Bug 14935 - Can't connect to Windows shares not requiring authentication using KDE/Gnome
Summary: Can't connect to Windows shares not requiring authentication using KDE/Gnome
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.15.3
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
: 14761 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-12-20 20:23 UTC by Tobias Görgens
Modified: 2022-01-20 13:22 UTC (History)
5 users (show)

See Also:


Attachments
network traces (90.98 KB, application/gzip)
2021-12-20 20:23 UTC, Tobias Görgens
no flags Details
Network traces 4.16.0pre1-GIT-1ea659b59ab (7.89 KB, application/gzip)
2021-12-23 17:29 UTC, Tobias Görgens
no flags Details
Strace + Network traces with 4.16.0pre1-GIT-1ea659b59ab (3.01 MB, application/gzip)
2021-12-28 14:13 UTC, Tobias Görgens
no flags Details
Patches for v4-15-test (9.06 KB, patch)
2022-01-17 14:18 UTC, Stefan Metzmacher
asn: review+
Details
Patches for v4-14-test (9.06 KB, patch)
2022-01-17 14:19 UTC, Stefan Metzmacher
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Görgens 2021-12-20 20:23:03 UTC
Created attachment 17063 [details]
network traces

Hey there,

I'm experiencing a bug since version 4.14 and higher of Samba/libsmbclient, that prevents me from accessing a Windows share using a file manager in Linux like Dolphin or Nautilus, if the Windows share has been configured to not require authentication.
Accessing Windows shares that are password-protected works without issue.
Mounting these shares using cifs works as well and connecting/browsing through the shares using smbclient works as well.
Accessing these Windows shares using another Windows system works as well.

This issue has already been discussed here:https://bugs.kde.org/show_bug.cgi?id=445416

There, another user with the same issue hinted me to try samba <=4.13, which I did and it worked again (though not as expected, as I had to enter the name of the PC as user and could choose any password, instead of not asking me for any authentication at all).

A similar issue has already been discussed here, though, they are not the same:
https://bugzilla.samba.org/show_bug.cgi?id=14326

There, the author also hinted at another discussing, hinting at an issue in libsmbclient: https://bugs.kde.org/show_bug.cgi?id=398079#c19

As this issue exists in both Dolphin and Nautilus using KIO and GVFS respectively, it's more likely that issue is on samba's side than on theirs.

I have attached the output of "tcpdump -s0 -w /tmp/sniff.pcap host <ip-of-the-windows-target-machine>" on a machine running samba 4.15.3 (not working) and one using 4.13.14 (working).

Should any additional logs or information be required, I'd be very happy to help!
Comment 1 Björn Jacke 2021-12-21 07:42:13 UTC
the traces seem to contain connection multiple attempts over a period of 50s. Did you intend to capture only one connection attempt? It would be helpful if you make one capture per failure scenario and not multiple tests in one capture, then we can only guess what is going on there.

Apart of that:

- the 4.13 capture shows connection attempts with user HEIMNETZWERK\Arbeitszimmer AND empty guest connection attempts. The guest connection attempts are rejected with STATUS_ACCESS_DENIED. The one that is successful at the end of the capture is a Arbeitszimmer and not a guest logon

- the 4.15 capture shows in the middle also a successfull Arbeitszimmer sesion setup. The empty guest logons are also all rejected with STATUS_ACCESS_DENIED here.

If with 4.13 there was a guest logon requested but a "Arbeitszimmer" logon was done finally, then this is an error (and not the failing guest logons). I don't think that libsmbclient is making such a fallback. Is the KDE/Gnome code making a fallback to a guessed auth user after the guest session setup was unsuccessful? If this is the case, then they should fix that.

See also https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default for why guest connections are usually expected NOT to work these days.
Comment 2 Stefan Metzmacher 2021-12-21 09:10:21 UTC
(In reply to Björn Jacke from comment #1)

In the 4.15 capture the client requires signing which is incompatible with
guest authentication.

