After Samba upgrade can't access unpassworded windows share

Bug #1572876 reported by greg on 2016-04-21
182
This bug affects 32 people
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Ubuntu)
High
Ubuntu Security Team

Bug Description

Ubuntu 14.04.4 LTS X64
On 19th april got an update. mainly there was Samba's update, after that, can't access anymore to unpassworded share on Win7, login and password requested, but there is no password

smbclient -N -L 192.168.1.55
WARNING: The "syslog" option is deprecated
NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!
Anonymous login successful
Domain=[VORON] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]

 Sharename Type Comment
 --------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Connection to 192.168.1.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
========================
upgrade log:
Start-Date: 2016-04-19 09:04:37
Commandline: aptdaemon role='role-commit-packages' sender=':1.258'
Upgrade: python-samba:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), winbind:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), tdb-tools:amd64 (1.2.12-1, 1.3.8-0ubuntu0.14.04.1), samba:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), python-tdb:amd64 (1.2.12-1, 1.3.8-0ubuntu0.14.04.1), libtevent0:amd64 (0.9.19-1, 0.9.26-0ubuntu0.14.04.1), samba-dsdb-modules:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libnss-winbind:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), samba-common-bin:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libldb1:amd64 (1.1.16-1ubuntu0.1, 1.1.24-0ubuntu0.14.04.1), libtdb1:amd64 (1.2.12-1, 1.3.8-0ubuntu0.14.04.1), samba-libs:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), virtualbox-5.0:amd64 (5.0.16-105871~Ubuntu~trusty, 5.0.18-106667~Ubuntu~trusty), smbclient:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libtalloc2:amd64 (2.1.0-1, 2.1.5-0ubuntu0.14.04.1), python-talloc:amd64 (2.1.0-1, 2.1.5-0ubuntu0.14.04.1), libpam-winbind:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libwbclient0:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), samba-vfs-modules:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), python-ldb:amd64 (1.1.16-1ubuntu0.1, 1.1.24-0ubuntu0.14.04.1), samba-common:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libsmbclient:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2)

greg (xeon-greg) on 2016-04-21
affects: usb-creator (Ubuntu) → ubuntu
affects: ubuntu → samba (Ubuntu)
description: updated
greg (xeon-greg) wrote :

when i tried to use guest as username w/o password, i've got an access via smbclient , but from gui (nautilus) it doesn't work. still no access:
smbclient -U Гость -L //192.168.1.55
WARNING: The "syslog" option is deprecated
Enter Гость's password:
Domain=[SASH] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Удаленный Admin
 C$ Disk Стандартный общий ресурс
 Canon MF4320-4350 Printer Canon MF4320-4350
 D$ Disk Стандартный общий ресурс
 E Disk
 G$ Disk Общий ресурс по умолчанию
 IPC$ IPC Удаленный IPC
 print$ Disk Драйверы принтеров
 Users Disk
 Шара Disk
Connection to 192.168.1.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
wolf (direwolf) wrote :

Have exactly the same issue. With the shared printer and windows shares in general.
Happened right after update.

Just in case (dont know if this is useful) -
On Arch Linux the issue was with these 2 packages - smbclient and libwbclient 4.4.2-1.
Bug was created for this issue - https://bugs.archlinux.org/index.php?do=details&action=details.addvote&task_id=48987

Hi,

we have problems with this new version too... the system stop to work (with out memory) after a time and I cant get the user list from the domain, like in this bug report:
http://www.spinics.net/lists/samba/msg133470.html

Note1: wbinfo -u not work but wbinfo -g work perfectly.
Note2: on my case, rejoin to domain not work, only making a downgrade to the previous version (2:4.1.6+dfsg-1ubuntu2) work again.

on log-wb.DOMAIN I see:

====================
[2016/04/21 21:02:50.111459, 1] ../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2016/04/21 21:02:50.697369, 1] ../source3/libads/ldap_utils.c:91(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2016/04/21 21:02:51.231447, 1] ../source3/libads/ldap_utils.c:91(ads_do_search_retry_internal)
  Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT
[2016/04/21 21:02:51.632155, 1] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
  ads reopen failed after error Time limit exceeded
[2016/04/21 21:02:51.632204, 1] ../source3/winbindd/winbindd_ads.c:320(query_user_list)
  query_user_list ads_search: Time limit exceeded
=====================

thanks and hopping that this info help to get a solution.

Seth Arnold (seth-arnold) wrote :

Victor, that sounds like a different issue. Please open a new bug report.

