Samba smbclient to NetApp Filer NTLMSSP negotiation problem.
Fred Zellinger
fzellinger at gmail.com
Thu Sep 4 17:15:01 GMT 2008
I am trying to use 'smbclient' (Version 3.0.28a) to connect to
servers/shares in an Active-Directory environment.
When I try to connect to a M$Windows file server, everything works just fine:
smbclient -U john_doe -W here.ad.mycompany.com -d 10 -I 10.1.19.234
//a_mswin_server/Image password_xyz -c quit
However, when I try to connect to a NetApp filer (Data On Tap Version
7.2.4), I have problems:
smbclient -U john_doe -W here.ad.mycompany.com -d 10 -I 10.17.21.61
//a_netapp_filer/Image password_xyz -c quit
Without debugging on, the main error is:
#----------------------------------------
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
#----------------------------------------
With debugging turned on, I also get:
#---------------------------------------------------------------
spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: Invalid parameter
#---------------------------------------------------------------
I will include the full debug at the end of this message.
Our M$Windows Server and Active Directory environment is not using
Kerberos...so the message indicating that kinit needs to be performed
is mis-leading...kinit is not needed when connecting to the M$Windows
server successfully, and the NetApp filer should work the same way.
I had the NetApp sys-admin turn on some debugging flags on the NetApp
server side, and here is what he saw:
#---------------------------------------------------------------
[a_netapp_filer: auth.trace.spnegoAuthentication.statusMsg:info]:
AUTH: SPNEGO- Could not unpack NT LMSSP Authenticate token..
#---------------------------------------------------------------
It appears to me that Samba/NetApp are disagreeing about how NTLMSSP
tokens are supposed to be created/parsed. Is there a standard that
Samba/NetApp isn't following, or are they both just
reverse-engineering the MS NTLMSSP protocol differently?
We have been trying to get NetApp support to tell us how to get a
Samba->NetApp connection working, and they have given us a few generic
suggestions (using NTLMV2, etc), but they are reluctant to roll up
their sleeves and become Samba experts. So could someone who is a
Samba expert give me some pointers? Thanks in advance....here is the
full (censored) debug (-d 10) of my 'smbclient' connection attempt:
smbclient -U john_doe -W here.ad.mycompany.com -d 10 -I 10.1.19.234
//a_mswin_server/Image password_xyz -c quit
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter encrypt passwords = true
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter invalid users = root
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter socket options = TCP_NODELAY
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_STANDALONE
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=10.1.2.102 bcast=10.1.15.255 nmask=255.255.240.0
Netbios name list:-
my_netbios_names[0]="GTX2"
Client started (version 3.0.28a).
Connecting to 10.17.21.61 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 16384
socket option SO_RCVBUF = 87380
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
session request ok
write_socket(4,194)
write_socket(4,194) wrote 194
got smb length of 164
size=164
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=152
smb_flg2=32769
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 9 (0x9)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 129 (0x81)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]=46592 (0xB600)
smb_vwv[ 8]=56249 (0xDBB9)
smb_vwv[ 9]=64889 (0xFD79)
smb_vwv[10]= 211 (0xD3)
smb_vwv[11]=65152 (0xFE80)
smb_vwv[12]= 7269 (0x1C65)
smb_vwv[13]=45246 (0xB0BE)
smb_vwv[14]=51470 (0xC90E)
smb_vwv[15]=50177 (0xC401)
smb_vwv[16]= 255 (0xFF)
smb_bcc=95
[000] 15 00 00 00 65 DB 76 6A 22 88 50 52 8B 4A B0 46 ....e.vj ".PR.J.F
[010] 60 4D 06 06 2B 06 01 05 05 02 A0 43 30 41 A0 19 `M..+... ...C0A..
[020] 30 17 06 09 2A 86 48 82 F7 12 01 02 02 06 0A 2B 0...*.H. .......+
[030] 06 01 04 01 82 37 02 02 0A A3 24 30 22 A0 20 1B .....7.. ..$0". .
[040] 1E 73 70 72 6E 65 74 61 70 70 30 32 24 40 45 55
.a_netapp_filer at here.ad.mycompany.com
[050] 2E 41 44 2E 53 45 41 47 41 54 45 2E 43 4F 4D (censored)
size=164
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=152
smb_flg2=32769
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 9 (0x9)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 129 (0x81)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]=46592 (0xB600)
smb_vwv[ 8]=56249 (0xDBB9)
smb_vwv[ 9]=64889 (0xFD79)
smb_vwv[10]= 211 (0xD3)
smb_vwv[11]=65152 (0xFE80)
smb_vwv[12]= 7269 (0x1C65)
smb_vwv[13]=45246 (0xB0BE)
smb_vwv[14]=51470 (0xC90E)
smb_vwv[15]=50177 (0xC401)
smb_vwv[16]= 255 (0xFF)
smb_bcc=95
[000] 15 00 00 00 65 DB 76 6A 22 88 50 52 8B 4A B0 46 ....e.vj ".PR.J.F
[010] 60 4D 06 06 2B 06 01 05 05 02 A0 43 30 41 A0 19 `M..+... ...C0A..
