SMB connection to Samba v4.11.6 totally fails

Support for Android version of Total Commander

Moderators: white, Hacker, petermad, Stefan2

Post Reply
tantalus1983
Junior Member
Junior Member
Posts: 2
Joined: 2020-03-11, 20:34 UTC

SMB connection to Samba v4.11.6 totally fails

Post by *tantalus1983 »

Hello,
first of all, TC for Android is a great tool. It really made my life better. Thanks!
I'm using OpenSuSE Tumbleweed, which recently updated Samba to v4.11.6. Since then, I get no access to SMB shares anymore.
I've opened this topic as I suspect that this is related to the latest version of Samba. The same configuration worked before. Also, this may be an issue of smbj.

Samba always responds with a "Bad SMB2 signature for message", except I set "min protocol, SMB2_22" or higher, then it fails negotiating a protocol. Changing the SMB2 option does not help.
When I set max protocol = SMB2_02, it can't negotiate with the SMB2 option turned off (makes sense). With SMB2 on, I get the signature error.

It seems like SMB2_10 is always supported, but the SMB2 option unlocks SMB2_02

- TC for Android 2.91
- smbd -V on PC: Version 4.11.5-git.114.5685848b8fcSUSE-oS15.5-x86_64
- smbd -V on RPi: Version 4.11.5-git.114.5685848b8fc1.1-SUSE-oS15.5-aarch64
- Restarted TC between all tries

Log for min protocol = SMB2_10, SMB2 option on or off:

Code: Select all

[2020/03/11 22:07:09.767162,  3] ../../lib/util/access.c:369(allow_access)
  Allowed connection from fd20::c06a:d997:73bf:ef61 (fd20::c06a:d997:73bf:ef61)
[2020/03/11 22:07:09.768280,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/03/11 22:07:09.768444,  3] ../../source3/smbd/process.c:1955(process_smb)
  Transaction 0 of length 61 (0 toread)
[2020/03/11 22:07:09.768492,  3] ../../source3/smbd/process.c:1548(switch_message)
  switch message SMBnegprot (pid 21890) conn 0x0
[2020/03/11 22:07:09.769256,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.002]
[2020/03/11 22:07:09.769315,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.???]
[2020/03/11 22:07:09.769853,  3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
(...)
[2020/03/11 22:07:09.771085,  3] ../../source3/smbd/negprot.c:776(reply_negprot)
  Selected protocol SMB 2.???
[2020/03/11 22:07:09.774511,  3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2020/03/11 22:07:09.779540,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe0888215
[2020/03/11 22:07:09.786183,  3] ../../auth/ntlmssp/ntlmssp_server.c:550(ntlmssp_server_preauth)
  Got user=[guest] domain=[] workstation=[] len1=0 len2=140
(...)
[2020/03/11 22:07:09.787819,  3] ../../source3/param/loadparm.c:1618(lp_add_ipc)
  adding IPC service
[2020/03/11 22:07:09.787879,  3] ../../source3/auth/auth.c:199(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[guest]@[] with the new password interface
[2020/03/11 22:07:09.787909,  3] ../../source3/auth/auth.c:202(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: []\[guest]@[]
[2020/03/11 22:07:09.788000,  3] ../../source3/auth/check_samsec.c:398(check_sam_security)
  check_sam_security: Couldn't find user 'guest' in passdb.
[2020/03/11 22:07:09.788029,  2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2020/03/11 22:07:09.788105,  2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\[guest] at [Mi, 11 Mär 2020 22:07:09.788078 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv6:fd20::c06a:d997:73bf:ef61:38574] mapped to []\[guest]. local host [ipv6:fd20::14:445] 
  {"timestamp": "2020-03-11T22:07:09.788235+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv6:fd20::14:445", "remoteAddress": "ipv6:fd20::c06a:d997:73bf:ef61:38574", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "guest", "workstation": "", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "guest", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 8930}}
[2020/03/11 22:07:09.788321,  3] ../../source3/auth/auth_util.c:2216(do_map_to_guest_server_info)
  No such user guest [] - using guest account
[2020/03/11 22:07:09.792154,  0] ../../libcli/smb/smb2_signing.c:236(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2020/03/11 22:07:09.792281,  0] ../../lib/util/util.c:661(dump_data)
  [0000] A2 39 16 7F A1 2B 33 13   9F 66 D3 6B 86 01 A9 D7   .9...+3. .f.k....
[2020/03/11 22:07:09.792374,  0] ../../lib/util/util.c:661(dump_data)
  [0000] 64 73 D1 A1 5D 10 80 1D   DF 23 CB 74 82 C4 6E D9   ds..]... .#.t..n.
[2020/03/11 22:07:09.792459,  3] ../../source3/smbd/smb2_server.c:3254(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:2506
[2020/03/11 22:08:09.827216,  2] ../../source3/smbd/process.c:2886(deadtime_fn)
  Closing idle connection
...

