[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Jeff Layton jlayton at samba.org
Sun Apr 11 04:41:03 MDT 2010

On Sat, 10 Apr 2010 23:09:01 -0500
Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:

> On Sat, Apr 10, 2010 at 5:17 PM, Jeff Layton <jlayton at samba.org> wrote:
> > I've been playing with NTLMSSP today in CIFS, and have run across a
> > problem. The Session Setup using Raw NTLMSSP succeeds, but then afterward
> > the tree connect fails with STATUS_ACCESS_DENIED. The odd thing is that
> > if authenticate as the same user using krb5, then it works fine.
> > smbclient does SPNEGO encapsulated NTLMSSP and the tree connect it does
> > works fine as well.
> >
> > Attached is a capture that shows two "mount attempts". The first one
> > fails (that the Linux CIFS one). The second succeeds -- that's the
> > Linux CIFS one.
> >
> > The code I'm using is slightly modified so that the tree connect is
> > closer to identical to what smbclient does. That doesn't get around the
> > problem though. I assume that there must be something wrong with the
> > session setup, but since it succeeds it seems like it ought to work...
> >
> > Does anyone have any clue as to what the problem is? Or does anyone
> > know how to make win2k8 tell me why it's refusing the tree connect? The
> > event viewer seems to be pretty useless for this, but maybe I'm just
> > not looking in the right place?
> >
> > --
> > Jeff Layton <jlayton at samba.org>
> >
> Jeff,
> You can see if this code change,
>   cifs_MD5_update(&context, (char *)&key->data, 16);
> insetead of
>  cifs_MD5_update(&context, (char *)&key->data, key->len);
> in function cifs_calculate_signature() works.

Thanks. With Steve's help last night, I figured out that the problem is
with the signing key. When I stopped the server from requiring signing,
then I can mount. So what seems to be happening is that the NTLMSSP
session setup works, but when we go to sign the first packet (the tree
connect), the server rejects it.

It looks like this code is still just stubs and the session key is just
zeroed out regardless of whether signing is done:

        sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
        sec_blob->SessionKey.Length = 0;
        sec_blob->SessionKey.MaximumLength = 0;

...samba 3.4 however seems to be fine with this, even when I request
signing so there may be a samba bug related to this as well.

I think we need to put a key in that field and may need to alter the
flags (i.e. add the key exchange flag, etc). It's not 100% clear to me
what exactly needs to go in that field though, and what flags we need
to have set at each stage. I'll note that the negotiation flags that
smbclient uses are very different from what we're sending. smbclient
also sends a 16 byte key as the session key.

Jeff Layton <jlayton at samba.org>

More information about the samba-technical mailing list