Windows 2019 Server getting Invalid signature with Samba 4.7.11

Krishna Harathi krishna.harathi at storagecraft.com
Tue Jul 14 18:26:36 UTC 2020 

I am continuing to investigate why a client is getting an “invalid signature” error.

Sequence of events

  *   Smbd generated a STATUS_NETWORK_SESSION_EXPIRED for a read request
  *   Client requested for a session (re)setup of the current/existing section (shown below)
  *   Smbd responded with STATUS_SUCCESS but response not signed (signature with zeros) (shown below)
  *   Windows SMBClient noted the “invalid signature” event (disruptive to client application)
  *   Next, there was a new session setup request
  *   Followed by smbd response with STATUS_SUCCESS with signature

From the Windows client event log, I see that there is a SMBClient/security event ID 31013  “the signing validation failed” corresponding to the time when smbd sent the session re-setup request. This caused the disconnect and disruption to application.

From the tcpdump, I see that this disconnect is followed by a new session setup request and a smbd setup response that had the response signed as expected. As far as I can tell the re-setup and the new-setup request has the same session and security parameters and flags (except for the non-zero sessionID in the re-setup request).

My question at this time is (I am not an expert in this area), is the signature expected in the re-setup of existing section? Is there a issue/fix in smbd in this area?

Any help in this issue is appreciated. I am working on re-creating this issue in-house, so will have more details. Please let me know what else to provide that will help.

Re-setup request

Transmission Control Protocol, Src Port: 27677, Dst Port: 445, Seq: 165006660, Ack: 277437573, Len: 1893
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 1889
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Session Setup (1)
        Credits requested: 0
        Flags: 0x00000010, Priority
        Chain Offset: 0x00000000
        Message ID: Unknown (7934934)
        Process Id: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x00000000da3fcdd8
            [Authenticated in Frame: 309144]
        Signature: 00000000000000000000000000000000
        [Response in: 309144]
    Session Setup Request (0x01)
        [Preauth Hash: 9a815bcc876ca46f7727e17e42381a43e8229fde444c55a1…]
        StructureSize: 0x0019
            0000 0000 0001 100. = Fixed Part Length: 12
            .... .... .... ...1 = Dynamic Part: True
        Flags: 0
            .... ...0 = Session Binding Request: False
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Capabilities: 0x00000001, DFS
        Channel: None (0x00000000)
        Previous Session Id: 0x0000000000000000
[Packet size limited during capture: SMB2 truncated]


Re-setup response –

Transmission Control Protocol, Src Port: 445, Dst Port: 27677, Seq: 277437573, Ack: 165008553, Len: 239
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 235
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000011, Response, Priority
        Chain Offset: 0x00000000
        Message ID: Unknown (7934934)
        Process Id: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x00000000da3fcdd8
            [Authenticated in Frame: 309144]
        Signature: 00000000000000000000000000000000
        [Response to: 309142]
        [Time from request: 0.003150000 seconds]
    Session Setup Response (0x01)
        [Preauth Hash: 9a815bcc876ca46f7727e17e42381a43e8229fde444c55a1…]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
            .... .... .... .0.. = Encrypt: False
        Blob Offset: 0x00000048
        Blob Length: 163
        Security Blob: a181a030819da0030a0100a10b06092a864882f712010202…
            GSS-API Generic Security Service Application Program Interface
                Unknown header (class=2, pc=1, tag=1)
                    [Expert Info (Warning/Protocol): Unknown header (class=2, pc=1, tag=1)]
                        [Unknown header (class=2, pc=1, tag=1)]
                        [Severity level: Warning]
                        [Group: Protocol]

Regards.
Krishna Harathi


From: Krishna Harathi <krishna.harathi at storagecraft.com>
Date: Thursday, May 28, 2020 at 4:25 PM
To: Andrew Bartlett via samba-technical <samba-technical at lists.samba.org>
Subject: Windows 2019 Server getting Invalid signature with Samba 4.7.11

We are using Samba 4.7.11.

Windows 2019  Server SQL Backup  workload is failing (randomly) after running 5 to 6 hours with “invalid signature”, an instance of failure shown below.

Write on "XXXX.bak” failed: 0x80090006(Invalid Signature.)  Msg 3013, Level 16, State 1, Server YYYY, Line 1  BACKUP DATABASE is terminating abnormally.  Outcome: Failed  Duration: 08:06:20  Date and time: 2020-05-25 01:06:21     Date and time: 2020-05-25 01:06:21.  Process Exit Code 1.  The step failed.

I searched Samba buzilla and found https://bugzilla.samba.org/show_bug.cgi?id=13427 but the fix is already in 4.7.11.

Is this a known issue or fix? Any help to resolve this is appreciated.

Thanks.

Regards.
Krishna Harathi

More information about the samba-technical mailing list