Ralph Boehme
2024-Oct-29 18:11 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On 10/29/24 4:09 PM, Hans van Leeuwen wrote:
> With "server smb encrypt = no" I can't reproduce the problem.

ah, I see, interesting.

> So I don't know how I can deliver you a pcap file with unencrypted network packets.

<https://wiki.samba.org/index.php/Wireshark_Decryption#Samba_client_and_server>

If you can get us the trace and the session keys, we will at least be able to look at the trace when talking to Samba.

For Windows see

<https://learn.microsoft.com/en-us/answers/questions/1286653/how-to-decrypt-smb3-traffic>

Basically:

netsh trace start provider=Microsoft-Windows-SMBClient

I'll then check with dochelp and ask for the status of Message Analyzer and if they still provide a copy on request.

I guess while at it and to avoid that you have to do it all again, run Samba at loglevel 10 with the following settings when you grab a network trace:

https://wiki.samba.org/index.php/Client_specific_logging

All this will require some effort on my end, I'll have to see if and when I can fit this into my schedule.

If Synology is able to reproduce this and is looking into fixing it, I'm afraid that will never see the light of day outside Synology as they're not working with the Samba community in any way.

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
Hans van Leeuwen
2024-Oct-31 10:17 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
Hi Ralph Boehme,

On the web-site https://wiki.samba.org/index.php/Wireshark_Decryption#Samba_client_and_server I see the command:

smbclient //localhost/scratch --option='debugencryption=yes' -e -mSMB3 -U aaptel%aaptel
Invalid option -e: unknown option
Usage: smbclient [-?EgqBNPkV] [-?|--help] [--usage] [-M|--message=HOST]
        [-I|--ip-address=IP] [-E|--stderr] [-L|--list=HOST]
        [-T|--tar=<c|x>IXFvgbNan] [-D|--directory=DIR] [-c|--command=STRING]
        [-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
        [-g|--grepable] [-q|--quiet] [-B|--browse]
        [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
        [-s|--configfile=CONFIGFILE] [--option=name=value]
        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve=NAME-RESOLVE-ORDER]
        [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
        [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
        [-W|--workgroup=WORKGROUP] [--realm=REALM]
        [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
        [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
        [-P|--machine-pass] [--simple-bind-dn=DN]
        [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
        [--use-winbind-ccache] [--client-protection=sign|encrypt|off]
        [-k|--kerberos] [-V|--version] [OPTIONS] service <password>

I tried smbclient version 4.15.13 and 4:19.5

Without the '-e' option I get more:

smbclient //localhost/scratch --option='debugencryption=yes' -mSMB3 -U account at domain
Password for [account at domain]:
debug encryption: dumping generated session keys
Session Id [0000] C5 13 D5 15 00 00 00 00 ........
Session Key [0000] CB 55 69 61 C3 48 1C C3 DE 53 19 D7 9D 27 B0 BD .wia.H.. .S...'..
Signing Key [0000] D9 D2 21 AE 92 6E BC 49 10 F9 16 12 D1 7B 7A 7C ..!..n.I .....{z|
App Key [0000] 55 8B 33 B8 A8 7F 7E 6D 37 51 68 19 46 E6 9C 71 U.3...~m 7Qh.F..q
ServerIn Key [0000] E8 D0 64 CB BE C0 98 D7 60 B5 41 AA 59 AF 5B C7 ..d..... `.A.Y.[.
ServerOut Key [0000] DB 13 CC 58 7A C3 5B 6B CC BF 66 20 5D E0 53 CE ...Xz.[k ..f ].S.
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Best regards,
Hans.

-----Original Message-----
From: Ralph Boehme <slow at samba.org>
Sent: Tuesday, October 29, 2024 7:12 PM
To: Hans van Leeuwen <HansvanLeeuwen at mailstreet.nl>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Kerberos ticket renew causes a brief network interruption

NOTE: This e-mail originates from outside the organisation. Do not click links or open attachments unless you are sure you recognise the sender.
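
Added example, not part of either message and not Samba project code: a small Python parser that pulls the session id and keys out of a `debugencryption=yes` dump like the one above into compact hex strings that can be handed over alongside a trace. It assumes one `[0000]` row per field with 16-byte keys (8 bytes for the session id); the function name and the sample values are constructed for illustration.

```python
import re

# Labels printed in the debugencryption dump and the byte length this example
# expects for each (assumption: 128-bit keys, one "[0000]" row per field).
FIELDS = {"Session Id": 8, "Session Key": 16, "Signing Key": 16,
          "App Key": 16, "ServerIn Key": 16, "ServerOut Key": 16}
ROW = re.compile(r"^\s*(%s)\s+\[0000\]\s+(.*)$" % "|".join(FIELDS))
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_debug_encryption(text):
    """Return {label: hex string} for every key row found in text."""
    keys = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, prompt or error lines such as "tree connect failed"
        label, rest = m.groups()
        hex_bytes = []
        for tok in rest.split():
            # Stop at the ASCII column, or once the expected length is reached,
            # so ASCII that happens to look like hex is never absorbed.
            if len(hex_bytes) == FIELDS[label] or not HEX_BYTE.match(tok):
                break
            hex_bytes.append(tok.upper())
        if len(hex_bytes) != FIELDS[label]:
            raise ValueError("truncated %s row: %r" % (label, line))
        keys[label] = "".join(hex_bytes)
    return keys

# Constructed sample (not real key material), shaped like the dump rows above.
SAMPLE = """\
debug encryption: dumping generated session keys
Session Id    [0000] 01 02 03 04 00 00 00 00                             ........
Session Key   [0000] 00 11 22 33 44 55 66 77   88 99 AA BB CC DD EE FF   ...3DUfw ........
ServerIn Key  [0000] A0 A1 A2 A3 A4 A5 A6 A7   A8 A9 AA AB AC AD AE AF   ab cd ef........
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
"""

if __name__ == "__main__":
    for label, value in parse_debug_encryption(SAMPLE).items():
        print("%-14s %s" % (label, value))
```

The dumped values decrypt the whole captured session, so share them only with the people who receive the trace.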