Samba log with "min protocol = SMB2_22" (or higher), SMB2 option on or off.
Same for "max protocol = SMB2_02" and SMB2 option off.

Code: Select all

[2020/03/11 22:11:24.948871,  3] ../../lib/util/access.c:369(allow_access)
  Allowed connection from fd20::c06a:d997:73bf:ef61 (fd20::c06a:d997:73bf:ef61)
[2020/03/11 22:11:24.949971,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/03/11 22:11:24.950124,  3] ../../source3/smbd/process.c:1955(process_smb)
  Transaction 0 of length 51 (0 toread)
[2020/03/11 22:11:24.950173,  3] ../../source3/smbd/process.c:1548(switch_message)
  switch message SMBnegprot (pid 22044) conn 0x0
[2020/03/11 22:11:24.950846,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/03/11 22:11:24.951129,  3] ../../source3/smbd/negprot.c:757(reply_negprot)
  reply_negprot: No protocol supported !
[2020/03/11 22:11:24.951559,  3] ../../source3/smbd/server_exit.c:243(exit_server_common)
  Server exit (no protocol supported
  )
tantalus1983
Junior Member
Junior Member
Posts: 2
Joined: 2020-03-11, 20:34 UTC

Re: SMB connection to Samba v4.11.6 totally fails

Post by *tantalus1983 »

Ok, I got a little further right after creating the post.

It still seems that SMB2 is broken with TC SMB and Samba. This was reported some while ago:
https://www.ghisler.ch/board/viewtopic.php?f=22&t=53707
Disabling the SMB2 option helped back then. TC connects with SMB1 then (and not with SMB3, as I assumed).

This was okay until SMBv1 was disabled in the default configuration of Samba 4.11:
https://wiki.samba.org/index.php/Samba_4.11_Features_added/changed#SMB1_is_disabled_by_default


Allowing SMBv1 in Samba fixes the issue:

Code: Select all

min protocol = LANMAN2
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

I'm using the smbj library. I cannot find any bugs related to Samba 4.11:
https://github.com/hierynomus/smbj/issues

Btw, is there any Linux distribution for PC using Samba 4.11, so I could test this?
Linux mint 19.3 (the latest) uses 4.7.6, and Raspbian uses 4.9.5.
Author of Total Commander
https://www.ghisler.com
JOUBE
Power Member
Power Member
Posts: 1433
Joined: 2004-07-08, 08:58 UTC

Re: SMB connection to Samba v4.11.6 totally fails

Post by *JOUBE »

ghisler(Author) wrote: 2020-03-12, 11:24 UTCBtw, is there any Linux distribution for PC using Samba 4.11, so I could test this?
Debian. Debian of cause ;-).

https://packages.debian.org/search?keywords=samba

Paket samba

jessie (oldoldstable) (net): SMB/CIFS-Datei-, Druck- und Anmeldeserver für Unix
2:4.2.14+dfsg-0+deb8u13 [security]: amd64 armel armhf i386
stretch (oldstable) (net): SMB/CIFS-Datei-, Druck- und Anmeldeserver für Unix
2:4.5.16+dfsg-1+deb9u2: amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
buster (stable) (net): SMB/CIFS-Datei-, Druck- und Anmeldeserver für Unix
2:4.9.5+dfsg-5+deb10u1 [security]: amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
bullseye (testing) (net): SMB/CIFS-Datei-, Druck- und Anmeldeserver für Unix
2:4.11.5+dfsg-1: amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x
sid (unstable) (net): SMB/CIFS-Datei-, Druck- und Anmeldeserver für Unix
2:4.11.5+dfsg-1+b1: alpha amd64 arm64 armel armhf hppa i386 m68k mips64el mipsel ppc64 ppc64el riscv64 s390x sh4 sparc64 x32
2:4.9.5+dfsg-3 [debports]: powerpcspe