Thanks

kakaroto (just2register) wrote :

I have exactly the same problem

kakaroto (just2register) wrote :

BTW, in order to be able to access the shares I had to reinstall the older packages using:

apt-get install samba=2:4.1.6+dfsg-1ubuntu2 samba-common=2:4.1.6+dfsg-1ubuntu2 samba-libs=2:4.1.6+dfsg-1ubuntu2 samba-common-bin=2:4.1.6+dfsg-1ubuntu2 samba-dsdb-modules=2:4.1.6+dfsg-1ubuntu2 python-samba=2:4.1.6+dfsg-1ubuntu2 libldb1=1:1.1.16-1 python-ldb=1:1.1.16-1

I did the downgrade also, because since last update I could not authenticate at windows shares anymore. Now I get following error message in filemanager if trying to access smb://[server-adress]/

Failed to execute child process "/usr/lib/gvfs/gvfsd-network" (No such file or directory).

any idea?

If installing the gvfsd backends again, samba will be the newest version again. If doing downgrade as you suggested, the backends are gone and I get the above mentioned error. Isn't there a method how to downgrade the samba version to get windows shares AND Mapi in evolution to work again? I know the update was done because of an security error, but it is very annoying to start windows in an VM to get access to the shared directories :-(

Chadd Hudson (chadd-hudson) wrote :

Hope this helps but I am seeing this issue with accessing password protected windows shares as well. I looked on ubuntuforums and found a thread where it is discussed also.

http://ubuntuforums.org/showthread.php?t=2321029

chuckz (mzakuta) wrote :

I get the following errors upon using smbtree command:

NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!

Trying to connect to a Windows PC gets me a logon box asking for password, even though my Windows shares have not password set.
It started after upgrade to Ubuntu 16.04 including Samba 4.3.8

wolf (direwolf) wrote :
TLRobb (terry-maximatcher) wrote :

Me too.
Thank you wolf for the references.
New bug was driving me nuts, can't print to samba printer. can't view shares on Win7 machine.

WARNING: The "syslog" option is deprecated
Enter terry's password:
NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!

greg (xeon-greg) wrote :

you should stop cups service, then open /etc/cups/printers.conf, modify printer's URI like that smb://guest@....... then save and start cups service. when you start printing authentication dialog pop's up, you don't have to enter any credentials , just hit enter an it will prints

Paul Privara (pprivara) wrote :

... noticed that "/run/user/1000/gvfs" was scrambled when the error of this thread also occurred with samba 4.3.8 4.4.2 as well ....

ls -l /run/user/1000/

d????? ?? ?? ?? /run/user/1000/gvfs

... produced those question marks and the directory was not accessible by root

I have rebooted the computer so this is not an exact cut/paste

TLRobb (terry-maximatcher) wrote :

Thank you, Greg.
This suggestion " smb://guest@......." works fine for printing to a Win7 share from another Xubuntu install which I did not downgrade. That is, an installation updated to samba 4.3.8.

Dorian Baciu (baciu-dorian) wrote :

I confirm that there are problems with the connection to a PC with Windows 7 installed.
Since when its updated Samba from version 4.1.6 to 4.3.8 (via Update Manager from Linux Mint 17.3), my computer with Linux Mint 17.3 x64 - Cinnamon (based on Ubuntu 14.04, kernel 3.19.58) (client) can no longer connect to another computer (host), where Windows 7 is installed (with shares files/folders) kept asking password connection. Say that Windows 7 computer don't has user password protection, and it has turn off password protected sharing for the directories and files shared, (and with HomeGroup Connections turn off in Windows 7).
(For Samba Team) Please very much to resolve urgently the problem (bug) with Samba ver. 4.3.8, which, from my point of view, was programmed by an incompetent in programming.
I apologize for my inadequate language, but I am very angry with this bug and I urgently need a solution for connecting to Windows 7 (without user password).
There are many on the forums which relate your mistake that they can't connect to computers with Windows (see here, e.g., https://bugs.launchpad.net/ubuntu/+source/samba/+bugs?orderby=targetname&start=0).
I had no problems with Samba ver. 4.1.6. Everything worked fine with Samba ver. 4.1.6.
I wait an urgent solution to resolve the bug.
(I'm beginner in Linux.)

Thank you for understanding.

Sorry for my poor English.

Ivan Zuric (zurich) wrote :

Same thing after automatic update to Samba 4.3.8 at Lubuntu 14.04 LTS 15.10 & 16.04 LTS. Can't access Win 7/8.1/10 shared unpassworded folders & printers.
But there is a temporary workaround which works for me on 15.10 & 16.04 (haven't try on 14.04 LTS).
In smb.conf [global] section put following lines:

   client use spnego = no
   client ntlmv2 auth = no
   client ipc max protocol = NT1

Now, when I'm asked for password, just enter my root password & select option "Remeber forever".
Same procedure for configuring Windows shared printers.

I hope this will help.

