DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

Authentication issue with SMB share on Linux #52

Closed tazrome closed 2 years ago

tazrome commented 2 years ago

Hi,

It seems we have an issue uploading the result archive to a Linux SMB share. We are facing an authentication issue. It seems like ORC adds a \ at the beginning of the username, and this causes a bad authentication.

method=filecopy mode=sync operation=move authscheme=[negotiate or basic]

Great thanks for your work

sc-anssi commented 2 years ago

Hi, I tested with the following setup but could not reproduce your issue (i.e. it works in my setup):

tazrome commented 2 years ago

Hello,

Sorry for the delay... below are a few more details. Hope it will help.

The Samba configuration is pretty simple, as you describe above...

Setup orc v10.0.19

```
security = user
...
[upload]
path = /opt/upload
valid users = bob
read only = no
```

**With Samba 4.7.1**

The authentication works but I need to prefix a "fake" domain before the login user... something like toto\bob as username

Nothing really relevant in log files even with a log level > 5. I see an authentication error with bad password with the user bob and it's ok with a user anydomain\bob

**Samba 4.9.5**

The authentication works normally (with only "bob" as user)

I tried multiple Samba configurations but I'm not sure if it's related to Orc, Samba or my Samba configuration... There is no Windows domain involved with Samba in my setup.

Thanks

Regards

sc-anssi commented 2 years ago

Hi, I honestly don't know what made Samba 4.7.1 fail, but since the issue seems to be fixed in Samba 4.9.5 I don't think it's related to DFIR-Orc. Both Samba versions are pretty old and not supported anymore, you should definitely update if possible. Regards.