Debian bullseye (11) can be downloaded here: https://www.debian.org/devel/debian-installer/index.de.html

The CD amd64: https://cdimage.debian.org/cdimage/bullseye_di_alpha2/amd64/iso-cd/

I use the lightweight LXDE desktop (like on Raspberry Pi) on Debian.

JOUBE

PS.:
Debian -> Ubuntu -> Linux Mint
Debian -> Raspbian
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

Thanks, I will try installing it in Virtualbox
Author of Total Commander
https://www.ghisler.com
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

I have installed Debian Bullseye Alpha 2 now in Virtualbox.
However, it only installs Samba v4.11.5, not v4.11.6.
Connecting to it from my LAN plugin works without problems.

How do I get Samba v4.11.6? Do I need to compile it myself?
Author of Total Commander
https://www.ghisler.com
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

2tantalus1983
I have now installed OpenSuSE Tumbleweed in VirtualBox and enabled Samba. However, it reports to use Samba version 4.12.0, not 4.11.6.
After allowing access to the Samba ports via command
firewall-config
and checking "samba" in the "public" zone both for "Runtime" and "Permanent", I can access the Samba server both from Windows and from my LAN plugin without problems.

So maybe updating to Samba version 4.12.0 helps in your case too?

Btw, I failed to get Samba 4.1.6 to work on Debian. I managed to compile and install it, and it started. I could connect to it, but the passwords set via smbpasswd -a username wasn't used, so I couldn't log in from Windows.
Author of Total Commander
https://www.ghisler.com
DigNative
New Member
New Member
Posts: 1
Joined: 2020-09-29, 21:02 UTC

Re: SMB connection to Samba v4.11.6 totally fails

Post by *DigNative »

I am suffering from exactly the same issue --- I suspect that this is a bug in Total Commander in conjunction with SMBv2, as all other clients I am using to access the Samba server are working fine. Upgrading/changing the server setup is, unfortunately, not an option for me.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

I don't think that it's related. Samba is a very complex protocol, and there are quite a few ways to configure it so it doesn't work with my plugin:
1. Did you disable SMB1 and SMB2? Currently SMB3 is NOT supported. The author of the smbj library (used by my plugin) is working on SMB3 support, but it's a lot of work, especially to support encryption
2. Some login methods like Kerberos are not supported
3. Active directory works in some cases and not in others
Author of Total Commander
https://www.ghisler.com
kyle0815
New Member
New Member
Posts: 1
Joined: 2021-03-27, 16:57 UTC

Re: SMB connection to Samba v4.11.6 totally fails

Post by *kyle0815 »

Hi,

I have a similar issue connecting to a Samba share on my Ubuntu 20.10 laptop from Andoid Total Commander.

I used some Ubuntu "out of the box" function to share a folder with "guest access", this automatically installs and sets up samba. apt-list says I have samba 2:4.12.5+dfsg-3ubuntu4.1.

From my Windows 10 PC (using Total Commander, what else..), I can connect to the share on my Ubuntu just fine, no password needed.

Total Commander on my Android 10 phone is the current version from Google Play (3.20)
The lan plugin is also the current version from Google Play (3.20)

With total commander on my phone, I could not connect, neither with "SMB2", nor without. This is what happened:

1) Total commander always said "status_access_denied"
2) On Ubuntu, each time that I tried to connect, I got this message in log file "/var/log/samba/log.": "../../libcli/smb/smb2_signing.c:313(smb2_signing_check_pdu) Bad SMB2 signature for message"

Note: I mostly tried without a username or password in total commander, since the share is supposed to not require any. I also tried user=guest and password empty, that did not work, either.

