Manu Shamanna
2024-Oct-24 12:49 UTC
[Samba] Could not find a suitable mechtype in NEG_TOKEN_INIT error in libsmbclient 4.19.4
>> Hi,
>>
>>
>> [global]
>> workgroup = SAMBA
>> security = user
>> passdb backend = tdbsam
>> client max protocol = SMB3
>>
>
>I think this is all down to Samba raising the default lowest SMB protocol
>to '2' at 4.11.0
>
>As this is the client, libsmbclient will read /etc/samba/smb.conf and
>anything found there will override its defaults which on 4.10.x will
>have been these:
>
>client ipc max protocol = SMB3_11
>client ipc min protocol = NT1
>client max protocol = SMB3_11
>client min protocol = CORE
>
>Now on 4.19.x they will be these:
>
>client ipc max protocol = SMB3_11
>client ipc min protocol = SMB2_02
>client max protocol = SMB3_11
>client min protocol = SMB2_02
>
>So, setting 'client max protocol = SMB3' will have little effect.
>
>I 'think' it is probable that your code is sending a SMBv1 request to
>the Windows server and the server has SMBv1 turned off by default.
>
>Rowland

Changing the client max/min protocol settings did not help. I removed the "client max protocol" setting in smb.conf and that did not help either.

Looking at the packet captures, when it's working on libsmbclient 4.10, it first sends a SMB1 negotiate protocol request, to which server sends back a SMB2 response. Then there is a SMB2 negotiate protocol request/response again.

In 4.19, there is a SMB2 client negotiate protocol request straightaway and to which the server responds with a SMB2 negotiate protocol response.

The SMB2 server negotiate protocol response looks like below for the 4.10 request which works,

Frame 8: 380 bytes on wire (3040 bits), 380 bytes captured (3040 bits) on interface any, id 0
Linux cooked capture v1
Internet Protocol Version 4, Src: 10.213.83.50, Dst: 10.213.83.54
Transmission Control Protocol, Src Port: 445, Dst Port: 54178, Seq: 253, Ack: 437, Len: 312
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 308
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 7]
        [Time from request: 0.000343221 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: cca6d99fdf8c2da4087b861deb15c32f9ae8a929b32343dc86981393a37239ac6aa2f786d21b4f12ba1b9c96f962107eeac018311a084944818c67f517b8b904]
        StructureSize: 0x0041
        Security mode: 0x01, Signing enabled
        Dialect: SMB 3.1.1 (0x0311)
        NegotiateContextCount: 2
        Server Guid: 1d1584b9-bf7c-4bc5-b11f-67c1bc1ef0cd
        Capabilities: 0x0000002f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, DIRECTORY LEASING
        Max Transaction Size: 8388608
        Max Read Size: 8388608
        Max Write Size: 8388608
        Current Time: Oct 22, 2024 20:39:32.457004900 India Standard Time
        Boot Time: Aug 7, 2023 10:11:38.342574400 India Standard Time
        Blob Offset: 0x00000080
        Blob Length: 120
        Security Blob [?]: 607606062b0601050502a06c306aa03c303a060a2b06010401823702021e06092a864882f71201020206092a864886f712010202060a2a864886f71201020203060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 5 items
                            MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                            MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                            MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - User to User)
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178 at please_ignore
        NegotiateContextOffset: 0x000000f8
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES

On the 4.19 request, the server response is below.

Frame 372: 308 bytes on wire (2464 bits), 308 bytes captured (2464 bits) on interface any, id 0
Linux cooked capture v1
Internet Protocol Version 4, Src: 192.168.1.99, Dst: 192.168.1.135
Transmission Control Protocol, Src Port: 445, Dst Port: 34164, Seq: 1, Ack: 237, Len: 240
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 236
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 371]
        [Time from request: 0.000684602 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: 9453f901c369c80002478182242f00a9ef2139d9332bdf9584d9a3bb64035a4fe61448afb04a7c63153cf4b38818743dd0eba3fc54334c381fe68559dcb670f5]
        StructureSize: 0x0041
        Security mode: 0x01, Signing enabled
        Dialect: SMB 3.1.1 (0x0311)
        NegotiateContextCount: 2
        Server Guid: 64c66341-2bdd-439c-aa6a-e1c35c9d802c
        Capabilities: 0x0000002f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, DIRECTORY LEASING
        Max Transaction Size: 8388608
        Max Read Size: 8388608
        Max Write Size: 8388608
        Current Time: Oct 23, 2024 13:12:58.889021700 India Standard Time
        Boot Time: Oct 4, 2024 14:01:11.644965700 India Standard Time
        Blob Offset: 0x00000080
        Blob Length: 42
        Security Blob: 602806062b0601050502a01e301ca01a3018060a2b06010401823702021e060a2b06010401823702020a
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 2 items
                            MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
        NegotiateContextOffset: 0x000000b0
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES

Both the server responses contain the NTLMSSP sub mechanism. I am not sure why the 4.19 version does not recognize this sub mechanism type.

Regards,
Manu
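Added example (not part of the original messages and not Samba code): a small DER walker that extracts the mechTypes list from the two Security Blob values shown in the captures above, so the server's offer can be checked without Wireshark. The function and constant names are made up for this illustration.

```python
# Security Blob hex copied from the two captures above. The 4.10 value is cut
# short inside negHints (109 of 120 bytes), after the complete mechTypes list.
BLOB_4_10 = ("607606062b0601050502" "a06c306aa03c303a"
             "060a2b06010401823702021e" "06092a864882f712010202"
             "06092a864886f712010202" "060a2a864886f71201020203"
             "060a2b06010401823702020a"
             "a32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c")
BLOB_4_19 = ("602806062b0601050502a01e301ca01a3018"
             "060a2b06010401823702021e" "060a2b06010401823702020a")
SPNEGO, NTLMSSP = "1.3.6.1.5.5.2", "1.3.6.1.4.1.311.2.2.10"

def _tlv(buf, pos, want):  # read one DER header -> (value_start, value_len)
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, length

def _oid(raw):  # DER OID content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def mech_types(blob_hex):  # mechType OIDs in the order the server listed them
    buf = bytes.fromhex(blob_hex)
    pos, _ = _tlv(buf, 0, 0x60)            # GSS-API initial context token
    pos, n = _tlv(buf, pos, 0x06)          # thisMech, must be SPNEGO
    if _oid(buf[pos:pos + n]) != SPNEGO:
        raise ValueError("not an SPNEGO token")
    pos += n
    # [0] negTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        pos, n = _tlv(buf, pos, tag)       # outer lengths are not enforced, so a
    end, oids = pos + n, []                # blob cut off after mechTypes still parses
    if end > len(buf):
        raise ValueError("blob truncated inside mechTypes")
    while pos < end:
        pos, n = _tlv(buf, pos, 0x06)
        oids.append(_oid(buf[pos:pos + n]))
        pos += n
    return oids

for name, blob in (("4.10", BLOB_4_10), ("4.19", BLOB_4_19)):
    print(name, "NTLMSSP offered:", NTLMSSP in mech_types(blob), mech_types(blob))
```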
Rowland Penny
2024-Oct-24 13:08 UTC
[Samba] Could not find a suitable mechtype in NEG_TOKEN_INIT error in libsmbclient 4.19.4
On Thu, 24 Oct 2024 18:19:21 +0530
Manu Shamanna via samba <samba at lists.samba.org> wrote:

>
> Looking at the packet captures, when it's working on libsmbclient 4.10,
> it first sends a SMB1 negotiate protocol request, to which server
> sends back a SMB2 response. Then there is a SMB2 negotiate protocol
> request/response again.
>
> In 4.19, there is a SMB2 client negotiate protocol request
> straightaway and to which the server responds with a SMB2 negotiate
> protocol response.

From my understanding, it works in reverse, the client should send a SMBv3 negotiate protocol request and the server should respond either with basically 'yes, using SMBv3' or 'Do you understand SMBv2 ?'.

To put it another way, the client should start at the highest version of SMB and then negotiate down to the highest mutual available version, you appear to be starting at the lowest version.

Rowland