Total credits overflow: 1 for SMB 2.0.2

[peclik]

ksmbd 3.4.4

Problem: I have HP Color LaserJet MFP M281fdn. CONFIG_SMB_INSECURE_SERVERmust be enabled (negotiation starts with SMB1). When trying to scan from the printer to a network share, ksmbd reports

Total credits overflow: 1

Proposed solution: Add .max_credits = SMB2_MAX_CREDITS, into static struct smb_version_values smb20_server_values

Attached is a pcap after patch has been applied (192.168.20.108 is the printer, 192.168.20.5 is ksmbd) M281fdn-Samba-test.zip

[namjaejeon]

Thanks for your report and solution! can you send the patch to linux-cifsd-devel@lists.sourceforge.net ?

[mmakassikis]

peclik, can you test with master branch from namjaejeon/ksmbd ?

I think this change may not be necessary after https://github.com/namjaejeon/ksmbd/commit/53544224a37b4cf1156b0fccf774bb57922bbeed.

[namjaejeon]

@mmakassikis Thanks for your comment:)

@peclik Done. Thanks for your report!

[peclik]

@mmakassikis I have tester current master. Unfortunately 5354422 breaks compatibility with the printer. After revoking the commit, the printer is able to upload to a server with ksmbd again.

[peclik]

(In reply to other user question)

Today, the situation is even worse, I gave up. There are more problems - not only (init_smb3_11_server vs. init_smb2_0_server), but also strange forced listen on IPv6 when available and ignoring IPv4, see

 ret = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket)

in transport_tcp.c.

[namjaejeon]

@peclik Please explain more what is problem ?

[peclik]

@namjaejeon

1. In code @ fe243b7, the problem with my printer HP Color LaserJet MFP M281fdn still exists. It cannot connect because it supports SMBv2 only. The workaround is to revert the https://github.com/namjaejeon/ksmbd/commit/53544224a37b4cf1156b0fccf774bb57922bbeed patch.

2. This code https://github.com/namjaejeon/ksmbd/blob/ecf319086072fe673338df4586e2ba6c455eb713/transport_tcp.c#L457, if I understand it right, prefers IPv6 over IPv4. I.e. when IPv6 is configured on an interface ksmbd won't listen on its IPv4 address. That should be configurable at least.

(Edit: referenced a commit I was testing the ksmbd at.)

[namjaejeon]

In current code, the problem with my printer HP Color LaserJet MFP M281fdn still exists. It cannot connect because it supports SMBv2 only. The workaround is to revert the https://github.com/namjaejeon/ksmbd/commit/53544224a37b4cf1156b0fccf774bb57922bbeed patch.

I can not understand why this patch cause problem. Can you dump packets using wireshark or tcpdump ?

if I understand it right, prefers IPv6 over IPv4. I.e. when IPv6 is configured on an interface ksmbd won't listen on its IPv4 address. That should be configurable at least.

So what is problem for you ?

[peclik]

Regarding 2. Problem is, that on my server's interface I have both IPv4 and IPv6 configured. And I want to connect to SMB shares from IPv4 only clients. (Usually, daemons by default bind to all interfaces and IPv4 +IPv6 protocols, which can be limited in their configurations. But with ksmbd I cannot select neither IPv4 alone nor both IPv6 and IPv4.).

Regarding 1.

• I have tested current code ecf319086072fe673338df4586e2ba6c455eb713.

• With the following patches:

  index 7f332c3..d3729ee 100644
  --- a/Makefile
  +++ b/Makefile
  @@ -2,6 +2,11 @@
  #
  # Makefile for Linux SMB3 kernel server
  #
  +
  +ccflags-y := -DCONFIG_SMB_INSECURE_SERVER=1
  +export CONFIG_SMB_INSECURE_SERVER := y
  +
  +
  ifneq ($(KERNELRELEASE),)
  # For kernel build
  
  diff --git a/transport_tcp.c b/transport_tcp.c
  index b5db6b4..ba8e15c 100644
  --- a/transport_tcp.c
  +++ b/transport_tcp.c
  @@ -454,7 +454,8 @@ static int create_socket(struct interface *iface)
        struct socket *ksmbd_socket;
        bool ipv4 = false;
  
  -       ret = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket);
  +       //ret = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket);
  +        ret = 1;
        if (ret) {
                if (ret != -EAFNOSUPPORT)
                        pr_err("Can't create socket for ipv6, fallback to ipv4: %d\n", ret);

• The printer connect test failed. (While the connection with the same user 'x' and password works)
• tcpdump: ksmbd-failed-HP_LaserJet.zip
• ksmbd log follows:

