[linux-cifs-client] failed connections to 2008r2 server in high security mode
Jimi Schwar
schwarj at mail.montclair.edu
Fri Apr 23 15:46:07 MDT 2010
On 4/23/10 4:35 PM, Shirish Pargaonkar wrote:
> On Fri, Apr 23, 2010 at 3:18 PM, Shirish Pargaonkar
> <shirishpargaonkar at gmail.com> wrote:
>> On Fri, Apr 23, 2010 at 2:16 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>> On 4/23/10 12:36 PM, Shirish Pargaonkar wrote:
>>>> On Fri, Apr 23, 2010 at 11:02 AM, Jimi Schwar
>>>> <schwarj at mail.montclair.edu> wrote:
>>>>> On 4/23/10 9:44 AM, Shirish Pargaonkar wrote:
>>>>>> On Fri, Apr 23, 2010 at 5:40 AM, Jeff Layton <jlayton at samba.org> wrote:
>>>>>>> On Thu, 22 Apr 2010 22:59:10 -0500
>>>>>>> Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
>>>>>>>
>>>>>>>> On Thu, Apr 22, 2010 at 1:01 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>>>>>>>> I am having a horrible time connecting to a Windows 2008r2 server that
>>>>>>>>> requires signing and NTLMv2 from a RHEL 5 server. When trying to
>>>>>>>>> connect I issue the following command:
>>>>>>>>>
>>>>>>>>> mount -t cifs //<servername>/<sharename> /mnt/cifs/ -o
>>>>>>>>> user=<SERVERNAME>\\user,sec=ntlmv2i -vv
>>>>>>>>>
>>>>>>>>> After entering my password the verbose output is:
>>>>>>>>>
>>>>>>>>> mount.cifs kernel mount options:
>>>>>>>>> unc=//<servername>\<sharename>,domain=<SERVERNAME>,ver=1,rw,user=<username>,,,,,,,,,,,,,,sec=ntlmv2i,ip=x.x.x.x,pass=********
>>>>>>>>> mount error(22): Invalid argument
>>>>>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>>>>>>
>>>>>>>>> I have tried every combination I can think of, replacing sec=ntlmv2i
>>>>>>>>> with ntlmv2, and specifying sign, adding the domain name, trying actual
>>>>>>>>> AD users instead of a local user, but all have failed. However I have
>>>>>>>>> no problems at all connecting with smbclient. One thing I did notice is
>>>>>>>>> that with the smbclient SPNEGO must be used to make a connection, when I
>>>>>>>>> set it to "no" the connection always fails. I believe I have it
>>>>>>>>> configured properly for the kernel.
>>>>>>>>>
>>>>>>>>> I have the following 2 lines in /etc/request-key.conf
>>>>>>>>>
>>>>>>>>> create cifs.spnego * * /usr/sbin/cifs.upcall %k
>>>>>>>>> create dns_resolver * * /usr/sbin/cifs.upcall %k
>>>>>>>>>
>>>>>>>>> and I have keyutils installed. Can anyone tell me what I'm missing, as
>>>>>>>>> I'm at a complete loss getting this connection to work.
>>>>>>>>>
>>>>>>>>> [root@]# yum list | grep keyutil
>>>>>>>>> keyutils.x86_64 1.2-1.el5
>>>>>>>>> installed
>>>>>>>>> keyutils-libs.i386 1.2-1.el5
>>>>>>>>> installed
>>>>>>>>> keyutils-libs.x86_64 1.2-1.el5 installed
>>>>>>>>>
>>>>>>>>> Here is my kernel module info:
>>>>>>>>>
>>>>>>>>> [root@]# modinfo cifs
>>>>>>>>> filename: /lib/modules/2.6.18-194.el5/kernel/fs/cifs/cifs.ko
>>>>>>>>> version: 1.60RH
>>>>>>>>> description: VFS to access servers complying with the SNIA CIFS
>>>>>>>>> Specification e.g. Samba and Windows
>>>>>>>>> license: GPL
>>>>>>>>> author: Steve French <sfrench at us.ibm.com>
>>>>>>>>> srcversion: 1E19234127C80DD280CE641
>>>>>>>>> depends:
>>>>>>>>> vermagic: 2.6.18-194.el5 SMP mod_unload gcc-4.1
>>>>>>>>> parm: CIFSMaxBufSize:Network buffer size (not including
>>>>>>>>> header). Default: 16384 Range: 8192 to 130048 (int)
>>>>>>>>> parm: cifs_min_rcv:Network buffers in pool. Default: 4 Range:
>>>>>>>>> 1 to 64 (int)
>>>>>>>>> parm: cifs_min_small:Small network buffers in pool. Default:
>>>>>>>>> 30 Range: 2 to 256 (int)
>>>>>>>>> parm: cifs_max_pending:Simultaneous requests to server.
