[PATCH] fix connection to Nintendo 3DS
Philippe Daouadi
blastrock0 at free.fr
Fri Jan 13 21:32:24 UTC 2017
On 2017-01-13 17:08, Christof Schmitt wrote:
> On Fri, Jan 13, 2017 at 12:39:39AM +0100, Philippe Daouadi wrote:
>> Hi,
>>
>> As you may (or may not) know, it is possible to open an access to the
>> internal microSD card of a 3DS through its configuration interface. The
>> access is a simple listening smb server over wifi.
>>
>> It works without problem when connecting from a real Windows system, but
>> it always fails when trying to connect through Samba with this message:
>>
>> session setup failed: NT_STATUS_INVALID_NETWORK_RESPONSE
>>
>> I didn't find any solution on the Internet, so I started gdb-ing and
>> wireshark-ing the issue.
>>
>> I managed to make it work, and it seems to come down to the
>> NTLMSSP_NEGOTIATE message that the client sends to the server. When
>> samba sends this message, it is wrapped into GSS-API with SPNEGO (I have
>> no idea what these mean). Windows doesn't do that and just send the
>> naked NTLMSSP packet.
>>
>> I'm attaching a patch that removes the SPNEGO from the authentication
>> chain while keeping the NTLMSSP. I'm pretty sure that this patch breaks
>> stuff (after all, it was made that way for a reason), but I don't have
>> the necessary knowledge of Samba's codebase to make this a configurable
>> option in smb.conf or a command-line switch.
>>
>> I'm leaving the patch here if someone wants to do it, I'm pretty sure
>> that they would make a bunch of linux users with Nintendo 3DSes happy :)
> There is also a config option in recent Samba versions to disable SPENGO
> on the client side:
>
> client use spnego (G)
>
> This variable controls whether Samba clients will try
> to use Simple and Protected NEGOciation (as specified
> by rfc2478) with supporting servers (including
> WindowsXP, Windows2000 and Samba 3.0) to agree upon an
> authentication mechanism. This enables Kerberos
> authentication in particular.
>
> When client NTLMv2 auth is also set to yes extended
> security (SPNEGO) is required in order to use NTLMv2
> only within NTLMSSP. This behavior was introduced with
> the patches for CVE-2016-2111.
>
> Default: client use spnego = yes
>
> Maybe that is all that is required here.
>
> Christof
I tried that, but it seems to disable NTLMSSP as well and falls back to
some more primitive authentication method. From what I can see with
wireshark, it only sends an "ANSI password" and a "unicode password"
field, which contain hashes. The 3DS seems to expect a "security blob"
with a NTLMSSP content. From what I understand, the second paragraph of
your quote explains that this is impossible and intended, though I'm not
sure what "NTLMv2" is.
Philippe
More information about the samba-technical
mailing list