Bug 15669 - libsmbclient NT_STATUS_LOGON_FAILURE on NAS which not in AD
Summary: libsmbclient NT_STATUS_LOGON_FAILURE on NAS which not in AD
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.17.12
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2024-06-25 05:14 UTC by wangrong
Modified: 2024-06-25 05:22 UTC (History)
0 users

See Also:

samba-4.17.12 log (gvfs mount smb fail) (2.85 KB, text/plain)
2024-06-25 05:18 UTC, wangrong
no flags Details
samba-4.17.12 tcpdump (495.52 KB, application/vnd.tcpdump.pcap)
2024-06-25 05:20 UTC, wangrong
no flags Details
samba-4.9.5 log (gvfs mount smb ok) (2.57 KB, text/plain)
2024-06-25 05:21 UTC, wangrong
no flags Details
samba-4.9.5 tcpdump (2.95 MB, application/vnd.tcpdump.pcap)
2024-06-25 05:22 UTC, wangrong
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description wangrong 2024-06-25 05:14:13 UTC
There is a KDC in the network, but neither the client nor the server has entered the domain.
Use the following smbclient command to connect to a NAS server.
smbclient //vdi.crdc.com/netdisk -U tianjin.ssy.com/zhuxinang%<password>

Normally this will try the gse_krb5 authentication mechanism first, and upon failure it will use the ntlmssp authentication mechanism.
When trying the gse_krb5 authentication mechanism.
Since the client has access to the KDC, cli_session_creds_prepare_krb5() can succeed.
Since there is no service principal registered for the NAS in the KDC, gss_init_sec_context() in gse_get_client_auth_token() will fail.
But the gss_min returned by gss_init_sec_context() is not KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, but other values.
This causes gse_get_client_auth_token() to return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INVALID_PARAMETER.
This in turn causes the entire authentication process to fail instead of trying the ntlmssp authentication mechanism.

Other tests, Using samba-2:4.9.5 can successfully identify the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and connect successfully.

I'm confused why samba-2:4.17.12 doesn't detect the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and causes the authentication flow to break.
Comment 1 wangrong 2024-06-25 05:18:48 UTC
Created attachment 18352 [details]
samba-4.17.12 log (gvfs mount smb fail)
Comment 2 wangrong 2024-06-25 05:20:30 UTC
Created attachment 18353 [details]
samba-4.17.12 tcpdump
Comment 3 wangrong 2024-06-25 05:21:03 UTC
Created attachment 18354 [details]
samba-4.9.5 log (gvfs mount smb ok)
Comment 4 wangrong 2024-06-25 05:22:37 UTC
Created attachment 18355 [details]
samba-4.9.5 tcpdump