Created attachment 17063 [details] network traces Hey there, I'm experiencing a bug since version 4.14 and higher of Samba/libsmbclient, that prevents me from accessing a Windows share using a file manager in Linux like Dolphin or Nautilus, if the Windows share has been configured to not require authentication. Accessing Windows shares that are password-protected works without issue. Mounting these shares using cifs works as well and connecting/browsing through the shares using smbclient works as well. Accessing these Windows shares using another Windows system works as well. This issue has already been discussed here:https://bugs.kde.org/show_bug.cgi?id=445416 There, another user with the same issue hinted me to try samba <=4.13, which I did and it worked again (though not as expected, as I had to enter the name of the PC as user and could choose any password, instead of not asking me for any authentication at all). A similar issue has already been discussed here, though, they are not the same: https://bugzilla.samba.org/show_bug.cgi?id=14326 There, the author also hinted at another discussing, hinting at an issue in libsmbclient: https://bugs.kde.org/show_bug.cgi?id=398079#c19 As this issue exists in both Dolphin and Nautilus using KIO and GVFS respectively, it's more likely that issue is on samba's side than on theirs. I have attached the output of "tcpdump -s0 -w /tmp/sniff.pcap host <ip-of-the-windows-target-machine>" on a machine running samba 4.15.3 (not working) and one using 4.13.14 (working). Should any additional logs or information be required, I'd be very happy to help!
the traces seem to contain connection multiple attempts over a period of 50s. Did you intend to capture only one connection attempt? It would be helpful if you make one capture per failure scenario and not multiple tests in one capture, then we can only guess what is going on there. Apart of that: - the 4.13 capture shows connection attempts with user HEIMNETZWERK\Arbeitszimmer AND empty guest connection attempts. The guest connection attempts are rejected with STATUS_ACCESS_DENIED. The one that is successful at the end of the capture is a Arbeitszimmer and not a guest logon - the 4.15 capture shows in the middle also a successfull Arbeitszimmer sesion setup. The empty guest logons are also all rejected with STATUS_ACCESS_DENIED here. If with 4.13 there was a guest logon requested but a "Arbeitszimmer" logon was done finally, then this is an error (and not the failing guest logons). I don't think that libsmbclient is making such a fallback. Is the KDE/Gnome code making a fallback to a guessed auth user after the guest session setup was unsuccessful? If this is the case, then they should fix that. See also https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default for why guest connections are usually expected NOT to work these days.
(In reply to Björn Jacke from comment #1) In the 4.15 capture the client requires signing which is incompatible with guest authentication. Is the smb.conf file different between 4.13 and 4.15?
(In reply to Stefan Metzmacher from comment #2) I guess it's this commit: commit d0062d312cbbf80afd78143ca5c0be68f2d72b03 Author: Andreas Schneider <asn@samba.org> AuthorDate: Wed Jun 10 12:40:13 2020 +0200 Commit: Andreas Schneider <asn@cryptomilk.org> CommitDate: Wed Aug 19 16:22:42 2020 +0000 s3:libsmb: Use cli_credentials_set_smb_encryption() This also adds a SMBC_ENCRYPTLEVEL_DEFAULT to 'enum smbc_smb_encrypt_level' in order to use the smb.conf default value. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> it changed the default from SMBC_ENCRYPTLEVEL_NONE to SMBC_ENCRYPTLEVEL_DEFAULT, while we still have this code in SMBC_server_internal(): if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) { signing_state = SMB_SIGNING_REQUIRED; } I guess it should be changed to: if (context->internal->smb_encryption_level > SMBC_ENCRYPTLEVEL_NONE) { signing_state = SMB_SIGNING_REQUIRED; }
*** Bug 14761 has been marked as a duplicate of this bug. ***
(In reply to Björn Jacke from comment #1) Thank you for your reply! I had multiple attempts in one file indeed, I didn't know I was not supposed to, I'm sorry. Would it be helpful if I re-do the attempts, one per capture? I've had a look at the link you sent, we're using Windows 10 Pro on the machines here, so guest access should still work. Only Windows 10 Education, Enterprise and Server 2019 are affected, as far as I understood.
(In reply to Stefan Metzmacher from comment #2) The smb.conf file used in the 4.13 and 4.15 capture are the same.