Is the smb.conf file different between 4.13 and 4.15?
Comment 3 Stefan Metzmacher 2021-12-21 09:58:28 UTC
(In reply to Stefan Metzmacher from comment #2)

I guess it's this commit:

commit d0062d312cbbf80afd78143ca5c0be68f2d72b03
Author:     Andreas Schneider <asn@samba.org>
AuthorDate: Wed Jun 10 12:40:13 2020 +0200
Commit:     Andreas Schneider <asn@cryptomilk.org>
CommitDate: Wed Aug 19 16:22:42 2020 +0000

    s3:libsmb: Use cli_credentials_set_smb_encryption()
    
    This also adds a SMBC_ENCRYPTLEVEL_DEFAULT to 'enum
    smbc_smb_encrypt_level' in order to use the smb.conf default value.
    
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

it changed the default from SMBC_ENCRYPTLEVEL_NONE to SMBC_ENCRYPTLEVEL_DEFAULT,

while we still have this code in SMBC_server_internal():

        if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
                signing_state = SMB_SIGNING_REQUIRED;
        }

I guess it should be changed to:

        if (context->internal->smb_encryption_level > SMBC_ENCRYPTLEVEL_NONE) {
                signing_state = SMB_SIGNING_REQUIRED;
        }
Comment 4 Stefan Metzmacher 2021-12-21 10:18:02 UTC
*** Bug 14761 has been marked as a duplicate of this bug. ***
Comment 5 Tobias Görgens 2021-12-21 10:27:20 UTC
(In reply to Björn Jacke from comment #1)

Thank you for your reply!

I had multiple attempts in one file indeed, I didn't know I was not supposed to, I'm sorry.
Would it be helpful if I re-do the attempts, one per capture?

I've had a look at the link you sent, we're using Windows 10 Pro on the machines here, so guest access should still work.
Only Windows 10 Education, Enterprise and Server 2019 are affected, as far as I understood.
Comment 6 Tobias Görgens 2021-12-21 10:29:00 UTC
(In reply to Stefan Metzmacher from comment #2)
The smb.conf file used in the 4.13 and 4.15 capture are the same.
Comment 7 Stefan Metzmacher 2021-12-21 12:09:15 UTC
The last patch from https://gitlab.com/samba-team/samba/-/merge_requests/2308
should fix the problem
Comment 8 Tobias Görgens 2021-12-23 17:29:00 UTC
Hey there,

I installed samba with the proposed PR, but it doesn't fix the issue: A connection is still not possible.

I ran dolphin in a terminal and got the following output:
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Bad SMB2 (sign_algo_id=1) signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] EB AB 4D 1B BA EA 0F 42   DD 44 3E 24 3C 8C 2A 52   ..M....B .D>$<.*R
Bad SMB2 (sign_algo_id=1) signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 55 D9 D2 3A AD D5 17 D0   B7 A3 80 2A 66 96 6F 14   U..:.... ...*f.o.
Bad SMB2 (sign_algo_id=1) signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 86 D1 97 0B C4 0E 57 70   11 92 00 6B 22 2A F9 42   ......Wp ...k"*.B

Interestingly, I don't get the bad login message when entering nothing in the login fields (= guest login) but it still doesn't work.

I attached the network dumps again, this time with only one attempt per file, differentiating in the user name (the user name can be found in the file names).
Also done with samba version 4.16.0pre1-GIT-1ea659b59ab

I hope these help!
Comment 9 Tobias Görgens 2021-12-23 17:29:56 UTC
Created attachment 17065 [details]
Network traces 4.16.0pre1-GIT-1ea659b59ab
Comment 10 Samba QA Contact 2021-12-27 16:39:06 UTC
This bug was referenced in samba master:

648b476dcdb6f378b627266cb787fd8f38fba56a
59e436297b0a4baa01e4e8a4bbb9c0bc9d7e1f29
0a808f6b53f50f426bd706f5327f610bb9e5967d
9d2bf015378c5bc630c92618e034c5eba95cc6b4
Comment 11 Stefan Metzmacher 2021-12-28 12:44:50 UTC
(In reply to Tobias Görgens from comment #8)

Are you really sure the correct library was used?

Can you please paste the commands you used to build samba?

