Bug 1327216
Summary: | smbclient to non-windows server broken since BADLOCK fixes
---|---
Product: | Red Hat Enterprise Linux 6
Reporter: | Dennixx <voetelink>
Component: | samba
Assignee: | Andreas Schneider <asn>
Status: | CLOSED NOTABUG
QA Contact: | qe-baseos-daemons
Severity: | urgent
Priority: | urgent
Version: | 6.9
CC: | abokovoy, asn, baumanmo, buckh, carnil, david.sanchez, edgars.jekabsons, gdeschner, jarrpa, magnus.moren, mark, m.a.young, michal.bruncko, redhat-bugzilla, ssn, stefan.zwijsen, stephan.wiesand, tbowling, troels, voetelink
Target Milestone: | rc
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
Last Closed: | 2016-08-08 12:50:23 UTC
Type: | Bug
Bug Blocks: | 1269194
Description
Dennixx
2016-04-14 13:28:33 UTC
I can connect from an updated smbclient to an older samba server, but not to an updated samba server.

session setup failed: NT_STATUS_ACCESS_DENIED

[2016/04/14 15:46:15.862056, 0] rpc_client/cli_netlogon.c:623(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/14 15:46:15.863256, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USER in domain DOMAIN to Domain controller AD.DOMAIN.COM. Error was NT_STATUS_ACCESS_DENIED.

I've seen this as well. However, it's not completely broken. If you are joined to a domain and use kerberos credentials (-k option) instead of user/password, it works. So it appears to be a problem that only occurs with user/password authentication.

Orion: Please do not hijack bugs with unrelated issues! The fix is to start winbind ...

To the reporter: Please provide debug output of the smbclient tool.

smbclient //nas/sharename -W ad -U myusername -d10

However it looks like the smbclient requests signing but the server does not provide it packet integrity.

Created attachment 1147499 [details]
smbclient on RHEL6 debug output
Created attachment 1147500 [details]
smbclient on RHEL7 debug output
Looking at the logs from Dennixx, Samba doesn't do anything wrong. It looks like your Windows Server is configured to not allow signing (NTLMSSP_NEGOTIATE_SIGN - which means checking of packet integrity). The client requests packet integrity to protect against MITM attacks. The Windows server removes the packet integrity flag (NTLMSSP_NEGOTIATE_SIGN), we correctly detect the downgrade and prevent it from continuing.

Ah sorry, this is against: EMC VNX/Celerra or Netapp NAS

I would talk to EMC and Netapp and ask them why they do not support packet integrity to protect against downgrades.

I'll create a ticket at EMC for this (we have no support on our Netapp anymore). Can you confirm that this 'downgrade check' is something which has been added/enabled in only the latest releases (due to those BADLOCK 'fixes'?)

Hi, Noticed the same issue on RHEL7 when going to a NAS share, after upgrading from samba-client v4.2.3 to v4.2.10 (the BadLock fix). smbclient connection succeeds, directory listing succeeds, but changing directory gives this error:

ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_SIGN
SPNEGO(ntlmssp) login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

I understand from Andreas this is due to the packet integrity flag. But this problem didn't occur before the samba BadLock fix was installed. Looks like this is "functionality" that was added in the fix? I would suppose it all keeps working like it was in v4.2.3 without having to look into the NAS packet integrity support all at once, just to solve the BadLock bug.

The problem you see is the fix for https://www.samba.org/samba/security/CVE-2016-2110.html

To state it better, the security fix for CVE-2016-2110 is now able to detect downgrades. As you can see the NAS implementations have serious bugs smbclient is able to detect now.
So, the only solution to be able to install the new samba rpm's and be able to mount NAS shares is to verify if packet integrity could be supported on NAS? There will be no solution from samba side, since this works as designed?

Other question: is this only with smbclient to NAS share, or also with CIFS mounts?

(In reply to Andreas Schneider from comment #4)
> Orion: Please do not hijack bugs with unrelated issues! The fix is to start
> winbind ...

Apologies, I thought they were related. Starting winbind fixes it.

(In reply to Stefan Zwijsen from comment #13)
> So, the only solution to be able to install the new samba rpm's and be able
> to mount NAS shares is to verify if packet integrity could be supported on
> NAS?
> There will be no solution from samba side, since this works as designed?
>
> Other question: is this only with smbclient to NAS share, or also with CIFS
> mounts?

Using mount.cifs with sec=ntlmssp or sec=ntlmsspi or sec=krb5 or sec=krb5i would work against servers enhanced to prevent Badlock-type of issues, depending on your particular situation. I assume EMC/NetApp would eventually support this too.

I created a case (78705916) at EMC and they did some investigation. I also sent them 2 wireshark traces, one with the updated smbclient (smbclient.nok.pcapng), and one with a downgraded smbclient which functions fine (smbclient.ok.pcapng). Their response is now:

-----
In more detail, the Celerra software functioned equivalently in the traffic of the smbclient.nok.pcapng and smbclient.ok.pcapng network traffic capture file. Although the Celerra software functioned equivalently, the Samba software in the traffic of the smbclient.nok.pcapng network traffic capture file did not reply to the NTLMSSP_CHALLENGE-type Session Setup AndX response packet from the Celerra with a NTLMSSP_AUTH-type Session Setup AndX request.
Instead the Samba client broke the CIFS TCP connection with a TCP FIN segment after the NTLMSSP_CHALLENGE-type Session Setup AndX response packet in the traffic of the smbclient.nok.pcapng network traffic capture file. You must procure support for the Samba software to determine why the Samba software broke the CIFS TCP connection in reply to the NTLMSSP_CHALLENGE-type Session Setup AndX response instead of continuing with the normal CIFS authentication processing of sending a NTLMSSP_AUTH-type Session Setup AndX request.
-----

Sounds like they are blaming samba now, and I'm caught in the middle :-( Any comments?

Can we see the traces? According to your smbclient RHEL7 log, Samba client asked for signed connection but the server side did want to downgrade the connection to unsigned. This is exactly the behavior prevented by Badlock fixes. If secure connection is downgraded to insecure one, a man in the middle attack can be performed against unsigned connection. Samba with fixes against Badlock bug does not support this insecure behavior now.

FYI - For NetApp there is now a KB article for follow up, that can be found here: https://kb.netapp.com/support/index?page=content&id=9010080

(In reply to Alexander Bokovoy from comment #17)
> Can we see the traces?

I sent them via e-mail

Dennis

Thanks to Dennixx, I can see in the traces that NetApp indeed downgrades Negotiate response to unsigned.

smbclient asked as part of Negotiate request:

Negotiate Flags: 0x62088215
0... .... .... .... .... .... .... .... = Negotiate 56: Not set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..1. .... .... .... .... .... .... = Negotiate Version: Set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
.... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
.... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
.... .... .... .0.. .... .... .... .... = Target Type Share: Not set
.... .... .... ..0. .... .... .... .... = Target Type Server: Not set
.... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
.... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
.... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

Note 'Negotiate Sign : Set'.

NetApp responded:

Negotiate Flags: 0x60898201
0... .... .... .... .... .... .... .... = Negotiate 56: Not set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..0. .... .... .... .... .... .... = Negotiate Version: Not set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
.... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
.... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
.... .... .... .0.. .... .... .... .... = Target Type Share: Not set
.... .... .... ..0. .... .... .... .... = Target Type Server: Not set
.... .... .... ...1 .... .... .... .... = Target Type Domain: Set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
.... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
.... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .0.. = Request Target: Not set
.... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

Note 'Negotiate sign: Not set'.

According to MS-NLMP specification, 2.2.2.5, "D (1 bit): If set, requests session key negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE."

As we can see, the client asked for NTLMSSP_NEGOTIATE_SIGN but the server did not return it.

According to MS-NLMP 3.1.5.1.2, when client receives CHALLENGE_MESSAGE from the server, "it MUST determine if the features selected by the server are strong enough for the client authentication policy. If not, the client MUST return an error to the calling application."

So I would say Samba smbclient behaves according to the spec here -- it requested signing of the negotiation and server did not follow the request, so the client chose to drop the connection, as required by the MS-NLMP spec.

Thanks Alexander, I've sent your findings to EMC support and await their response.

note: the traces were taken against an EMC VNX (Celerra), not a Netapp.

Correction: it is EMC, not NetApp (what I was thinking about...), sorry.

Native OS: EMC-SNAS:T8.1.8.12

I received the following from EMC support:

-----
There is no fix as of now for the vulnerability but enabling that param should restore access after the SAMBA server has been upgraded per SAMBA resolution for the vulnerability. This basically fixes the signing issue when signing is not mandatory (prior it would not respond correctly).

To add the param follow the below procedure:

param NTsec.ntlmsspFlags force=0x10

Add or modify a server parameter for a single Data Mover

Steps to add or modify a server parameter for a single Data Mover are:

1. Log in to the Control Station.
2. Go to the directory that contains the server parameter file for the Data Mover by using this command syntax:
   $ cd /nas/server/slot_<x>
   where:
   <x> = slot number for the Data Mover
   Example: To go to the directory that contains the parameter file for server_2, type:
   $ cd /nas/server/slot_2
3. Open the param file by using a text editor, such as vi.
4. Add a parameter by appending the following line to the file:
   param <facility> <parameter>=<value>
   where:
   <facility> = name of the facility (case-sensitive) to which the parameter applies
   <parameter> = name of the server parameter (case-sensitive) to set
   <value> = value for the parameter
   Or to modify a parameter, locate the entry for the parameter and replace the current value with the new value.
   Example: To set the cifs facility gpo parameter to 1, add or modify the following line in the param file:
   param cifs gpo=1
5. Save your changes and close the param file.
6. Confirm the parameter entry in the file, by typing:
   $ more param
   The contents of the param file appear.
7. If the parameter change does not take effect until the Data Mover is rebooted, use the procedure Reboot a Data Mover below:

Reboot a Data Mover

1. From Unisphere, select System > Data Movers.
2. Select the Data Mover, and click Reboot.
3. Click OK to send a reboot message to the selected Data Movers. While the reboot is in progress, refreshing Data Movers shows the rebooting Data Mover in various states as they appear in the Status column.
-----

I haven't been able to test this yet.

I've applied the workaround from my previous comment on our EMC, and it seems to solve the issue. I can connect with both the patched and the unpatched smbclient just fine now. Also I haven't received any indications of issues with other clients (Windows systems for example).

Hi, After applying the workaround, it worked for RH6 but RH7 continues failing.
RH6 versions working OK:
samba-client-3.6.23-30.el6_8.x86_64 OK
samba-client-3.6.23-35.el6_8.x86_64 OK

RH7 versions:
samba-client-4.2.3-12.el7_2.x86_64 OK
samba-client-4.2.10-6.el7_2.x86_64 FAILS

Debug output:

smbclient -W adm.ehu.es -L gorde.ehu.es -U lgsfeacd -d 10
INFO: Current debug levels:
  all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens192 ip=158.227.1.8 bcast=158.227.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="HORDEPRU"
Client started (version 4.2.10).
Enter lgsfeacd's password:
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up gorde.ehu.es#20 (sitename (null))
name gorde.ehu.es#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.60.12 at port 445
Socket options:
  SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 367360 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=85)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=n1discopaspdi$@ADM.EHU.ES
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
  Signature : 'NTLMSSP'
  MessageType : NtLmNegotiate (1)
  NegotiateFlags : 0x62088215 (1644724757)
    1: NTLMSSP_NEGOTIATE_UNICODE
    0: NTLMSSP_NEGOTIATE_OEM
    1: NTLMSSP_REQUEST_TARGET
    1: NTLMSSP_NEGOTIATE_SIGN
    0: NTLMSSP_NEGOTIATE_SEAL
    0: NTLMSSP_NEGOTIATE_DATAGRAM
    0: NTLMSSP_NEGOTIATE_LM_KEY
    0: NTLMSSP_NEGOTIATE_NETWARE
    1: NTLMSSP_NEGOTIATE_NTLM
    0: NTLMSSP_NEGOTIATE_NT_ONLY
    0: NTLMSSP_ANONYMOUS
    0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
    0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
    0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
    1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    0: NTLMSSP_TARGET_TYPE_DOMAIN
    0: NTLMSSP_TARGET_TYPE_SERVER
    0: NTLMSSP_TARGET_TYPE_SHARE
    1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    0: NTLMSSP_NEGOTIATE_IDENTIFY
    0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
    0: NTLMSSP_NEGOTIATE_TARGET_INFO
    1: NTLMSSP_NEGOTIATE_VERSION
    1: NTLMSSP_NEGOTIATE_128
    1: NTLMSSP_NEGOTIATE_KEY_EXCH
    0: NTLMSSP_NEGOTIATE_56
  DomainNameLen : 0x0000 (0)
  DomainNameMaxLen : 0x0000 (0)
  DomainName : *
    DomainName : ''
  WorkstationLen : 0x0000 (0)
  WorkstationMaxLen : 0x0000 (0)
  Workstation : *
    Workstation : ''
  Version: struct ntlmssp_VERSION
    ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
    ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
    ProductBuild : 0x0000 (0)
    Reserved: ARRAY(3)
      [0] : 0x00 (0)
      [1] : 0x00 (0)
      [2] : 0x00 (0)
    NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898211
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
BAD SIG NTLM2: wanted signature of
[0000] 01 00 00 00 84 28 CB 93 07 B3 4D 85 00 00 00 00 .....(.. ..M.....
BAD SIG: got signature of
[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 06 00 06 00 NTLMSSP. ........
[0010] 30 00 00 00 11 82 89 60 E7 47 B8 0A B0 E7 60 22 0......` .G....`"
[0020] 00 00 00 00 00 00 00 00 78 00 78 00 36 00 00 00 ........ x.x.6...
[0030] 41 00 44 00 4D 00 02 00 06 00 41 00 44 00 4D 00 A.D.M... ..A.D.M.
[0040] 01 00 1A 00 4E 00 31 00 44 00 49 00 53 00 43 00 ....N.1. D.I.S.C.
[0050] 4F 00 50 00 41 00 53 00 50 00 44 00 49 00 04 00 O.P.A.S. P.D.I...
[0060] 14 00 61 00 64 00 6D 00 2E 00 65 00 68 00 75 00 ..a.d.m. ..e.h.u.
[0070] 2E 00 65 00 73 00 03 00 30 00 6E 00 31 00 64 00 ..e.s... 0.n.1.d.
[0080] 69 00 73 00 63 00 6F 00 70 00 61 00 73 00 70 00 i.s.c.o. p.a.s.p.
[0090] 64 00 69 00 2E 00 61 00 64 00 6D 00 2E 00 65 00 d.i...a. d.m...e.
[00A0] 68 00 75 00 2E 00 65 00 73 00 00 00 00 00 h.u...e. s.....
NTLMSSP NTLM2 packet check failed due to invalid signature!
GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_ACCESS_DENIED
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

A zstream update for RHEL7 to fix several regressions will be released soon.

Created attachment 1160026 [details]
maybe bogus patch to get DFS referral-chasing to work

Here's a patch that restored smbclient for me (chasing a DFS referral from a Windows domain DFS server to a NetApp filer). I just have no idea if it just completely compromises the security added by the downgrade-attack mitigations that broke smbclient for me.

What the rationale in the patch is is that if the client "wants" session-keying, then, sure, request signing, but don't require it unless the client actually "wants" signing itself and not just as a prereq for the "wanted" session-keying.

Maybe that's just completely wrong, but I blame the mishmash of complementary and conflicting options in the protocol layers' negotiation stages for giving me an excuse to be lazy and just throw this out there and hope somebody else figures out if it's not completely wrong and maybe try to do something with it.

I would maybe alternately do that on samba-technical, but the code I spent any time looking at, for RHEL 5 (samba3x package), is probably old enough to be beneath their contempt and not something that they are likely to want to think about the finer points of.
(In reply to myself from comment #30)

looking at this commit to samba's (v4-2-stable) git:

https://git.samba.org/?p=samba.git;a=commit;h=abbb1ab296b6f891bd73ea95ddab02da0b7ec79b

the commitdiff seems to also reduce the requirement for signing to a negotiable feature when session keying is requested, so ... maybe my submitted patch isn't totally off the wall

Looks like this issue is fixed for RHEL 7 via bz1333794 as described in errata notes https://access.redhat.com/errata/RHBA-2016:1257. Not sure yet about RHEL 6.

Closing as this is a bug in the vendors' NAS implementation.
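
The downgrade check discussed in this thread, as an added example (not part of the bug report and not Samba's code): it pulls the NEGOTIATE and CHALLENGE flag words out of `smbclient -d 10` output and applies the MS-NLMP 2.2.2.5 rule quoted in the thread. The log excerpts are constructed from values quoted in the thread; the `MUST_ECHO` policy mask and all function names are assumptions of this example.

```python
"""NTLMSSP flag-downgrade check over smbclient debug output (added example)."""
import re

# Flag bits in ascending order, named as in the smbclient -d 10 output in this thread.
_NAMES = (
    (0x00000001, "NTLMSSP_NEGOTIATE_UNICODE"),
    (0x00000002, "NTLMSSP_NEGOTIATE_OEM"),
    (0x00000004, "NTLMSSP_REQUEST_TARGET"),
    (0x00000010, "NTLMSSP_NEGOTIATE_SIGN"),
    (0x00000020, "NTLMSSP_NEGOTIATE_SEAL"),
    (0x00000040, "NTLMSSP_NEGOTIATE_DATAGRAM"),
    (0x00000080, "NTLMSSP_NEGOTIATE_LM_KEY"),
    (0x00000200, "NTLMSSP_NEGOTIATE_NTLM"),
    (0x00000800, "NTLMSSP_ANONYMOUS"),
    (0x00008000, "NTLMSSP_NEGOTIATE_ALWAYS_SIGN"),
    (0x00010000, "NTLMSSP_TARGET_TYPE_DOMAIN"),
    (0x00020000, "NTLMSSP_TARGET_TYPE_SERVER"),
    (0x00080000, "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"),
    (0x00800000, "NTLMSSP_NEGOTIATE_TARGET_INFO"),
    (0x02000000, "NTLMSSP_NEGOTIATE_VERSION"),
    (0x20000000, "NTLMSSP_NEGOTIATE_128"),
    (0x40000000, "NTLMSSP_NEGOTIATE_KEY_EXCH"),
    (0x80000000, "NTLMSSP_NEGOTIATE_56"),
)
_KNOWN = sum(bit for bit, _ in _NAMES)

SIGN = 0x00000010
SEAL = 0x00000020
# Assumption of this example: flags the server MUST return when the client sent
# them. SIGN is the rule quoted in the thread (MS-NLMP 2.2.2.5); SEAL carries the
# same MUST in that section. This is not Samba's actual required-flag set.
MUST_ECHO = SIGN | SEAL


def flag_names(value):
    """Names of the set bits, lowest bit first; unnamed bits are kept as hex."""
    names = [name for bit, name in _NAMES if value & bit]
    rest = value & ~_KNOWN & 0xFFFFFFFF
    if rest:
        names.append("0x%08x" % rest)
    return names


def missing_flags(requested, challenge, must_echo=MUST_ECHO):
    """Bits the client asked for, that must be echoed, and that the server dropped."""
    return requested & must_echo & ~challenge


_REQ_RE = re.compile(r"NegotiateFlags\s*:\s*0x([0-9A-Fa-f]{8})")
# Both spellings seen in the thread: "flags[0x...]" and "flags:\nGot NTLMSSP neg_flags=0x..."
_CHAL_RE = re.compile(
    r"Got challenge flags(?:\[0x([0-9A-Fa-f]{8})\]"
    r"|:\s*Got NTLMSSP neg_flags=0x([0-9A-Fa-f]{8}))"
)


def check_log(text, requested=None):
    """Compare NEGOTIATE and CHALLENGE flags found in smbclient debug output.

    `requested` is a fallback for excerpts that lack the NEGOTIATE_MESSAGE dump.
    """
    req = _REQ_RE.search(text)
    if req:
        requested = int(req.group(1), 16)
    chal = _CHAL_RE.search(text)
    if requested is None or chal is None:
        raise ValueError("log lacks NEGOTIATE and/or CHALLENGE flags")
    challenge = int(chal.group(1) or chal.group(2), 16)
    missing = missing_flags(requested, challenge)
    return {
        "requested": requested,
        "challenge": challenge,
        # Everything the server left out; most of it is harmless.
        "dropped": flag_names(requested & ~challenge),
        # The subset that violates the MUST-echo rule.
        "missing": flag_names(missing),
        "downgrade": missing != 0,
    }


# Constructed excerpts, assembled from flag values quoted in the thread.
LOG_BEFORE_WORKAROUND = """\
    NegotiateFlags : 0x62088215 (1644724757)
ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010]
"""
LOG_AFTER_WORKAROUND = """\
    NegotiateFlags : 0x62088215 (1644724757)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898211
"""

if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE_WORKAROUND), ("after", LOG_AFTER_WORKAROUND)):
        result = check_log(log)
        print(label, "downgrade" if result["downgrade"] else "ok",
              "missing:", result["missing"], "dropped:", result["dropped"])
```

The "dropped" list shows why a plain flag comparison is not enough: the server also leaves out NTLMSSP_NEGOTIATE_VERSION in both cases, but only the absence of NTLMSSP_NEGOTIATE_SIGN counts as a downgrade.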