>>>>>>>>> Default: 50 Range: 2 to 256 (int)
>>>>>>>>> module_sig:
>>>>>>>>> 883f3504ba0377878ccfeaa942826a11233a309e20373ac358c1f44611144fd5c03072bacf60c50a0b0fd3052e2277cc786c308ad54cf16c85f0bf
>>>>>>>>>
>>>>>>>>> dmesg output of the connection:
>>>>>>>>>
>>>>>>>>> fs/cifs/cifsfs.c: Devname: //x.x.montclair.edu/sharename flags: 64
>>>>>>>>> fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 28 with uid: 0
>>>>>>>>> fs/cifs/connect.c: Domain name set
>>>>>>>>> fs/cifs/connect.c: Username: user
>>>>>>>>> fs/cifs/connect.c: UNC: \\x.x.montclair.edu\webhome ip: x.x.x.x
>>>>>>>>> fs/cifs/connect.c: Socket created
>>>>>>>>> fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
>>>>>>>>> fs/cifs/connect.c: Existing smb sess not found
>>>>>>>>> fs/cifs/connect.c: Demultiplex PID: 6900
>>>>>>>>> fs/cifs/cifssmb.c: secFlags 0x1005
>>>>>>>>> fs/cifs/transport.c: For smb_command 114
>>>>>>>>> fs/cifs/transport.c: Sending smb: total_len 82
>>>>>>>>> | 0x00 0x00 0x00 0x4e 0xff 0x53 0x4d 0x42 | _ _ _ N ? S M B
>>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x00 0x01 0xc0 | r _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a | _ _ _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x2b 0x00 0x02 | _ _ _ _ _ + _ _
>>>>>>>>> | 0x4c 0x4d 0x31 0x2e 0x32 0x58 0x30 0x30 | L M 1 . 2 X 0 0
>>>>>>>>> | 0x32 0x00 0x02 0x4c 0x41 0x4e 0x4d 0x41 | 2 _ _ L A N M A
>>>>>>>>> | 0x4e 0x32 0x2e 0x31 0x00 0x02 0x4e 0x54 | N 2 . 1 _ _ N T
>>>>>>>>> | 0x20 0x4c 0x4d 0x20 0x30 0x2e 0x31 0x32 | L M 0 . 1 2
>>>>>>>>> | 0x00 0x02 0x50 0x4f 0x53 0x49 0x58 0x20 | _ _ P O S I X
>>>>>>>>> | 0x32 0x00 | 2 _
>>>>>>>>> fs/cifs/connect.c: rfc1002 length 0x71
>>>>>>>>> | 0x6d 0x00 0x00 0x00 0xff 0x53 0x4d 0x42 | m _ _ _ ? S M B
>>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x80 0x01 0xc0 | r _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a | _ _ _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x11 0x02 0x00 0x0f | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x32 0x00 0x01 0x00 0x04 0x41 0x00 0x00 | 2 _ _ _ _ A _ _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0xfc 0xe3 0x01 0x00 0x8c 0x00 0x5c 0x77 | ? ? _ _ _ _ \ w
>>>>>>>>> | 0x42 0xe2 0xca 0x01 0xf0 0x00 0x08 0x28 | B ? ? _ ? _ _ (
>>>>>>>>> | 0x00 0x93 0x41 0xc6 0x0a 0x12 0xc3 0x01 | _ _ A ? _ _ ? _
