spnego support

[xdarklight]

Hello,

I have an old SMB client which unfortunately cannot connect to ksmbd

ksmbd: ksmbd_kthread_fn:289: connect success: accepted new connection
ksmbd: ksmbd_conn_handler_loop:314: RFC1002 header 47 bytes
ksmbd: check_smb1_hdr:32: got SMB
ksmbd: smb1_calc_size:196: SMB2 byte count 12, struct size : 0
ksmbd: smb1_calc_size:199: SMB1 len 47
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:219: client requested dialect NT LM 0.12
ksmbd: ksmbd_lookup_dialect_by_name:224: selected NT LM 0.12 dialect
ksmbd: ksmbd_smb_negotiate_common:477: conn->dialect 0x0
ksmbd: ksmbd_conn_handler_loop:314: RFC1002 header 271 bytes
ksmbd: check_smb1_hdr:32: got SMB
ksmbd: smb1_calc_size:196: SMB2 byte count 210, struct size : 26
ksmbd: smb1_calc_size:199: SMB1 len 271
ksmbd: smb_session_setup_andx:1263: New session ID: 19, Uid: 0
ksmbd: smb_session_setup_andx:1271: build response without extend_security
ksmbd: build_sess_rsp_noextsec:945: session setup request for user 
ksmbd: build_sess_rsp_noextsec:960: server challenge is not assigned in negotiate
ksmbd: __process_request:152: Failed to process 115 [-22]
ksmbd: ksmbd_conn_handler_loop:314: RFC1002 header 253 bytes
ksmbd: check_smb1_hdr:32: got SMB
ksmbd: smb1_calc_size:196: SMB2 byte count 192, struct size : 26
ksmbd: smb1_calc_size:199: SMB1 len 253
ksmbd: smb_session_setup_andx:1263: New session ID: 19, Uid: 0
ksmbd: smb_session_setup_andx:1271: build response without extend_security
ksmbd: build_sess_rsp_noextsec:945: session setup request for user 
ksmbd: build_sess_rsp_noextsec:960: server challenge is not assigned in negotiate
ksmbd: __process_request:152: Failed to process 115 [-22]

my server config:

[global]
...
        ipc timeout = 20
        deadtime = 15
        map to guest = Bad User
        smb2 max read = 64K
        smb2 max write = 64K
        smb2 max trans = 64K
        cache read buffers = no
        cache trans buffers = no

######### Dynamic written config options #########
        server min protocol = NT1
        server signing = disabled

... some shares with guest ok = true ...

I found the following TODO in smb1pdu.c:875:

/* TODO: need to set spnego enable through smb.conf parameter */

setting conn->use_spnego = false; make this odd client work for me.

Are there any plans to make it configurable through smb.conf as the comment says?
If not: do you have any reference that I can follow for implementing it myself?

Thank you!
Martin

[namjaejeon]

I have a question and requests.

1. What kind of client is it? kernel cifs client? or smbclient of samba?

2. Can you give me tcpdump that captured the packets on problem ?

3. The your old smb client can connect samba server without setting any smb.conf of samba ?

[xdarklight]

1. the client is a Playstation 2. it currently only supports SMBv1. the implementation for that can be found here: https://github.com/ps2dev/ps2sdk/tree/master/iop/network/smbman/src
2. I will create a tcpdump later
3. apparently this smb.conf - which I haven't tried myself yet - works for other users: https://gist.github.com/mafredri/e88401c91489232e92e493d0e02912ef

[xdarklight]

2. you can grab the pcap file here: https://gist.github.com/xdarklight/e18c83855bbd1aa278eeb61788eafc2c/raw/913a22867f5b8a83625b457579d96d089b3df7da/smb-packet-dump.pcap

[namjaejeon]

Thanks! Let me check it.

[namjaejeon]

Can you check your old client can connect with samba after adding raw NTLMv2 auth = yes smb.conf of samba ?

raw NTLMv2 auth = yes

I am finding the proper config parameter in samba's smb.conf.

[xdarklight]

thank you for looking into this!

I am finding the proper config parameter in samba's smb.conf.

to make sure I understand it correctly:

• you're hoping that with a samba server and above setting it will also fail (just like ksmbd does)
• knowledge of the "right" samba config setting will help you to move forward with this issue

I'll try this as soon as I have some spare time (which may take until the weekend) and then update you in here

[namjaejeon]

Right, I expect that your old client connection failed with samba when setting the parameter I suggested.
ksmbd's smb.conf parameters are compatible with samba's one. I should find it in samba's smb.conf.

I'll try this as soon as I have some spare time (which may take until the weekend) and then update you in here

Thanks! If it is clear, I will add "raw NTLMv2 auth" parameter in ksmbd's configuration.

[xdarklight]

$ smbd --version
Version 4.12.6

$ cat /etc/samba/smb.conf 
[global]
server min protocol = NT1
keepalive = 0

[ps2smb]
   comment = PS2 SMB
    path = /mnt/ps2
    browseable = yes
    read only = no
    guest ok = yes
    public = yes
    available = yes

adding or removing raw NTLMv2 auth = yes does not seem to make a difference

packet dump with above setting enabled (I removed everything after the successful "Tree Connect" response to keep things simple): https://gist.github.com/xdarklight/e18c83855bbd1aa278eeb61788eafc2c/raw/4c54fe8479ff138c9c2635e6f2dc1bfefbd90bff/samba4.pcap

[namjaejeon]

Have you added/removed this parameter at global section like the following ? and should use_spnego = false in ksmbd at the same time.

[global]
server min protocol = NT1
keepalive = 0
raw NTLMv2 auth = yes

[xdarklight]

Have you added/removed this parameter at global section like the following ?

yes, sorry for not being clear about that
I have added raw NTLMv2 auth = yes right below keepalive = 0

and should use_spnego = false in ksmbd at the same time.

[global]
server min protocol = NT1
keepalive = 0
raw NTLMv2 auth = yes

I added raw NTLMv2 auth = yes to /etc/ksmbd/smb.conf while keeping my should use_spnego = false patch.
it does not seem to change anything

in the meantime I have found this inside the samba source-code: https://github.com/samba-team/samba/blob/0b742ec6a0558397d5cf01b99a401f8e2bc0e2e0/source4/smb_server/smb/negprot.c#L299
it seems like spnego is not config dependent and instead should be enabled based on the "extended security" flag in "flags2".
please see #438 and let me know what you think. it works fine for my use-case

[xdarklight]

fixed with 365d380