[Samba] cannot connect without user/pass on Windows 10

Bram Matthys syzop at vulnscan.org
Thu Jan 26 15:30:28 UTC 2017 

Op 26-1-2017 om 15:01 schreef Rowland Penny via samba:
> On Thu, 26 Jan 2017 12:12:41 +0100
> Bram Matthys via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> A number of students are unable to connect to our print server from
>> their Windows 10 client laptop without entering a user/pass. More
>> precisely: If you try to connect manually to \\IP it says "Username
>> or password incorrect" and prompts to enter a username/password.
>> Despite the server setting to map all users to guest (see further
>> down). I did a packet dump and the client pc asks NTLMSSP_NEGOTIATE,
>> server replies with an NTLMSSP_CHALLENGE and then the client pc
>> simply hangs up (TCP RST).
>>
>> Now the (more) interesting bit: all this only happens when you use a
>> "microsoft account", not if you use a local account. With a local
>> account on the laptop start -> run -> \\IP will get you connected
>> without asking for a user / password and show the shared printers and
>> shares, as expected.
>>
>> Any ideas? Is this fixable on the server-side? Otherwise if that is
>> not possible, fixable on the client-side while still permitting
>> microsoft accounts?
>>
>> Packet dump (raw): https://www.vulnscan.org/tmp/cannotconnectsmb.pcap
>>
>> Packet dump (text) below:
>> 1 0.000000 10.0.6.178 -> 10.0.0.7 TCP 66 49939→445 [SYN] Seq=0
>> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
>> 2 0.000049 10.0.0.7 -> 10.0.6.178 TCP 66 445→49939 [SYN, ACK] Seq=0
>> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
>> 3 0.002343 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [ACK] Seq=1 Ack=1
>> Win=65536 Len=0
>> 4 0.002514 10.0.6.178 -> 10.0.0.7 SMB 213 Negotiate Protocol Request
>> 5 0.002528 10.0.0.7 -> 10.0.6.178 TCP 54 445→49939 [ACK] Seq=1
>> Ack=160 Win=30336 Len=0
>> 6 0.009462 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
>> 7 0.011702 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
>> 8 0.011936 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol Response
>> 9 0.016597 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup Request,
>> NTLMSSP_NEGOTIATE
>> 10 0.017098 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
>> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
>> 11 0.020411 10.0.6.178 -> 10.0.0.7 TCP 60 49939→445 [RST, ACK]
>> Seq=504 Ack=710 Win=0 Len=0
>> 12 0.023889 10.0.6.178 -> 10.0.0.7 TCP 66 49940→445 [SYN] Seq=0
>> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
>> 13 0.023932 10.0.0.7 -> 10.0.6.178 TCP 66 445→49940 [SYN, ACK] Seq=0
>> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
>> 14 0.026880 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [ACK] Seq=1 Ack=1
>> Win=65536 Len=0
>> 15 0.026922 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
>> 16 0.026941 10.0.0.7 -> 10.0.6.178 TCP 54 445→49940 [ACK] Seq=1
>> Ack=179 Win=30336 Len=0
>> 17 0.032177 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol
>> Response 18 0.034870 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup
>> Request, NTLMSSP_NEGOTIATE
>> 19 0.035490 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
>> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
>> 20 0.038742 10.0.6.178 -> 10.0.0.7 TCP 60 49940→445 [RST, ACK]
>> Seq=345 Ack=504 Win=0 Len=0
>> 21 0.202080 10.0.6.178 -> 10.0.0.7 TCP 66 49941→445 [SYN] Seq=0
>> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
>> 22 0.202145 10.0.0.7 -> 10.0.6.178 TCP 66 445→49941 [SYN, ACK] Seq=0
>> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
>> 23 0.204434 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [ACK] Seq=1 Ack=1
>> Win=65536 Len=0
>> 24 0.204484 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
>> 25 0.204503 10.0.0.7 -> 10.0.6.178 TCP 54 445→49941 [ACK] Seq=1
>> Ack=179 Win=30336 Len=0
>> 26 0.212382 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol
>> Response 27 0.214883 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup
>> Request, NTLMSSP_NEGOTIATE
>> 28 0.215544 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
>> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
>> 29 0.218612 10.0.6.178 -> 10.0.0.7 TCP 60 49941→445 [RST, ACK]
>> Seq=345 Ack=504 Win=0 Len=0
>> 30 0.222053 10.0.6.178 -> 10.0.0.7 TCP 66 49942→445 [SYN] Seq=0
>> Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
>> 31 0.222120 10.0.0.7 -> 10.0.6.178 TCP 66 445→49942 [SYN, ACK] Seq=0
>> Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
>> 32 0.224036 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [ACK] Seq=1 Ack=1
>> Win=65536 Len=0
>> 33 0.224074 10.0.6.178 -> 10.0.0.7 SMB2 232 Negotiate Protocol Request
>> 34 0.224086 10.0.0.7 -> 10.0.6.178 TCP 54 445→49942 [ACK] Seq=1
>> Ack=179 Win=30336 Len=0
>> 35 0.230810 10.0.0.7 -> 10.0.6.178 SMB2 260 Negotiate Protocol
>> Response 36 0.233314 10.0.6.178 -> 10.0.0.7 SMB2 220 Session Setup
>> Request, NTLMSSP_NEGOTIATE
>> 37 0.234009 10.0.0.7 -> 10.0.6.178 SMB2 351 Session Setup Response,
>> Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
>> 38 0.237069 10.0.6.178 -> 10.0.0.7 TCP 60 49942→445 [RST, ACK]
>> Seq=345 Ack=504 Win=0 Len=0
>>
>> Server config:
>> [global]
>> workgroup = MLHJ
>> interfaces = anet jnet print wifi lo
>> bind interfaces only = Yes
>> server role = standalone server
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> syslog = 0
>> log file = /var/log/samba/smb.log
>> printcap name = /etc/printcap
>> dns proxy = No
>> panic action = /usr/share/samba/panic-action %d
>> idmap config * : backend = tdb
>> printing = bsd
>> print command = /usr/local/scripts/print "%p" "%s" "%I" "%m" "%U"
>> "%J"
>> 2>&1|logger -p lpr.debug -t samba-print
>>
>>
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> create mask = 0700
>> guest ok = Yes
>> printable = Yes
>> print ok = Yes
>> browseable = No
>>
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>> guest ok = Yes
>>
>> # smbd -V
>> Version 4.2.14-Debian
>>
>> Regards,
>>
>> Bram
>>
> Do your users exist on the printserver ?
>
> If you look in 'man smb.conf' under 'map to guest (G)' you will find
> this:
>
> Bad User - Means user logins with an invalid password are
> rejected, unless the username does not exist, in which case it
> is treated as a guest login and mapped into the guest
> account.
>
> So, if the user does exist and uses an incorrect password it will be
> rejected, but if the user doesn't exist, it will be SILENTLY mapped to
> guest.
>
> Rowland
>

Right, I understand what you are after, but no: the user does not exist 
on the server.

Also, looking at the packet dump, the username isn't even sent (yet).

Best regards,

Bram

More information about the samba mailing list