[020] 30 17 06 09 2A 86 48 82 F7 12 01 02 02 06 0A 2B 0...*.H. .......+
[030] 06 01 04 01 82 37 02 02 0A A3 24 30 22 A0 20 1B .....7.. ..$0". .
[040] 1E 73 70 72 6E 65 74 61 70 70 30 32 24 40 45 55
.a_netapp_filer at here.ad.mycompany.com
[050] 2E 41 44 2E 53 45 41 47 41 54 45 2E 43 4F 4D (censored)
Doing spnego session setup (blob length=95)
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=a_netapp_filer at here.ad.mycompany.com
write_socket(4,172)
write_socket(4,172) wrote 172
got smb length of 536
size=536
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=152
smb_flg2=51207
smb_tid=0
smb_pid=31707
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 419 (0x1A3)
smb_bcc=493
[000] A1 82 01 9F 30 82 01 9B A0 03 0A 01 01 A1 0C 06 ....0... ........
[010] 0A 2B 06 01 04 01 82 37 02 02 0A A2 81 C1 04 81 .+.....7 ........
[020] BE 4E 54 4C 4D 53 53 50 00 02 00 00 00 04 00 04 .NTLMSSP ........
[030] 00 30 00 00 00 05 82 89 60 B2 AA 05 44 5A 0B 2C .0...... `...DZ.,
[040] 07 00 00 00 00 00 00 00 00 8A 00 8A 00 34 00 00 ........ .....4..
(domain and server name censored)
[0E0] 81 C1 04 81 BE 4E 54 4C 4D 53 53 50 00 02 00 00 .....NTL MSSP....
[0F0] 00 04 00 04 00 30 00 00 00 05 82 89 60 B2 AA 05 .....0.. ....`...
[100] 44 5A 0B 2C 07 00 00 00 00 00 00 00 00 8A 00 8A DZ.,.... ........
(domain and server name censored)
[1A0] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s
[1B0] 00 20 00 35 00 2E 00 30 00 00 00 57 00 69 00 6E . .5...0 ...W.i.n
[1C0] 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 .d.o.w.s . .2.0.0
[1D0] 00 30 00 20 00 4C 00 41 00 4E 00 20 00 4D 00 61 .0. .L.A .N. .M.a
[1E0] 00 6E 00 61 00 67 00 65 00 72 00 00 00 .n.a.g.e .r...
size=536
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=152
smb_flg2=51207
smb_tid=0
smb_pid=31707
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 419 (0x1A3)
smb_bcc=493
[000] A1 82 01 9F 30 82 01 9B A0 03 0A 01 01 A1 0C 06 ....0... ........
[010] 0A 2B 06 01 04 01 82 37 02 02 0A A2 81 C1 04 81 .+.....7 ........
[020] BE 4E 54 4C 4D 53 53 50 00 02 00 00 00 04 00 04 .NTLMSSP ........
[030] 00 30 00 00 00 05 82 89 60 B2 AA 05 44 5A 0B 2C .0...... `...DZ.,
[040] 07 00 00 00 00 00 00 00 00 8A 00 8A 00 34 00 00 ........ .....4..
(domain and server name censored)
[0E0] 81 C1 04 81 BE 4E 54 4C 4D 53 53 50 00 02 00 00 .....NTL MSSP....
[0F0] 00 04 00 04 00 30 00 00 00 05 82 89 60 B2 AA 05 .....0.. ....`...
[100] 44 5A 0B 2C 07 00 00 00 00 00 00 00 00 8A 00 8A DZ.,.... ........
(domain and server name censored)
[1A0] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s
[1B0] 00 20 00 35 00 2E 00 30 00 00 00 57 00 69 00 6E . .5...0 ...W.i.n
[1C0] 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 .d.o.w.s . .2.0.0
[1D0] 00 30 00 20 00 4C 00 41 00 4E 00 20 00 4D 00 61 .0. .L.A .N. .M.a
[1E0] 00 6E 00 61 00 67 00 65 00 72 00 00 00 .n.a.g.e .r...
Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] 92 6D 8B B1 88 20 A8 DE .m... ..
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
write_socket(4,274)
write_socket(4,274) wrote 274
got smb length of 35
size=35
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=49153
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=49153
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=3
smt_wct=0
smb_bcc=0
spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: Invalid parameter
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
More information about the smb-clients
mailing list