Samba smbclient to NetApp Filer NTLMSSP negotiation problem.

Fred Zellinger fzellinger at gmail.com
Thu Sep 4 17:15:01 GMT 2008 

I am trying to use 'smbclient' (Version 3.0.28a) to connect to
servers/shares in an Active-Directory environment.

When I try to connect to a M$Windows file server, everything works just fine:
smbclient -U john_doe -W here.ad.mycompany.com -d 10 -I 10.1.19.234
//a_mswin_server/Image password_xyz -c quit

However, when I try to connect to a NetApp filer (Data On Tap Version
7.2.4), I have problems:
smbclient -U john_doe -W here.ad.mycompany.com -d 10 -I 10.17.21.61
//a_netapp_filer/Image password_xyz -c quit

Without debugging on, the main error is:
#----------------------------------------
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
#----------------------------------------

With debugging turned on, I also get:
#---------------------------------------------------------------
spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: Invalid parameter
#---------------------------------------------------------------

I will include the full debug at the end of this message.

Our M$Windows Server and Active Directory environment is not using
Kerberos...so the message indicating that kinit needs to be performed
is mis-leading...kinit is not needed when connecting to the M$Windows
server successfully, and the NetApp filer should work the same way.

I had the NetApp sys-admin turn on some debugging flags on the NetApp
server side, and here is what he saw:
#---------------------------------------------------------------
[a_netapp_filer: auth.trace.spnegoAuthentication.statusMsg:info]:
AUTH: SPNEGO- Could not unpack NT  LMSSP Authenticate token..
#---------------------------------------------------------------

It appears to me that Samba/NetApp are disagreeing about how NTLMSSP
tokens are supposed to be created/parsed.  Is there a standard that
Samba/NetApp isn't following, or are they both just
reverse-engineering the MS NTLMSSP protocol differently?

We have been trying to get NetApp support to tell us how to get a
Samba->NetApp connection working, and they have given us a few generic
suggestions (using NTLMV2, etc), but they are reluctant to roll up
their sleeves and become Samba experts.  So could someone who is a
Samba expert give me some pointers?  Thanks in advance....here is the
full (censored) debug (-d 10) of my 'smbclient' connection attempt:

smbclient -U john_doe -W here.ad.mycompany.com -d 10 -I 10.1.19.234
//a_mswin_server/Image password_xyz -c quit
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter encrypt passwords = true
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter invalid users = root
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter socket options = TCP_NODELAY
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_STANDALONE
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=10.1.2.102 bcast=10.1.15.255 nmask=255.255.240.0
Netbios name list:-
my_netbios_names[0]="GTX2"
Client started (version 3.0.28a).
Connecting to 10.17.21.61 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 16384
socket option SO_RCVBUF = 87380
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
 session request ok
write_socket(4,194)
write_socket(4,194) wrote 194
got smb length of 164
size=164
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=152
smb_flg2=32769
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    9 (0x9)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=  129 (0x81)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=46592 (0xB600)
smb_vwv[ 8]=56249 (0xDBB9)
smb_vwv[ 9]=64889 (0xFD79)
smb_vwv[10]=  211 (0xD3)
smb_vwv[11]=65152 (0xFE80)
smb_vwv[12]= 7269 (0x1C65)
smb_vwv[13]=45246 (0xB0BE)
smb_vwv[14]=51470 (0xC90E)
smb_vwv[15]=50177 (0xC401)
smb_vwv[16]=  255 (0xFF)
smb_bcc=95
[000] 15 00 00 00 65 DB 76 6A  22 88 50 52 8B 4A B0 46  ....e.vj ".PR.J.F
[010] 60 4D 06 06 2B 06 01 05  05 02 A0 43 30 41 A0 19  `M..+... ...C0A..
[020] 30 17 06 09 2A 86 48 82  F7 12 01 02 02 06 0A 2B  0...*.H. .......+
[030] 06 01 04 01 82 37 02 02  0A A3 24 30 22 A0 20 1B  .....7.. ..$0". .
[040] 1E 73 70 72 6E 65 74 61  70 70 30 32 24 40 45 55
.a_netapp_filer at here.ad.mycompany.com
[050] 2E 41 44 2E 53 45 41 47  41 54 45 2E 43 4F 4D     (censored)
size=164
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=152
smb_flg2=32769
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    9 (0x9)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=  129 (0x81)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=46592 (0xB600)
smb_vwv[ 8]=56249 (0xDBB9)
smb_vwv[ 9]=64889 (0xFD79)
smb_vwv[10]=  211 (0xD3)
smb_vwv[11]=65152 (0xFE80)
smb_vwv[12]= 7269 (0x1C65)
smb_vwv[13]=45246 (0xB0BE)
smb_vwv[14]=51470 (0xC90E)
smb_vwv[15]=50177 (0xC401)
smb_vwv[16]=  255 (0xFF)
smb_bcc=95
[000] 15 00 00 00 65 DB 76 6A  22 88 50 52 8B 4A B0 46  ....e.vj ".PR.J.F
[010] 60 4D 06 06 2B 06 01 05  05 02 A0 43 30 41 A0 19  `M..+... ...C0A..
[020] 30 17 06 09 2A 86 48 82  F7 12 01 02 02 06 0A 2B  0...*.H. .......+
[030] 06 01 04 01 82 37 02 02  0A A3 24 30 22 A0 20 1B  .....7.. ..$0". .
[040] 1E 73 70 72 6E 65 74 61  70 70 30 32 24 40 45 55
.a_netapp_filer at here.ad.mycompany.com
[050] 2E 41 44 2E 53 45 41 47  41 54 45 2E 43 4F 4D     (censored)
Doing spnego session setup (blob length=95)
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=a_netapp_filer at here.ad.mycompany.com
write_socket(4,172)
write_socket(4,172) wrote 172
got smb length of 536
size=536
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=152
smb_flg2=51207
smb_tid=0
smb_pid=31707
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]=  255 (0xFF)
smb_vwv[ 1]=    0 (0x0)
smb_vwv[ 2]=    0 (0x0)
smb_vwv[ 3]=  419 (0x1A3)
smb_bcc=493
[000] A1 82 01 9F 30 82 01 9B  A0 03 0A 01 01 A1 0C 06  ....0... ........
[010] 0A 2B 06 01 04 01 82 37  02 02 0A A2 81 C1 04 81  .+.....7 ........
[020] BE 4E 54 4C 4D 53 53 50  00 02 00 00 00 04 00 04  .NTLMSSP ........
[030] 00 30 00 00 00 05 82 89  60 B2 AA 05 44 5A 0B 2C  .0...... `...DZ.,
[040] 07 00 00 00 00 00 00 00  00 8A 00 8A 00 34 00 00  ........ .....4..
(domain and server name censored)
[0E0] 81 C1 04 81 BE 4E 54 4C  4D 53 53 50 00 02 00 00  .....NTL MSSP....
[0F0] 00 04 00 04 00 30 00 00  00 05 82 89 60 B2 AA 05  .....0.. ....`...
[100] 44 5A 0B 2C 07 00 00 00  00 00 00 00 00 8A 00 8A  DZ.,.... ........
(domain and server name censored)
[1A0] 00 00 00 57 00 69 00 6E  00 64 00 6F 00 77 00 73  ...W.i.n .d.o.w.s
[1B0] 00 20 00 35 00 2E 00 30  00 00 00 57 00 69 00 6E  . .5...0 ...W.i.n
[1C0] 00 64 00 6F 00 77 00 73  00 20 00 32 00 30 00 30  .d.o.w.s . .2.0.0
[1D0] 00 30 00 20 00 4C 00 41  00 4E 00 20 00 4D 00 61  .0. .L.A .N. .M.a
[1E0] 00 6E 00 61 00 67 00 65  00 72 00 00 00           .n.a.g.e .r...
size=536
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=152
smb_flg2=51207
smb_tid=0
smb_pid=31707
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]=  255 (0xFF)
smb_vwv[ 1]=    0 (0x0)
smb_vwv[ 2]=    0 (0x0)
smb_vwv[ 3]=  419 (0x1A3)
smb_bcc=493
[000] A1 82 01 9F 30 82 01 9B  A0 03 0A 01 01 A1 0C 06  ....0... ........
[010] 0A 2B 06 01 04 01 82 37  02 02 0A A2 81 C1 04 81  .+.....7 ........
[020] BE 4E 54 4C 4D 53 53 50  00 02 00 00 00 04 00 04  .NTLMSSP ........
[030] 00 30 00 00 00 05 82 89  60 B2 AA 05 44 5A 0B 2C  .0...... `...DZ.,
[040] 07 00 00 00 00 00 00 00  00 8A 00 8A 00 34 00 00  ........ .....4..
(domain and server name censored)
[0E0] 81 C1 04 81 BE 4E 54 4C  4D 53 53 50 00 02 00 00  .....NTL MSSP....
[0F0] 00 04 00 04 00 30 00 00  00 05 82 89 60 B2 AA 05  .....0.. ....`...
[100] 44 5A 0B 2C 07 00 00 00  00 00 00 00 00 8A 00 8A  DZ.,.... ........
(domain and server name censored)
[1A0] 00 00 00 57 00 69 00 6E  00 64 00 6F 00 77 00 73  ...W.i.n .d.o.w.s
[1B0] 00 20 00 35 00 2E 00 30  00 00 00 57 00 69 00 6E  . .5...0 ...W.i.n
[1C0] 00 64 00 6F 00 77 00 73  00 20 00 32 00 30 00 30  .d.o.w.s . .2.0.0
[1D0] 00 30 00 20 00 4C 00 41  00 4E 00 20 00 4D 00 61  .0. .L.A .N. .M.a
[1E0] 00 6E 00 61 00 67 00 65  00 72 00 00 00           .n.a.g.e .r...
Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] 92 6D 8B B1 88 20 A8 DE                           .m... ..
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
write_socket(4,274)
write_socket(4,274) wrote 274
got smb length of 35
size=35
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=49153
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=49153
smb_tid=0
smb_pid=31707
smb_uid=0
smb_mid=3
smt_wct=0
smb_bcc=0
spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: Invalid parameter
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?

More information about the smb-clients mailing list