>>>>>>>>> | 0x89 0x41 0x00 0x44 0x00 0x00 0x00 0x43 | _ A _ D _ _ _ C
>>>>>>>>> | 0x00 0x57 0x00 0x46 0x00 0x4c 0x00 0x50 | _ W _ F _ L _ P
>>>>>>>>> | 0x00 0x52 0x00 0x53 0x00 0x56 0x00 0x52 | _ R _ S _ V _ R
>>>>>>>>> | 0x00 0x31 0x00 0x57 0x00 0x38 0x00 0x00 | _ 1 _ W _ 8 _ _
>>>>>>>>> | 0x00 | _
>>>>>>>>> | 0x6d 0x00 0x00 0x00 0xff 0x53 0x4d 0x42 | m _ _ _ ? S M B
>>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x80 0x01 0xc0 | r _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a | _ _ _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x11 0x02 0x00 0x0f | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x32 0x00 0x01 0x00 0x04 0x41 0x00 0x00 | 2 _ _ _ _ A _ _
>>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0xfc 0xe3 0x01 0x00 0x8c 0x00 0x5c 0x77 | ? ? _ _ _ _ \ w
>>>>>>>>> | 0x42 0xe2 0xca 0x01 0xf0 0x00 0x08 0x28 | B ? ? _ ? _ _ (
>>>>>>>>> | 0x00 0x93 0x41 0xc6 0x0a 0x12 0xc3 0x01 | _ _ A ? _ _ ? _
>>>>>>>>> | 0x89 0x41 0x00 0x44 0x00 0x00 0x00 0x43 | _ A _ D _ _ _ C
>>>>>>>>> | 0x00 0x57 0x00 0x46 | _ W _ F
>>>>>>>>> fs/cifs/cifssmb.c: Dialect: 2
>>>>>>>>> fs/cifs/cifssmb.c: Must sign - secFlags 0x1005
>>>>>>>>> fs/cifs/cifssmb.c: negprot rc 0
>>>>>>>>> fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust:
>>>>>>>>> 14400
>>>>>>>>> fs/cifs/sess.c: sess setup type 3
>>>>>>>>> fs/cifs/transport.c: For smb_command 115
>>>>>>>>> fs/cifs/transport.c: Sending smb: total_len 270
>>>>>>>>> | 0x00 0x00 0x01 0x0a 0xff 0x53 0x4d 0x42 | _ _ _ _ ? S M B
>>>>>>>>> | 0x73 0x00 0x00 0x00 0x00 0x00 0x05 0xc0 | s _ _ _ _ _ _ ?
>>>>>>>>> | 0x00 0x00 0x8f 0x28 0x1d 0xb0 0xcf 0x3c | _ _ _ ( _ ? ? <
>>>>>>>>> | 0xd6 0x53 0x00 0x00 0x00 0x00 0xf3 0x1a | ? S _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x02 0x00 0x0d 0xff 0x00 0x00 | _ _ _ _ _ ? _ _
>>>>>>>>> | 0x00 0x58 0x40 0x32 0x00 0x00 0x00 0x00 | _ X @ 2 _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x34 0x00 0x00 | _ _ _ _ _ 4 _ _
>>>>>>>>> | 0x00 0x00 0x00 0xdc 0xc0 0x00 0x00 0xcd | _ _ _ ? ? _ _ ?
>>>>>>>>> | 0x00 | _
>>>>>>>>> fs/cifs/connect.c: rfc1002 length 0x27
>>>>>>>>> | 0x23 0x00 0x00 0x00 0xff 0x53 0x4d 0x42 | # _ _ _ ? S M B
>>>>>>>>> | 0x73 0x0d 0x00 0x00 0xc0 0x80 0x05 0xc0 | s _ _ _ ? _ _ ?
