Bug 11841 - NT_STATUS_ACCESS_DENIED when accessing windows public share with 4.3.8
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.3.8
Hardware: All All
Importance: P5 regression
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Duplicates: 11859 11885
Depends on: 11849
Reported: 2016-04-14 22:52 UTC by crisb
Modified: 2017-07-03 21:56 UTC
Description crisb 2016-04-14 22:52:20 UTC
Hi

When running 4.3.8, I can't connect to my Windows 10 share (which has no access permissions). I get NT_STATUS_ACCESS_DENIED - I have tried adding

allow dcerpc auth level connect = yes

to the smb.conf but this does not change anything.


full output of smbclient -kd3 //desktop-5blpm4c/Video - the same thing on 4.3.6 gives me access:


lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface wlan0 ip=192.168.0.10 bcast=192.168.0.255 netmask=255.255.255.0
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
Client started (version 4.3.8).
Connecting to 192.168.0.6 at port 445
Doing spnego session setup (blob length=320)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.3.6.1.4.1.311.2.2.10
got principal=<null>
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!
GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_ACCESS_DENIED
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
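
Added example (not part of the bug report and not Samba code): a small Python triage helper that decodes the `neg_flags` values from the debug output above, using the flag bits defined in MS-NLMP, and checks for the signing-failure lines. The names `decode_flags` and `triage` are hypothetical; the sample lines are copied from the description.

```python
import re
# NTLMSSP negotiate flag bits (names from MS-NLMP); a subset, not the full table.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
}

# Lines copied from the -d3 output in the description above.
SAMPLE_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!
GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_ACCESS_DENIED
"""

def decode_flags(value):
    """Return (known flag names, leftover bits not in the table)."""
    names = [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    return names, value & ~sum(NTLMSSP_FLAGS)

def triage(log):
    """Summarise the NTLMSSP negotiation and the mechListMIC failure lines."""
    flags = [int(m, 16) for m in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", log)]
    if len(flags) < 2:
        return None  # no complete NTLMSSP negotiation in this log
    challenge, final = flags[0], flags[-1]
    return {
        "final_flags": decode_flags(final)[0],
        "dropped_after_challenge": decode_flags(challenge & ~final)[0],
        "empty_signature": "short signature (0 bytes)" in log,
        "mic_failed": "failed to verify mechListMIC" in log,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
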
Comment 1 crisb 2016-04-15 06:32:17 UTC
tried adding various options to smb.conf without success:

 allow dcerpc auth level connect = yes
 client ipc signing = no

 winbind sealed pipes = false
 require strong key = false
 raw NTLMv2 auth = yes


I should mention this is just a simple workgroup setup.

also 4.3.8 completely breaks browsing with smb4k (may or may not be the same thing).
Comment 2 Stefan Metzmacher 2016-04-15 09:13:57 UTC
(In reply to crisb from comment #0)

I need more information.

For me this gives LOGON_FAILURE with 4.3.6 and 4.3.8.

Can you please upload captures with both versions together with the
output if you use -d 100 instead of -d3?

I also need more details on the way you configured the Windows 10 share
and what user is used. Did you enable the guest account or something like this?
Comment 3 crisb 2016-04-15 09:30:00 UTC
I'll get the trace asap.

The windows 10 box was configured with 'Turn off password protected sharing' in 'Manage advanced sharing settings'.
Comment 4 Stefan Metzmacher 2016-04-15 09:51:14 UTC
(In reply to crisb from comment #3)

Ok, got it reproduced.

The thing is you are trying to authenticate as guest without
making it explicit.

smbclient -U% //desktop-5blpm4c/Video
should do what you want.
Comment 5 Stefan Metzmacher 2016-04-15 10:09:16 UTC
(In reply to Stefan Metzmacher from comment #4)

Sorry I tested with

smbclient -U% //desktop-5blpm4c/Video -mSMB3
Comment 6 crisb 2016-04-15 10:27:35 UTC
ok will try that when I can.

for smb4k the issue seems to be it is issuing:

net rap server domain -p 139 -I <ip addr redacted> -w MYGROUP -S LOCALHOST -U %

and this is returning no members on 4.3.8, whereas on 4.3.6 there is one.  similar for other workgroups found.

is this related?
Comment 7 crisb 2016-04-15 10:51:56 UTC
ok,

smbclient -U% //desktop-5blpm4c/Video -mSMB3

works but:

smbclient -U% //desktop-5blpm4c/Video

fails still.
Comment 8 crisb 2016-04-15 12:29:18 UTC
client ipc max protocol = NT1

makes

net rap server domain -p 139 -I <ip addr redacted> -w MYGROUP -S TEST01 -U %

work again correctly and return the machines present.

note that none of the machines in the workgroup are running samba 4.3.8 (so I presume querying them shouldn't change in 4.3.8)
Comment 9 crisb 2016-04-15 12:42:36 UTC
interestingly doing the command on localhost, which is of course running 4.3.8 (so 4.3.8 client and 4.3.8 server):

 net rap server domain -p 139 -I 172.29.0.187 -w MYGROUP -S LOCALHOST -U %

without min client rpc setting:


Enumerating servers in this domain or workgroup:

        Server name          Server description
        -------------        ----------------------------


with min client rpc version NT1:


Enumerating servers in this domain or workgroup:

        Server name          Server description
        -------------        ----------------------------
        LOCALHOST            Samba Server
Comment 10 crisb 2016-04-16 08:01:46 UTC
previous comment s/min/max
Comment 11 crisb 2016-04-16 10:10:38 UTC
so, setting:

client max protocol = SMB3
client ipc max protocol = NT1

fixes browsing on smb4k and logging on to passwordless windows shares.

however "client max protocol = SMB3" breaks browsing with dolphin (no machines appear).  

mounting with dolphin and smb4k is still broken because they use smbmount/mount.cifs which don't pick up these values from the smb.conf.
Comment 12 Stefan Metzmacher 2016-04-20 10:03:41 UTC
*** Bug 11859 has been marked as a duplicate of this bug. ***
Comment 13 Sérgio Basto 2016-04-27 23:00:37 UTC
I don't believe this, you prefer some stupid security to letting things work. Today I couldn't print because security is more important, especially when I'm on an intranet.
Comment 14 Stefan Metzmacher 2016-04-28 03:08:19 UTC
Please test the patches from bug #11849, thanks!
Comment 15 Giulio 2016-04-28 18:04:57 UTC
(In reply to Stefan Metzmacher from comment #14)
 
I rebuilt the CentOS 7.2 samba-4.2.10-6.el7_2 rpm with the patch.
 
Now smbclient works fine, as before the April 12 update.
 
No more
 NTLMSSP packet check failed due to short signature (0 bytes)!
 NTLMSSP NTLM2 packet check failed due to invalid signature!
errors.
 
Note that w/o the patch, in my case "-mSMB3" was not enough, it would allow you
to browse the Win7 machine, but when printing you get:
NT_STATUS_ACCESS_DENIED opening remote file \filename
This error persists even with the patch (that is, if I still use "-mSMB3");
but this is not an issue anymore since with the patch I can use smbclient
w/o any option and it works as expected.
Comment 16 crisb 2016-04-29 22:39:52 UTC
smbclient with no user works fine now, but:

net rap server domain -p 139 -I <ip addr redacted> -w MYGROUP -S TEST01 -U %

still returns nothing, and dolphin still asks for password.
Comment 17 Christian Ambach 2016-05-10 18:39:08 UTC
*** Bug 11885 has been marked as a duplicate of this bug. ***
Comment 18 hrm-temp@sonic.net 2016-07-04 20:46:21 UTC
I just tried Samba version 4.4.4-3.1-x86_64 from http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_13.1/ on an openSUSE 13.1 64-bit KDE system.
Dolphin again requires a username and password when trying to access a Windows 10 machine which has no password set.
Went back to 4.1.22-3.51.1 and access works.
Comment 19 hrm-temp@sonic.net 2016-07-06 05:30:22 UTC
There is an odd but effective work-around described at https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572876/comments/27
namely, when the authentication window pops up:

"for UNprotected share just use your local ubuntu account credentials (login and password)
for protected share use credentials that was set on share-host machine"

This works with Samba 4.3.9 and Nemo on Mint 18 Cinnamon 32-bit, and 4.4.4 and Dolphin on openSUSE 13.1 KDE 32-bit.

It does NOT work with 4.2.4 32-bit on openSUSE 13.1 KDE.
Regards,
Howard
Comment 20 Sérgio Basto 2016-07-13 22:41:32 UTC
With samba 4.4.4 on Fedora 23, NT_STATUS is not ACCESS_DENIED and I have new messages like:

Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) 

NetBIOS over TCP disabled -- no workgroup available

I'm building samba 4.4.5 ATM.

I googled a little:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3a909c8-04e8-485d-894c-3f92683c0fd7/can-not-enable-netbios-over-tcpip-on-shared-network-interface?forum=winserverhyperv

https://support.microsoft.com/en-us/kb/204279

I haven't yet tried enabling "NetBIOS over TCP" on the Windows 7 Home machine,
but I tested with the firewall disabled on my Linux machine.
Comment 21 Stefan Metzmacher 2017-07-03 21:56:53 UTC
(In reply to Stefan Metzmacher from comment #14)

This is fixed since the patches from bug #11849 were released
August 2016.