After reading this thread a little, I found this info:
tantalus1983 wrote: 2020-03-11, 21:38 UTC Allowing SMBv1 in Samba fixes the issue:

Code: Select all

min protocol = LANMAN2
So I put "min protocol = LANMAN2" into the global section of my /etc/samba/smb.conf, then I restarted smbd, and now I can finally connect to the share from my phone (wiht SMB2 turned off, and no username/password)!
pmouse
Junior Member
Junior Member
Posts: 2
Joined: 2022-01-31, 08:16 UTC

Re: SMB connection to Samba v4.11.6 totally fails

Post by *pmouse »

I also have this problem and couldn't connect to Samba4 (v4.14.x) server. If I set the 'server max protocol' to 'NT1' (one step up from LANMAN2), it works, but only if I also leave SMBv2 support unchecked in Total Commander LAN plugin settings. I'm also trying GUEST access, which I understand means setting no username and no password in LAN plugin settings.

I get this message on the server side when SMBv2 on the LAN plugin is enabled:

Bad SMB2 signature for message

same as others have reported.

I get this message when Samba4 is set to max protocol = NT1, SMB2, or SMB3 with LAN plugin SMBv2 checked. I also get this error with Samba4 set to max protocol = SMB2 with LAN plugin SMBv2 unchecked.

It seems to me like LAN plugin is trying SMBv2, but that implementation is not compatible with Samba4. I *think* I had Samba3 before I started having this issue and I didn't have to adjust the max protocol setting on that server, so that is also consistent with the idea that something is changed in Samba4. On that server, however, I also created a bogus user, so I wasn't using GUEST auth, and I set a username in my LAN plugin auth settings. So, GUEST auth may be required to reproduce this issue, too. Also, I note in Samba4 documentation that several of the SMB2 sub protocols *are not* supported: only SMB2_02 and SMB2_10 are listed as supported, while SMB2_22 and _24 are NO LONGER listed, so I take it they have been removed from support.

Let me know if I can help more. Always willing to troubleshoot.

I'm very excited to hear that SMB3 support is in the works. How is that coming along?
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

Have you tried the latest beta version? It supports SMB3 with and without encryption:
https://play.google.com/apps/testing/com.ghisler.tcplugins.LAN

I recommend not using encryption, it slows down transfers quite a lot.
Author of Total Commander
https://www.ghisler.com
pmouse
Junior Member
Junior Member
Posts: 2
Joined: 2022-01-31, 08:16 UTC

Re: SMB connection to Samba v4.11.6 totally fails

Post by *pmouse »

Okay, I think I finally figured it out. I can connect to my Samba server with SMBv2 checked, but with a guest account password.

If I understand correctly, there has always been a tension with password-less guest access. True "guest" access was part of "share-level" access control, which was deprecated in Samba a long time ago, but samba supported null passwords for "user-level" access for a long time after that. That's why I kept trying to set it up on a new Samba4 server. The bottom line is that Windows doesn't allow this access mode, any more, and neither does Samba4. Even though the "null password" option in Samba4 doesn't generate an error, like some invalid configurations, it is officially deprecated and generates an warning.

But, the problem is actually not with that setting, which I think is still effective because *I was able to authenticate* as a password-less guest. Instead, samba generates access errors and smb message signature errors. I think this post is the most clear about why it doesn't work: https://www.spinics.net/lists/samba/msg167531.html

Thanks for pointing me to the plugin beta. I think I'll just wait for the release since I got it working. But, I hope it comes out soon.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: SMB connection to Samba v4.11.6 totally fails

Post by *ghisler(Author) »

Indeed passwordless access usually doesn't work. My plugin does try to authenticate with AuthenticationContext.anonymous() when login via the provided user name fails. smbj creates an empty user name and password for this. There is also a AuthenticationContext.guest() option not used by my plugin, which sets user name to "Guest" with empty password. However, I don't know how to configure the SMB server to work with one of these. Just set a simple password and use that instead.
Author of Total Commander
https://www.ghisler.com
Post Reply