jborean93 / smbprotocol

Python SMBv2 and v3 Client
MIT License

require_signing seems to change over request #181

Closed lermana closed 2 years ago

lermana commented 2 years ago

Hello, thanks for putting together this library!

I am having trouble authenticating to an enterprise network drive using a service account, and I've turned on logging to get more clarity. Here's how I'm trying to connect:

smbclient.register_session("***.com", username=r"DOMAIN\user", password="***", auth_protocol="ntlm", require_signing=False)

One thing I'm noticing is that the value of require_signing seems to change over the course of the request -- could that be the server telling me I need to handle signing, or is there something in the code here that's overriding what I'm trying to set?

2022-06-13 18:59:42,495 - smbprotocol.connection - INFO - Initialising connection, guid: ..., require_signing: False, server_name: ***.com, port: 445
2022-06-13 18:59:42,497 - smbprotocol.connection - INFO - Setting up transport connection
2022-06-13 18:59:42,497 - smbprotocol.transport - INFO - Connecting to DirectTcp socket
2022-06-13 18:59:42,537 - smbprotocol.connection - INFO - Starting negotiation with SMB server
2022-06-13 18:59:42,538 - smbprotocol.connection - INFO - Negotiating with SMB2 protocol with highest client dialect of: SMB_3_1_1
2022-06-13 18:59:42,540 - smbprotocol.connection - INFO - Sending SMB2 Negotiate message
2022-06-13 18:59:42,550 - smbprotocol.connection - INFO - Receiving SMB2 Negotiate response
2022-06-13 18:59:42,551 - smbprotocol.connection - INFO - Negotiated dialect: (785) SMB_3_1_1
2022-06-13 18:59:42,551 - smbprotocol.connection - INFO - Connection require signing: True

My error:

LogonFailure: Received unexpected status from the server: The attempted logon is invalid. This is either due to a bad username or authentication information. (3221225581) STATUS_LOGON_FAILURE: 0xc000006d

jborean93 commented 2 years ago

> One thing I'm noticing is that the value of require_signing seems to change over the course of the request -- could that be the server telling me I need to handle signing

That's correct, the require_signing option when you register the session is just you telling the client not to mandate signing from its end. The server can still respond in the Negotiate response that it requires signing, turning it on for the connection. This logic is covered at https://github.com/jborean93/smbprotocol/blob/98422c904cfb7242e654570125a1d5d71fcb49f7/smbprotocol/connection.py#L809-L813

Now the error you are getting back is an authentication failure. The server is explicitly rejecting your username/password for some reason. The best thing you can do here is check the Security event logs for when you attempted to connect and look at the reason and sub reason why the authentication failed. For example this is what I see when I sent the wrong password.

[image]

Hopefully that can give you enough info to start digging into why it's rejecting your authentication.
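
Added example, not part of the original thread and not smbprotocol's own code: a sketch of why the log above goes from `require_signing: False` to `Connection require signing: True`. It reads the SecurityMode flags from the fixed part of an SMB2 NEGOTIATE response (layout and flag values per MS-SMB2) and combines them with the client setting. The function names and the sample bytes are constructed for illustration.

```python
import struct

# SecurityMode flags carried in the SMB2 NEGOTIATE response (MS-SMB2).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Dialect revisions; 0x0311 is 785 decimal, the value shown in the log above.
DIALECTS = {0x0202: "SMB_2_0_2", 0x0210: "SMB_2_1_0", 0x0300: "SMB_3_0_0",
            0x0302: "SMB_3_0_2", 0x0311: "SMB_3_1_1"}


def parse_negotiate_response(body: bytes) -> dict:
    """Parse the leading fields of a NEGOTIATE response body, i.e. the
    bytes that follow the 64-byte SMB2 header (hypothetical helper)."""
    if len(body) < 8:
        raise ValueError("truncated NEGOTIATE response")
    structure_size, security_mode, dialect, _ctx_count = struct.unpack_from(
        "<HHHH", body)
    if structure_size != 65:
        raise ValueError(f"unexpected StructureSize {structure_size}")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def effective_require_signing(client_require_signing: bool, response: dict) -> bool:
    """Signing is on for the connection if either side requires it, so a
    client-side False cannot switch off a server-side requirement."""
    return client_require_signing or response["signing_required"]


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample: 8 meaningful bytes, zero-padded to the 64-byte
    fixed part. Not captured from a real server."""
    return struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 56


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):  # signing enabled only / enabled + required
        resp = parse_negotiate_response(build_sample_response(mode))
        print(resp, "-> connection requires signing:",
              effective_require_signing(False, resp))
```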

lermana commented 2 years ago

Thanks for the quick reply, @jborean93 -- very helpful.