pisymbol .
2016-May-25 18:38 UTC
[Samba] Regression: The 'net' command is now failing to login (UNKNOWN ENUM VALUE 1003?)
Hello:

Platform: CentOS 6.7 x86-64

$ rpm -qa | grep samba
samba-common-3.6.23-30.el6_7.x86_64
samba4-libs-4.2.10-6.el6_7.x86_64
ie-samba-utils-3.6.13-7.x86_64
samba-winbind-3.6.23-30.el6_7.x86_64
samba-client-3.6.23-30.el6_7.x86_64
samba-winbind-clients-3.6.23-30.el6_7.i686
samba-winbind-clients-3.6.23-30.el6_7.x86_64

Problems began after requiring SMB signing (I forgot the specifics but it was related to CVE-2016-2111 and the one before it I think).

I had to enable support for signatures on the NetApp (I'm using their latest patched 8.2.4P3D1 firmware too however it looks like it fails on older releases of OnTap as well) as per their KB. That worked for now making commands like rpcclient working.

However, this now breaks the 'net' command:

$ sudo net -d10 -U someuser%somepass -S <netapp hostname> share
....
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
Got NTLMSSP neg_flags=0x00000010
  NTLMSSP_NEGOTIATE_SIGN
neg_flags[0x60088205]
Got NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
lang_tdb_init: /usr/lib64/samba/en_US.UTF-8.msg: No such file or directory
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
NetShareEnum: struct NetShareEnum
out: struct NetShareEnum
buffer : *
buffer : NULL
entries_read : *
entries_read : 0x00000000 (0)
total_entries : *
total_entries : 0x00000000 (0)
resume_handle : *
resume_handle : 0x00000000 (0)
result : UNKNOWN_ENUM_VALUE (1003)
return code = 1003

What is UNKNOWN ENUM VALUE (1003)?

Note that disabling spnego does resolve this but then breaks the rpcclient command.

Is this pilot error on my part or a real issue?

-aps
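The flag words in the debug output above can be decoded mechanically. The following is an added example, not part of the original post and not Samba code: it parses the downgrade message and names the bits, using flag values from MS-NLMP under the names Samba logs; the function names `decode` and `analyse` are hypothetical.

```python
import re

# NTLMSSP negotiate-flag bits (values per MS-NLMP, names as Samba logs them).
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Debug lines copied from the post above (wrapped as the mail client left them).
LOG = """\
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
Got NTLMSSP neg_flags=0x00000010
Got NTLMSSP neg_flags=0x60088205
"""

def decode(flags):
    """Return (names of known bits set, mask of set bits not in the table)."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(NTLMSSP_FLAGS)  # keys are distinct bits, so sum == OR
    return names, unknown

def analyse(log):
    """Pull the flag words out of a downgrade message and explain them."""
    text = " ".join(log.split())  # undo line wrapping before matching
    m = re.search(r"challenge flags\[0x([0-9a-fA-F]+)\].*?"
                  r"missing_flags\[0x([0-9a-fA-F]+)\]", text)
    if m is None:
        return None
    challenge, missing = (int(g, 16) for g in m.groups())
    return {
        "challenge": decode(challenge)[0],
        "missing": decode(missing)[0],
        "consistent": challenge & missing == 0,  # missing bits must be absent
        "server_offers_sign": bool(challenge & 0x00000010),
    }

if __name__ == "__main__":
    print(analyse(LOG))
```

On the values from the post, the server's challenge carries NTLMSSP_NEGOTIATE_ALWAYS_SIGN but not NTLMSSP_NEGOTIATE_SIGN, which is the single bit the client reports as missing.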
pisymbol .
2016-May-26 11:23 UTC
[Samba] Regression: The 'net' command is now failing to login (UNKNOWN ENUM VALUE 1003?)
On Wed, May 25, 2016 at 2:38 PM, pisymbol . <pisymbol at gmail.com> wrote:
> Hello:
>
> Platform: CentOS 6.7 x86-64
>
> $ rpm -qa | grep samba
> samba-common-3.6.23-30.el6_7.x86_64
> samba4-libs-4.2.10-6.el6_7.x86_64
> ie-samba-utils-3.6.13-7.x86_64
> samba-winbind-3.6.23-30.el6_7.x86_64
> samba-client-3.6.23-30.el6_7.x86_64
> samba-winbind-clients-3.6.23-30.el6_7.i686
> samba-winbind-clients-3.6.23-30.el6_7.x86_64
>
> Problems began after requiring SMB signing (I forgot the specifics but
> it was related to CVE-2016-2111 and the one before it I think).
>
> I had to enable support for signatures on the NetApp (I'm using their
> latest patched 8.2.4P3D1 firmware too however it looks like it fails
> on older releases of OnTap as well) as per their KB. That worked for
> now making commands like rpcclient working.
>
> However, this now breaks the 'net' command:
>
> $ sudo net -d10 -U someuser%somepass -S <netapp hostname> share
> ....
> ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
> downgrade detected! missing_flags[0x00000010] -
> NT_STATUS_RPC_SEC_PKG_ERROR
> Got NTLMSSP neg_flags=0x00000010
>   NTLMSSP_NEGOTIATE_SIGN
> neg_flags[0x60088205]
> Got NTLMSSP neg_flags=0x60088205
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
> lang_tdb_init: /usr/lib64/samba/en_US.UTF-8.msg: No such file or directory
> session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
> did you forget to run kinit?
> NetShareEnum: struct NetShareEnum
> out: struct NetShareEnum
> buffer : *
> buffer : NULL
> entries_read : *
> entries_read : 0x00000000 (0)
> total_entries : *
> total_entries : 0x00000000 (0)
> resume_handle : *
> resume_handle : 0x00000000 (0)
> result : UNKNOWN_ENUM_VALUE (1003)
> return code = 1003
>
> What is UNKNOWN ENUM VALUE (1003)?

If I turn off spnego on the client, then the net command works but now rpcclient doesn't:

Attempt to open gencache.tdb has failed.
internal_resolve_name: returning 1 addresses: 192.168.17.248:0
Running timed event "tevent_req_timedout" 0x246a968
Connecting to 192.168.17.248 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 19800
  SO_RCVBUF = 87380
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  Could not test socket option SO_SNDTIMEO.
  Could not test socket option SO_RCVTIMEO.
  TCP_QUICKACK = 1
Failed to load /var/lib/samba/lib/upcase.dat - No such file or directory
Failed to load /var/lib/samba/lib/lowcase.dat - No such file or directory
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
Substituting charset 'UTF-8' for LOCALE
cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Can someone please explain to me why 'net' and 'rpcclient' authenticate differently?

Note that I tried this on our NetApp with signing on and off.

-aps
mathias dufresne
2016-May-26 11:56 UTC
[Samba] Regression: The 'net' command is now failing to login (UNKNOWN ENUM VALUE 1003?)
This spnego stuff makes me think about "client ldap sasl wrapping = sign" to be added in some cases. There are threads related to that posted recently.

Disabling spnego is, if I'm not mistaken, disabling Kerberos. Disabling Kerberos should not be what you really want with AD : )

2016-05-26 13:23 GMT+02:00 pisymbol . <pisymbol at gmail.com>:
> On Wed, May 25, 2016 at 2:38 PM, pisymbol . <pisymbol at gmail.com> wrote:
> > Hello:
> >
> > Platform: CentOS 6.7 x86-64
> >
> > $ rpm -qa | grep samba
> > samba-common-3.6.23-30.el6_7.x86_64
> > samba4-libs-4.2.10-6.el6_7.x86_64
> > ie-samba-utils-3.6.13-7.x86_64
> > samba-winbind-3.6.23-30.el6_7.x86_64
> > samba-client-3.6.23-30.el6_7.x86_64
> > samba-winbind-clients-3.6.23-30.el6_7.i686
> > samba-winbind-clients-3.6.23-30.el6_7.x86_64
> >
> > Problems began after requiring SMB signing (I forgot the specifics but
> > it was related to CVE-2016-2111 and the one before it I think).
> >
> > I had to enable support for signatures on the NetApp (I'm using their
> > latest patched 8.2.4P3D1 firmware too however it looks like it fails
> > on older releases of OnTap as well) as per their KB. That worked for
> > now making commands like rpcclient working.
> >
> > However, this now breaks the 'net' command:
> >
> > $ sudo net -d10 -U someuser%somepass -S <netapp hostname> share
> > ....
> > ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible
> > downgrade detected! missing_flags[0x00000010] -
> > NT_STATUS_RPC_SEC_PKG_ERROR
> > Got NTLMSSP neg_flags=0x00000010
> >   NTLMSSP_NEGOTIATE_SIGN
> > neg_flags[0x60088205]
> > Got NTLMSSP neg_flags=0x60088205
> >   NTLMSSP_NEGOTIATE_UNICODE
> >   NTLMSSP_REQUEST_TARGET
> >   NTLMSSP_NEGOTIATE_NTLM
> >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >   NTLMSSP_NEGOTIATE_NTLM2
> >   NTLMSSP_NEGOTIATE_128
> >   NTLMSSP_NEGOTIATE_KEY_EXCH
> > SPNEGO login failed: NT_STATUS_RPC_SEC_PKG_ERROR
> > lang_tdb_init: /usr/lib64/samba/en_US.UTF-8.msg: No such file or directory
> > session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
> > did you forget to run kinit?
> > NetShareEnum: struct NetShareEnum
> > out: struct NetShareEnum
> > buffer : *
> > buffer : NULL
> > entries_read : *
> > entries_read : 0x00000000 (0)
> > total_entries : *
> > total_entries : 0x00000000 (0)
> > resume_handle : *
> > resume_handle : 0x00000000 (0)
> > result : UNKNOWN_ENUM_VALUE (1003)
> > return code = 1003
> >
> > What is UNKNOWN ENUM VALUE (1003)?
>
> If I turn off spnego on the client, then the net command works but now
> rpcclient doesn't:
>
> Attempt to open gencache.tdb has failed.
> internal_resolve_name: returning 1 addresses: 192.168.17.248:0
> Running timed event "tevent_req_timedout" 0x246a968
> Connecting to 192.168.17.248 at port 445
> Socket options:
>   SO_KEEPALIVE = 0
>   SO_REUSEADDR = 0
>   SO_BROADCAST = 0
>   TCP_NODELAY = 1
>   TCP_KEEPCNT = 9
>   TCP_KEEPIDLE = 7200
>   TCP_KEEPINTVL = 75
>   IPTOS_LOWDELAY = 0
>   IPTOS_THROUGHPUT = 0
>   SO_REUSEPORT = 0
>   SO_SNDBUF = 19800
>   SO_RCVBUF = 87380
>   SO_SNDLOWAT = 1
>   SO_RCVLOWAT = 1
>   Could not test socket option SO_SNDTIMEO.
>   Could not test socket option SO_RCVTIMEO.
>   TCP_QUICKACK = 1
> Failed to load /var/lib/samba/lib/upcase.dat - No such file or directory
> Failed to load /var/lib/samba/lib/lowcase.dat - No such file or directory
> Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
> Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
> Substituting charset 'UTF-8' for LOCALE
> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
> failed session setup with NT_STATUS_LOGON_FAILURE
> Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
>
> Can someone please explain to me why 'net' and 'rpcclient'
> authenticate differently?
>
> Note that I tried this on our NetApp with signing on and off.
>
> -aps