And 'ldd /usr/bin/dolphin' as well as running dolphin under strace like
'strace -f -ttT -s 512 -o /dev/shm/dolphin.strace.txt /usr/bin/dolphin'

At the same time run the network capture, thanks!
Comment 12 Tobias Görgens 2021-12-28 14:12:17 UTC
(In reply to Stefan Metzmacher from comment #11)

Hi there,
To be honest, I'm not 100% sure if dolphin used the correct version, but I didn't know a way to show which library it uses and I did everything to make sure it uses it.

Anyway, here are the requested information:

To get the source, I cloned https://gitlab.com/samba-team/devel/samba/
And used "git checkout metze-libsmb" to switch to the branch of the MR.
Then, I used the commands shown here to build samba:
https://wiki.samba.org/index.php/Build_Samba_from_Source#Samba_Operating_System_Requirements
(starting with "./configure").

In the end, I had to make sure that the installed binaries are used, so I added
"export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH" in /etc/profile
and "export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH" in /etc/environment

Afterwards, I opened a new terminal window and ran smbclient --version to verify the version, it showed 4.16.0pre1-GIT-1ea659b59ab as expected. Then, I opened dolphin in this terminal window.
I hope this was the correct way.

"ldd /usr/bin/dolphin" shows:
https://pastebin.com/AQXU9VeY

I attached the new network traces while running it under strace (and the strace logs as well).
I did it the following way: I opened dolphin with strace, then started the network trace. After not being able to connect, I closed dolphin and then stopped the network trace.
I hope it did everything right here & that the logs help! :)
Comment 13 Tobias Görgens 2021-12-28 14:13:12 UTC
Created attachment 17066 [details]
Strace + Network traces with 4.16.0pre1-GIT-1ea659b59ab
Comment 14 Stefan Metzmacher 2021-12-28 20:32:52 UTC
(In reply to Tobias Görgens from comment #13)

As I assumed the strace shows /usr/lib/libsmbclient.so.0 is used.

I guess you also need to export LD_LIBRARY_PATH similar to PATH,
it needs to contain the directory under /usr/local where you find libsmbclient.so.0
Comment 15 Tobias Görgens 2021-12-28 21:42:38 UTC
(In reply to Stefan Metzmacher from comment #14)

Oh OK, I'm sorry :(

I tried everything I found to set LD_PATH_LIBRARY, but nothing seemed to work 100%.
I uploaded the strace of the new attempt here:
https://drive.google.com/file/d/1yhuc9ES6sZWqNCq7Veuoik3zoCVHVh49/view?usp=sharing

but "/usr/lib/libsmbclient.so.0" is still shown sometimes (sometimes the new library is used interestingly) and accessing the share doesn't work.
I added export LD_LIBRARY_PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$LD_LIBRARY_PATH to /etc/profile and /etc/environment again.

Does someone have another idea what I could try?
Comment 16 Rowland Penny 2021-12-28 22:03:44 UTC
(In reply to Tobias Görgens from comment #15)
You could try moving the existing libsmbclient.so.0 out of the way and then create a symlink to the new instead.
Comment 17 Stefan Metzmacher 2021-12-29 08:10:39 UTC
(In reply to Tobias Görgens from comment #15)

You need to find the path that contains libsmbclient.so.0 (most likely /usr/local/lib) not the bin/ and sbin/ directories.
Comment 18 Tobias Görgens 2021-12-30 12:00:30 UTC
(In reply to Rowland Penny from comment #16)
(In reply to Stefan Metzmacher from comment #17)

Thank you very much! :)

I created the symlinks, accessing the shares once again works! :)

Interestingly though, I still need to enter the name of the Windows machine (not user name, actual name of the PC shown in network discovery), guest login still doesn't work.