>>>>>>>>> | 0x00 0x00 0x8f 0x28 0x1d 0xb0 0xcf 0x3c | _ _ _ ( _ ? ? <
>>>>>>>>> | 0xd6 0x53 0x00 0x00 0x00 0x00 0xf3 0x1a | ? S _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x02 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _
>>>>>>>>> | 0x23 0x00 0x00 0x00 0xff 0x53 0x4d 0x42 | # _ _ _ ? S M B
>>>>>>>>> | 0x73 0x0d 0x00 0x00 0xc0 0x80 0x05 0xc0 | s _ _ _ ? _ _ ?
>>>>>>>>> | 0x00 0x00 0x8f 0x28 0x1d 0xb0 0xcf 0x3c | _ _ _ ( _ ? ? <
>>>>>>>>> | 0xd6 0x53 0x00 0x00 0x00 0x00 0xf3 0x1a | ? S _ _ _ _ ? _
>>>>>>>>> | 0x00 0x00 0x02 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x58 0x40 0x32 0x00 0x00 0x00 0x00 | _ X @ 2 _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x18 0x00 0x18 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0xdc 0xc0 0x00 0x00 0xc9 | _ _ _ ? ? _ _ ?
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 | _ _ _ _ _ _ _ _
>>>>>>>>> | _ _ _ _ _ _ _ _
>>>>>>>>> CIFS VFS: Unexpected SMB signature
>>>>>>>>> Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
>>>>>>>>> fs/cifs/netmisc.c: Mapping smb error code 87 to POSIX err -22
>>>>>>>>> fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
>>>>>>>>> fs/cifs/sess.c: ssetup rc from sendrecv2 is -22
>>>>>>>>> fs/cifs/sess.c: ssetup freeing small buf ffff81006ef78300
>>>>>>>>> CIFS VFS: Send error in SessSetup = -22
>>>>>>>>> fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 28) rc = -22
>>>>>>>>> CIFS VFS: cifs_mount failed w/return code = -22
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> linux-cifs-client mailing list
>>>>>>>>> linux-cifs-client at lists.samba.org
>>>>>>>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>>>>>>>
>>>>>>>>
>>>>>>>> It is broken. I have coded to send SPNEGO ntlmv2 authentication but
>>>>>>>> somehow am getting error of
>>>>>>>> Invalid parameter, the response does not tell which parameter though.
>>>>>>>>
>>>>>>>
>>>>>>> I think this is actually a bug in win2k8/vista:
>>>>>>>
>>>>>>> http://support.microsoft.com/kb/957441
>>>>>>>
>>>>>>> ...though it wouldn't be an issue if NTLMSSP/SPNEGO worked properly.
>>>>>>>
>>>>>>> --
>>>>>>> Jeff Layton <jlayton at samba.org>
>>>>>>>
>>>>>>
>>>>>> The bug does not mention Windows7, I have a Windows 7 box, so will try first
>>>>>> authenticating with it instead of Windows 2008 Server.
>>>>>> Also, I am not sure how essential SPNEGO is i.e. would Raw NTLMSSP with
>>>>>> NTLMv2 authentication mechanism suffice instead of SPNEGO NTLMSSP ntlmv2.
>>>>>> I also need to figure out how to tell smbclient talk ntlmv2 NTLMSSP
>>>>>> without SPNEGO,
>>>>>> by default it is SPNEGO NTLMSSP which I have been able to use against
>>>>>> a Windows7 box.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Shirish
>>>>>
>>>>> I have tried sec=ntlmssp, which from the doc says is experimental, and
>>>>> it failed as well. Adding the registry key mentioned in the KB did
>>>>> allow me to mount the share without issue on both 2008 and 2008r2, so
>>>>> thanks Jeff, you rock.
>>>>
>>>> Two things, first, I think with sec=ntlmssp, you are using ntlmv1 in the current
>>>> cifs code. Can you please verify that?
>>>> And second, why is not smbclient bothered with this registry key presense or
>>>> absense?
>>>>
>>>>>
>>>>> Also, I know this is out of place for the conversation, but I also set
>>>>> up kerberos auth and it negotiated properly to auth to the share.
>>>>>
>>>>> If you guys want me to provide more feedback, please let me know what
>>>>> you need. Thanks for the help you've both provided so far.
