SMB1 test findings #430

Closed
bosim opened this issue Jul 22, 2020 · 17 comments

bosim commented Jul 22, 2020

Because the Sonos device needs SMB1 which fails loading share from cifsd (#428), I decided to do a bit of testing on my Debian Buster machine to see if the SMB1 implementation is working as expected. I configured smb.conf (using DDWRT) with NT1 as both minimum and maximum protocol.

Here are my findings:

smbclient

Login works, ls, put, rm works. However on ls I see:

smbclient -m=NT1 -U user //host/share
..
smb: \> ls
  .                                   D        0  Tue Jul 21 20:16:12 2020
  ..                                  D        0  Tue Jul 21 20:16:12 2020
  <contents>
  Error in dskattr: NT_STATUS_INVALID_NETWORK_RESPONSE

As far as I recall if I run with a higher smb version the call works.

gvfs-mount

Ran gvfs-mount smb://host/share and then went to /run/user/uid/gvfs/<share dir>.
Login works, writing, retrieving, deletion works.

cifs mount

Ran sudo mount -t cifs -o username=user,vers=1.0 //host/share /tmp/mount

It does not work:

mount error(22): Invalid argument

and dmesg says:

CIFS VFS: bad security blob length 138
CIFS VFS: Send error in SessSetup = -22
CIFS VFS: cifs_mount failed w/return code = -22

I did try to run wireshark while doing this test and I found that the response of NTLMSSP_AUTH did return a security blob length of 138, but with no security blob.

Should be fairly easy to test with a usual Linux machine.

@namjaejeon
Member

> smbclient:
> Login works, ls, put, rm works. However on ls I see:

What is the problem?
Error in dskattr: NT_STATUS_INVALID_NETWORK_RESPONSE
You are saying this error message?

> cifsd mount:
> Ran sudo mount -t cifs -o username=user,vers=1.0 //host/share /tmp/mount
> It does not work:

In my test, it works fine. Can you share a wireshark dump? And what kernel version did you use?

@bosim
Author

bosim commented Jul 28, 2020

> > smbclient:
> > Login works, ls, put, rm works. However on ls I see:
>
> What is the problem?
> Error in dskattr: NT_STATUS_INVALID_NETWORK_RESPONSE
> You are saying this error message?

It seems so, I do not get the error when connecting to samba3 also using SMB1.

> > cifsd mount:
> > Ran sudo mount -t cifs -o username=user,vers=1.0 //host/share /tmp/mount
> > It does not work:
>
> In my test, it works fine. Can you share a wireshark dump? And what kernel version did you use?

Sure will make a dump.

So what cifsd returns, as final response in the chat is:

SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Response (0x73)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 43
        Action: 0x0000
            .... .... .... ...0 = Guest: Not logged in as GUEST
        Security Blob Length: 138
        Byte Count (BCC): 0

Notice the Security blob Length..

The communication with the samba4 server is identical except for it returns a security blob length 0 (and no blob):

SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Response (0x73)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        Action: 0x0000
            .... .... .... ...0 = Guest: Not logged in as GUEST
        Security Blob Length: 0
        Byte Count (BCC): 83
        Security Blob: <MISSING>
        Native OS: Windows 6.1
        Native LAN Manager: Samba 4.9.5-Debian
        Primary Domain: WORKGROUP

So the packets in both cases are in the sequence: Protocol negotiate request -> Protocol negotiate response -> AndX request NTLMSSP_NEGOTIATE -> AndX Response NTLMSSP_CHALLENGE -> AndX Request NTLMSSP_AUTH -> AndX Response.

cifsd is running on Linux 4.4.230 ARMv7.
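
As an added example (not part of the original thread and not cifsd/ksmbd or kernel code), the sketch below parses a WordCount=4 Session Setup AndX response and reports the length inconsistency visible in the first dissection, where the Security Blob Length is larger than the Byte Count. The helper names and both sample messages are constructed here from the field values quoted above; the single pad byte before the strings in the Samba-like sample is an assumption chosen to reach the reported Byte Count of 83.

```python
import struct

SMB1_HEADER_LEN = 32          # fixed SMB1 header size
SESSION_SETUP_ANDX = 0x73     # command code shown in the dissections above

def build_response(andx_offset: int, blob_len: int, data: bytes) -> bytes:
    """Build a constructed WordCount=4 Session Setup AndX response (test input)."""
    header = b"\xffSMB" + bytes([SESSION_SETUP_ANDX]) + bytes(27)
    words = struct.pack("<BBHHH", 0xFF, 0, andx_offset, 0, blob_len)
    return header + b"\x04" + words + struct.pack("<H", len(data)) + data

def check_session_setup_response(pdu: bytes) -> dict:
    """Parse the response and list length inconsistencies (hypothetical helper)."""
    if len(pdu) < SMB1_HEADER_LEN + 11 or pdu[:4] != b"\xffSMB":
        raise ValueError("truncated or not an SMB1 message")
    if pdu[4] != SESSION_SETUP_ANDX or pdu[SMB1_HEADER_LEN] != 4:
        raise ValueError("not a WordCount=4 Session Setup AndX response")
    _cmd, _rsvd, andx_offset, action, blob_len = struct.unpack_from(
        "<BBHHH", pdu, SMB1_HEADER_LEN + 1)
    (byte_count,) = struct.unpack_from("<H", pdu, SMB1_HEADER_LEN + 9)
    data = pdu[SMB1_HEADER_LEN + 11:]
    problems = []
    if byte_count != len(data):
        problems.append(f"ByteCount {byte_count} but {len(data)} data bytes present")
    if blob_len > byte_count:
        # The security blob lives inside the data area, so it cannot be longer.
        problems.append(f"SecurityBlobLength {blob_len} exceeds ByteCount {byte_count}")
    return {"andx_offset": andx_offset, "action": action, "blob_len": blob_len,
            "byte_count": byte_count, "problems": problems}

# Constructed sample mirroring the cifsd response: length 138, empty data area.
CIFSD_LIKE = build_response(43, 138, b"")

# Constructed sample mirroring the Samba response: no blob, pad byte + UTF-16 strings.
_strings = ("Windows 6.1", "Samba 4.9.5-Debian", "WORKGROUP")
SAMBA_LIKE = build_response(
    0, 0, b"\x00" + b"".join((s + "\x00").encode("utf-16-le") for s in _strings))

if __name__ == "__main__":
    for name, pdu in (("cifsd-like", CIFSD_LIKE), ("samba-like", SAMBA_LIKE)):
        result = check_session_setup_response(pdu)
        print(name, result["problems"] or "consistent")
```
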

@bosim
Author

bosim commented Aug 26, 2020

@namjaejeon Any news here?

Do you still need the dump?

Meanwhile another user has reported about the problem:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326325

@namjaejeon
Member

namjaejeon commented Aug 27, 2020

> Do you still need the dump?

Yes.

@namjaejeon
Member

@bosim Martin Blumenstingl sent the patches (#436) to the #ksmbd-next branch. I think that this fix is related to your issue. Can you check #ksmbd-next?

@Neustradamus

@bosim: @namjaejeon needs an answer to this comment...

@bosim
Author

bosim commented Oct 31, 2020

Sorry for the delay.

DD-WRT now has the patch [1], and it still does not work, but now I see the following in the log:

Oct 31 15:43:25 gateway kern.err kernel: cannot find context for id 32
Oct 31 15:43:25 gateway kern.err kernel: ksmbd: ksmbd_auth_ntlm:396: password processing failed
Oct 31 15:43:25 gateway kern.err kernel: ksmbd: build_sess_rsp_noextsec:986: ntlm authentication failed for user sonos

[1] see changeset https://svn.dd-wrt.com/changeset/44696

@bosim
Author

bosim commented Oct 31, 2020

BTW the cifs mount command shown above still fails, now on a newer system (openSUSE LEAP 15.2, kernel 5.3), and it still fails on the bad security blob length.

@bosim
Author

bosim commented Nov 17, 2020

I seem to have missed in the log output:

Nov 17 18:59:29 gateway kern.err kernel: cannot alloc blkcipher ecb(des)

Is the des cipher provided by the kernel, so it needs to be compiled in separately?

@bosim
Author

bosim commented Nov 17, 2020

Yay!

modprobe des_generic did the trick!

@bosim bosim mentioned this issue Nov 17, 2020
@namjaejeon
Member

Cool~ If so, this issue is also fixed?

@bosim
Author

bosim commented Nov 19, 2020

@namjaejeon Almost, I still get the cifs mount error.

@namjaejeon
Member

@bosim I requested a packet dump from you before. It is needed to find the clue.

@Neustradamus

@bosim: Any news?
Have you looked at all previous comments?

@Neustradamus

@bosim: Any news?
Have you looked at all previous comments?
Have you tested the latest code?

@bosim
Author

bosim commented May 2, 2021

Regarding cifs mount, I still see:

[ 5420.105192] CIFS: Attempting to mount //192.168.1.1/mediaserver
[ 5420.105225] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[ 5420.219019] CIFS: VFS: bad security blob length 138
[ 5420.219045] CIFS: VFS: \\192.168.1.1 Send error in SessSetup = -22
[ 5420.219105] CIFS: VFS: cifs_mount failed w/return code = -22

Where to send the packet dump when I get it done?

I am a bit confused here, last time I found a bug it was related to DD-WRT so, if you guys successfully can run the cifs mount command, with vers=1.0, maybe it is DD-WRT related again. So anybody able to test?

I am on Debian bullseye (kernel 5.10).

@bosim
Author

bosim commented May 2, 2021

Turns out it works using vers=1.0,sec=ntlm. Closing.

@bosim bosim closed this as completed May 2, 2021