[PATCH] fix connection to Nintendo 3DS

Philippe Daouadi blastrock0 at free.fr
Fri Jan 13 21:32:24 UTC 2017


On 2017-01-13 17:08, Christof Schmitt wrote:
> On Fri, Jan 13, 2017 at 12:39:39AM +0100, Philippe Daouadi wrote:
>> Hi,
>>
>> As you may (or may not) know, it is possible to open an access to the
>> internal microSD card of a 3DS through its configuration interface. The
>> access is a simple listening smb server over wifi.
>>
>> It works without problem when connecting from a real Windows system, but
>> it always fails when trying to connect through Samba with this message:
>>
>> session setup failed: NT_STATUS_INVALID_NETWORK_RESPONSE
>>
>> I didn't find any solution on the Internet, so I started gdb-ing and
>> wireshark-ing the issue.
>>
>> I managed to make it work, and it seems to come down to the
>> NTLMSSP_NEGOTIATE message that the client sends to the server. When
>> samba sends this message, it is wrapped into GSS-API with SPNEGO (I have
>> no idea what these mean). Windows doesn't do that and just sends the
>> naked NTLMSSP packet.
>>
>> I'm attaching a patch that removes the SPNEGO from the authentication
>> chain while keeping the NTLMSSP. I'm pretty sure that this patch breaks
>> stuff (after all, it was made that way for a reason), but I don't have
>> the necessary knowledge of Samba's codebase to make this a configurable
>> option in smb.conf or a command-line switch.
>>
>> I'm leaving the patch here if someone wants to do it, I'm pretty sure
>> that they would make a bunch of linux users with Nintendo 3DSes happy :)
> There is also a config option in recent Samba versions to disable SPNEGO
> on the client side:
>
>         client use spnego (G)
>
>             This variable controls whether Samba clients will try
>             to use Simple and Protected NEGOciation (as specified
>             by rfc2478) with supporting servers (including
>             WindowsXP, Windows2000 and Samba 3.0) to agree upon an
>             authentication mechanism. This enables Kerberos
>             authentication in particular.
>
>             When client NTLMv2 auth is also set to yes extended
>             security (SPNEGO) is required in order to use NTLMv2
>             only within NTLMSSP. This behavior was introduced with
>             the patches for CVE-2016-2111.
>
>             Default: client use spnego = yes
>
> Maybe that is all that is required here.
>
> Christof
I tried that, but it seems to disable NTLMSSP as well and falls back to
some more primitive authentication method. From what I can see with
wireshark, it only sends an "ANSI password" and a "unicode password"
field, which contain hashes. The 3DS seems to expect a "security blob"
with NTLMSSP content. From what I understand, the second paragraph of
your quote explains that this is impossible and intended, though I'm not
sure what "NTLMv2" is.

Philippe
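
Added example (not part of the original message and not Samba code): a Python function that classifies the security blob of an SMB session setup as raw NTLMSSP or SPNEGO-wrapped, the framing difference this thread is about. The function names and the two sample byte strings are constructed for illustration.

```python
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER OID 1.3.6.1.5.5.2
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed samples: a minimal NEGOTIATE header, bare and SPNEGO-wrapped.
RAW_NEGOTIATE = NTLMSSP_SIG + struct.pack("<II", 1, 0x00000207)
WRAPPED_NEGOTIATE = bytes.fromhex(
    "603006062b0601050502"                  # [APPLICATION 0] + SPNEGO OID
    "a0263024a00e300c060a2b06010401823702020a"  # NegTokenInit, NTLMSSP mech OID
    "a2120410") + RAW_NEGOTIATE             # mechToken OCTET STRING

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _ntlm_type(buf):
    if len(buf) < 12 or not buf.startswith(NTLMSSP_SIG):
        return None
    (mtype,) = struct.unpack_from("<I", buf, 8)
    return NTLM_TYPES.get(mtype, "type %d" % mtype)

def classify_security_blob(blob):
    """Return (framing, ntlm_message) for a session-setup security blob."""
    if not blob:
        return ("empty", None)  # legacy setup carries password fields instead
    if blob.startswith(NTLMSSP_SIG):
        return ("raw NTLMSSP", _ntlm_type(blob))
    try:
        if blob[0] == 0x60:  # GSS-API initial context token
            _, pos = _der_len(blob, 1)
            if blob[pos:pos + len(SPNEGO_OID)] != SPNEGO_OID:
                return ("GSS-API, non-SPNEGO mechanism", None)
            framing = "GSS-API/SPNEGO NegTokenInit"
        elif blob[0] == 0xA1:  # bare NegTokenResp in later round trips
            framing = "SPNEGO NegTokenResp"
        else:
            return ("unknown", None)
    except (ValueError, IndexError):
        return ("malformed DER", None)
    idx = blob.find(NTLMSSP_SIG)  # NTLMSSP token sits inside an OCTET STRING
    return (framing, _ntlm_type(blob[idx:]) if idx >= 0 else None)
```

Feeding it the security blob bytes copied from a packet capture shows at a glance which framing each client used.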