The last patch from https://gitlab.com/samba-team/samba/-/merge_requests/2308 should fix the problem
Hey there, I installed samba with the proposed PR, but it doesn't fix the issue: A connection is still not possible. I ran dolphin in a terminal and got the following output: smbXcli_negprot_smb1_done: No compatible protocol selected by server. smbXcli_negprot_smb1_done: No compatible protocol selected by server. smbXcli_negprot_smb1_done: No compatible protocol selected by server. smbXcli_negprot_smb1_done: No compatible protocol selected by server. Bad SMB2 (sign_algo_id=1) signature for message [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0000] EB AB 4D 1B BA EA 0F 42 DD 44 3E 24 3C 8C 2A 52 ..M....B .D>$<.*R Bad SMB2 (sign_algo_id=1) signature for message [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0000] 55 D9 D2 3A AD D5 17 D0 B7 A3 80 2A 66 96 6F 14 U..:.... ...*f.o. Bad SMB2 (sign_algo_id=1) signature for message [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0000] 86 D1 97 0B C4 0E 57 70 11 92 00 6B 22 2A F9 42 ......Wp ...k"*.B Interestingly, I don't get the bad login message when entering nothing in the login fields (= guest login) but it still doesn't work. I attached the network dumps again, this time with only one attempt per file, differentiating in the user name (the user name can be found in the file names). Also done with samba version 4.16.0pre1-GIT-1ea659b59ab I hope these help!
Created attachment 17065 [details] Network traces 4.16.0pre1-GIT-1ea659b59ab
This bug was referenced in samba master: 648b476dcdb6f378b627266cb787fd8f38fba56a 59e436297b0a4baa01e4e8a4bbb9c0bc9d7e1f29 0a808f6b53f50f426bd706f5327f610bb9e5967d 9d2bf015378c5bc630c92618e034c5eba95cc6b4
(In reply to Tobias Görgens from comment #8) Are you really sure the correct library was used? Can you please paste the commands you used to build samba? And 'ldd /usr/bin/dolphin' as well as running dolphin under strace like 'strace -f -ttT -s 512 -o /dev/shm/dolphin.strace.txt /usr/bin/dolphin' At the same time run the network capture, thanks!
(In reply to Stefan Metzmacher from comment #11) Hi there, To be honest, I'm not 100% sure if dolphin used the correct version, but I didn't know a way to show which library it uses and I did everything to make sure it uses it. Anyway, here are the requested information: To get the source, I cloned https://gitlab.com/samba-team/devel/samba/ And used "git checkout metze-libsmb" to switch to the branch of the MR. Then, I used the commands shown here to build samba: https://wiki.samba.org/index.php/Build_Samba_from_Source#Samba_Operating_System_Requirements (starting with "./configure"). In the end, I had to make sure that the installed binaries are used, so I added "export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH" in /etc/profile and "export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH" in /etc/environment Afterwards, I opened a new terminal window and ran smbclient --version to verify the version, it showed 4.16.0pre1-GIT-1ea659b59ab as expected. Then, I opened dolphin in this terminal window. I hope this was the correct way. "ldd /usr/bin/dolphin" shows: https://pastebin.com/AQXU9VeY I attached the new network traces while running it under strace (and the strace logs as well). I did it the following way: I opened dolphin with strace, then started the network trace. After not being able to connect, I closed dolphin and then stopped the network trace. I hope it did everything right here & that the logs help! :)
Created attachment 17066 [details] Strace + Network traces with 4.16.0pre1-GIT-1ea659b59ab
(In reply to Tobias Görgens from comment #13) As I assumed the strace shows /usr/lib/libsmbclient.so.0 is used. I guess you also need to export LD_LIBRARY_PATH similar to PATH, it needs to contain the directory under /usr/local where you find libsmbclient.so.0
(In reply to Stefan Metzmacher from comment #14) Oh OK, I'm sorry :( I tried everything I found to set LD_PATH_LIBRARY, but nothing seemed to work 100%. I uploaded the strace of the new attempt here: https://drive.google.com/file/d/1yhuc9ES6sZWqNCq7Veuoik3zoCVHVh49/view?usp=sharing but "/usr/lib/libsmbclient.so.0" is still shown sometimes (sometimes the new library is used interestingly) and accessing the share doesn't work. I added export LD_LIBRARY_PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$LD_LIBRARY_PATH to /etc/profile and /etc/environment again. Does someone have another idea what I could try?
