smbclient 4.3.9 can't connect WITH password to OSX share due to NTLMSSP "short signature" & workarounds don't fix

Bug #1579540 reported by Jamie Lokier on 2016-05-08
This bug affects 8 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)

Bug Description

This bug may be related to the security fixes in Samba 4.3.8 which have broken Samba in a number of scenarios, and #1572301 (OSX clients can't connect) and #1572876 (smbclient can't connect to Windows shares without password).

However I didn't see a bug files for Samba as client to a share WITH password.

I'm using Ubuntu 16.04 LTS as my client (in a VM on the Mac), connecting to Mac OSX 10.9 which is serving my home directory to the Ubuntu client. I haven't changed the samba configuration files from defaults in any way.

The client is running version 2:4.3.9+dfsg-0ubuntu0.16.04.1 of smbclient, libsmbclient, libwbclient, samba-common and samba-libs.

The symptoms if I enter the correct password:

    $ smbclient //Jamies-Macbook-Pro.local/jamie -U jamie
    WARNING: The "syslog" option is deprecated
    Enter jamie's password:
    NTLMSSP packet check failed due to short signature (0 bytes)!
    NTLMSSP NTLM2 packet check failed due to invalid signature!
    session setup failed: NT_STATUS_ACCESS_DENIED

The options suggested in #1572876 do change the authentication result, but don't make access to the share possible:

    $ smbclient //Jamies-Macbook-Pro.local/jamie -U jamie \
        --option='client use spnego = no' \
        --option='client ntlmv2 auth = no' \
        --option='client ipc max protocol = NT1'
    WARNING: The "syslog" option is deprecated
    Enter jamie's password:
    protocol negotiation failed: NT_STATUS_NOT_SUPPORTED

The SMB server is working fine when the client is Linux kernel CIFS. Unfortunately for me, OSX SMB server doesn't support the POSIX extensions so file permissions are all the same, which is what motivated me to try smbclient and see if the server does better with SMB2/SMB3.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Perhaps OS X doesn't support the ipc signing changes required to fix Badlock.

Could you try adding the following to your /etc/samba/smb.conf, in the [global] section, and then rebooting?:

client ipc signing = disabled

rduke15 (rduke15) wrote :

For smbclient, you may need to add

    --option="ntlmssp_client:force_old_spnego = yes"

For me, this now lists shares on a Mac OSX server:

    smbclient -U$user%$password -L $mac_osx_host --option="ntlmssp_client:force_old_spnego = yes"

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers