[PATCH] fix connection to Nintendo 3DS
Christof Schmitt
cs at samba.org
Fri Jan 13 16:08:39 UTC 2017
On Fri, Jan 13, 2017 at 12:39:39AM +0100, Philippe Daouadi wrote:
> Hi,
>
> As you may (or may not) know, it is possible to open an access to the
> internal microSD card of a 3DS through its configuration interface. The
> access is a simple listening smb server over wifi.
>
> It works without problem when connecting from a real Windows system, but
> it always fails when trying to connect through Samba with this message:
>
> session setup failed: NT_STATUS_INVALID_NETWORK_RESPONSE
>
> I didn't find any solution on the Internet, so I started gdb-ing and
> wireshark-ing the issue.
>
> I managed to make it work, and it seems to come down to the
> NTLMSSP_NEGOTIATE message that the client sends to the server. When
> samba sends this message, it is wrapped into GSS-API with SPNEGO (I have
> no idea what these mean). Windows doesn't do that and just send the
> naked NTLMSSP packet.
>
> I'm attaching a patch that removes the SPNEGO from the authentication
> chain while keeping the NTLMSSP. I'm pretty sure that this patch breaks
> stuff (after all, it was made that way for a reason), but I don't have
> the necessary knowledge of Samba's codebase to make this a configurable
> option in smb.conf or a command-line switch.
>
> I'm leaving the patch here if someone wants to do it, I'm pretty sure
> that they would make a bunch of linux users with Nintendo 3DSes happy :)
There is also a config option in recent Samba versions to disable SPENGO
on the client side:
client use spnego (G)
This variable controls whether Samba clients will try
to use Simple and Protected NEGOciation (as specified
by rfc2478) with supporting servers (including
WindowsXP, Windows2000 and Samba 3.0) to agree upon an
authentication mechanism. This enables Kerberos
authentication in particular.
When client NTLMv2 auth is also set to yes extended
security (SPNEGO) is required in order to use NTLMv2
only within NTLMSSP. This behavior was introduced with
the patches for CVE-2016-2111.
Default: client use spnego = yes
Maybe that is all that is required here.
Christof
More information about the samba-technical
mailing list