Bug 14151 - smbclient (CentOS 7) 4.9.1 to Mac OSX Sierra 10.12.6, can't enumerate shares, Error returning browse list: NT_STATUS_REVISION_MISMATCH
Summary: smbclient (CentOS 7) 4.9.1 to Mac OSX Sierra 10.12.6, can't enumerate shares,...
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.9.1
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-03 19:27 UTC by Christopher Cox
Modified: 2019-10-03 23:22 UTC (History)
1 user (show)

See Also:


Attachments
smbclient -d 10 -L doc_svr2 -U ccox -W SKOPOS (31.22 KB, text/plain)
2019-10-03 19:27 UTC, Christopher Cox
no flags Details
smb.conf (264 bytes, text/plain)
2019-10-03 19:27 UTC, Christopher Cox
no flags Details
Pcap (7.03 KB, application/vnd.tcpdump.pcap)
2019-10-03 19:28 UTC, Christopher Cox
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Cox 2019-10-03 19:27:06 UTC
Created attachment 15508 [details]
smbclient -d 10 -L doc_svr2 -U ccox -W SKOPOS

When trying to enumerate shares on Mac OSX using their native smb, we see:

Error returning browse list: NT_STATUS_REVISION_MISMATCH

Samba 4.9.1-6 from CentOS 7.

Attached is the level 10 debug smbclient output, our smb.conf and a pcap.
Comment 1 Christopher Cox 2019-10-03 19:27:40 UTC
Created attachment 15509 [details]
smb.conf
Comment 2 Christopher Cox 2019-10-03 19:28:04 UTC
Created attachment 15510 [details]
Pcap
Comment 3 Jeremy Allison 2019-10-03 19:47:21 UTC
(In reply to Christopher Cox from comment #2)

Capture frames can't be decoded into SMB by wireshark. Can you try the capture again and make sure you just capture full frames going between client and server.
Comment 4 Christopher Cox 2019-10-03 20:12:25 UTC
On 10/3/19 2:47 PM, samba-bugs@samba.org wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=14151
> 
> --- Comment #3 from Jeremy Allison <jra@samba.org> ---
> (In reply to Christopher Cox from comment #2)
> 
> Capture frames can't be decoded into SMB by wireshark. Can you try the capture
> again and make sure you just capture full frames going between client and
> server.
> 

Maybe my tcpdump is rusty.  I figured it was capturing enough.  What 
options do you recommend?
Comment 5 Jeremy Allison 2019-10-03 20:35:57 UTC
Actually, what would really help isn't the wireshark trace - but for you to set a gdb breakpoint on 

smb1cli_req_writev_submit()

and post me a gdb backtrace from that point.

If you know how to use gdb, being able to go up one frame to tstream_smbXcli_np_readv_trans_start() and then print out the contents of the cli_nps struct variable that would confirm.

I'm pretty sure that inside there you'll have:

cli_nps->is_smb1 = true (1)

and it should be false (0).

Now the question is *why*...
Comment 6 Jeremy Allison 2019-10-03 20:48:57 UTC
Oh, I think you may be blundering into a bug that got fixed in later Samba versions.

Inside your version of:

source3/client/client.c:browse_host() you have:

4897 /****************************************************************************
4898  Try and browse available connections on a host.
4899 ****************************************************************************/
4900 
4901 static bool browse_host(bool sort)
4902 {
4903         int ret;
4904         if (!grepable) {
4905                 d_printf("\n\tSharename       Type      Comment\n");
4906                 d_printf("\t---------       ----      -------\n");
4907         }
4908 
4909         if (browse_host_rpc(sort)) {
4910                 return true;
4911         }
4912 
4913         if((ret = cli_RNetShareEnum(cli, browse_fn, NULL)) == -1) {
4914                 NTSTATUS status = cli_nt_error(cli);
4915                 d_printf("Error returning browse list: %s\n",
4916                          nt_errstr(status));
4917         }
4918 
4919         return (ret != -1);
4920 }

Note that if 'browse_host_rpc(sort)' fails then it continues to the SMB1-specific cli_RNetShareEnum() call.

Modern versions of Samba have:

4900 /****************************************************************************
4901  Try and browse available connections on a host.
4902 ****************************************************************************/
4903 
4904 static bool browse_host(bool sort)
4905 {
4906         int ret;
4907 
4908         if (!grepable) {
4909                 d_printf("\n\tSharename       Type      Comment\n");
4910                 d_printf("\t---------       ----      -------\n");
4911         }
4912 
4913         if (browse_host_rpc(sort)) {
4914                 return true;
4915         }
4916 
4917         if (lp_client_min_protocol() > PROTOCOL_NT1) {
4918                 return false;
4919         }
4920 
4921         ret = cli_RNetShareEnum(cli, browse_fn, NULL);
4922         if (ret == -1) {
4923                 NTSTATUS status = cli_nt_error(cli);
4924                 d_printf("Error returning browse list: %s\n",
4925                          nt_errstr(status));
4926         }
4927 
4928         return (ret != -1);
4929 }

Note the fix at lines 4917-4919 that prevents falling through into cli_RNetShareEnum() if the SMB2 rpc call failed.

In your smbclient debug level 10 log you have:

rpc_api_pipe: host doc_svr2
cli_api_pipe failed: NT_STATUS_IO_TIMEOUT

*Then* followed by the smb1cli_req_writev_submit: called for dialect[SMB3_00] server[doc_svr2] error.

I think that means the server timed out the dcerpc_srvsvc_NetShareEnumAll() call, so it blundered into the old SMB1 code.

So that error message is a red herring.

The real problem is why the server isn't reponding to the dcerpc_srvsvc_NetShareEnumAll() call I think.
Comment 7 Jeremy Allison 2019-10-03 20:50:48 UTC
FYI, when talking to a MacOSX server you should always set 'client min protocol = SMB2' as Apple written Mac servers will never support SMB1.
Comment 8 Jeremy Allison 2019-10-03 21:01:01 UTC
See bug:

https://bugzilla.samba.org/show_bug.cgi?id=14152

I just logged, as it still needs some changes in master/Samba-current releases.
Comment 9 Christopher Cox 2019-10-03 23:22:14 UTC
The netbios port (139) is closed on doc_svr2.  But again, Windows can enumerate the shares, Mac can enumerate the shares... but maybe it's why smbclient can't?

(I'm just guesing... feel free to ignore if n/a)