Discussion:
Problem with connecting to SMB server in 3.9.11 kernel.
Ben Greear
11 years ago
Permalink
Hello!

A customer reported problems connecting our CIFS traffic generation test gear to their SMB server.
We are using the 3.9.11+ kernel, and though it is patched, we do not have any
patches to cifs.

The OS is Fedora 14, 64-bit.

A similar system on Fedora 14, with a 3.7.10+ kernel was working, but when
we tried the 3.7.10+ kernel on the broken machine, it also failed to work.
So, it could be the SMB server itself is having issues. (In the 3.7.10+ failure,
the server just failed to respond after "Setup andX Request AUTH message", though we
did get the TCP ack so it looks like the message was received by the server.)

I'm attaching a capture taken on the SMB server.

From looking at this page:

http://msdn.microsoft.com/en-us/library/ff469913.aspx

It appears the problem (STATUS_UNSUCCESSFUL) is:

"The size of the extended attribute list is not correct. Check the EaErrorOffset field for the
address of the SMB_GEA structure at which the error was detected."

I did not see anything about extended attribute list in the capture, but if someone else
with more knowledge could take a look and see if they notice any problems I would be grateful.

Thanks!
Ben
--
Ben Greear <greearb-my8/4N5VtI7c+***@public.gmane.org>
Candela Technologies Inc http://www.candelatech.com
Jeff Layton
11 years ago
Permalink
On Sat, 18 Jan 2014 09:17:32 -0800
...
There's no EA list on this call so that description isn't valid here.

AIUI, NT_STATUS_UNSUCCESSFUL is basically a generic "something went
wrong" error (sort of like EIO on POSIX). It looks like the server
doesn't like something about the request being sent, but it's tough to
know what it is.

I cc'ed Shirish though as he wrote most of that code. Maybe he has some
idea?
--
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+***@public.gmane.org>
Tom Talpey
11 years ago
Permalink
...
The trace Ben attached shows an authentication failure, and I don't see any TRANS2_QUERY_FILE_INFORMATION in the trace at all as Ben references. The client is still sending its SESSION_SETUP attempt. Looks like the client is attempting NTLMSSP/NTLMv2 for NICVALIDATION\administrator, and this status is resulting from the authentication and not the SMB protocol.

Microsoft Message Analyzer shows no problem with the packet structure itself, in any case. So this doesn't appear to be a malformed request.

What type of server is this? The NativeOS string is "SpinStream2", which I don't recognize.
Amit Haval (India Bangalore)
11 years ago
Permalink
Adding our team to comment/help.

-----Original Message-----
From: Tom Talpey [mailto:ttalpey-***@public.gmane.org]
Sent: Monday, January 20, 2014 7:17 PM
To: Jeff Layton; Ben Greear
Cc: linux-cifs-***@public.gmane.org; Amit Haval (India Bangalore); Shirish Pargaonkar
Subject: RE: Problem with connecting to SMB server in 3.9.11 kernel.
...
The trace Ben attached shows an authentication failure, and I don't see any TRANS2_QUERY_FILE_INFORMATION in the trace at all as Ben references. The client is still sending its SESSION_SETUP attempt. Looks like the client is attempting NTLMSSP/NTLMv2 for NICVALIDATION\administrator, and this status is resulting from the authentication and not the SMB protocol.

Microsoft Message Analyzer shows no problem with the packet structure itself, in any case. So this doesn't appear to be a malformed request.

What type of server is this? The NativeOS string is "SpinStream2", which I don't recognize.


______________________________________________________________________
This email has been scanned by the Boundary Defense for Email Security System. For more information please visit http://www.apptix.com/email-security/antispam-virus
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the Boundary Defense for Email Security System. For more information please visit http://www.apptix.com/email-security/antispam-virus
______________________________________________________________________
Shirish Pargaonkar
11 years ago
Permalink
yes, this looks like a authentication failure.
It probably is a NetApp server. Can any other client (e.g. Windows,
smbclient etc.) authenticate using ntlmv2/ntlmssp to this server?

SMB servers do not typically point_out/log what part of the request is
invalid, so it is little harder to figure out how the request is incorrect.
...
Amit Haval (India Bangalore)
11 years ago
Permalink
Adding nic-dl...

