[Samba] smbclient fails NT_STATUS_INVALID_HANDLE with Windows 7 KB4480970

Sun Jan 13 01:00:08 UTC 2019

smbclient/mount.cifs stopped working when connecting to a Windows 7
server. The Windows machine is not part of a domain and smbclient is
authenticating with one of its local accounts. Upon uninstalling the
January Windows security patch (KB4480970) from the server, everything
works again. The tests below are with a custom compiled copy of the
latest smbclient (4.9.4) for troubleshooting purposes but the
distribution-packaged version exhibits the same behavior.

Here is the failing connection with KB4480970 installed:
$ ./smbclient -d 3 -s /dev/null //192.168.0.3/xxxxx -U xxxxx%xxxxx
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
mkdir failed on directory /usr/local/samba/var/lock: No such file or directory
cmdline_messaging_context: Unable to initialize messaging context.
Unable to initialize messaging context
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=2601:14e:c080:e47:eda1:9444:d39f:d852 bcast=
netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.101 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.9.4).
Connecting to 192.168.0.3 at port 445
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: An invalid HANDLE was specified.
session setup failed: NT_STATUS_INVALID_HANDLE

and here is a successful connection after removing the patch:
$ ./smbclient -d 3 -s /dev/null //192.168.0.3/xxxxx -U xxxxx%xxxxx
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
mkdir failed on directory /usr/local/samba/var/lock: No such file or directory
cmdline_messaging_context: Unable to initialize messaging context.
Unable to initialize messaging context
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=2601:14e:c080:e47:eda1:9444:d39f:d852 bcast=
netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.101 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.9.4).
Connecting to 192.168.0.3 at port 445
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Try "help" to get a list of possible commands.
smb: \>

Thanks