Bug 12965 - smbclient fails: no access to shares on Mac OSX server
smbclient fails: no access to shares on Mac OSX server
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
4.6.6
x64 Linux
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-15 06:26 UTC by Alex
Modified: 2017-08-15 21:57 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex 2017-08-15 06:26:36 UTC
Hi!

Probably I'm a victim of the weird circumstances described in this thread 
here:

https://lists.samba.org/archive/samba-technical/2017-June/121241.html

However, this is the issue I am confronted with:

I can no longer use smb / smbclient to mount shares on a Mac OSX server, which 
used to work some monthes ago. I'm on Linux (openSuse Leap 42.3). If I try, I 
get an error message, see below. 

smbclient --version
Version 4.6.6-git.36.67c8c47724e3.1-SUSE-SLE_12-x86_64

There is an iMac with the server app running. No further updates available, 
neither for MacOS, nor for the server app on the Mac.

Here is the output of smbclient: 

=============================

smbclient -msmb3 -U AW //192.168.XXX.20/Shared -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter passdb backend = tdbsam
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter printcap cache time = 750
doing parameter cups options = raw
doing parameter map to guest = Bad User
doing parameter include = /etc/samba/dhcp.conf
Can't find include file /etc/samba/dhcp.conf
doing parameter logon path = \\%L\profiles\.msprofile
doing parameter logon home = \\%L\%U\.9xprofile
doing parameter usershare allow guests = Yes
doing parameter client ntlmv2 auth = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface wlan0 ip=192.168.XXX.104 bcast=192.168.XXX.255 
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="LINUX-VYSJ"
Client started (version 4.6.6-git.36.67c8c47724e3.1-SUSE-SLE_12-x86_64).
Connecting to 192.168.XXX.20 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 372480
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Enter WORKGROUP\AW's password: 
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
     negotiate: struct NEGOTIATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmNegotiate (1)
        NegotiateFlags           : 0x62088215 (1644724757)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               1: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
        DomainNameLen            : 0x0000 (0)
        DomainNameMaxLen         : 0x0000 (0)
        DomainName               : *
            DomainName               : ''
        WorkstationLen           : 0x0000 (0)
        WorkstationMaxLen        : 0x0000 (0)
        Workstation              : *
            Workstation              : ''
        Version: struct ntlmssp_VERSION
            ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
            ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
            ProductBuild             : 0x0000 (0)
            Reserved: ARRAY(3)
                [0]                      : 0x00 (0)
                [1]                      : 0x00 (0)
                [2]                      : 0x00 (0)
            NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x22810205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade 
detected! missing_flags[0x00080000] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
neg_flags[0x22000205]
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
SPNEGO(ntlmssp) login failed: NT code 0x80090302
SPNEGO login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

=========================================

So, is this a bug of either apple's smb implementation, or of samba?

The server is running, of course. From an iphone I can access the shares on the server. Server does not request only encrypted connections.  

Thank you!

Regards,

Alexander
Comment 1 Stefan Metzmacher 2017-08-15 08:56:39 UTC
This is fixed in 4.6.7
Comment 2 Alex 2017-08-15 21:57:26 UTC
(In reply to Stefan Metzmacher from comment #1)
True.

Thank you!