  Aug 06 18:52:00 vhosta kernel: device br0 left promiscuous mode
  Aug 06 18:52:51 vhosta kernel: ksmbd: connect success: accepted new connection
  Aug 06 18:52:51 vhosta kernel: ksmbd: RFC1002 header 58 bytes
  Aug 06 18:52:51 vhosta kernel: ksmbd: got SMB
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 byte count 23, struct size : 0
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB1 len 58
  Aug 06 18:52:51 vhosta kernel: [43B blob data]
  Aug 06 18:52:51 vhosta kernel: [42B blob data]
  Aug 06 18:52:51 vhosta kernel: [43B blob data]
  Aug 06 18:52:51 vhosta kernel: [42B blob data]
  Aug 06 18:52:51 vhosta kernel: [34B blob data]
  Aug 06 18:52:51 vhosta kernel: ksmbd: conn->dialect 0x202
  Aug 06 18:52:51 vhosta kernel: ksmbd: conn->dialect 0x202
  Aug 06 18:52:51 vhosta kernel: ksmbd: Upgrade to SMB2 negotiation
  Aug 06 18:52:51 vhosta kernel: ksmbd: credits: requested[1] granted[1] total_granted[1]
  Aug 06 18:52:51 vhosta kernel: ksmbd: RFC1002 header 154 bytes
  Aug 06 18:52:51 vhosta kernel: ksmbd: got SMB2 command
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 data length 66 offset 88
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 len 154
  Aug 06 18:52:51 vhosta kernel: ksmbd: Received request for session setup
  Aug 06 18:52:51 vhosta kernel: ksmbd: negotiate phase
  Aug 06 18:52:51 vhosta kernel: ksmbd: NTLMSSP SecurityBufferLength 118
  Aug 06 18:52:51 vhosta kernel: ksmbd: credits: requested[40] granted[40] total_granted[40]
  Aug 06 18:52:51 vhosta kernel: ksmbd: RFC1002 header 312 bytes
  Aug 06 18:52:51 vhosta kernel: ksmbd: got SMB2 command
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 data length 224 offset 88
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 len 312
  Aug 06 18:52:51 vhosta kernel: ksmbd: Received request for session setup
  Aug 06 18:52:51 vhosta kernel: ksmbd: authenticate phase
  Aug 06 18:52:51 vhosta kernel: ksmbd: session setup request for user x
  Aug 06 18:52:51 vhosta kernel: ksmbd: decode_ntlmssp_authenticate_blob dname
  Aug 06 18:52:51 vhosta kernel: ksmbd: credits: requested[1] granted[1] total_granted[40]
  Aug 06 18:52:51 vhosta kernel: ksmbd: RFC1002 header 114 bytes
  Aug 06 18:52:51 vhosta kernel: ksmbd: skip to check tree connect request
  Aug 06 18:52:51 vhosta kernel: ksmbd: got SMB2 command
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 data length 42 offset 72
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 len 114
  Aug 06 18:52:51 vhosta kernel: ksmbd: credits: requested[1] granted[1] total_granted[40]
  Aug 06 18:52:51 vhosta kernel: ksmbd: RFC1002 header 68 bytes
  Aug 06 18:52:51 vhosta kernel: ksmbd: skip to check tree connect request
  Aug 06 18:52:51 vhosta kernel: ksmbd: got SMB2 command
  Aug 06 18:52:51 vhosta kernel: ksmbd: SMB2 len 68
  Aug 06 18:52:51 vhosta kernel: ksmbd: credits: requested[1] granted[1] total_granted[40]

[mmakassikis]

The code you commented prevents ksmbd from creating a socket.

On Linux, a socket created with PF_INET6 will accept both IPv6 and IPv4 connections (unless IPV6_V6ONLY socket option has been set, but this is not the case with ksmbd).

If the client is IPv4 only, the fact that ksmbd can accept connections over IPv6 is completely transparent.

In the pcap you attached, the server responds with "Access Denied" error. Can you verify in ksmbd config that

• you have a user called "x" with the same password that was configured on the printer ?
• there is a "upload" share configured ?

What permissions are set on the "upload" directory ?

Can you connect to the share using the same credentials using a different client ?

Try running the mountd binary "-v" and then attempt to connect.

[peclik]

Without that patch (ret=1), netstat -l shows that port 445 is open on IPv6 address only, but I can test connection again.

The same share UPLOAD with the user 'x' and given passowrd works from Windows.

[mmakassikis]

Without that patch (ret=1), netstat -l shows that port 445 is open on IPv6 address only, but I can test connection again.

Yes, that is the expected behaviour. If you connect a client over IPv4 and run "netstat -paluten" again, you should see an ESTABLISHED connection, with an IPv4-mapped IPv6 address (e.g. if the client is connecting from 192.168.1.30, you will see ::ffff:192.168.1.30)

[peclik]

OK, thanks for explanation regarding IPv4.

Code @ https://github.com/namjaejeon/ksmbd/commit/fe243b7f7ced079fafd2ac887994a104bba360ee worked with the printer's client when I reverted https://github.com/namjaejeon/ksmbd/commit/53544224a37b4cf1156b0fccf774bb57922bbeed patch, the same share/user/password used. (On the other hand after that it didn't work with Windows client, of course). I did not test reverting the patch with the current code, as that would be meaningless, probably.