
>>  Account Domain:  -
>>  Logon ID:  0x0
>> Logon Type:   3
>> Account For Which Logon Failed:
>>  Security ID:  NULL SID
>>  Account Name:  root
>>  Account Domain:
>> Failure Information:
>>  Failure Reason:  An Error occured during Logon.
>>  Status:   0xc0000225
>>  Sub Status:  0x0
>> Process Information:
>>  Caller Process ID: 0x0
>>  Caller Process Name: -
>> Network Information:
>>  Workstation Name:
>>  Source Network Address: 1.2.3.456
>>  Source Port:  59215
>> Detailed Authentication Information:
>>  Logon Process:
>>  Authentication Package: NTLM
>>  Transited Services: -
>>  Package Name (NTLM only): -
>>  Key Length:  0
>>
>> and this is smbclient (succcess)
>>
>> Log Name:      Security
>> Source:        Microsoft-Windows-Security-Auditing
>> Date:          2/16/2010 11:15:37 PM
>> Event ID:      4624
>> Task Category: Logon
>> Level:         Information
>> Keywords:      Audit Success
>> User:          N/A
>> Computer:      cifstest7
>> Description:
>> An account was successfully logged on.
>> Subject:
>>  Security ID:  NULL SID
>>  Account Name:  -
>>  Account Domain:  -
>>  Logon ID:  0x0
>> Logon Type:   3
>> New Logon:
>>  Security ID:  cifstest7\root
>>  Account Name:  root
>>  Account Domain:  cifstest7
>>  Logon ID:  0x1fae3cd
>>  Logon GUID:  {00000000-0000-0000-0000-000000000000}
>> Process Information:
>>  Process ID:  0x0
>>  Process Name:  -
>> Network Information:
>>  Workstation Name: CIFSTEST6
>>  Source Network Address: 1.2.3.456
>>  Source Port:  50821
>> Detailed Authentication Information:
>>  Logon Process:  NtLmSsp
>>  Authentication Package: NTLM
>>  Transited Services: -
>>  Package Name (NTLM only): NTLM V2
>>  Key Length:  128
>>
> 
> I am not coding all (actually none) of the attributes in ntlmssp
> authetication request, may be that is what
> server does not like (and complains as invalid parameter). Will have
> to try that next.
> 
> Regards,
> 
> Shirish

I think you may be correct on that.  From my debug of sec=ntlmssp it
looks like it is only trying to negotiate NTLMv1 and not NTLMv2.  The
smbclient negotiates NTLMv2 just fine.

Once again, thanks for your help guys.  I have 2 functional ways of
making the connections now.  1) revert the server to the old style using
the registry key, and 2) via kerberos auth.  I just need to decide which
one has the least security/administrative overhead associated with it.

Jimi



More information about the linux-cifs-client mailing list