Robie Basak (racb) on 2016-05-03
tags: added: regression-update
Marc Deslauriers (mdeslaur) wrote :

Today's Samba update should contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

Pavlos Kairis (kairis) wrote :

I tried this with Ubuntu Mate 16.04 trying to access -> a winxp and win7 share. I did apt-get update/dist-upgrade and it brought in samba 4.3.9 I added Ivan's 3 lines in [global] of smb.conf (see 2 posts above), I entered userid & password and selected "Remember Forever" and I can access the shares. The popup window is a bit annoying but at least now I can access shares.

I will test with my 14.04 and 15.10 and report back.

Pavlos Kairis (kairis) wrote :

I followed the same steps (#20) and 14.04 and 15.10 behaved like I posted.

chuckz (mzakuta) wrote :

The fix by Ivan Zuric helped with 4.3.8:
client use spnego = no
   client ntlmv2 auth = no
   client ipc max protocol = NT1

thanks very much!

(I haven't tried 4.3.9)

greg (xeon-greg) wrote :

after yesterday upgrade to 4.3.9 in general problem isn't fixed. but some behaviour has changed. for example, now smbclient can access w/o -U guest option ( see my first comment)
smbclient -N -L //192.168.1.55/
WARNING: The "syslog" option is deprecated
WARNING: The "null passwords" option is deprecated
OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Удаленный Admin
 C$ Disk Стандартный общий ресурс
 Canon MF4320-4350 Printer Canon MF4320-4350
 D$ Disk Стандартный общий ресурс
 E Disk
 G$ Disk Общий ресурс по умолчанию
 IPC$ IPC Удаленный IPC
 print$ Disk Драйверы принтеров
 Users Disk
 Шара Disk
Connection to 192.168.1.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

but from gui : nautilus , krusader etc still pop's up authentication window, and any credentials isn't grant access

greg (xeon-greg) wrote :

wow. from gui, when authentication window pop's up initially there is set user name from my ubuntu account and domain , but because there is no password set for share on WIn 7, i did't enter any password, just hit enter, and has no access, window continue pop's up, i've tried different user name (guest, Гость) still no luck, but when i enter my UBUNTU account username and PASSWORD i've got an access !!
so problem partially fixed, but this behaviour is not obvious
 why i should enter my local ubuntu account credentials to access remote unprotected share ????

greg (xeon-greg) on 2016-05-05
Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Alex_TNT (alex-tnt89) wrote :

I managed to make it work by installing a fresh copy of ubuntu. Did all the update/upgrade and it still requested for my username and password
It did work by adding the username of the share in my case the default between windows pc is `Everyone` and adding the password for my current ubuntu platform
it may ask you again for a password, leave it blank if doesn't work type your Ubuntu password again.

TLDR :
Windows Share Username = Everyone
Ubuntu Password =
Check Forever

Ivan Zuric (zurich) wrote :

Tried this update on Lubuntu 16.04 LTS - Samba 4.3.9.

My temporary workaround (10 posts earlier)
     client use spnego = no
     client ntlmv2 auth = no
     client ipc max protocol = NT1
is not needed anymore, but problem still remains. Ubuntu still asks from password when I try to access unpassworded Windows share/printer.
The most strangest thing is when I try from terminal: smbclient -L <win_machine_name> -N, I can normally see my shares without password. Before update I would get a message "NT_STATUS_ACCESS_DENIED"..

Very close, but unfortunately not solved..

greg (xeon-greg) wrote :

no need to use
client use spnego = no
client ntlmv2 auth = no
client ipc max protocol = NT1

for UNprotected share just use your local ubuntu account credentials (login and password)
for protected share use credentials that was set on share-host machine

greg (xeon-greg) wrote :

it kind a strange solution and behaviour from samsba(ubuntu) developers but it works

Slee (geo42) wrote :

Hello, I too was hit with this issue on updating to 4.3.8, updated to 4.3.9 and still the same issue follows. Although my shares I'm trying to access aren't on another computer, but an external USB HDD on my router.

My external drive is NTFS with no password/share enabled, but in my router I set users' access(username/password) to access this external HDD. It worked fine prior to the 4.3.8 update, now when I try to access via Thunar, the login floater just keeps popping up not allowing me to access HDD.

I've even tried to set my user account in my router(HDD access) to match my Ubuntu account credentials, still fails.

I was on Xubuntu 14.04 when this update occurred, several days later I installed Xubuntu 16.04 and issue followed.

Thanks

kakaroto (just2register) wrote :

Is the status of this bug 'Fix released'? I'm asking because several people are reporting that verstion 4.3.9 does not fix the issue

Marc Deslauriers (mdeslaur) wrote :

The bug is marked as fix released because it fixed the original reporter's issue.

Please file a new bug if you are still experiencing problems after the 4.3.9 update.

