Samba smbclient to NetApp (Data ONTAP) Filer SPNEGO/NTLMSSP token negotiation problem

R.C Dagevos rdagevos at xs4all.nl
Wed Sep 10 13:55:55 GMT 2008 

Allthough I don't use Nettap I just can't help it to say that this truly
is one of the best write-up stories I've heard and to be recognisable in
the past few years :-)

Thnx there Fred!


> Hello,
>
> I am posting an answer to a question I asked of this list several days
> ago.  I am trying to include enough keywords describing my problem in
> the hopes that anyone having the same problem will find this and save
> themselves weeks of debugging effort.
>
> I am using linux samba smbclient and/or linux-cifs mount.cifs to
> connect to a NetApp filer.  AFAIK my problems have nothing to do with
> Samba version (within the 3.X series) or NetApp filer version (within
> the 7.X series).
>
> Our network uses Microsoft Active Directory for authentication.  For
> the purposes of the examples below, my AD username is my_username, my
> AD domain is my_domain.my_company.com.  The server 'the_server'
> happened to be in some other domain 'other_domain', but that appears
> to be irrelevent.
>
> When I try a simple 'smbclient' command:
>
> smbclient -U my_domain.my_company.com/my_username%mypassword
> //the_server/some_share
>
> I get an error message:
>
> session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
> did you forget to run kinit?
>
> If I increase the debugging level of smbclient (-d 10), I get some
> other interesting messages towards the end:
>
> spnego_parse_auth_response failed at 1
> Failed to parse auth response
> SPNEGO login failed: Invalid parameter
>
>
> At this point, any sane person would run off investigating kerberos
> authentication and SPNEGO, then start fiddling with NTLMv2 vs NTLMv1
> and SMB signed versus unsigned authentication tokens.  Also, this
> person would try all possible combinations of command line options to
> smbclient, trying to explicitly specify IP addresses and different
> workgroups/domains, combinations of upper/lower case spellings and
> perhaps dig into strange character sets.
>
> Also, there would be some MicroSoft fileserver nearby, and smbclient
> would work with it JUST FINE(!!!) with nearly all permutations of
> smbclient commands.
>
> Next, you would contact NetApp support.  They would claim CIFS
> compliance and tell you to use a CIFS client.  So, you research
> linux-cifs and the mount.cifs command.  linux-cifs is integrated into
> the linux kernel, but its codebase and capabilities aren't really
> different from Samba...they are effectively siblings....debugging
> mount.cifs is just a lot harder.
>
> Next, you might get your local NetApp filer admin to turn on debugging
> on the server.  The server admin would tell you they were seeing
> messages like this:
>
> auth.trace.spnegoAuthentication.statusMsg:info]: AUTH: SPNEGO- Could
> not unpack NTLMSSP Authenticate token
>
> The fact that NTLMSSP authentication tokens weren't being parsed
> properly would lead you to believe that there must be something wrong
> with how Samba<->NetApp perceive certain authentication mechanisms
> should be implemented.  Obviously either Samba or NetApp isn't
> following some (undocumented) standard.
>
> Here you will remain for the next few weeks, pouring over network
> traces pulling out your hair and cursing anyone with the word
> 'support' in their job title for their ineptitude.
>
> Alas, you may be lucky enough to try running smbclient this way:
>
> smbclient -U my_domain/my_username%mypassword //the_server/some_share
>
> The mere removal of my_company.com from the 'domain' specification
> will cause NetApp to cooperate at all levels.  Even mount.cifs will
> work just fine.
>
> Apparently, the NetApp filer doesn't like the 'extended' full domain
> my_domain.my_company.com, and will only parse the short my_domain
> properly.  This is OK, but during the debugging process where you
> tried to connect to a Microsoft fileserver and
> my_domain.my_company.com worked just fine, you believed that NetApp
> should accept the extended domain too.
>
> Also, you may have been lucky enough to have someone in support to
> point you to NetApp's bugs 50610 and 57032:
> http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=50610
> http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=57032
>
> Of course, you need a now.netapp.com account to see those bugs, and
> unless you have one because you bought some NetApp products or someone
> lent you their account, you cannot see that.  Those bug reports apply
> to the MSWindows 'net use' command, and unless you were really smart
> (I am not), you wouldn't realize exactly how they applied to the Linux
> SAMBA smbclient command.  (And, NetApp support would not have found
> this bug easily either, because it is filed under Microsoft
> networking, and you are using Linux Samba).
>
> So, I hope that this post is found by people who need it out on the
> internet, and the world becomes a better place.
>

More information about the smb-clients mailing list