hirochachacha / go-smb2

SMB2/3 client library written in Go.
BSD 2-Clause "Simplified" License

centos 7, samba server version 4.10.4, Access Denied #22

Open whans opened 4 years ago

whans commented 4 years ago

Hi, client env: macOS

When I run example_test.go, it throws this panic:

panic: response error: {Access Denied} A process has requested access to an object but has not been granted those access rights.

The Samba server is configured with account authentication.

hirochachacha commented 4 years ago

Could you show me a minimal reproducible code and stack trace? So that I could say something.

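whans commented 4 years ago

```go
package main

import (
	"net"

	"github.com/hirochachacha/go-smb2"
)

func main() {
	// Plain TCP connection to the SMB port of the Samba server.
	conn, err := net.Dial("tcp", "172.16.16.28:445")
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	// NTLM authentication with a local account (empty domain).
	d := &smb2.Dialer{
		Initiator: &smb2.NTLMInitiator{
			User:     "samba",
			Password: "test",
			Domain:   "",
		},
	}

	// Negotiate and set up the session.
	c, err := d.Dial(conn)
	if err != nil {
		panic(err)
	}
	defer c.Logoff()

	// Tree connect to the share.
	fs, err := c.Mount(`\\172.16.16.28\share`)
	if err != nil {
		panic(err) // panic here
	}
	defer fs.Umount()
}
```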

panic: response error: {Access Denied} A process has requested access to an object but has not been granted those access rights.

hirochachacha commented 4 years ago

Is there any possibility that you misconfigured the server setting? That error was actually coming from the server side, not client side.

whans commented 4 years ago

I'm using macOS Finder; connecting to the Samba server with it works fine.

hirochachacha commented 4 years ago

According to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/652e0c14-5014-4470-999d-b174d7b2da87, there're 3 scenarios the server responds with access denied.

If the server implements the SMB 3.x dialect family, EncryptData or Share.EncryptData is TRUE, RejectUnencryptedAccess is TRUE, and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION, the server MUST fail the request with STATUS_ACCESS_DENIED.

If Connection.Dialect belongs to the SMB 3.x dialect family, Share.EncryptData is TRUE, RejectUnencryptedAccess is TRUE, and Connection.ClientCapabilities does not include the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST fail the request with STATUS_ACCESS_DENIED.

The server MUST determine whether the user represented by Session.SecurityContext is granted access based on the authorization policy specified in Share.ConnectSecurity. If the server determines that it will grant access, the server MUST fail the request with STATUS_ACCESS_DENIED.

But I'm sure which is the culprit. Perhaps, removing SMB2_GLOBAL_CAP_ENCRYPTION from https://github.com/hirochachacha/go-smb2/blob/master/feature.go#L10 might work? If you give me both packet captures I can do further investigation though.
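For comparing the failing and the successful capture discussed in this thread, the following added example (not part of the thread and not go-smb2 code) parses the fixed 64-byte SMB2 packet header and reports whether a packet is a server response to TREE_CONNECT carrying STATUS_ACCESS_DENIED. The type and function names are hypothetical, and the sample packet is constructed rather than taken from the linked captures.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Values defined in MS-SMB2 / MS-ERREF.
const (
	cmdTreeConnect     = 0x0003     // SMB2 TREE_CONNECT
	statusAccessDenied = 0xC0000022 // STATUS_ACCESS_DENIED
	flagServerToRedir  = 0x00000001 // set on responses
)

var le = binary.LittleEndian

// Header holds the SMB2 header fields useful when diffing two captures.
type Header struct {
	Status, Flags uint32
	Command       uint16
	MessageID     uint64
	SessionID     uint64
}

// ParseHeader decodes the sync SMB2 header at the start of b.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < 64 || string(b[:4]) != "\xfeSMB" || le.Uint16(b[4:6]) != 64 {
		return Header{}, errors.New("not an SMB2 packet header")
	}
	return Header{Status: le.Uint32(b[8:12]), Command: le.Uint16(b[12:14]),
		Flags: le.Uint32(b[16:20]), MessageID: le.Uint64(b[24:32]),
		SessionID: le.Uint64(b[40:48])}, nil
}

// TreeConnectDenied reports whether b is a TREE_CONNECT response with STATUS_ACCESS_DENIED.
func TreeConnectDenied(b []byte) (bool, error) {
	h, err := ParseHeader(b)
	if err != nil {
		return false, err
	}
	return h.Flags&flagServerToRedir != 0 && h.Command == cmdTreeConnect &&
		h.Status == statusAccessDenied, nil
}

// SampleResponse builds a constructed TREE_CONNECT response header with the given status.
func SampleResponse(status uint32) []byte {
	b := make([]byte, 64)
	copy(b, "\xfeSMB")
	le.PutUint16(b[4:], 64)
	le.PutUint32(b[8:], status)
	le.PutUint16(b[12:], cmdTreeConnect)
	le.PutUint32(b[16:], flagServerToRedir)
	le.PutUint64(b[24:], 3) // constructed message id
	return b
}

func main() {
	denied, err := TreeConnectDenied(SampleResponse(statusAccessDenied))
	fmt.Println(denied, err)
}
```

The input is the SMB2 message with the 4-byte transport length prefix already stripped; an encrypted message starts with a transform header instead and is rejected by `ParseHeader`.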

whans commented 4 years ago

Removing SMB2_GLOBAL_CAP_ENCRYPTION does not work.

Wireshark captures: https://github.com/whans/smb2-cap/blob/master/access-denied.pcapng

hirochachacha commented 4 years ago

Thanks, could you also give me a successful one? So that I can compare them line by line.

whans commented 4 years ago

Success capture: https://github.com/whans/smb2-cap/blob/master/smb2-success.pcapng

hirochachacha commented 4 years ago

I wonder why you used a different domain name in each of the packets? You used "BEEGFS-28" in the failed packet and "win" in the successful one.

whans commented 4 years ago

I have to host

I updated the capture; you can download it from the same URL: https://github.com/whans/smb2-cap/blob/master/smb2-success.pcapng

hirochachacha commented 4 years ago

I noticed a subtle difference there. I hope it works fine. https://github.com/hirochachacha/go-smb2/commit/4367356b0fa4078d961bd337f5ce65debe9ce0c5

whans commented 4 years ago

Adding the path doesn't fix this problem.

Neustradamus commented 2 years ago

@whans, @hirochachacha: Any news?