Bug 1372611
| Summary: | NetAPP SMB servers don't negotiate NTLMSSP_SIGN for SESSION KEY setup | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Toralf <bugzilla> |
| Component: | samba | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.8 | CC: | asn, bugzilla, gdeschner, jarrpa, rhack |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | samba-3.6.23-36.el6_9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-21 10:15:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Toralf
2016-09-02 08:18:20 UTC
Please provide the output of 'testparm -s' and 'smbclient -d10 //server/filesys/' connecting with your user. You might need to specify the username with -U. Also, what Windows Server are you connected to? Which version of Windows?

$ testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
client signing = required
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
$ smbclient -d10 //server/filesys -U toralf.lund -W domain
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_STANDALONE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::3e97:eff:fe26:3a3f%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface wlan0 ip=fe80::6267:20ff:fefd:893c%wlan0 bcast=fe80::ffff:ffff:ffff:ffff%wlan0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.30.40.167 bcast=10.30.47.255 netmask=255.255.240.0
Netbios name list:-
my_netbios_names[0]="OSL-71465"
Client started (version 3.6.23-36.el6_8).
Enter toralf.lund's password:
Opening cache file at /var/lib/samba/gencache.tdb
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up server#20 (sitename (null))
no entry for server#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name server<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name server<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for server#20: 10.30.16.231
Adding cache entry with key = NBT/SERVER#20 and timeout = Tue Sep 6 16:33:01 2016
(660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.30.16.231:0
Running timed event "tevent_req_timedout" 0x7f1d7820ea20
Connecting to 10.30.16.231 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
session request ok
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=101)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=oslna20b$@DOMAIN
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x000f (15)
DomainNameMaxLen : 0x000f (15)
DomainName : *
DomainName : 'DOMAIN'
WorkstationLen : 0x0009 (9)
WorkstationMaxLen : 0x0009 (9)
Workstation : *
Workstation : 'OSL-71465'
Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
Got NTLMSSP neg_flags=0x00000010
NTLMSSP_NEGOTIATE_SIGN
neg_flags[0x60088205]
Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
lang_tdb_init: /usr/lib64/samba/en_GB.utf8.msg: No such file or directory
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
I'll have to get back to you later on the Windows version etc., as this is not information that's generally available. We're just provided with server and share names that we may connect to.

You have set 'client signing = required', but the server doesn't provide signing support for normal SMB connections. I do not see a bug here. Does it work if you remove 'client signing = required'?

I didn't notice that in the testparm output. I haven't really set the option, though, unless I'm missing something obvious. I can't find any mention of "client signing" in my original /etc/samba/smb.conf, and if I add the line client signing = disabled under [global], 'testparm -s' still says "client signing = required". I'll attach my current smb.conf...

Created attachment 1199075 [details]
SAMBA config

Is your Windows server patched and does it include the BADLOCK patches? Which version of Windows do you run? Which SMB server are you connecting to?

I've registered a ticket with our IT support department where I ask for this information, but haven't got an answer yet. Do you know of any other way I can find the data? I don't have login access to the server in question...

The response from the support people: Hi Toralf, The server is a Netapp running Ontap 8.2.4.

Your NetAPP server doesn't support signing. You have to turn it on. smbclient requests signing and the server removes the flag. It correctly detects that it has been removed! See: https://www.samba.org/samba/security/CVE-2016-2110.html and https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-0C291FD0-68D3-4DAE-A493-9958EA4C70DC.html

I don't really agree with that. As far as I know, I didn't tell the software to request signing, and it shouldn't force it on me. Also, a man-in-the-middle attack is very unlikely, as I'm on an access controlled network behind a strong firewall. A change like this really makes it hard to use Samba, and Linux, in real life, where you don't just connect to your little hobby servers which you have total control over yourself, but the resources you need to access are managed by someone else entirely, and you have little or no influence on how they are configured. Remember that I also tried connecting with "client signing = disabled" - see Comment 8.

As Alexander already stated in another bug and which also applies here: According to [MS-NLMP] specification, 2.2.2.5, "D (1 bit): If set, requests session key negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE." As we can see, the client asked for NTLMSSP_NEGOTIATE_SIGN but the server did not return it. According to MS-NLMP 3.1.5.1.2, when client receives CHALLENGE_MESSAGE from the server, "it MUST determine if the features selected by the server are strong enough for the client authentication policy. If not, the client MUST return an error to the calling application." So I would say Samba smbclient behaves according to the spec here -- it requested signing of the negotiation and server did not follow the request, so the client chose to drop the connection, as required by the MS-NLMP specification.

In order for your server to comply with the specification of [MS-NLMP] it MUST support signing (also known as Message Integrity). The smb.conf states for "client signing": This controls whether the client is allowed or required to use SMB signing. This option has nothing to do with NTLMSSP message integrity. Could you test with RHEL7?

OK, but isn't there a way to tell smbclient NOT to ask for NTLMSSP_NEGOTIATE_SIGN? Also, why does "testparm -s" report client signing = required when smb.conf has client signing = disabled? I'll try to see if there is a machine somewhere that has been upgraded to version 7.

To make it clear again: Samba is not at fault here. It is NetAPP not implementing the protocol correctly. However, I will look into a workaround. I think it is only for establishing the session key, maybe we can relax the requirement here. I need to evaluate that. NOTE: This will be a workaround on the Samba side to work around a bug in the implementation of NetAPP NAS!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0662.html
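
The flag comparison behind the "possible downgrade detected" message in this report, as an added example (not Samba's code and not part of the original thread): it reads the NEGOTIATE and CHALLENGE flag values from the smbclient -d10 lines quoted in the description and reports which requested security flags the server did not echo. Treating only SIGN and SEAL as must-echo flags, and the function names, are assumptions of this example.

```python
import re

# NTLMSSP NegotiateFlags bits ([MS-NLMP] 2.2.2.5), named as in the Samba log.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
KNOWN = sum(FLAGS)
# Assumption of this example: flags the client refuses to lose once requested.
MUST_ECHO = 0x00000010 | 0x00000020  # SIGN, SEAL

# Three lines taken from the smbclient -d10 output in this report.
SAMPLE_LOG = """\
NegotiateFlags : 0x60088215 (1611170325)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
"""

def names(mask):
    """Decode a mask into flag names; bits not in FLAGS are shown as hex."""
    out = [name for bit, name in sorted(FLAGS.items()) if mask & bit]
    unknown = mask & ~KNOWN
    return out + ([hex(unknown)] if unknown else [])

def parse_log(text):
    """Return (client_flags, server_flags) from a debug log, or raise ValueError."""
    sent = re.search(r"NegotiateFlags\s*:\s*0x([0-9a-fA-F]+)", text)
    got = re.search(
        r"Got challenge flags:\s*Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)", text)
    if not sent or not got:
        raise ValueError("log lacks NEGOTIATE or CHALLENGE flags")
    return int(sent.group(1), 16), int(got.group(1), 16)

def dropped_flags(client, server, must_echo=MUST_ECHO):
    """Security flags the client requested that the server did not return."""
    return client & must_echo & ~server

def report(text):
    client, server = parse_log(text)
    missing = dropped_flags(client, server)
    return {"missing": missing, "missing_names": names(missing),
            "downgrade": missing != 0}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Flags the server adds on its own, such as NTLMSSP_NEGOTIATE_TARGET_INFO here, do not count as a downgrade; only requested security flags that disappear do.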