[linux-cifs-client] failed connections to 2008r2 server in high security mode

Jimi Schwar schwarj at mail.montclair.edu
Fri Apr 23 15:49:43 MDT 2010


On 4/23/10 4:18 PM, Rob Townley wrote:
> On Fri, Apr 23, 2010 at 2:16 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>> On 4/23/10 12:36 PM, Shirish Pargaonkar wrote:
>>> On Fri, Apr 23, 2010 at 11:02 AM, Jimi Schwar
>>> <schwarj at mail.montclair.edu> wrote:
>>>> On 4/23/10 9:44 AM, Shirish Pargaonkar wrote:
>>>>> On Fri, Apr 23, 2010 at 5:40 AM, Jeff Layton <jlayton at samba.org> wrote:
>>>>>> On Thu, 22 Apr 2010 22:59:10 -0500
>>>>>> Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
>>>>>>
>>>>>>> On Thu, Apr 22, 2010 at 1:01 PM, Jimi Schwar <schwarj at mail.montclair.edu> wrote:
>>>>>>>> I am having a horrible time connecting to a Windows 2008r2 server that
>>>>>>>> requires signing and NTLMv2 from a RHEL 5 server.  When trying to
>>>>>>>> connect I issue the following command:
>>>>>>>>
>>>>>>>> mount -t cifs //<servername>/<sharename> /mnt/cifs/ -o user=<SERVERNAME>\\user,sec=ntlmv2i -vv
>>>>>>>>
>>>>>>>> After entering my password the verbose output is:
>>>>>>>>
>>>>>>>> mount.cifs kernel mount options:
>>>>>>>> unc=//<servername>\<sharename>,domain=<SERVERNAME>,ver=1,rw,user=<username>,,,,,,,,,,,,,,sec=ntlmv2i,ip=x.x.x.x,pass=********
>>>>>>>> mount error(22): Invalid argument
>>>>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>>>>>
>>>>>>>> I have tried every combination I can think of, replacing sec=ntlmv2i
>>>>>>>> with ntlmv2, and specifying sign, adding the domain name, trying actual
>>>>>>>> AD users instead of a local user, but all have failed.  However I have
>>>>>>>> no problems at all connecting with smbclient.  One thing I did notice is
>>>>>>>> that with the smbclient SPNEGO must be used to make a connection, when I
>>>>>>>> set it to "no" the connection always fails.  I believe I have it
>>>>>>>> configured properly for the kernel.
>>>>>>>>
>>>>>>>> I have the following 2 lines in /etc/request-key.conf
>>>>>>>>
>>>>>>>> create    cifs.spnego    *    *        /usr/sbin/cifs.upcall %k
>>>>>>>> create    dns_resolver    *    *        /usr/sbin/cifs.upcall %k
>>>>>>>>
>>>>>>>> and I have keyutils installed.  Can anyone tell me what I'm missing, as
>>>>>>>> I'm at a complete loss getting this connection to work.
>>>>>>>>
>>>>>>>> [root@]# yum list | grep keyutil
>>>>>>>> keyutils.x86_64                      1.2-1.el5              installed
>>>>>>>> keyutils-libs.i386                   1.2-1.el5              installed
>>>>>>>> keyutils-libs.x86_64                 1.2-1.el5              installed
>>>>>>>>
>>>>>>>> Here is my kernel module info:
>>>>>>>>
>>>>>>>> [root@]# modinfo cifs
>>>>>>>> filename:       /lib/modules/2.6.18-194.el5/kernel/fs/cifs/cifs.ko
>>>>>>>> version:        1.60RH
>>>>>>>> description:    VFS to access servers complying with the SNIA CIFS Specification e.g. Samba and Windows
>>>>>>>> license:        GPL
>>>>>>>> author:         Steve French <sfrench at us.ibm.com>
>>>>>>>> srcversion:     1E19234127C80DD280CE641
>>>>>>>> depends:
>>>>>>>> vermagic:       2.6.18-194.el5 SMP mod_unload gcc-4.1
>>>>>>>> parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (int)
>>>>>>>> parm:           cifs_min_rcv:Network buffers in pool. Default: 4 Range: 1 to 64 (int)
>>>>>>>> parm:           cifs_min_small:Small network buffers in pool. Default: 30 Range: 2 to 256 (int)
>>>>>>>> parm:           cifs_max_pending:Simultaneous requests to server. Default: 50 Range: 2 to 256 (int)
>>>>>>>> module_sig:
>>>>>>>> 883f3504ba0377878ccfeaa942826a11233a309e20373ac358c1f44611144fd5c03072bacf60c50a0b0fd3052e2277cc786c308ad54cf16c85f0bf
>>>>>>>>
>>>>>>>> dmesg output of the connection:
>>>>>>>>
>>>>>>>> fs/cifs/cifsfs.c: Devname: //x.x.montclair.edu/sharename flags: 64
>>>>>>>>  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 28 with uid: 0
>>>>>>>>  fs/cifs/connect.c: Domain name set
>>>>>>>>  fs/cifs/connect.c: Username: user
>>>>>>>>  fs/cifs/connect.c: UNC: \\x.x.montclair.edu\webhome ip: x.x.x.x
>>>>>>>>  fs/cifs/connect.c: Socket created
>>>>>>>>  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
>>>>>>>>  fs/cifs/connect.c: Existing smb sess not found
>>>>>>>>  fs/cifs/connect.c: Demultiplex PID: 6900
>>>>>>>>  fs/cifs/cifssmb.c: secFlags 0x1005
>>>>>>>>  fs/cifs/transport.c: For smb_command 114
>>>>>>>>  fs/cifs/transport.c: Sending smb:  total_len 82
>>>>>>>> | 0x00 0x00 0x00 0x4e 0xff 0x53 0x4d 0x42  |  _ _ _ N ? S M B
>>>>>>>> | 0x72 0x00 0x00 0x00 0x00 0x00 0x01 0xc0  |  r _ _ _ _ _ _ ?
>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  |  _ _ _ _ _ _ _ _
>>>>>>>> | 0x00 0x00 0x00 0x00 0x00 0x00 0xf3 0x1a  |  _ _ _ _ _ _ ? _
>>>>>>>> | 0x00 0x00 0x01 0x00 0x00 0x2b 0x00 0x02  |  _ _ _ _ _ + _ _
>>>>>>>> | 0x4c 0x4d 0x31 0x2e 0x32 0x58 0x30 0x30  |  L M 1 . 2 X 0 0
>>>>>>>> | 0x32 0x00 0x02 0x4c 0x41 0x4e 0x4d 0x41  |  2 _ _ L A N M A
>>>>>>>> | 0x4e 0x32 0x2e 0x31 0x00 0x02 0x4e 0x54  |  N 2 . 1 _ _ N T
>>>>>>>> | 0x20 0x4c 0x4d 0x20 0x30 0x2e 0x31 0x32  |    L M   0 . 1 2
>>>>>>>> | 0x00 0x02 0x50 0x4f 0x53 0x49 0x58 0x20  |  _ _ P O S I X
>>>>>>>> | 0x32 0x00                                |  2 _
>>>>>>>>  fs/cifs/connect.c: rfc1002 length 0x71
>>>>>>>>  fs/cifs/cifssmb.c: Dialect: 2
>>>>>>>>  fs/cifs/cifssmb.c: Must sign - secFlags 0x1005
>>>>>>>>  fs/cifs/cifssmb.c: negprot rc 0
>>>>>>>>  fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust: 14400
>>>>>>>>  fs/cifs/sess.c: sess setup type 3
>>>>>>>>  fs/cifs/transport.c: For smb_command 115
>>>>>>>>  fs/cifs/transport.c: Sending smb:  total_len 270
>>>>>>>>  fs/cifs/connect.c: rfc1002 length 0x27
>>>>>>>>  CIFS VFS: Unexpected SMB signature
>>>>>>>> Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
>>>>>>>>  fs/cifs/netmisc.c: Mapping smb error code 87 to POSIX err -22
>>>>>>>>  fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
>>>>>>>>  fs/cifs/sess.c: ssetup rc from sendrecv2 is -22
>>>>>>>>  fs/cifs/sess.c: ssetup freeing small buf ffff81006ef78300
>>>>>>>>  CIFS VFS: Send error in SessSetup = -22
>>>>>>>>  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 28) rc = -22
>>>>>>>>  CIFS VFS: cifs_mount failed w/return code = -22
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> linux-cifs-client mailing list
>>>>>>>> linux-cifs-client at lists.samba.org
>>>>>>>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>>>>>>>>
>>>>>>>
>>>>>>> It is broken.  I have coded to send SPNEGO ntlmv2 authentication but
>>>>>>> somehow am getting error of Invalid parameter, the response does not
>>>>>>> tell which parameter though.
>>>>>>>
>>>>>>
>>>>>> I think this is actually a bug in win2k8/vista:
>>>>>>
>>>>>>   http://support.microsoft.com/kb/957441
>>>>>>
>>>>>> ...though it wouldn't be an issue if NTLMSSP/SPNEGO worked properly.
>>>>>>
>>>>>> --
>>>>>> Jeff Layton <jlayton at samba.org>
>>>>>>
>>>>>
>>>>> The bug does not mention Windows7, I have a Windows 7 box, so will try first
>>>>> authenticating with it instead of Windows 2008 Server.
>>>>> Also, I am not sure how essential SPNEGO is, i.e. would Raw NTLMSSP with
>>>>> NTLMv2 authentication mechanism suffice instead of SPNEGO NTLMSSP ntlmv2.
>>>>> I also need to figure out how to tell smbclient to talk ntlmv2 NTLMSSP
>>>>> without SPNEGO; by default it is SPNEGO NTLMSSP, which I have been able
>>>>> to use against a Windows7 box.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Shirish
>>>>
>>>> I have tried sec=ntlmssp, which from the doc says is experimental, and
>>>> it failed as well.  Adding the registry key mentioned in the KB did
>>>> allow me to mount the share without issue on both 2008 and 2008r2, so
>>>> thanks Jeff, you rock.
>>>
>>> Two things, first, I think with sec=ntlmssp, you are using ntlmv1 in the current
>>> cifs code. Can you please verify that?
>>> And second, why is not smbclient bothered with this registry key presence or
>>> absence?
>>>
>>>>
>>>> Also, I know this is out of place for the conversation, but I also set
>>>> up kerberos auth and it negotiated properly to auth to the share.
>>>>
>>>> If you guys want me to provide more feedback, please let me know what
>>>> you need.  Thanks for the help you've both provided so far.
>>>>
>>>> Jimi
>>>>
>>
>> I believe that the sec=ntlmssp is doing NTLMv1.  I'm not 100% sure, but
>> I did see NTLM 0.12 in the first portion of the mount.cifs dmesg output,
>> which is ntlmv1 from what I've read.
>>
>> Here is a long debug session of connecting to the server using SPNEGO
>> and the smbclient.  It looks like it negotiates NTLMv2 without issue.
>> Do you know if cifs.upcall handles NTLMSSP negotiation, or does it only
>> handle things when using kerberos?
>>
>> ############################
>> #   SMBCLIENT CONNECTION   #
>> ############################
>> [root@]# smbclient -v //server.montclair.edu/Test -U Administrator -W SERVER -d 5 -S yes
>> INFO: Current debug levels:
>>  all: True/5
>>  tdb: False/0
>>  printdrivers: False/0
>>  lanman: False/0
>>  smb: False/0
>>  rpc_parse: False/0
>>  rpc_srv: False/0
>>  rpc_cli: False/0
>>  passdb: False/0
>>  sam: False/0
>>  auth: False/0
>>  winbind: False/0
>>  vfs: False/0
>>  idmap: False/0
>>  quota: False/0
>>  acls: False/0
>>  locking: False/0
>>  msdfs: False/0
>>  dmapi: False/0
>>  registry: False/0
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = MYGROUP
>> doing parameter server string = testbox.montclair.edu
>> doing parameter netbios name = testbox
>> handle_netbios_name: set global_myname to: TESTBOX
>> doing parameter client ntlmv2 auth = yes
>> doing parameter client signing = auto
>> doing parameter client use spnego = yes
>> doing parameter client lanman auth = no
>> doing parameter lanman auth = no
>> doing parameter security = user
>> doing parameter passdb backend = tdbsam
>> doing parameter use spnego = yes
>> doing parameter domain master = no
>> doing parameter local master = no
>> doing parameter wins support = no
>> pm_process() returned Yes
>> Attempting to register new charset UCS-2LE
>> Registered charset UCS-2LE
>> Attempting to register new charset UTF-16LE
>> Registered charset UTF-16LE
>> Attempting to register new charset UCS-2BE
>> Registered charset UCS-2BE
>> Attempting to register new charset UTF-16BE
>> Registered charset UTF-16BE
>> Attempting to register new charset UTF8
>> Registered charset UTF8
>> Attempting to register new charset UTF-8
>> Registered charset UTF-8
>> Attempting to register new charset ASCII
>> Registered charset ASCII
>> Attempting to register new charset 646
>> Registered charset 646
>> Attempting to register new charset ISO-8859-1
>> Registered charset ISO-8859-1
>> Attempting to register new charset UCS2-HEX
>> Registered charset UCS2-HEX
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> added interface eth0 ip=fe80::250:56ff:fe84:7c8e%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>> added interface eth0 ip=130.68.4.102 bcast=130.68.4.255 netmask=255.255.255.0
>> Netbios name list:-
>> my_netbios_names[0]="TESTBOX"
>> Client started (version 3.5.2).
>> Enter Administrator's password:
>> Opening cache file at /var/lib/samba/gencache.tdb
>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>> sitename_fetch: No stored sitename for name harp.montclair.edu#20 found.
>> Connecting to 130.68.4.82 at port 445
>> Socket options:
>>        SO_KEEPALIVE = 0
>>        SO_REUSEADDR = 0
>>        SO_BROADCAST = 0
>>        TCP_NODELAY = 1
>>        TCP_KEEPCNT = 9
>>        TCP_KEEPIDLE = 7200
>>        TCP_KEEPINTVL = 75
>>        IPTOS_LOWDELAY = 0
>>        IPTOS_THROUGHPUT = 0
>>        SO_SNDBUF = 16384
>>        SO_RCVBUF = 87380
>>        SO_SNDLOWAT = 1
>>        SO_RCVLOWAT = 1
>>        SO_SNDTIMEO = 0
>>        SO_RCVTIMEO = 0
>>        TCP_QUICKACK = 1
>>  session request ok
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Doing spnego session setup (blob length=46)
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=<null>
>> size=382
>> smb_com=0x73
>> smb_rcls=22
>> smb_reh=0
>> smb_err=49152
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=23940
>> smb_uid=2048
>> smb_mid=2
>> smt_wct=4
>> smb_vwv[ 0]=  255 (0xFF)
>> smb_vwv[ 1]=  382 (0x17E)
>> smb_vwv[ 2]=    0 (0x0)
>> smb_vwv[ 3]=  159 (0x9F)
>> smb_bcc=339
>> size=382
>> smb_com=0x73
>> smb_rcls=22
>> smb_reh=0
>> smb_err=49152
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=23940
>> smb_uid=2048
>> smb_mid=2
>> smt_wct=4
>> smb_vwv[ 0]=  255 (0xFF)
>> smb_vwv[ 1]=  382 (0x17E)
>> smb_vwv[ 2]=    0 (0x0)
>> smb_vwv[ 3]=  159 (0x9F)
>> smb_bcc=339
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x628a8215
>>  NTLMSSP_NEGOTIATE_UNICODE
>>  NTLMSSP_REQUEST_TARGET
>>  NTLMSSP_NEGOTIATE_SIGN
>>  NTLMSSP_NEGOTIATE_NTLM
>>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>  NTLMSSP_NEGOTIATE_NTLM2
>>  NTLMSSP_NEGOTIATE_TARGET_INFO
>>  NTLMSSP_NEGOTIATE_VERSION
>>  NTLMSSP_NEGOTIATE_128
>>  NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>  NTLMSSP_NEGOTIATE_UNICODE
>>  NTLMSSP_REQUEST_TARGET
>>  NTLMSSP_NEGOTIATE_SIGN
>>  NTLMSSP_NEGOTIATE_NTLM
>>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>  NTLMSSP_NEGOTIATE_NTLM2
>>  NTLMSSP_NEGOTIATE_128
>>  NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>  NTLMSSP_NEGOTIATE_UNICODE
>>  NTLMSSP_REQUEST_TARGET
>>  NTLMSSP_NEGOTIATE_SIGN
>>  NTLMSSP_NEGOTIATE_NTLM
>>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>  NTLMSSP_NEGOTIATE_NTLM2
>>  NTLMSSP_NEGOTIATE_128
>>  NTLMSSP_NEGOTIATE_KEY_EXCH
>> size=232
>> smb_com=0x73
>> smb_rcls=0
>> smb_reh=0
>> smb_err=0
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=23940
>> smb_uid=2048
>> smb_mid=3
>> smt_wct=4
>> smb_vwv[ 0]=  255 (0xFF)
>> smb_vwv[ 1]=  232 (0xE8)
>> smb_vwv[ 2]=    0 (0x0)
>> smb_vwv[ 3]=    9 (0x9)
>> smb_bcc=189
>> size=232
>> smb_com=0x73
>> smb_rcls=0
>> smb_reh=0
>> smb_err=0
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=23940
>> smb_uid=2048
>> smb_mid=3
>> smt_wct=4
>> smb_vwv[ 0]=  255 (0xFF)
>> smb_vwv[ 1]=  232 (0xE8)
>> smb_vwv[ 2]=    0 (0x0)
>> smb_vwv[ 3]=    9 (0x9)
>> smb_bcc=189
>> Domain=[SERVER] OS=[Windows Server (R) 2008 Standard 6002 Service Pack 2] Server=[Windows Server (R) 2008 Standard 6.0]
>>  session setup ok
>>  tconx ok
>> smb: \> quit
>> size=35
>> smb_com=0x71
>> smb_rcls=0
>> smb_reh=0
>> smb_err=0
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=2048
>> smb_pid=23940
>> smb_uid=2048
>> smb_mid=5
>> smt_wct=0
>> smb_bcc=0
>>
>>
> 
> First, I have been sticking with security = ADS.  Since you have
> security=user, maybe none of this helps.
> 
> I am under the impression that kerberos is tried first and then ntlmv2.
> However not sure offhand if your version of cifs supports sec=krb5i or
> even sec=krb5.
> 
> Have you tried anything like:
> mount -t cifs //server/share /mnt/test  -o sec=krb5i
> 
>         client schannel = Auto
>         server schannel = Auto
> 
>         lanman auth = No
>         ntlm auth = No
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No

In the output from the message above I was only trying to display the
output of SPNEGO and NTLMv2 working with smbclient.

When I have kerberos configured everything works properly with both
mount.cifs and smbclient.  But I'll take a look at the security=ADS
setting as it may be better to use for my laptop.

Jimi
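
Added example (not part of the original message, and not code from Samba or the cifs module): a small Python decoder for the two bit fields that appear in the logs quoted above, the SMB1 "Security Mode" byte from dmesg and the NTLMSSP neg_flags values from smbclient. The sample lines are copied from those logs; the function names and the weakness checks are assumptions made for this illustration.

```python
import re

# SecurityMode bits of the SMB1 NEGOTIATE response.
SECURITY_MODE_BITS = {
    0x01: "USER_LEVEL_SECURITY",
    0x02: "ENCRYPT_PASSWORDS",
    0x04: "SIGNING_ENABLED",
    0x08: "SIGNING_REQUIRED",
}

# NTLMSSP NegotiateFlags (MS-NLMP names), subset relevant to these logs.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # Samba prints this as NTLM2
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def decode(value, table):
    """Return (names of set bits in ascending bit order, leftover unknown bits)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names, unknown

def audit(log_text):
    """Pull Security Mode and neg_flags out of log text and summarise them."""
    report = {}
    m = re.search(r"Security Mode:\s*(0x[0-9a-fA-F]+)", log_text)
    if m:
        mode = int(m.group(1), 16)
        report["security_mode"] = decode(mode, SECURITY_MODE_BITS)[0]
        report["signing_required"] = bool(mode & 0x08)
    flags = [int(v, 16) for v in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", log_text)]
    if flags:
        offered, final = flags[0], flags[-1]   # server challenge, then final set
        report["final_flags"] = decode(final, NTLMSSP_FLAGS)[0]
        report["dropped"] = decode(offered & ~final, NTLMSSP_FLAGS)[0]
        checks = [
            (not final & 0x00000010, "NTLMSSP signing not negotiated"),
            (not final & 0x00080000, "no extended session security"),
            (not final & 0x20000000, "no 128-bit session key"),
            (bool(final & 0x00000080), "LM session key negotiated"),
        ]
        report["weaknesses"] = [msg for failed, msg in checks if failed]
    return report

# Lines copied from the dmesg and smbclient output quoted in this message.
SAMPLE = """\
fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1e3fc TimeAdjust: 14400
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
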


