GUEST Logon failure on Windows 10/MacOS with password protected shares disabled #186
Could you provide a packet capture for a working client as well? I'm not entirely sure what disabling the password protection means on Windows from a technical standpoint, what the trace shows is that guest login (this means using wrong credentials) is rejected with LOGIN_FAILURE while anonymous login (no credentials) fails with ACCESS_DENIED (which can both mean no permissions as well as e.g. signing issues). |
OK need to find a way to reproduce with windows.
|
Attached also is the log from macos to win10 working too (I should have provided this one earlier): |
I can't see much difference between the macos ok and the jcifs nok.
|
(5th edit of the post) |
For MacOS I am using |
jcifs-macos-nok.pcap.zip seems to be missing the SMB traffic |
ok indeed I was capturing on en0 and it should have been lo since I am on the same machine, does this capture help: jcifsng-macos-guest-nok.pcap.zip ? |
Some observations:
Can you disable the server's signing requirement (https://support.apple.com/en-us/HT205926) and verify that it is signing related? |
Thank you for analyzing the issue.
with the following packet capture guest-macos-signing_off.pcap.zip If it helps, I tried from a win10 host to connect to the macOS SMB2 server with packet signing disabled with guest account and no password and it works. Associated capture is there: guest-win10-packet_signing_off.pcap.zip I also tried to log in from my app on an Android phone with jcifs-ng and it fails to rule out the local interface issue. |
Sorry for all the delay. Unfortunately I don't see anything obvious, except that jcifs-ng is not requesting signing (as we do determine this beforehand). Is a connection with a regular user account to the system successful? |
No problem for the delay, guest on macOS is the only last configuration problematic on my side in all the scenarios explored.
|
I am experiencing the same issue. When the following Windows option is set: |
If I recall correctly the following option made it work: |
courville, |
@zc2com please try: jcifs.smb.client.disableSpnegoIntegrity=true, it seems I originally misspoke. |
…with WD MyCloud see AgNO3/jcifs-ng#226
… solving WD MyCloud issues See AgNO3/jcifs-ng#186 and AgNO3/jcifs-ng#226 Separate SMBv1 and SMBv2 world and do not mix options
Hi Moritz, zc2 |
I've saved a tcpdump with a successful login made by Samba and failed ones by jCIFS-NG. I noticed, that Samba sends the domain name WORKGROUP. I tried to simulate that by pushing the word WORKGROUP as a domain parameter to Type3Message() in NtlmContext.java:275 Hope for help. |
I finally made it work. But not as "GUEST" and I had to modify the JCIFS-NG code. I believe, GUEST does not work because such account actually exists on the server machine and the password that JCIFS-NG supplies ("invalid") is, in fact, invalid. Samba client still successfully uses the account "GUEST", somehow providing the correct password (see the wireshark dump in my previous comment).
|
To provide some context and a basis for discussion, there are two distinct modes of authentication in SMB:
That things get more difficult in guest mode when the target user exists makes sense (samba for example even has options to decide whether a wrong username is required or to accept just wrong passwords) and this may be hitting different checks and code paths. So changing the guest username would avoid hitting that code path, I guess making the guest user configurable would at least allow a workaround until this is figured out fully. However, as samba is still able to perform the login with the guest user I think something else is wrong here. |
So digging into this further, it turns out that samba is really not performing guest authentication either, but the guest account's password just is the empty string. So it seems we either need to be compatible with that or change the guest account username. |
What exactly is that "guest authentication"? Is not it just using the name GUEST and empty password? BTW, that actually works, after I changed the code to:
From my experience, for the anonymous mode, the credentials could be anything but not empty string. But you are saying
I guess that is the case when nonAnonymous==false and empty password so then you set lmResponse/ntResponse to null. Maybe that is how it is supposed to be according to the SMB spec, but that just does not work. To avoid that I set nonAnonymous to be always true. |
No, guest authentication essentially is using whatever username or possibly password and the server deciding, credentials are wrong, but you are welcome anyways. We definitely can not mess with the anonymous authentication mode, this is widely used e.g. for IPC and functioning as it is supposed to. |
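The guest/anonymous distinction discussed above is visible in a capture: an SMB2 SESSION_SETUP response carries a SessionFlags field (MS-SMB2: IS_GUEST 0x0001, IS_NULL 0x0002) next to the NT status. The following is an added example, not code from this thread or from jcifs-ng; the function names and the sample messages are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SESSION_FLAG_IS_GUEST = 0x0001   # server mapped the logon to guest
SESSION_FLAG_IS_NULL = 0x0002    # anonymous (no credentials) session
NT_STATUS = {
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",  # NTLM handshake continues
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

def classify_session_setup(msg: bytes) -> str:
    """Classify one SMB2 SESSION_SETUP response (4-byte transport header removed)."""
    if len(msg) < 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header offsets 8..19: Status, Command, Credits, Flags
    status, command, _credits, flags = struct.unpack_from("<IHHI", msg, 8)
    if command != SMB2_SESSION_SETUP or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a SESSION_SETUP response")
    if status != 0:
        return NT_STATUS.get(status, f"0x{status:08X}")
    if len(msg) < 72:
        raise ValueError("truncated SESSION_SETUP response body")
    struct_size, session_flags = struct.unpack_from("<HH", msg, 64)
    if struct_size != 9:
        raise ValueError("unexpected StructureSize")
    if session_flags & SESSION_FLAG_IS_GUEST:
        return "guest"
    if session_flags & SESSION_FLAG_IS_NULL:
        return "anonymous"
    return "authenticated"

def is_silent_guest_fallback(sent_named_credentials: bool, msg: bytes) -> bool:
    """True when real credentials were sent but only a guest session was granted."""
    return sent_named_credentials and classify_session_setup(msg) == "guest"

def build_response(status: int, session_flags: int = 0) -> bytes:
    """Constructed sample message (not taken from the captures in this issue)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, status,
                         SMB2_SESSION_SETUP, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 1, 0, 0, 0x1122, b"\x00" * 16)
    return header + struct.pack("<HHHH", 9, session_flags, 72, 0)

if __name__ == "__main__":
    for name, sample in [("guest", build_response(0, SESSION_FLAG_IS_GUEST)),
                         ("null", build_response(0, SESSION_FLAG_IS_NULL)),
                         ("bad password", build_response(0xC000006D))]:
        print(name, "->", classify_session_setup(sample))
```

A client that sent a named account and gets `guest` back was accepted without its credentials being verified, which is the case worth alerting on when guest fallback is enabled.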
Ok, I guess, I will use my workaround in my app until you find a proper solution. Please let me know if you need some testing. |
Also: - adds a setting to permit silent fallback to guest authentication - allow proper authentication with the username 'guest'
So, I went ahead and implemented a couple of things:
In my tests this permits guest logins on win10 (and my other test targets) using withGuestCredentials() I'm not quite sure whether it's better to have to have a username of "guest" (with empty password) or a more commonly non-existent username like "jcifsguest". |
mbechler, thanks for the fix! I tested against a Windows 8.1 Home. It works fine using withGuestCredentials() (I did not set up any default credentials). It gives me an "Access is denied" when I tried to use withAnonymousCredentials(). Here's a call stack:
Do I guess right, the anonymous mode should not be used for a regular password-less access to shared folders? |
Yes, while in theory it could be used for file access, afaik this mode is only used for IPC with domain controllers. |
Guest login now works for me as well on win10. Thank you. |
With https://gist.github.com/courville/a0e6fe1ce2f31c9adc52191216eed3e0 test script on Windows 10 SMB server with disabled password protected sharing, I get a SmbAuthException logon failure:
Here is the corresponding pcap wireshark trace:
win10-guest.pcap.zip