[PATCH] fix connection to Nintendo 3DS

Christof Schmitt cs at samba.org
Fri Jan 13 16:08:39 UTC 2017


On Fri, Jan 13, 2017 at 12:39:39AM +0100, Philippe Daouadi wrote:
> Hi,
> 
> As you may (or may not) know, it is possible to open an access to the
> internal microSD card of a 3DS through its configuration interface. The
> access is a simple listening smb server over wifi.
> 
> It works without problem when connecting from a real Windows system, but
> it always fails when trying to connect through Samba with this message:
> 
> session setup failed: NT_STATUS_INVALID_NETWORK_RESPONSE
> 
> I didn't find any solution on the Internet, so I started gdb-ing and
> wireshark-ing the issue.
> 
> I managed to make it work, and it seems to come down to the
> NTLMSSP_NEGOTIATE message that the client sends to the server. When
> samba sends this message, it is wrapped into GSS-API with SPNEGO (I have
> no idea what these mean). Windows doesn't do that and just send the
> naked NTLMSSP packet.
> 
> I'm attaching a patch that removes the SPNEGO from the authentication
> chain while keeping the NTLMSSP. I'm pretty sure that this patch breaks
> stuff (after all, it was made that way for a reason), but I don't have
> the necessary knowledge of Samba's codebase to make this a configurable
> option in smb.conf or a command-line switch.
> 
> I'm leaving the patch here if someone wants to do it, I'm pretty sure
> that they would make a bunch of linux users with Nintendo 3DSes happy :)

There is also a config option in recent Samba versions to disable SPENGO
on the client side:

       client use spnego (G)

           This variable controls whether Samba clients will try
           to use Simple and Protected NEGOciation (as specified
           by rfc2478) with supporting servers (including
           WindowsXP, Windows2000 and Samba 3.0) to agree upon an
           authentication mechanism. This enables Kerberos
           authentication in particular.

           When client NTLMv2 auth is also set to yes extended
           security (SPNEGO) is required in order to use NTLMv2
           only within NTLMSSP. This behavior was introduced with
           the patches for CVE-2016-2111.

           Default: client use spnego = yes

Maybe that is all that is required here.

Christof



More information about the samba-technical mailing list