-----Original Message-----
From: Shirish Pargaonkar [mailto:shirishpargaonkar-***@public.gmane.org]
Sent: Monday, January 20, 2014 9:24 PM
To: Ben Greear
Cc: linux-cifs; Amit Haval (India Bangalore)
Subject: Re: Problem with connecting to SMB server in 3.9.11 kernel.

yes, this looks like a authentication failure.
It probably is a NetApp server. Can any other client (e.g. Windows, smbclient etc.) authenticate using ntlmv2/ntlmssp to this server?

SMB servers do not typically point_out/log what part of the request is invalid, so it is little harder to figure out how the request is incorrect.
...
______________________________________________________________________
This email has been scanned by the Boundary Defense for Email Security System. For more information please visit http://www.apptix.com/email-security/antispam-virus
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the Boundary Defense for Email Security System. For more information please visit http://www.apptix.com/email-security/antispam-virus
______________________________________________________________________
Shirish Pargaonkar
11 years ago
Permalink
I will spend more time later tonight/tomorrow but it could be related to
cifs client not using Target received in NTLMSSP Challenge response from
the server (since the bit Target Type Domain in flags is set) while
constructing NTLMSSP Authenticate message. Just a guess.


On Mon, Jan 20, 2014 at 11:34 AM, Amit Haval (India Bangalore)
...
Ben Greear
11 years ago
Permalink
Post by Shirish Pargaonkar
I will spend more time later tonight/tomorrow but it could be related to
cifs client not using Target received in NTLMSSP Challenge response from
the server (since the bit Target Type Domain in flags is set) while
constructing NTLMSSP Authenticate message. Just a guess.
Did you have any luck with this?

Thanks,
Ben
--
Ben Greear <greearb-my8/4N5VtI7c+***@public.gmane.org>
Candela Technologies Inc http://www.candelatech.com
Shirish Pargaonkar
11 years ago
Permalink
I want to code to use Target Name instead of using domain name from
the avpair info received in type 2 ntlmssp challenge message from the server
to calculate ntlmv2 response within ntlmssp.
Will post a preliminary patch to try out with that code change (hopefully
in a day or two). That is one code change I think might work.
Post by Ben Greear
Post by Shirish Pargaonkar
I will spend more time later tonight/tomorrow but it could be related to
cifs client not using Target received in NTLMSSP Challenge response from
the server (since the bit Target Type Domain in flags is set) while
constructing NTLMSSP Authenticate message. Just a guess.
Did you have any luck with this?
Thanks,
Ben
--
Candela Technologies Inc http://www.candelatech.com
Shirish Pargaonkar
11 years ago
Permalink
I Was thinking perhaps client not setting either
NTLMSSP_TARGET_TYPE_SERVER or
NTLMSSP_TARGET_TYPE_DOMAIN or
NTLMSSP_TARGET_TYPE_SHARE
(the one that server sets in type 2/challenge message)
in type 3 message is a problem but it is not (as per page 33 in
ms-nlmp document).

cifs client should change to code Target Name instead of NetBIOS
domain name from Target Info to calculate ntlmv2 response but that is
not the problem here (because they happen to be the exact same).

Is there a way to check what kind of response this SMB server
expects i.e. NTLMv1 or NTLMv2? There may be a conf file on the
server effecting that.

Also, if you can provide wireshark trace for any other client besides
cifs client successfully authenticating with this server, that would be
useful too.
...
Shirish Pargaonkar
11 years ago
Permalink
Can you try this patch and see if it works?

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index e87387d..ac14d71 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -450,9 +450,8 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer,
sec_blob->WorkstationName.MaximumLength = 0;
tmp += 2;

- if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
- (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
- && !calc_seckey(ses)) {
+ if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
+ !calc_seckey(ses)) {
memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
...
Ben Greear
11 years ago
Permalink
Post by Shirish Pargaonkar
Can you try this patch and see if it works?
We have verified that this works in our test systems.
We are just passing user=foo,password=bar in our
mount options, so hopefully that is sufficient to exercise this
code?

Thanks,
Ben
...
--
Ben Greear <greearb-my8/4N5VtI7c+***@public.gmane.org>
Candela Technologies Inc http://www.candelatech.com
Steve French
11 years ago
Permalink
username=foo is preferred
...
--
Thanks,

Steve
Shirish Pargaonkar
11 years ago
Permalink
Thanks. Will post a patch on the mailing list.

Regards,

Shirish
...
Continue reading on narkive:
Search results for 'Problem with connecting to SMB server in 3.9.11 kernel.' (Questions and Answers)
14
replies
Creating a "Why we should switch to Mac" Speech. Help Please?
started 17 years ago
desktops
Loading...