(In reply to Tobias Görgens from comment #15) You could try moving the existing libsmbclient.so.0 out of the way and then create a symlink to the new instead.
(In reply to Tobias Görgens from comment #15) You need to find the path that contains libsmbclient.so.0 (most likely /usr/local/lib) not the bin/ and sbin/ directories.
(In reply to Rowland Penny from comment #16) (In reply to Stefan Metzmacher from comment #17) Thank you very much! :) I created the symlinks, accessing the shares once again works! :) Interestingly though, I still need to enter the name of the Windows machine (not user name, actual name of the PC shown in network discovery), guest login still doesn't work. But I can access it, so that's a win! :) Should I send some logs to investigate why guest login still doesn't work?
(In reply to Tobias Görgens from comment #18) If you are using windows 10, check if guest access is allowed, this is now turned off by default.
(In reply to Rowland Penny from comment #19) Hey there, that's actually not completely true: In Windows 10 Home and Pro, Guest access is still enabled by default. The Microsoft Doc says the following: " Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials. Windows Server 2019 Datacenter and Standard editions no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials. Windows 10 Home and Pro are unchanged from their previous default behavior; they allow guest authentication by default." https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default But to be sure, I manually enabled guest access as well, but it's still not working.
(In reply to Tobias Görgens from comment #20) Thanks for pointing that out, I rarely use Windows (only when I really have to) and I then use W10 enterprise, so I cannot use guest access. I thought it was the same on all W10 versions. Do you have any Linux clients you could try guest access from ?
(In reply to Rowland Penny from comment #21) Yes, guest access on a linux server works just fine. So it's just an issue with Windows servers. Might someone else be able to confirm this? Is guest access possible for someone sharing from W10 Home/Pro?
Created attachment 17098 [details] Patches for v4-15-test
Created attachment 17099 [details] Patches for v4-14-test
(In reply to Tobias Görgens from comment #22) Can you upload captures for the case where you think guest authentication is not working?
Jule, can you please apply the patches to the relevant branches? Thanks!
Pushed to autobuild-v4-{15,14}-test.
This bug was referenced in samba v4-14-test: 72e5b758e04dab11fccc21d3c7bc22aace393527 8feb866c2151ec88a61598abd4f602aefeb26aea 7aa5875ff926b14cd4feb183a308bb39cf6ad77d be1b37e7c6ebd5a38202d807df990793fd450b68
This bug was referenced in samba v4-15-test: dfabc5da3863fecaf408ab8550645518c097302d 025749c3773b64d82dca1edfc82fc1898c7c1763 a9c32e69546975687d87c5f803c1d092559a0664 a4281c9ea7fed0abc2d0a9301a5ca684e9386efe
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.4): dfabc5da3863fecaf408ab8550645518c097302d 025749c3773b64d82dca1edfc82fc1898c7c1763 a9c32e69546975687d87c5f803c1d092559a0664 a4281c9ea7fed0abc2d0a9301a5ca684e9386efe
(In reply to Stefan Metzmacher from comment #25) Hello, I already uploaded traces with trying guest access, where it should be working. :)
(In reply to Tobias Görgens from comment #32) ArbeitszimmerLogin.pcap frame 127 shows that guest is working. Anonymous (empty username) access is denied in frame 133. Guest Authentication means a given (non-empty) username/password combination is ignored and the access is mapped to the "Guest" user instead and results in a token with the SID of the Guest Account (with RID 501) and no valid session key shared by client and server, which means signing can't work. This was the problem that the patches address, we no longer require signing by default. Anonymous Authentication (with an empty username/password) is different it would result in a token with S-1-5-7 (SID_NT_ANONYMOUS). I guess with guest authentication is not working your are actually talking about anonymous authentication, correct?
(In reply to Stefan Metzmacher from comment #33) Sorry for the late answer, yes, I actually meant anonymous access. Should that work?
This bug was referenced in samba v4-14-stable (Release samba-4.14.13): 72e5b758e04dab11fccc21d3c7bc22aace393527 8feb866c2151ec88a61598abd4f602aefeb26aea 7aa5875ff926b14cd4feb183a308bb39cf6ad77d be1b37e7c6ebd5a38202d807df990793fd450b68