Reinhard (reinhard-fink) wrote :

I am using smbpassword -i <remotehost> -U <user> to sync samba & linux password store in an LDAP - directory.
This worked well until samba-4.1.6.
In samba 4.3.9 ill get following error message:
smb_signing_good: BAD SIG: seq 1
Could not connect to machine <remotehost>: NT_STATUS_ACCESS_DENIED

Downgrade to 4.1.6 brings password sync to work again:
aptitude -y install samba-libs=2:4.1.6+dfsg-1ubuntu2 libsmbclient=2:4.1.6+dfsg-1ubuntu2 libwbclient0=2:4.1.6+dfsg-1ubuntu2 python-samba=2:4.1.6+dfsg-1ubuntu2 samba=2:4.1.6+dfsg-1ubuntu2 samba-common=2:4.1.6+dfsg-1ubuntu2 samba-common-bin=2:4.1.6+dfsg-1ubuntu2 samba-dsdb-modules=2:4.1.6+dfsg-1ubuntu2 samba-vfs-modules=2:4.1.6+dfsg-1ubuntu2 smbclient=2:4.1.6+dfsg-1ubuntu2 libldb1=1:1.1.16-1 python-ldb=1:1.1.16-1 winbind=2:4.1.6+dfsg-1ubuntu2 libpam-winbind=2:4.1.6+dfsg-1ubuntu2 libnss-winbind=2:4.1.6+dfsg-1ubuntu2

an errormessage from :
>> smbpasswd -D 10 -r smb01 -U teacher01
is included

Reinhard (reinhard-fink) wrote :

Did not recognize message #31 to open a new bug.
Sorry will do this now.

Geunsik Lim (leemgs) wrote :

@Reinhard , I have also experienced same issue as you commented. After downloading the samba version from 4.3.9 to 4.1.6, I can again access to Ubuntu 14.04 samba server from windows 7.

David Scarlatti (d-scarlatti) wrote :

Upgraded to 4.3.9 ans I see

NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!
session setup failed: NT_STATUS_ACCESS_DENIED

I think it is not solved.

Ubuntu mate 16.10 64 beta1 . Bug still present, when trying to add a samba printer at a windows 10 machine keep asking: user ,WORKGROUP, and password.

Stefan Metzmacher (metze) wrote :

This seems to be the same as https://bugzilla.samba.org/show_bug.cgi?id=11994
It's fixed in Samba 4.5.0 and will also be fixed in the next 4.4 and 4.3 maintenance releases.

Stefan Metzmacher (metze) wrote :

https://bugzilla.samba.org/show_bug.cgi?id=11994 is about the

 NTLMSSP packet check failed due to short signature (0 bytes)!
 NTLMSSP NTLM2 packet check failed due to invalid signature!
 session setup failed: NT_STATUS_ACCESS_DENIED

problem...

Reinhard (reinhard-fink) wrote :

I am still blocked by the security-changes made in samba-4.3.8/9.

Here is an overview on my experience:

What was/is still WORKING:
Sambaserver (Ubuntu 11.10) with samba 3.5 works together with:
1. Windows 7 Clients in an NT-Domain
2. Ubuntu 14.04 Clients (samba 4.1.6) using
   "smbpasswd -D 10 -r smb01 -U teacher01" for password syncronisation.

BROCKEN on Ubuntu Client 14.04 and 16.04:
After update from samba 4.1.6 to 4.3.9 smbpasswd ... broken with:
Could not connect to machine <remotehost>: NT_STATUS_ACCESS_DENIED

What is WORKING in MY future network:
Sambaserver updated to 16.04 with samba 4.3.9 and Ubuntu 16.04 clients, then smbpasswd ... is OK.

BUT
this is NOT WORKING in MY future network:
1.
my standard user named "user" without an password (Flag [N ] in LDAP) can not access then new sambaserver.
that means: no NETLOGON, ..., but "user" can logged in and can even access a share on an other samba 4.1.6 server.
2.
other users with password, get all shares as expected BUT can not change their password.

chuckz (mzakuta) wrote :

My samba version is 4.3.11.
I havent noticed when it upgraded to this version. Before today Xenial 16.04 worked Ok. Not sure which version of samba before 4.3.11.
Ay this point no access to Windows shares neither GUI not in terminal.
with the authentication loop in GUI and the following errors in terminal:

smbclient -L Server -N
WARNING: The "syslog" option is deprecated
Anonymous login successful
Domain=[WORKGROUP] OS=[Windows 10 Pro 14393] Server=[Windows 10 Pro 6.3]

 Sharename Type Comment
 --------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Anonymous login successful
Domain=[WORKGROUP] OS=[Windows 10 Pro 14393] Server=[Windows 10 Pro 6.3]

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.