cifsd-team / ksmbd

ksmbd kernel server(SMB/CIFS server)

SMB1 test findings #430

Closed bosim closed 3 years ago

bosim commented 4 years ago

Because the Sonos device needs SMB1 which fails loading share from cifsd (#428), I decided to do a bit of testing on my Debian Buster machine to see if the SMB1 implementation is working as expected. I configured smb.conf (using DDWRT) with NT1 as both minimum and maximum protocol.

Here are my findings:

smbclient

Login works, ls, put, rm works. However on ls I see:

smbclient -m=NT1 -U user //host/share
..
smb: \> ls
  .                                   D        0  Tue Jul 21 20:16:12 2020
  ..                                  D        0  Tue Jul 21 20:16:12 2020
  <contents>
  Error in dskattr: NT_STATUS_INVALID_NETWORK_RESPONSE

As far as I recall, if I run with a higher SMB version the call works.

gvfs-mount

Ran gvfs-mount smb://host/share and then went to /run/user/uid/gvfs/<share dir>. Login works, writing, retrieving, deletion works.

cifs mount

Ran sudo mount -t cifs -o username=user,vers=1.0 //host/share /tmp/mount

It does not work:

mount error(22): Invalid argument

and dmesg says:

CIFS VFS: bad security blob length 138
CIFS VFS: Send error in SessSetup = -22
CIFS VFS: cifs_mount failed w/return code = -22

I did try to run Wireshark while doing this test and I found that the response of NTLMSSP_AUTH did return a security blob length of 138, but with no security blob.

Should be fairly easy to test with a usual Linux machine.

namjaejeon commented 4 years ago

smbclient: Login works, ls, put, rm works. However on ls I see:

What is the problem? Error in dskattr: NT_STATUS_INVALID_NETWORK_RESPONSE. Are you saying this error message?

cifsd mount: Ran sudo mount -t cifs -o username=user,vers=1.0 //host/share /tmp/mount It does not work:

In my test, it works fine. Can you share a Wireshark dump? And what kernel version did you use?

bosim commented 4 years ago

smbclient: Login works, ls, put, rm works. However on ls I see:

What is the problem? Error in dskattr: NT_STATUS_INVALID_NETWORK_RESPONSE. Are you saying this error message?

It seems so, I do not get the error when connecting to samba3 also using SMB1.

cifsd mount: Ran sudo mount -t cifs -o username=user,vers=1.0 //host/share /tmp/mount It does not work:

In my test, it works fine. Can you share a Wireshark dump? And what kernel version did you use?

Sure will make a dump.

So what cifsd returns as the final response in the chat is:

SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Response (0x73)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 43
        Action: 0x0000
            .... .... .... ...0 = Guest: Not logged in as GUEST
        Security Blob Length: 138
        Byte Count (BCC): 0

Notice the Security Blob Length.

The communication with the samba4 server is identical except for it returns a security blob length 0 (and no blob):

SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Response (0x73)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        Action: 0x0000
            .... .... .... ...0 = Guest: Not logged in as GUEST
        Security Blob Length: 0
        Byte Count (BCC): 83
        Security Blob: <MISSING>
        Native OS: Windows 6.1
        Native LAN Manager: Samba 4.9.5-Debian
        Primary Domain: WORKGROUP

So the packets in both cases are in the sequence: Protocol negotiate request -> Protocol negotiate response -> AndX request NTLMSSP_NEGOTIATE -> AndX Response NTLMSSP_CHALLENGE -> AndX Request NTLMSSP_AUTH -> AndX Response.

cifsd is running on Linux 4.4.230 ARMv7.
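
The two Session Setup AndX responses compared above, run through a length-consistency check, as an added example that is not part of the thread and not ksmbd or cifs client code. The byte strings are constructed from the dissected field values, the function name is hypothetical, and the rule "Security Blob Length must not exceed Byte Count" is assumed to be the condition behind the client's dmesg line.

```python
import struct

# Parameter block of an SMB1 Session Setup AndX response with extended
# security (WordCount == 4), starting right after the 32-byte SMB header:
# WCT, AndXCommand, Reserved, AndXOffset, Action, SecurityBlobLength, ByteCount
_FMT = "<BBBHHHH"
_HDR = struct.calcsize(_FMT)  # 11 bytes, little-endian, no padding


def check_sess_setup_response(body: bytes) -> dict:
    """Parse the block and report length inconsistencies (hypothetical helper)."""
    if len(body) < _HDR:
        raise ValueError("truncated Session Setup AndX response")
    wct, _cmd, _rsvd, andx_off, action, blob_len, bcc = struct.unpack_from(_FMT, body)
    if wct != 4:
        raise ValueError(f"unexpected word count {wct}")
    data = body[_HDR:]
    problems = []
    if bcc > len(data):
        problems.append(f"byte count {bcc} exceeds captured data {len(data)}")
    # The blob is carried inside the byte area, so it cannot be longer than it.
    if blob_len > bcc:
        problems.append(f"bad security blob length {blob_len}")
    blob = data[:blob_len] if not problems else b""
    return {"andx_offset": andx_off, "guest": bool(action & 1),
            "blob_len": blob_len, "byte_count": bcc,
            "blob": blob, "problems": problems}


# Constructed sample 1: the cifsd response (blob length 138, byte count 0).
CIFSD_RESPONSE = struct.pack(_FMT, 4, 0xFF, 0, 43, 0, 138, 0)

# Constructed sample 2: the Samba response (blob length 0, byte count 83).
# Byte area: one alignment pad byte, then NUL-terminated UTF-16LE strings.
_strings = ("Windows 6.1", "Samba 4.9.5-Debian", "WORKGROUP")
SAMBA_DATA = b"\x00" + "".join(s + "\0" for s in _strings).encode("utf-16-le")
SAMBA_RESPONSE = struct.pack(_FMT, 4, 0xFF, 0, 0, 0, 0, len(SAMBA_DATA)) + SAMBA_DATA

if __name__ == "__main__":
    for name, pkt in (("cifsd", CIFSD_RESPONSE), ("samba", SAMBA_RESPONSE)):
        print(name, check_sess_setup_response(pkt)["problems"] or "consistent")
```
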

bosim commented 4 years ago

@namjaejeon Any news here?

Do you still need the dump?

Meanwhile another user has reported the problem: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326325

namjaejeon commented 4 years ago

Do you still need the dump?

Yes.

namjaejeon commented 3 years ago

@bosim Martin Blumenstingl sent the patches (https://github.com/cifsd-team/cifsd/issues/436) to the #ksmbd-next branch. I think that this fix is related to your issue. Can you check #ksmbd-next?

Neustradamus commented 3 years ago

@bosim: @namjaejeon needs an answer to this comment...

bosim commented 3 years ago

Sorry for the delay.

DD-WRT now has the patch [1], and it still does not work, but now I see the following in the log:

Oct 31 15:43:25 gateway kern.err kernel: cannot find context for id 32
Oct 31 15:43:25 gateway kern.err kernel: ksmbd: ksmbd_auth_ntlm:396: password processing failed
Oct 31 15:43:25 gateway kern.err kernel: ksmbd: build_sess_rsp_noextsec:986: ntlm authentication failed for user sonos

[1] see changeset https://svn.dd-wrt.com/changeset/44696

bosim commented 3 years ago

BTW the cifs mount command shown above still fails, now on a newer system (openSUSE LEAP 15.2, kernel 5.3), and it still fails on the bad security blob length.

bosim commented 3 years ago

I seem to have missed in the log output:

Nov 17 18:59:29 gateway kern.err kernel: cannot alloc blkcipher ecb(des)

Is the des cipher provided by the kernel, so it needs to be compiled in separately?

bosim commented 3 years ago

Yay!

modprobe des_generic did the trick!

namjaejeon commented 3 years ago

Cool~ If so, is this issue also fixed?

bosim commented 3 years ago

@namjaejeon Almost, I still get the cifs mount error.

namjaejeon commented 3 years ago

@bosim I requested a packet dump from you before. It is needed to find the clue.

Neustradamus commented 3 years ago

@bosim: Any news? Have you looked at all previous comments?

Neustradamus commented 3 years ago

@bosim: Any news? Have you looked at all previous comments? Have you tested the latest code?

bosim commented 3 years ago

Regarding cifs mount, I still see:

[ 5420.105192] CIFS: Attempting to mount //192.168.1.1/mediaserver
[ 5420.105225] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[ 5420.219019] CIFS: VFS: bad security blob length 138
[ 5420.219045] CIFS: VFS: \\192.168.1.1 Send error in SessSetup = -22
[ 5420.219105] CIFS: VFS: cifs_mount failed w/return code = -22

Where to send the packet dump when I get it done?

I am a bit confused here. Last time I found a bug it was related to DD-WRT, so if you guys can successfully run the cifs mount command with vers=1.0, maybe it is DD-WRT related again. So is anybody able to test?

I am on Debian bullseye (kernel 5.10).

bosim commented 3 years ago

Turns out it works using vers=1.0,sec=ntlm. Closing.