But I can access it, so that's a win! :)

Should I send some logs to investigate why guest login still doesn't work?
Comment 19 Rowland Penny 2021-12-30 15:23:02 UTC
(In reply to Tobias Görgens from comment #18)
If you are using windows 10, check if guest access is allowed, this is now turned off by default.
Comment 20 Tobias Görgens 2022-01-01 11:44:08 UTC
(In reply to Rowland Penny from comment #19)

Hey there,

that's actually not completely true: In Windows 10 Home and Pro, Guest access is still enabled by default.
The Microsoft Doc says the following:
"    Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
    Windows Server 2019 Datacenter and Standard editions no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
    Windows 10 Home and Pro are unchanged from their previous default behavior; they allow guest authentication by default."

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

But to be sure, I manually enabled guest access as well, but it's still not working.
Comment 21 Rowland Penny 2022-01-01 14:31:32 UTC
(In reply to Tobias Görgens from comment #20)
Thanks for pointing that out, I rarely use Windows (only when I really have to) and I then use W10 enterprise, so I cannot use guest access. I thought it was the same on all W10 versions.

Do you have any Linux clients you could try guest access from ?
Comment 22 Tobias Görgens 2022-01-01 23:56:36 UTC
(In reply to Rowland Penny from comment #21)
Yes, guest access on a linux server works just fine. So it's just an issue with Windows servers.

Might someone else be able to confirm this?
Is guest access possible for someone sharing from W10 Home/Pro?
Comment 23 Stefan Metzmacher 2022-01-17 14:18:45 UTC
Created attachment 17098 [details]
Patches for v4-15-test
Comment 24 Stefan Metzmacher 2022-01-17 14:19:11 UTC
Created attachment 17099 [details]
Patches for v4-14-test
Comment 25 Stefan Metzmacher 2022-01-17 14:21:30 UTC
(In reply to Tobias Görgens from comment #22)

Can you upload captures for the case where you think guest authentication
is not working?
Comment 26 Andreas Schneider 2022-01-17 14:32:00 UTC
Jule, can you please apply the patches to the relevant branches? Thanks!
Comment 27 Jule Anger 2022-01-18 17:41:14 UTC
Pushed to autobuild-v4-{15,14}-test.
Comment 28 Samba QA Contact 2022-01-18 18:57:03 UTC
This bug was referenced in samba v4-14-test:

72e5b758e04dab11fccc21d3c7bc22aace393527
8feb866c2151ec88a61598abd4f602aefeb26aea
7aa5875ff926b14cd4feb183a308bb39cf6ad77d
be1b37e7c6ebd5a38202d807df990793fd450b68
Comment 29 Samba QA Contact 2022-01-18 18:58:35 UTC
This bug was referenced in samba v4-15-test:

dfabc5da3863fecaf408ab8550645518c097302d
025749c3773b64d82dca1edfc82fc1898c7c1763
a9c32e69546975687d87c5f803c1d092559a0664
a4281c9ea7fed0abc2d0a9301a5ca684e9386efe
Comment 30 Jule Anger 2022-01-18 19:24:00 UTC
Closing out bug report.

Thanks!
Comment 31 Samba QA Contact 2022-01-19 15:08:30 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.4):

dfabc5da3863fecaf408ab8550645518c097302d
025749c3773b64d82dca1edfc82fc1898c7c1763
a9c32e69546975687d87c5f803c1d092559a0664
a4281c9ea7fed0abc2d0a9301a5ca684e9386efe
Comment 32 Tobias Görgens 2022-01-19 23:34:40 UTC
(In reply to Stefan Metzmacher from comment #25)
Hello,

I already uploaded traces with trying guest access, where it should be working. :)
Comment 33 Stefan Metzmacher 2022-01-20 13:22:21 UTC
(In reply to Tobias Görgens from comment #32)

ArbeitszimmerLogin.pcap frame 127 shows that guest is working.

Anonymous (empty username) access is denied in frame 133.


Guest Authentication means a given (non-empty) username/password combination
is ignored and the access is mapped to the "Guest" user instead and results
in a token with the SID of the Guest Account (with RID 501) and no valid session key shared by client and server, which means signing can't work. This was the problem that the patches address, we no longer require signing by default.

Anonymous Authentication (with an empty username/password) is different
it would result in a token with S-1-5-7 (SID_NT_ANONYMOUS).

I guess with guest authentication is not working your are actually talking
about anonymous authentication, correct?