Bug 1372611 - NetAPP SMB servers don't negotiate NTLMSSP_SIGN for SESSION KEY setup
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Andreas Schneider
QA Contact: Robin Hack
Reported: 2016-09-02 08:18 UTC by Toralf
Modified: 2020-01-17 15:55 UTC (History)

Fixed In Version: samba-3.6.23-36.el6_9
Last Closed: 2017-03-21 10:15:08 UTC
Attachments
SAMBA config (9.73 KB, text/plain)
2016-09-08 12:48 UTC, Toralf


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0662 normal SHIPPED_LIVE Moderate: samba security and bug fix update 2017-03-21 12:34:11 UTC

Description Toralf 2016-09-02 08:18:20 UTC
Description of problem:
After upgrading to EL6.8, I can no longer access Windows shares at work through smb:// URLs. Error messages are related to SPNEGO.

Version-Release number of selected component (if applicable):
3.6.23-36.el6_8

How reproducible:
Every time


Steps to Reproduce:
1.  gvfs-mount "smb://domain;toralf.lund@server/filesys/"

- or -

1. smbclient //server/filesys/ -W domain -U toralf.lund

[ Some names are changed for security reasons ]


Actual results:

gvfs-mount just keeps asking for a password. If running gvfsd in debug mode, errors are reported. These are the same as for smbclient - see below.

smbclient says

Enter toralf.lund's password: 
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?


Expected results:

The volume is mounted

- or -

"smb: \>" prompt appears.


Additional info

sambaclient access is successful if I add
	client use spnego = no
under "[global]" in /etc/samba/smb.conf. Unfortunately, the gvfs-mount still fails in the same exact manner - it looks like the above mentioned setting is ignored.

The problem does not occur on a different machine which has samba version 3.6.23-25.el6_7.

Comment 3 Andreas Schneider 2016-09-05 11:57:54 UTC
Please provide the output of 'testparm -s' and 'smbclient -d10 //server/filesys/' connecting with your user. You might need to specify the username with -U

Comment 4 Andreas Schneider 2016-09-06 14:07:46 UTC
Also, what Windows Server do you connect to? Which version of Windows?

Comment 5 Toralf 2016-09-06 14:30:02 UTC
$ testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
	workgroup = MYGROUP
	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50
	client signing = required
	idmap config * : backend = tdb
	cups options = raw

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	print ok = Yes
	browseable = No



$ smbclient -d10 //server/filesys -U toralf.lund -W domain
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_STANDALONE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::3e97:eff:fe26:3a3f%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface wlan0 ip=fe80::6267:20ff:fefd:893c%wlan0 bcast=fe80::ffff:ffff:ffff:ffff%wlan0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.30.40.167 bcast=10.30.47.255 netmask=255.255.240.0
Netbios name list:-
my_netbios_names[0]="OSL-71465"
Client started (version 3.6.23-36.el6_8).
Enter toralf.lund's password: 
Opening cache file at /var/lib/samba/gencache.tdb
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for 
internal_resolve_name: looking up server#20 (sitename (null))
no entry for server#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name server<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
resolve_wins: Attempting wins lookup for name server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name server<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for server#20: 10.30.16.231
Adding cache entry with key = NBT/SERVER#20 and timeout = Tue Sep  6 16:33:01 2016
 (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.30.16.231:0 
Running timed event "tevent_req_timedout" 0x7f1d7820ea20
Connecting to 10.30.16.231 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 19800
	SO_RCVBUF = 87380
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
 session request ok
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=101)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=oslna20b$@DOMAIN
     negotiate: struct NEGOTIATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmNegotiate (1)
        NegotiateFlags           : 0x60088215 (1611170325)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
        DomainNameLen            : 0x000f (15)
        DomainNameMaxLen         : 0x000f (15)
        DomainName               : *
            DomainName               : 'DOMAIN'
        WorkstationLen           : 0x0009 (9)
        WorkstationMaxLen        : 0x0009 (9)
        Workstation              : *
            Workstation              : 'OSL-71465'
Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
Got NTLMSSP neg_flags=0x00000010
  NTLMSSP_NEGOTIATE_SIGN
neg_flags[0x60088205]
Got NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
lang_tdb_init: /usr/lib64/samba/en_GB.utf8.msg: No such file or directory
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?



I'll have to get back to you later on the Windows version etc., as this is not information that's generally available. We're just provided with server and share names that we may connect to.

Comment 7 Andreas Schneider 2016-09-08 12:06:34 UTC
You have set 'client signing = required', but the server doesn't provide signing support for normal SMB connections.

I do not see a bug here. Does it work if you remove 'client signing = required'?

Comment 8 Toralf 2016-09-08 12:47:13 UTC
I didn't notice that in the testparm output. I haven't really set the option, though, unless I'm missing something obvious. I can't find any mention of "client signing" in my original /etc/samba/smb.conf, and if I add the line
	client signing = disabled
under [global], 'testparm -s' still says "client signing = required".

I'll attach my current smb.conf...

Comment 9 Toralf 2016-09-08 12:48:00 UTC
Created attachment 1199075
SAMBA config

Comment 10 Andreas Schneider 2016-10-05 12:54:19 UTC
Is your Windows server patched, and does it include the BADLOCK patches? Which version of Windows do you run?

Comment 11 Andreas Schneider 2016-10-11 14:33:58 UTC
Which SMB server are you connecting to?

Comment 12 Toralf 2016-10-13 16:09:42 UTC
I've registered a ticket with our IT support department where I ask for this information, but haven't got an answer yet.

Do you know of any other way I can find the data? I don't have login access to the server in question...

Comment 13 Toralf 2016-10-18 14:07:18 UTC
The response from the support people:

Hi Toralf, The server is a Netapp running Ontap 8.2.4.

Comment 14 Andreas Schneider 2016-10-27 06:10:08 UTC
Your NetAPP server doesn't support signing. You have to turn it on. smbclient requests signing and the server removes the flag. It correctly detects that it has been removed!

See:
https://www.samba.org/samba/security/CVE-2016-2110.html

and

https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-0C291FD0-68D3-4DAE-A493-9958EA4C70DC.html

Comment 15 Toralf 2016-10-27 07:10:42 UTC
I don't really agree with that. As far as I know, I didn't tell the software to request signing, and it shouldn't force it on me. Also, a man-in-the-middle attack is very unlikely, as I'm on an access controlled network behind a strong firewall.

A change like this really makes it hard to use Samba, and Linux, in real life, where you don't just connect to your little hobby servers which you have total control over yourself, but the resources you need to access are managed by someone else entirely, and you have little or no influence on how they are configured.

Comment 16 Toralf 2016-10-27 07:23:09 UTC
Remember that I also tried connecting with "client signing = disabled" - see Comment 8.

Comment 17 Andreas Schneider 2016-10-27 12:52:41 UTC
As Alexander already stated in another bug and which also applies here:

According to [MS-NLMP] specification, 2.2.2.5, "D (1 bit): If set, requests session key negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE."

As we can see, the client asked for NTLMSSP_NEGOTIATE_SIGN but the server did not return it. According to MS-NLMP 3.1.5.1.2, when client receives CHALLENGE_MESSAGE from the server, "it MUST determine if the features selected by the server are strong enough for the client authentication policy. If not, the client MUST return an error to the calling application."

So I would say Samba smbclient behaves according to the spec here -- it requested signing of the negotiation and server did not follow the request, so the client chose to drop the connection, as required by the MS-NLMP specification.


For your server to comply with the [MS-NLMP] specification, it MUST support signing (also known as Message Integrity).

The smb.conf states for "client signing":

  This controls whether the client is allowed or required to use SMB signing.

This option has nothing to do with NTLMSSP message integrity.

Could you test with RHEL7?
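
The flag comparison discussed in this comment, worked through on the values from the debug log in Comment 5. This is an added example, not part of the original thread and not Samba's code; the bit values are from [MS-NLMP] 2.2.2.5, while `SECURITY_MASK`, `check_downgrade` and the second (compliant) log are assumptions constructed for illustration.

```python
import re

# Bit values from [MS-NLMP] 2.2.2.5 (the flags relevant to this log).
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
# Assumption of this example: requested flags a client should refuse to lose.
SECURITY_MASK = 0x00000010 | 0x00000020 | 0x00080000 | 0x20000000 | 0x40000000

REQ_RE = re.compile(r"NegotiateFlags\s*:\s*0x([0-9a-fA-F]{8})")
CHAL_RE = re.compile(r"Got challenge flags\[0x([0-9a-fA-F]{8})\]")

def flag_names(mask):
    """Return the names of all known flags set in mask, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if mask & bit]

def check_downgrade(log_text):
    """Compare client NEGOTIATE flags with server CHALLENGE flags in a -d10 log."""
    req, chal = REQ_RE.search(log_text), CHAL_RE.search(log_text)
    if not (req and chal):
        return None  # the log does not contain both messages
    requested, offered = int(req.group(1), 16), int(chal.group(1), 16)
    # Security flags the client asked for that the server did not echo back.
    missing = requested & ~offered & SECURITY_MASK
    return {"missing": missing, "missing_names": flag_names(missing),
            "agreed": requested & offered, "downgrade": missing != 0}

# Two lines excerpted from the smbclient -d10 output in Comment 5.
NETAPP_LOG = """\
        NegotiateFlags           : 0x60088215 (1611170325)
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
"""
# Constructed counter-case: the same challenge with NTLMSSP_NEGOTIATE_SIGN echoed back.
COMPLIANT_LOG = NETAPP_LOG.replace("0x60898205", "0x60898215")

if __name__ == "__main__":
    for label, log in (("NetApp", NETAPP_LOG), ("compliant", COMPLIANT_LOG)):
        r = check_downgrade(log)
        print(label, hex(r["missing"]), r["missing_names"], hex(r["agreed"]))
```

For the NetApp excerpt the computed missing mask and the intersection of the two flag sets match the `missing_flags[0x00000010]` and `neg_flags[0x60088205]` values printed in the log.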

Comment 18 Toralf 2016-10-27 18:47:04 UTC
OK, but isn't there a way to tell smbclient NOT to ask for NTLMSSP_NEGOTIATE_SIGN? Also, why does "testparm -s" report

	client signing = required

when smb.conf has

	client signing = disabled
?

I'll try to see if there is a machine somewhere that has been upgraded to version 7.

Comment 19 Andreas Schneider 2016-10-28 16:09:51 UTC
To make it clear again: Samba is not at fault here. It is NetAPP not implementing the protocol correctly.

However, I will look into a workaround. I think it is only for establishing the session key, maybe we can relax the requirement here. I need to evaluate that. NOTE: This will be a workaround on the Samba side to work around a bug in the implementation of NetAPP NAS!

Comment 23 errata-xmlrpc 2017-03-21 10:15:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0662.html

