Bug 11531 - "Bad SMB2 signature for message" with a netapp filer
Status: RESOLVED INVALID
Product: Samba 4.1 and newer
Component: DCE-RPCs and pipes
Version: 4.3.0
Hardware: All All
Importance: P5 normal
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2015-09-24 08:54 UTC by Luca Olivetti
Modified: 2015-09-25 10:11 UTC

Description Luca Olivetti 2015-09-24 08:54:36 UTC
Trying to join a netapp filer (actually the simulator) to the domain, I get this error on the filer:

Thu Sep 24 09:45:19 CEST [netappsim:smbrpc.getDomainSid.usingCachedCopy:info]: CIFSRPC: Getting domain SID from filer cache because the filer was not able to get the domain SID from a domain controller.  

Then a "cifs resetdc" gives me this error:

netappsim> cifs resetdc
Thu Sep 24 09:41:04 CEST [netappsim:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for WETRON.  
Thu Sep 24 09:41:04 CEST [netappsim:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..  
Thu Sep 24 09:41:04 CEST [netappsim:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.  
Thu Sep 24 09:41:05 CEST [netappsim:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for WETRON complete. 1 unique addresses found.  
Thu Sep 24 09:41:05 CEST [netappsim:cifs.server.infoMsg:info]: CIFS: Warning for server \\DC1: Connection terminated.  
Thu Sep 24 09:41:05 CEST [netappsim:cifs.server.infoMsg:info]: CIFS: Warning for server \\DC1: Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.  
Thu Sep 24 09:41:05 CEST [netappsim:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for SAMBA.WETRON.ES.  
Thu Sep 24 09:41:05 CEST [netappsim:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using DNS site query (Default-First-Site-Name).  
Thu Sep 24 09:41:05 CEST [netappsim:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using generic DNS query.  
Thu Sep 24 09:41:06 CEST [netappsim:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for SAMBA.WETRON.ES complete. 1 unique addresses found.  


On the samba side I see this in the log

[2015/09/24 09:41:05.113687,  0] ../libcli/smb/smb2_signing.c:170(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2015/09/24 09:41:05.113938,  0] ../lib/util/util.c:559(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2015/09/24 09:41:05.114088,  0] ../lib/util/util.c:559(dump_data)
  [0000] 6C 02 BB 22 1A 3F FB 52   F4 79 99 D1 1F BE B3 49   l..".?.R .y.....I

Setting "max protocol=SMB2" in smb.conf allows the filer to correctly join the domain.
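
For triaging records like the smbd log excerpt above, the following is an added example (not part of the original report and not Samba code) that pairs each "Bad SMB2 signature for message" record with the two dump_data records that follow it. The function names are hypothetical, and it assumes the first dump is the signature carried in the message and the second is the value smbd computed.

```python
import re

# Constructed sample: the three log records quoted in the report above.
SAMPLE_LOG = """\
[2015/09/24 09:41:05.113687,  0] ../libcli/smb/smb2_signing.c:170(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2015/09/24 09:41:05.113938,  0] ../lib/util/util.c:559(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2015/09/24 09:41:05.114088,  0] ../lib/util/util.c:559(dump_data)
  [0000] 6C 02 BB 22 1A 3F FB 52   F4 79 99 D1 1F BE B3 49   l..".?.R .y.....I
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\] \S+\((\w+)\)")
DUMP = re.compile(r"^\s*\[[0-9A-Fa-f]{4}\]\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")

def parse_records(text):
    """Split a Samba log into (timestamp, function, body_lines) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append((m.group(1), m.group(2), []))
        elif records and line.strip():
            records[-1][2].append(line)
    return records

def dump_bytes(body):
    """Decode the hex columns of dump_data lines (ASCII column ignored)."""
    out = b""
    for line in body:
        m = DUMP.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return out

def bad_signature_events(text):
    """Pair each bad-signature record with the two dumps logged after it."""
    recs, events = parse_records(text), []
    for i, (ts, func, body) in enumerate(recs):
        if func != "smb2_signing_check_pdu" or not any("Bad SMB2 signature" in b for b in body):
            continue
        dumps = [dump_bytes(b) for _, f, b in recs[i + 1:i + 3] if f == "dump_data"]
        if len(dumps) != 2:
            continue  # truncated or interleaved log: skip rather than guess
        # Assumption: dumps[0] = signature in the message, dumps[1] = computed by smbd.
        events.append({"time": ts, "first": dumps[0].hex(), "second": dumps[1].hex(),
                       "first_all_zero": dumps[0] == bytes(16)})
    return events
```

On the excerpt above this yields one event whose first dump is sixteen zero bytes, which is the detail worth checking against a packet capture of the same exchange.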
Comment 1 Stefan Metzmacher 2015-09-25 04:50:07 UTC
Can you please upload a network capture with a level 10 log?

For both cases SMB2 and SMB3.
Comment 2 Luca Olivetti 2015-09-25 06:29:49 UTC
A network capture with tcpdump or the level 10 log is enough?
Comment 3 Luca Olivetti 2015-09-25 06:30:48 UTC
And is it safe to upload it publicly?
Comment 4 Luca Olivetti 2015-09-25 10:07:22 UTC
While I was trying to capture logs for the two cases, a "funny" thing happened: the setting of "max protocols" makes no difference; sometimes a "cifs resetdc" works, sometimes it doesn't.
The "funny" part of it is that even when it failed and the netapp showed me the dc as "PDCBROKEN" I could still successfully access the shares on the netapp ?!?!? (maybe it was just caching the credentials from the last successful attempt, I don't know)
For the time being I'm closing this as invalid, but if you want the logs I can provide them.
Comment 5 Luca Olivetti 2015-09-25 10:11:16 UTC
One more thing: when "cifs resetdc" is successful, smbstatus shows the protocol as SMB2_02:

a# smbstatus

Samba version 4.3.0-Debian
PID     Username      Group         Machine            Protocol Version       
------------------------------------------------------------------------------
21270     WETRON\netapp01$  WETRON\domain computers  192.168.169.23 (ipv4:192.168.169.23:17164) SMB2_02     

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         21270   192.168.169.23  Fri Sep 25 12:09:43 2015

No locked files