>>>>>
>>>>> Jimi
>>>>> _______________________________________________
>>>>> linux-cifs-client mailing list
>>>>> linux-cifs-client at lists.samba.org
>>>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>>>
>>>
>>> I believe that the sec=ntlmssp is doing NTLMv1. I'm not 100% sure, but
>>> I did see NTLM 0.12 in the first portion of the mount.cifs dmesg output,
>>> which is ntlmv1 from what I've read.
>>>
>>> Here is a long debug session of connecting to the server using SPNEGO
>>> and the smbclient. It looks like it negotiates NTLMv2 without issue.
>>> Do you know if cifs.upcall handles NTLMSSP negotiation, or does it only
>>> handle things when using kerberos?
>>>
>>> ############################
>>> # SMBCLIENT CONNECTION #
>>> ############################
>>> [root@]# smbclient -v //server.montclair.edu/Test -U Administrator -W
>>> SERVER -d 5 -S yes
>>> INFO: Current debug levels:
>>> all: True/5
>>> tdb: False/0
>>> printdrivers: False/0
>>> lanman: False/0
>>> smb: False/0
>>> rpc_parse: False/0
>>> rpc_srv: False/0
>>> rpc_cli: False/0
>>> passdb: False/0
>>> sam: False/0
>>> auth: False/0
>>> winbind: False/0
>>> vfs: False/0
>>> idmap: False/0
>>> quota: False/0
>>> acls: False/0
>>> locking: False/0
>>> msdfs: False/0
>>> dmapi: False/0
>>> registry: False/0
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> doing parameter workgroup = MYGROUP
>>> doing parameter server string = testbox.montclair.edu
>>> doing parameter netbios name = testbox
>>> handle_netbios_name: set global_myname to: TESTBOX
>>> doing parameter client ntlmv2 auth = yes
>>> doing parameter client signing = auto
>>> doing parameter client use spnego = yes
>>> doing parameter client lanman auth = no
>>> doing parameter lanman auth = no
>>> doing parameter security = user
>>> doing parameter passdb backend = tdbsam
>>> doing parameter use spnego = yes
>>> doing parameter domain master = no
>>> doing parameter local master = no
>>> doing parameter wins support = no
>>> pm_process() returned Yes
>>> Attempting to register new charset UCS-2LE
>>> Registered charset UCS-2LE
>>> Attempting to register new charset UTF-16LE
>>> Registered charset UTF-16LE
>>> Attempting to register new charset UCS-2BE
>>> Registered charset UCS-2BE
>>> Attempting to register new charset UTF-16BE
>>> Registered charset UTF-16BE
>>> Attempting to register new charset UTF8
>>> Registered charset UTF8
>>> Attempting to register new charset UTF-8
>>> Registered charset UTF-8
>>> Attempting to register new charset ASCII
>>> Registered charset ASCII
>>> Attempting to register new charset 646
>>> Registered charset 646
>>> Attempting to register new charset ISO-8859-1
>>> Registered charset ISO-8859-1
>>> Attempting to register new charset UCS2-HEX
>>> Registered charset UCS2-HEX
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> added interface eth0 ip=fe80::250:56ff:fe84:7c8e%eth0
>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>> added interface eth0 ip=130.68.4.102 bcast=130.68.4.255
>>> netmask=255.255.255.0
>>> Netbios name list:-
>>> my_netbios_names[0]="TESTBOX"
>>> Client started (version 3.5.2).
>>> Enter Administrator's password:
>>> Opening cache file at /var/lib/samba/gencache.tdb
>>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>>> sitename_fetch: No stored sitename for
>>> name harp.montclair.edu#20 found.
