Bug 1327216 - smbclient to non-windows server broken since BADLOCK fixes
Summary: smbclient to non-windows server broken since BADLOCK fixes
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1269194
Reported: 2016-04-14 13:28 UTC by Dennixx
Modified: 2021-06-10 11:16 UTC (History)
CC: 20 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-08 12:50:23 UTC
Target Upstream Version:
Embargoed:


Attachments
smbclient on RHEL6 debug output (6.40 KB, text/plain) - 2016-04-15 08:30 UTC, Dennixx
smbclient on RHEL7 debug output (7.01 KB, text/plain) - 2016-04-15 08:30 UTC, Dennixx
maybe bogus patch to get DFS referral-chasing to work (945 bytes, patch) - 2016-05-20 18:15 UTC, Buck Huppmann

Description Dennixx 2016-04-14 13:28:33 UTC
Description of problem:
Since the BADLOCK updates for the samba packages I cannot run smbclient against non-Windows systems (e.g. EMC VNX/Celerra or NetApp NAS devices). When I connect to a Windows server (2003, 2008R2 or 2012R2) it runs fine.

Version-Release number of selected component (if applicable):


How reproducible:
All samba versions for RHEL versions 5, 6 and 7 seem to suffer.

Steps to Reproduce:

Actual results:
RHEL 5/6:
--------
% smbclient //nas/sharename -W ad -U myusername
Enter myusername's password: 
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898201] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
--------
RHEL 7:
% smbclient //nas/sharename -W ad -U myusername
Enter myusername's password: 
ntlmssp_handle_neg_flags: Got challenge flags[0x60898201] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_SIGN
SPNEGO(ntlmssp) login failed: NT code 0x80090302
session setup failed: NT code 0x80090302
--------

Expected results:
Until yesterday I could connect without any problems.


Additional info:
The 'allow dcerpc auth level connect' option in smb.conf doesn't seem to have any effect in smbclient.
Downgrading the samba packages seems to fix it for now, but obviously isn't a permanent solution.

Comment 2 Orion Poplawski 2016-04-14 21:55:20 UTC
I can connect from an updated smbclient to an older samba server, but not to an updated samba server.

session setup failed: NT_STATUS_ACCESS_DENIED

[2016/04/14 15:46:15.862056,  0] rpc_client/cli_netlogon.c:623(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/14 15:46:15.863256,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USER in domain DOMAIN to Domain controller AD.DOMAIN.COM. Error was NT_STATUS_ACCESS_DENIED.

Comment 3 Sketch 2016-04-14 23:14:46 UTC
I've seen this as well.  However, it's not completely broken.  If you are joined to a domain and use kerberos credentials (-k option) instead of user/password, it works.  So it appears to be a problem that only occurs with user/password authentication.

Comment 4 Andreas Schneider 2016-04-15 08:16:25 UTC
Orion: Please do not hijack bugs with unrelated issues! The fix is to start winbind ...

To the reporter:

Please provide debug output of the smbclient tool.

smbclient //nas/sharename -W ad -U myusername -d10

However, it looks like smbclient requests signing but the server does not provide packet integrity.

Comment 5 Dennixx 2016-04-15 08:30:11 UTC
Created attachment 1147499 [details]
smbclient on RHEL6 debug output

smbclient on RHEL6 debug output

Comment 6 Dennixx 2016-04-15 08:30:41 UTC
Created attachment 1147500 [details]
smbclient on RHEL7 debug output

smbclient on RHEL7 debug output

Comment 7 Andreas Schneider 2016-04-15 10:09:40 UTC
Looking at the logs from Dennixx, Samba doesn't do anything wrong. It looks like your Windows Server is configured to not allow signing (NTLMSSP_NEGOTIATE_SIGN - which means checking of packet integrity). The client requests packet integrity to protect against MITM attacks. The Windows server removes the packet integrity flag (NTLMSSP_NEGOTIATE_SIGN), we correctly detect the downgrade and prevent it from continuing.

Comment 8 Andreas Schneider 2016-04-15 10:20:39 UTC
Ah sorry, this is against: EMC VNX/Celerra or Netapp NAS

I would talk to EMC and NetApp and ask them why they do not support packet integrity to protect against downgrades.

Comment 9 Dennixx 2016-04-15 11:03:12 UTC
I'll create a ticket at EMC for this (we have no support on our Netapp anymore).

Can you confirm that this 'downgrade check' is something which has been added/enabled in only the latest releases (due to those BADLOCK 'fixes')?

Comment 10 Stefan Zwijsen 2016-04-15 12:34:45 UTC
Hi,

Noticed the same issue on RHEL7 when going to a NAS share, after upgrading from samba-client v4.2.3 to v4.2.10 (the BadLock fix)

smbclient connection succeeds, directory listing succeeds, but changing directory gives this error:

ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_SIGN
SPNEGO(ntlmssp) login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

I understand from Andreas this is due to the packet integrity flag.
But this problem didn't occur before the samba BadLock fix was installed.

Looks like this is "functionality" that was added in the fix?
I would suppose it all keeps working like it was in v4.2.3 without having to look into the NAS packet integrity support all at once, just to solve the BadLock bug.

Comment 11 Andreas Schneider 2016-04-15 13:42:13 UTC
The problem you see is the fix for https://www.samba.org/samba/security/CVE-2016-2110.html

Comment 12 Andreas Schneider 2016-04-15 13:52:10 UTC
To state it better: the security fix for CVE-2016-2110 is now able to detect downgrades. As you can see, the NAS implementations have serious bugs smbclient is able to detect now.

Comment 13 Stefan Zwijsen 2016-04-15 14:20:00 UTC
So, the only solution to be able to install the new samba rpm's and be able to mount NAS shares is to verify if packet integrity could be supported on NAS?
There will be no solution from samba side, since this works as designed?

Other question: is this only with smbclient to NAS share, or also with CIFS mounts?

Comment 14 Orion Poplawski 2016-04-15 16:11:16 UTC
(In reply to Andreas Schneider from comment #4)
> Orion: Please do not hijack bugs with unrelated issues! The fix is to start
> winbind ...

Apologies, I thought they were related.  Starting winbind fixes it.

Comment 15 Alexander Bokovoy 2016-04-16 18:42:29 UTC
(In reply to Stefan Zwijsen from comment #13)
> So, the only solution to be able to install the new samba rpm's and be able
> to mount NAS shares is to verify if packet integrity could be supported on
> NAS?
> There will be no solution from samba side, since this is works as designed?
> 
> Other question: is this only with smbclient to NAS share, or also with CIFS
> mounts?
Using mount.cifs with sec=ntlmssp or sec=ntlmsspi or sec=krb5 or sec=krb5i would work against servers enhanced to prevent Badlock-type of issues, depending on your particular situation. I assume EMC/NetApp would eventually support this too.

Comment 16 Dennixx 2016-04-21 16:48:46 UTC
I created a case (78705916) at EMC and they did some investigation. I also sent them 2 wireshark traces, one with the updated smbclient (smbclient.nok.pcapng), and one with a downgraded smbclient which functions fine (smbclient.ok.pcapng).

Their response is now:

-----
In more detailed, the Celerra software functioned equivalently in the traffic of the smbclient.nok.pcapng and smbclient.ok.pcapng network traffic capture file. Although the Celerra software functioned equivalently, the Samba software in the traffic of the smbclient.nok.pcapng network traffic capture file did not reply to the NTLMSSP_CHALLENGE-type Session Setup AndX response packet from the Celerra with a NTMPSSP_AUTH-type Session Setup AndX request. Instead the Samba client broke the CIFS TCP connection with a TCP FIN segment after the NTLMSSP_CHALLENGE-type Session Setup AndX response packet in the traffic of the smbclient.nok.pcapng network traffic capture file.

You must procure support for the Samba software to determine why the Samba software broke the CIFS TCP connection in reply to the NTLMSSP_CHALLENGE-type Session Setup AndX response instead of continuing with the normal CIFS authentication processing of sending a NTLMSSP_AUTH-type Session Setup AndX request.
-----

Sounds like they are blaming samba now, and I'm caught in the middle :-(

Any comments?

Comment 17 Alexander Bokovoy 2016-04-21 17:15:27 UTC
Can we see the traces? 

According to your smbclient RHEL7 log, Samba client asked for signed connection but the server side did want to downgrade the connection to unsigned. This is exactly the behavior prevented by Badlock fixes. If secure connection is downgraded to insecure one, a man in the middle attack can be performed against unsigned connection. 

Samba with fixes against Badlock bug does not support this insecure behavior now.

Comment 18 Stefan Zwijsen 2016-04-22 08:36:48 UTC
FYI - For NetApp there is now a KB article for follow up, that can be found here:
https://kb.netapp.com/support/index?page=content&id=9010080

Comment 19 Dennixx 2016-04-22 09:20:04 UTC
(In reply to Alexander Bokovoy from comment #17)
> Can we see the traces? 

I sent them via e-mail

Dennis

Comment 20 Alexander Bokovoy 2016-04-22 09:49:34 UTC
Thanks to Dennixx, I can see in the traces that NetApp indeed downgrades Negotiate response to unsigned

smbclient asked as part of Negotiate request:
                          Negotiate Flags: 0x62088215
                                0... .... .... .... .... .... .... .... = Negotiate 56: Not set
                                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                                .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                                .... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
                                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                                .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                                .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                                .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                                .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                                .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                                .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                                .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                                .... .... .... .... .... .... .... .1.. = Request Target: Set
                                .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

note 'Negotiate Sign : Set'.

NetApp responded:

                            Negotiate Flags: 0x60898201
                                0... .... .... .... .... .... .... .... = Negotiate 56: Not set
                                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                                .... ..0. .... .... .... .... .... .... = Negotiate Version: Not set
                                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                                .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                                .... .... .... ...1 .... .... .... .... = Target Type Domain: Set
                                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                                .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                                .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                                .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                                .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                                .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                                .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                                .... .... .... .... .... .... .... .0.. = Request Target: Not set
                                .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

Note 'Negotiate sign: Not set'.

According to MS-NLMP specification, 2.2.2.5, "D (1 bit): If set, requests session key negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE." 

As we can see, the client asked for NTLMSSP_NEGOTIATE_SIGN but the server did not return it. According to MS-NLMP 3.1.5.1.2, when client receives CHALLENGE_MESSAGE from the server, "it MUST determine if the features selected by the server are strong enough for the client authentication policy. If not, the client MUST return an error to the calling application."

So I would say Samba smbclient behaves according to the spec here -- it requested signing of the negotiation and server did not follow the request, so the client chose to drop the connection, as required by the MS-NLMP spec.
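
The check Alexander describes above, as an added example that is not Samba's code and not part of this bug: a small NTLMSSP flag parser that reads NegotiateFlags out of a NEGOTIATE_MESSAGE or CHALLENGE_MESSAGE and applies the MS-NLMP 3.1.5.1.2 client-side test. The flag bit values come from MS-NLMP 2.2.2.5; the two flag words are the ones from the traces above (client 0x62088215, Celerra challenge 0x60898201), and 0x60898211 is the challenge value that does carry NTLMSSP_NEGOTIATE_SIGN, as seen in the RHEL7 log later in this bug. PROTECTED_FLAGS is an assumed, simplified client policy (Samba's real one is configurable), and build_challenge constructs a minimal CHALLENGE_MESSAGE purely so the parser has something to read.

```python
import struct

# NegotiateFlags bit values from MS-NLMP section 2.2.2.5 (subset).
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

# Assumed client policy (simplified model, not Samba's configurable one): any of
# these flags the client asked for must come back in the CHALLENGE_MESSAGE.
PROTECTED_FLAGS = (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
                   | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                   | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE = 1, 2

# Flag words taken from the traces and logs in this bug.
CLIENT_NEGOTIATE = 0x62088215      # smbclient NEGOTIATE_MESSAGE
CELERRA_CHALLENGE = 0x60898201     # EMC Celerra CHALLENGE_MESSAGE (SIGN dropped)
CHALLENGE_WITH_SIGN = 0x60898211   # a CHALLENGE_MESSAGE that keeps NTLMSSP_NEGOTIATE_SIGN


def flag_names(flags):
    """Names of the known bits set in flags, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def negotiate_flags_from_message(msg):
    """Read NegotiateFlags out of a raw NEGOTIATE_MESSAGE or CHALLENGE_MESSAGE.

    Both start with Signature(8) and MessageType(4); the flags follow directly
    in a NEGOTIATE_MESSAGE (offset 12) and after the 8-byte TargetNameFields
    in a CHALLENGE_MESSAGE (offset 20).
    """
    if len(msg) < 16 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    offset = {NEGOTIATE_MESSAGE: 12, CHALLENGE_MESSAGE: 20}.get(msg_type)
    if offset is None or len(msg) < offset + 4:
        raise ValueError("unsupported or truncated NTLMSSP message type %r" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, offset)
    return flags


def build_challenge(flags, server_challenge=b"\x00" * 8):
    """Construct a minimal CHALLENGE_MESSAGE carrying flags (empty TargetName
    and TargetInfo, no Version field); enough for the flag check below."""
    fixed_len = 48  # Signature, Type, TargetNameFields, Flags, ServerChallenge, Reserved, TargetInfoFields
    empty_fields = struct.pack("<HHI", 0, 0, fixed_len)  # Len, MaxLen, BufferOffset
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE) + empty_fields
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8 + empty_fields)


def missing_flags(requested, challenged):
    """Protected flags the client asked for that the server's challenge dropped."""
    return requested & PROTECTED_FLAGS & ~challenged


def check_challenge(requested, challenge_msg):
    """MS-NLMP 3.1.5.1.2 client-side check on a received CHALLENGE_MESSAGE.

    Returns (accepted, missing, challenged). accepted is False when the server
    downgraded; the client must then stop instead of sending AUTHENTICATE_MESSAGE.
    """
    challenged = negotiate_flags_from_message(challenge_msg)
    missing = missing_flags(requested, challenged)
    return missing == 0, missing, challenged


if __name__ == "__main__":
    for label, flags in (("EMC Celerra trace", CELERRA_CHALLENGE),
                         ("challenge with SIGN", CHALLENGE_WITH_SIGN)):
        accepted, missing, challenged = check_challenge(CLIENT_NEGOTIATE, build_challenge(flags))
        if accepted:
            print("%s: challenge flags 0x%08x accepted" % (label, challenged))
        else:
            print("%s: Got challenge flags[0x%08x] - possible downgrade detected! "
                  "missing_flags[0x%08x] %s" % (label, challenged, missing, flag_names(missing)))
```

Run against the Celerra challenge the check reports missing_flags 0x00000010, exactly the NTLMSSP_NEGOTIATE_SIGN bit smbclient complains about in the logs above; with SIGN echoed back, the same request is accepted.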

Comment 21 Dennixx 2016-04-22 10:06:46 UTC
Thanks Alexander, I've sent your findings to EMC support and await their response.

Note: the traces were taken against an EMC VNX (Celerra), not a NetApp.

Comment 22 Alexander Bokovoy 2016-04-22 10:18:03 UTC
Correction: it is EMC, not NetApp (what I was thinking about...), sorry.

Native OS: EMC-SNAS:T8.1.8.12

Comment 23 Dennixx 2016-05-02 08:01:17 UTC
I received the following from EMC support:
-----
There is no fix as of now for the vulnerability but enabling that param should restore access after the SAMBA server has been upgraded per SAMBA resolution for the vulnerability. This basically fixes the signing issue when signing is not mandatory (prior it would not respond correctly).

To add the param follow the below procedure :

param NTsec.ntlmsspFlags force=0x10

Add or modify a server parameter for a single Data Mover
Steps to add or modify a server parameter for a single Data Mover are:
1. Log in to the Control Station.
2. Go to the directory that contains the server parameter file for the Data Mover by using
this command syntax:
$ cd /nas/server/slot_<x>
where:
<x> = slot number for the Data Mover
Example:
To go to the directory that contains the parameter file for server_2, type:
$ cd /nas/server/slot_2
3. Open the param file by using a text editor, such as vi.
4. Add a parameter by appending the following line to the file:
param <facility> <parameter>=<value>
where:
<facility> = name of the facility (case-sensitive) to which the parameter applies
<parameter> = name of the server parameter (case-sensitive) to set
<value> = value for the parameter
Or to modify a parameter, locate the entry for the parameter and replace the current
value with the new value.
Example:
To set the cifs facility gpo parameter to 1, add or modify the following line in the param
file:
param cifs gpo=1
5. Save your changes and close the param file.
6. Confirm the parameter entry in the file, by typing:
$ more param
The contents of the param file appear.
7. If the parameter change does not take effect until the Data Mover is rebooted, use the
procedure Reboot a Data Mover below:

Reboot a Data Mover
1. From Unisphere, select System > Data Movers.
2. Select the Data Mover, and click Reboot.
3. Click OK to send a reboot message to the selected Data Movers. While the reboot is in progress, refreshing Data Movers shows the rebooting Data Mover in various states as they appear in the Status column.
-----

I haven't been able to test this yet.
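
Step 4 of the vendor procedure above ("add or modify" a param line) done programmatically, as an added example that is not EMC's tooling and not from this bug. It works on an in-memory copy of a param file in the `param <facility> <parameter>=<value>` format the procedure describes, so the same edit can be applied repeatedly without producing duplicate lines; the sample file contents are constructed and stand in for `/nas/server/slot_<x>/param`.

```python
import re

# One well-formed line: 'param <facility> <parameter>=<value>' (names are case-sensitive).
PARAM_RE = re.compile(r"^param\s+(\S+)\s+(\S+)=(\S*)\s*$")


def parse_params(text):
    """Return {(facility, parameter): value} for every well-formed param line."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[(m.group(1), m.group(2))] = m.group(3)
    return params


def set_param(text, facility, parameter, value):
    """Replace the matching param line in text, or append one; returns the new text.

    Comments and unrelated param lines are kept in their original order, and
    applying the same change twice leaves the file unchanged.
    """
    new_line = "param %s %s=%s" % (facility, parameter, value)
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = PARAM_RE.match(line)
        if m and m.group(1) == facility and m.group(2) == parameter:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


# Constructed stand-in for the contents of /nas/server/slot_2/param.
SAMPLE_PARAM_FILE = "# server_2 parameters (constructed sample)\nparam cifs gpo=1\n"

if __name__ == "__main__":
    updated = set_param(SAMPLE_PARAM_FILE, "NTsec.ntlmsspFlags", "force", "0x10")
    print(updated, end="")
    print(parse_params(updated))
```

On a real Control Station you would read the file, pass its text through `set_param`, write it back, and then confirm with `more param` as in step 6 before deciding whether a Data Mover reboot is needed.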

Comment 24 Dennixx 2016-05-12 07:50:05 UTC
I've applied the workaround from my previous comment on our EMC, and it seems to solve the issue. I can connect with both the patched and the unpatched smbclient just fine now. Also I haven't received any indications of issues with other clients (Windows systems for example).

Comment 25 David 2016-05-19 11:45:07 UTC
Hi,

After applying the workaround, it worked for RH6 but RH7 continues failing.

RH6 versions working OK:
samba-client-3.6.23-30.el6_8.x86_64 OK
samba-client-3.6.23-35.el6_8.x86_64 OK

RH7 versions:

samba-client-4.2.3-12.el7_2.x86_64 OK
samba-client-4.2.10-6.el7_2.x86_64 FAILS

Debug output:

smbclient -W adm.ehu.es -L gorde.ehu.es -U lgsfeacd -d 10
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens192 ip=158.227.1.8 bcast=158.227.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="HORDEPRU"
Client started (version 4.2.10).
Enter lgsfeacd's password:
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up gorde.ehu.es#20 (sitename (null))
name gorde.ehu.es#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.60.12 at port 445
Socket options:
         SO_KEEPALIVE = 0
         SO_REUSEADDR = 0
         SO_BROADCAST = 0
         TCP_NODELAY = 1
         TCP_KEEPCNT = 9
         TCP_KEEPIDLE = 7200
         TCP_KEEPINTVL = 75
         IPTOS_LOWDELAY = 0
         IPTOS_THROUGHPUT = 0
         SO_REUSEPORT = 0
         SO_SNDBUF = 87040
         SO_RCVBUF = 367360
         SO_SNDLOWAT = 1
         SO_RCVLOWAT = 1
         SO_SNDTIMEO = 0
         SO_RCVTIMEO = 0
         TCP_QUICKACK = 1
         TCP_DEFER_ACCEPT = 0
  session request ok
Doing spnego session setup (blob length=85)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=n1discopaspdi$@ADM.EHU.ES
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
      negotiate: struct NEGOTIATE_MESSAGE
         Signature                : 'NTLMSSP'
         MessageType              : NtLmNegotiate (1)
         NegotiateFlags           : 0x62088215 (1644724757)
                1: NTLMSSP_NEGOTIATE_UNICODE
                0: NTLMSSP_NEGOTIATE_OEM
                1: NTLMSSP_REQUEST_TARGET
                1: NTLMSSP_NEGOTIATE_SIGN
                0: NTLMSSP_NEGOTIATE_SEAL
                0: NTLMSSP_NEGOTIATE_DATAGRAM
                0: NTLMSSP_NEGOTIATE_LM_KEY
                0: NTLMSSP_NEGOTIATE_NETWARE
                1: NTLMSSP_NEGOTIATE_NTLM
                0: NTLMSSP_NEGOTIATE_NT_ONLY
                0: NTLMSSP_ANONYMOUS
                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                0: NTLMSSP_TARGET_TYPE_DOMAIN
                0: NTLMSSP_TARGET_TYPE_SERVER
                0: NTLMSSP_TARGET_TYPE_SHARE
                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                0: NTLMSSP_NEGOTIATE_IDENTIFY
                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
                0: NTLMSSP_NEGOTIATE_TARGET_INFO
                1: NTLMSSP_NEGOTIATE_VERSION
                1: NTLMSSP_NEGOTIATE_128
                1: NTLMSSP_NEGOTIATE_KEY_EXCH
                0: NTLMSSP_NEGOTIATE_56
         DomainNameLen            : 0x0000 (0)
         DomainNameMaxLen         : 0x0000 (0)
         DomainName               : *
             DomainName               : ''
         WorkstationLen           : 0x0000 (0)
         WorkstationMaxLen        : 0x0000 (0)
         Workstation              : *
             Workstation              : ''
         Version: struct ntlmssp_VERSION
             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
             ProductBuild             : 0x0000 (0)
             Reserved: ARRAY(3)
                 [0]                      : 0x00 (0)
                 [1]                      : 0x00 (0)
                 [2]                      : 0x00 (0)
             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898211
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_TARGET_TYPE_DOMAIN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_TARGET_INFO
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128

[root@hordepru ~]# smbclient -W adm.ehu.es -L gorde.ehu.es -U lgsfeacd -d 10
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens192 ip=158.227.1.8 bcast=158.227.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="HORDEPRU"
Client started (version 4.2.10).
Enter lgsfeacd's password:
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up gorde.ehu.es#20 (sitename (null))
name gorde.ehu.es#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.60.12 at port 445
Socket options:
         SO_KEEPALIVE = 0
         SO_REUSEADDR = 0
         SO_BROADCAST = 0
         TCP_NODELAY = 1
         TCP_KEEPCNT = 9
         TCP_KEEPIDLE = 7200
         TCP_KEEPINTVL = 75
         IPTOS_LOWDELAY = 0
         IPTOS_THROUGHPUT = 0
         SO_REUSEPORT = 0
         SO_SNDBUF = 87040
         SO_RCVBUF = 367360
         SO_SNDLOWAT = 1
         SO_RCVLOWAT = 1
         SO_SNDTIMEO = 0
         SO_RCVTIMEO = 0
         TCP_QUICKACK = 1
         TCP_DEFER_ACCEPT = 0
  session request ok
Doing spnego session setup (blob length=85)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=n1discopaspdi$@ADM.EHU.ES
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
      negotiate: struct NEGOTIATE_MESSAGE
         Signature                : 'NTLMSSP'
         MessageType              : NtLmNegotiate (1)
         NegotiateFlags           : 0x62088215 (1644724757)
                1: NTLMSSP_NEGOTIATE_UNICODE
                0: NTLMSSP_NEGOTIATE_OEM
                1: NTLMSSP_REQUEST_TARGET
                1: NTLMSSP_NEGOTIATE_SIGN
                0: NTLMSSP_NEGOTIATE_SEAL
                0: NTLMSSP_NEGOTIATE_DATAGRAM
                0: NTLMSSP_NEGOTIATE_LM_KEY
                0: NTLMSSP_NEGOTIATE_NETWARE
                1: NTLMSSP_NEGOTIATE_NTLM
                0: NTLMSSP_NEGOTIATE_NT_ONLY
                0: NTLMSSP_ANONYMOUS
                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                0: NTLMSSP_TARGET_TYPE_DOMAIN
                0: NTLMSSP_TARGET_TYPE_SERVER
                0: NTLMSSP_TARGET_TYPE_SHARE
                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                0: NTLMSSP_NEGOTIATE_IDENTIFY
                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
                0: NTLMSSP_NEGOTIATE_TARGET_INFO
                1: NTLMSSP_NEGOTIATE_VERSION
                1: NTLMSSP_NEGOTIATE_128
                1: NTLMSSP_NEGOTIATE_KEY_EXCH
                0: NTLMSSP_NEGOTIATE_56
         DomainNameLen            : 0x0000 (0)
         DomainNameMaxLen         : 0x0000 (0)
         DomainName               : *
             DomainName               : ''
         WorkstationLen           : 0x0000 (0)
         WorkstationMaxLen        : 0x0000 (0)
         Workstation              : *
             Workstation              : ''
         Version: struct ntlmssp_VERSION
             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
             ProductBuild             : 0x0000 (0)
             Reserved: ARRAY(3)
                 [0]                      : 0x00 (0)
                 [1]                      : 0x00 (0)
                 [2]                      : 0x00 (0)
             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898211
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_TARGET_TYPE_DOMAIN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_TARGET_INFO
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
BAD SIG NTLM2: wanted signature of
[0000] 01 00 00 00 84 28 CB 93   07 B3 4D 85 00 00 00 00   .....(.. ..M.....
BAD SIG: got signature of
[0000] 4E 54 4C 4D 53 53 50 00   02 00 00 00 06 00 06 00   NTLMSSP. ........
[0010] 30 00 00 00 11 82 89 60   E7 47 B8 0A B0 E7 60 22   0......` .G....`"
[0020] 00 00 00 00 00 00 00 00   78 00 78 00 36 00 00 00   ........ x.x.6...
[0030] 41 00 44 00 4D 00 02 00   06 00 41 00 44 00 4D 00   A.D.M... ..A.D.M.
[0040] 01 00 1A 00 4E 00 31 00   44 00 49 00 53 00 43 00   ....N.1. D.I.S.C.
[0050] 4F 00 50 00 41 00 53 00   50 00 44 00 49 00 04 00   O.P.A.S. P.D.I...
[0060] 14 00 61 00 64 00 6D 00   2E 00 65 00 68 00 75 00   ..a.d.m. ..e.h.u.
[0070] 2E 00 65 00 73 00 03 00   30 00 6E 00 31 00 64 00   ..e.s... 0.n.1.d.
[0080] 69 00 73 00 63 00 6F 00   70 00 61 00 73 00 70 00   i.s.c.o. p.a.s.p.
[0090] 64 00 69 00 2E 00 61 00   64 00 6D 00 2E 00 65 00   d.i...a. d.m...e.
[00A0] 68 00 75 00 2E 00 65 00   73 00 00 00 00 00         h.u...e. s.....
NTLMSSP NTLM2 packet check failed due to invalid signature!
GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_ACCESS_DENIED
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
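
The "wanted" and "got" dumps above say more than "invalid signature" once decoded. The parser below is an added illustration written for this page; it is not part of the bug report, of the attachment, or of Samba. Both blobs are transcribed verbatim from the log. The "wanted" blob is a 16-byte NTLMSSP message signature (Version 1, 8-byte checksum, sequence number 0). The "got" blob, the bytes Samba reports as the received signature while verifying the SPNEGO mechListMIC, begins with "NTLMSSP\0" followed by MessageType 2: it is the server's own CHALLENGE message, 174 bytes long, not a signature at all, so the check could never succeed whatever keys were in use. The flag values and AV_PAIR ids follow MS-NLMP; the function names and the diagnosis categories are this example's own.

```python
import struct

# NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5): bit value -> name as Samba prints it.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# AV_PAIR ids in TargetInfo (MS-NLMP 2.2.2.1) whose values are UTF-16LE strings.
AV_STRING_IDS = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
    5: "MsvAvDnsTreeName", 9: "MsvAvTargetName",
}

# Both blobs transcribed from the smbclient debug output above.
WANTED_SIG = bytes.fromhex("010000008428cb9307b34d8500000000")
GOT_BLOB = bytes.fromhex(
    "4e544c4d535350000200000006000600"
    "3000000011828960e747b80ab0e76022"
    "00000000000000007800780036000000"
    "410044004d0002000600410044004d00"
    "01001a004e0031004400490053004300"
    "4f005000410053005000440049000400"
    "1400610064006d002e00650068007500"
    "2e0065007300030030006e0031006400"
    "6900730063006f007000610073007000"
    "640069002e00610064006d002e006500"
    "680075002e006500730000000000"
)


def decode_flags(flags):
    """Expand a NegotiateFlags word into flag names, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if flags & bit]


def parse_signature(blob):
    """Decode a 16-byte NTLMSSP_MESSAGE_SIGNATURE (MS-NLMP 2.2.2.9.1):
    Version, Checksum, SeqNum.  Returns None when the blob cannot be one."""
    if len(blob) != 16:
        return None
    version, checksum, seqnum = struct.unpack("<I8sI", blob)
    if version != 1:
        return None
    return {"version": version, "checksum": checksum.hex(), "seqnum": seqnum}


def parse_av_pairs(data):
    """Decode the AV_PAIR list in TargetInfo, stopping at MsvAvEOL (id 0)."""
    pairs = []
    pos = 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id in AV_STRING_IDS:
            pairs.append((AV_STRING_IDS[av_id], value.decode("utf-16-le")))
        else:
            pairs.append(("MsvAv%d" % av_id, value.hex()))
    return pairs


def parse_challenge(blob):
    """Decode an NTLMSSP CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2).  Returns None
    unless the blob starts with the NTLMSSP signature and MessageType 2."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        return None
    (msg_type, tn_len, _tn_max, tn_off, flags, challenge, _reserved,
     ti_len, _ti_max, ti_off) = struct.unpack("<IHHII8s8sHHI", blob[8:48])
    if msg_type != 2:
        return None
    return {
        "flags": flags,
        "flag_names": decode_flags(flags),
        "server_challenge": challenge.hex(),
        "target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "target_info": parse_av_pairs(blob[ti_off:ti_off + ti_len]),
    }


def classify_bad_sig(got):
    """Say what the peer actually sent where a signature was expected.
    The category names are this example's own, not Samba's."""
    if parse_signature(got) is not None:
        return "signature-mismatch"   # a real signature; keys or seqnums differ
    if parse_challenge(got) is not None:
        return "challenge-message"    # peer returned its CHALLENGE as the MIC
    return "unrecognised"


if __name__ == "__main__":
    print("wanted:", parse_signature(WANTED_SIG))
    print("got   :", classify_bad_sig(GOT_BLOB))
    chal = parse_challenge(GOT_BLOB)
    print("server flags 0x%08x" % chal["flags"], chal["flag_names"])
    for name, value in chal["target_info"]:
        print("  %-22s %s" % (name, value))
```

Decoding the "got" blob also recovers the server's NegotiateFlags 0x60898211 (the same value Samba prints under "Got challenge flags"), the 8-byte server challenge, the NetBIOS target name and the DNS names in TargetInfo; the server's flags carry no NTLMSSP_NEGOTIATE_VERSION bit, which is consistent with the message having no Version field and the payload starting at offset 48.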

Comment 26 Andreas Schneider 2016-05-19 11:50:27 UTC
A zstream update for RHEL7 to fix several regressions will be released soon.

Comment 30 Buck Huppmann 2016-05-20 18:15:46 UTC
Created attachment 1160026
maybe bogus patch to get DFS referral-chasing to work

Here's a patch that restored smbclient for me (chasing a
DFS referral from a Windows domain DFS server to a NetApp
filer).  I just have no idea if it just completely
compromises the security added by the downgrade-attack
mitigations that broke smbclient for me

The rationale in the patch is that if the client
"wants" session-keying, then, sure, request signing, but
don't require it unless the client actually "wants"
signing itself and not just as a prereq for the "wanted"
session-keying

Maybe that's just completely wrong, but I blame the
mishmash of complementary and conflicting options in the
protocol layers' negotiation stages for giving me an excuse
to be lazy and just throw this out there and hope somebody
else figures out if it's not completely wrong and maybe
try to do something with it

I would maybe alternately do that on samba-technical, but
the code I spent any time looking at, for RHEL 5 (samba3x
package), is probably old enough to be beneath their
contempt and not something that they are likely to want to
think about the finer points of

Comment 31 Buck Huppmann 2016-06-06 13:08:19 UTC
(In reply to myself from comment #30)

looking at this commit to samba's (v4-2-stable) git:

https://git.samba.org/?p=samba.git;a=commit;h=abbb1ab296b6f891bd73ea95ddab02da0b7ec79b

the commitdiff seems to also reduce the requirement for signing
to a negotiable feature when session keying is requested, so
... maybe my submitted patch isn't totally off the wall

Comment 32 Terry Bowling 2016-06-27 14:30:53 UTC
Looks like this issue is fixed for RHEL 7 via bz1333794 as described in errata notes https://access.redhat.com/errata/RHBA-2016:1257.

Not sure yet about RHEL 6.

Comment 34 Andreas Schneider 2016-08-08 12:50:23 UTC
Closing as this is a bug in the vendor's NAS implementation.

