[Samba] Regression: The 'net' command is now failing to login (UNKNOWN ENUM VALUE 1003?)

pisymbol . pisymbol at gmail.com
Thu May 26 11:23:16 UTC 2016


On Wed, May 25, 2016 at 2:38 PM, pisymbol . <pisymbol at gmail.com> wrote:
> Hello:
>
> Platform: CentOS 6.7 x86-64
>
> $ rpm -qa | grep samba
> samba-common-3.6.23-30.el6_7.x86_64
> samba4-libs-4.2.10-6.el6_7.x86_64
> ie-samba-utils-3.6.13-7.x86_64
> samba-winbind-3.6.23-30.el6_7.x86_64
> samba-client-3.6.23-30.el6_7.x86_64
> samba-winbind-clients-3.6.23-30.el6_7.i686
> samba-winbind-clients-3.6.23-30.el6_7.x86_64
>
> Problems began after requiring SMB signing (I forgot the specifics but
> it was related to CVE-2016-2111 and the one before it I think).
>
> I had to enable support for signatures on the NetApp (I'm using their
> latest patched 8.2.4P3D1 firmware too; however, it looks like it fails
> on older releases of OnTap as well) as per their KB. That worked for
> now, making commands like rpcclient work.
>
> However, this now breaks the 'net' command:
>
> $ sudo net -d10 -U someuser%somepass -S <netapp hostname> share
> ....
> ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
> downgrade detected! missing_flags[0x00000010] -
> NT_STATUS_RPC_SEC_PKG_ERROR
> Got NTLMSSP neg_flags=0x00000010
>   NTLMSSP_NEGOTIATE_SIGN
> neg_flags[0x60088205]
> Got NTLMSSP neg_flags=0x60088205
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
> lang_tdb_init: /usr/lib64/samba/en_US.UTF-8.msg: No such file or directory
> session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
> did you forget to run kinit?
>      NetShareEnum: struct NetShareEnum
>         out: struct NetShareEnum
>             buffer                   : *
>                 buffer                   : NULL
>             entries_read             : *
>                 entries_read             : 0x00000000 (0)
>             total_entries            : *
>                 total_entries            : 0x00000000 (0)
>             resume_handle            : *
>                 resume_handle            : 0x00000000 (0)
>             result                   : UNKNOWN_ENUM_VALUE (1003)
> return code = 1003
>
> What is UNKNOWN ENUM VALUE (1003)?


If I turn off spnego on the client, then the net command works but now
rpcclient doesn't:

Attempt to open gencache.tdb has failed.
internal_resolve_name: returning 1 addresses: 192.168.17.248:0
Running timed event "tevent_req_timedout" 0x246a968
Connecting to 192.168.17.248 at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 1
    TCP_KEEPCNT = 9
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 19800
    SO_RCVBUF = 87380
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    Could not test socket option SO_SNDTIMEO.
    Could not test socket option SO_RCVTIMEO.
    TCP_QUICKACK = 1
Failed to load /var/lib/samba/lib/upcase.dat - No such file or directory
Failed to load /var/lib/samba/lib/lowcase.dat - No such file or directory
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
Substituting charset 'UTF-8' for LOCALE
cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE


Can someone please explain to me why 'net' and 'rpcclient'
authenticate differently?

Note that I tried this on our NetApp with signing on and off.

-aps
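
Added example (not part of the original post and not Samba's own code): a small Python decoder for the NTLMSSP flag words in the debug output above, showing which bit the client required that the server's challenge did not offer. Bit values follow MS-NLMP; the function and variable names are this example's own.

```python
import re

# NTLMSSP negotiate flag bits per MS-NLMP, named as Samba's debug output names them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Taken from the 'net -d10' debug output quoted in the post (quote markers removed).
SAMPLE_LOG = """ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
downgrade detected! missing_flags[0x00000010] -
NT_STATUS_RPC_SEC_PKG_ERROR"""

DOWNGRADE_RE = re.compile(
    r"challenge flags\[0x([0-9a-fA-F]+)\].*?missing_flags\[0x([0-9a-fA-F]+)\]", re.S)

def decode_flags(value):
    """Names of the bits set in value, lowest bit first; unnamed bits shown as hex."""
    bits = (1 << i for i in range(32))
    return [NTLMSSP_FLAGS.get(b, "UNKNOWN_0x%08x" % b) for b in bits if value & b]

def analyse_downgrade(log_text):
    """Explain a 'possible downgrade detected' line, or return None if absent."""
    m = DOWNGRADE_RE.search(log_text)
    if m is None:
        return None
    challenge, missing = int(m.group(1), 16), int(m.group(2), 16)
    return {
        "server_offered": decode_flags(challenge),
        "required_but_missing": decode_flags(missing),
        "consistent": challenge & missing == 0,  # a missing bit cannot be set in the challenge
    }

if __name__ == "__main__":
    report = analyse_downgrade(SAMPLE_LOG)
    print("missing:", report["required_but_missing"], "offered:", report["server_offered"])
```
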