>>> Connecting to 130.68.4.82 at port 445
>>> Socket options:
>>> SO_KEEPALIVE = 0
>>> SO_REUSEADDR = 0
>>> SO_BROADCAST = 0
>>> TCP_NODELAY = 1
>>> TCP_KEEPCNT = 9
>>> TCP_KEEPIDLE = 7200
>>> TCP_KEEPINTVL = 75
>>> IPTOS_LOWDELAY = 0
>>> IPTOS_THROUGHPUT = 0
>>> SO_SNDBUF = 16384
>>> SO_RCVBUF = 87380
>>> SO_SNDLOWAT = 1
>>> SO_RCVLOWAT = 1
>>> SO_SNDTIMEO = 0
>>> SO_RCVTIMEO = 0
>>> TCP_QUICKACK = 1
>>> session request ok
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Substituting charset 'UTF-8' for LOCALE
>>> Doing spnego session setup (blob length=46)
>>> got OID=1.3.6.1.4.1.311.2.2.10
>>> got principal=<null>
>>> size=382
>>> smb_com=0x73
>>> smb_rcls=22
>>> smb_reh=0
>>> smb_err=49152
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=2
>>> smt_wct=4
>>> smb_vwv[ 0]= 255 (0xFF)
>>> smb_vwv[ 1]= 382 (0x17E)
>>> smb_vwv[ 2]= 0 (0x0)
>>> smb_vwv[ 3]= 159 (0x9F)
>>> smb_bcc=339
>>> size=382
>>> smb_com=0x73
>>> smb_rcls=22
>>> smb_reh=0
>>> smb_err=49152
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=2
>>> smt_wct=4
>>> smb_vwv[ 0]= 255 (0xFF)
>>> smb_vwv[ 1]= 382 (0x17E)
>>> smb_vwv[ 2]= 0 (0x0)
>>> smb_vwv[ 3]= 159 (0x9F)
>>> smb_bcc=339
>>> Got challenge flags:
>>> Got NTLMSSP neg_flags=0x628a8215
>>> NTLMSSP_NEGOTIATE_UNICODE
>>> NTLMSSP_REQUEST_TARGET
>>> NTLMSSP_NEGOTIATE_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM
>>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM2
>>> NTLMSSP_NEGOTIATE_TARGET_INFO
>>> NTLMSSP_NEGOTIATE_VERSION
>>> NTLMSSP_NEGOTIATE_128
>>> NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP: Set final flags:
>>> Got NTLMSSP neg_flags=0x60088215
>>> NTLMSSP_NEGOTIATE_UNICODE
>>> NTLMSSP_REQUEST_TARGET
>>> NTLMSSP_NEGOTIATE_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM
>>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM2
>>> NTLMSSP_NEGOTIATE_128
>>> NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP Sign/Seal - Initialising with flags:
>>> Got NTLMSSP neg_flags=0x60088215
>>> NTLMSSP_NEGOTIATE_UNICODE
>>> NTLMSSP_REQUEST_TARGET
>>> NTLMSSP_NEGOTIATE_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM
>>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM2
>>> NTLMSSP_NEGOTIATE_128
>>> NTLMSSP_NEGOTIATE_KEY_EXCH
>>> size=232
>>> smb_com=0x73
>>> smb_rcls=0
>>> smb_reh=0
>>> smb_err=0
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=3
>>> smt_wct=4
>>> smb_vwv[ 0]= 255 (0xFF)
>>> smb_vwv[ 1]= 232 (0xE8)
>>> smb_vwv[ 2]= 0 (0x0)
>>> smb_vwv[ 3]= 9 (0x9)
>>> smb_bcc=189
>>> size=232
>>> smb_com=0x73
>>> smb_rcls=0
>>> smb_reh=0
>>> smb_err=0
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=0
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=3
>>> smt_wct=4
>>> smb_vwv[ 0]= 255 (0xFF)
>>> smb_vwv[ 1]= 232 (0xE8)
>>> smb_vwv[ 2]= 0 (0x0)
>>> smb_vwv[ 3]= 9 (0x9)
>>> smb_bcc=189
>>> Domain=[SERVER] OS=[Windows Server (R) 2008 Standard 6002 Service Pack
>>> 2] Server=[Windows Server (R) 2008 Standard 6.0]
>>> session setup ok
>>> tconx ok
>>> smb: \> quit
>>> size=35
>>> smb_com=0x71
>>> smb_rcls=0
>>> smb_reh=0
>>> smb_err=0
>>> smb_flg=136
>>> smb_flg2=51205
>>> smb_tid=2048
>>> smb_pid=23940
>>> smb_uid=2048
>>> smb_mid=5
>>> smt_wct=0
>>> smb_bcc=0
>>>
>>> _______________________________________________
>>> linux-cifs-client mailing list
>>> linux-cifs-client at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>
>>
>> cifs upcall does not handle ntlm authentication, ntlm/ssp is all
>> within kernel, in cifs module.
>>
>> Something that cifs client sends somehow does not register at the
>> server as ntlmssp logon.
>> Somehow in case of cifs, logon process at the server is not NtLmSsp meaning the
>> ntlmssp authentication package received at the server lacks something
>> (in security blob) to not
>> get identified as ntlmssp, may be workstation name.
>>
>> Here is the difference between an unsuccessful cifs (network) network
>> logon and a successful smbclient
>> network logon using ntlmv2 within ntlmssp within spnego.
>>
>> cifs (failure)
>>
>> Log Name: Security
>> Source: Microsoft-Windows-Security-Auditing
>> Date: 2/16/2010 11:50:41 PM
>> Event ID: 4625
>> Task Category: Logon
>> Level: Information
>> Keywords: Audit Failure
>> User: N/A
>> Computer: cifstest7
>> Description:
>> An account failed to log on.
>> Subject:
>> Security ID: NULL SID
>> Account Name: -
>> Account Domain: -
>> Logon ID: 0x0
>> Logon Type: 3
>> Account For Which Logon Failed:
>> Security ID: NULL SID
>> Account Name: root
>> Account Domain:
>> Failure Information:
>> Failure Reason: An Error occured during Logon.
>> Status: 0xc0000225
>> Sub Status: 0x0
>> Process Information:
>> Caller Process ID: 0x0
>> Caller Process Name: -
>> Network Information:
>> Workstation Name:
>> Source Network Address: 1.2.3.456
>> Source Port: 59215
>> Detailed Authentication Information:
>> Logon Process:
>> Authentication Package: NTLM
>> Transited Services: -
>> Package Name (NTLM only): -
>> Key Length: 0
>>
>> and this is smbclient (succcess)
>>
>> Log Name: Security
>> Source: Microsoft-Windows-Security-Auditing
>> Date: 2/16/2010 11:15:37 PM
>> Event ID: 4624
>> Task Category: Logon
>> Level: Information
>> Keywords: Audit Success
>> User: N/A
>> Computer: cifstest7
>> Description:
>> An account was successfully logged on.
>> Subject:
>> Security ID: NULL SID
>> Account Name: -
>> Account Domain: -
>> Logon ID: 0x0
>> Logon Type: 3
>> New Logon:
>> Security ID: cifstest7\root
>> Account Name: root
>> Account Domain: cifstest7
>> Logon ID: 0x1fae3cd
>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>> Process Information:
>> Process ID: 0x0
>> Process Name: -
>> Network Information:
>> Workstation Name: CIFSTEST6
>> Source Network Address: 1.2.3.456
>> Source Port: 50821
>> Detailed Authentication Information:
>> Logon Process: NtLmSsp
>> Authentication Package: NTLM
>> Transited Services: -
>> Package Name (NTLM only): NTLM V2
>> Key Length: 128
>>
>
> I am not coding all (actually none) of the attributes in ntlmssp
> authetication request, may be that is what
> server does not like (and complains as invalid parameter). Will have
> to try that next.
>
> Regards,
>
> Shirish
I think you may be correct on that. From my debug of sec=ntlmssp it
looks like it is only trying to negotiate NTLMv1 and not NTLMv2. The
smbclient negotiates NTLMv2 just fine.
Once again, thanks for your help guys. I have 2 functional ways of
making the connections now. 1) revert the server to the old style using
the registry key, and 2) via kerberos auth. I just need to decide which
one has the least security/administrative overhead associated with it.
Jimi
More information about the linux-cifs-client
mailing list