Network and Storage Protocols

samba 3.6.23-30 on CentOS -> error in smbclient

Jens_Eickmeier
27,441 Views

Hi,

 

last night our Linux-Servers made an update of samba from 3.6.23-25 to 3.6.23-30. After that, no smblient is possible to our NetApp:

 

Domain=[STADT-MH.DE] OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
ntlmssp3_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT_STATUS_RPC_SEC_PKG_ERROR
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?

 

Any idea?

 

Rolling back to samba 3.6.23-25 works! But we want to fix the security-issues with samba 3.6.23-25.

 

Server-OS is CentOS6, NetApp is 8.3.1P2 Cdot.

 

Thanks!

 

Jens

1 ACCEPTED SOLUTION

rboyd
26,979 Views

This looks like a failure to support an essential component of the Samba feature set.  If the failing feature is part of the RFC for Samba, this isn't about Red Hat client, but about adherence to standards.

In my case just now, the workaround to turn spneg off seems to work.  Not exactly a nice way to have to deal with this.   What changed in the standards that the NetApp support for Samba isn't keeping up with?

View solution in original post

7 REPLIES 7

BenjaminWagner
27,170 Views

Hi, we have the same errors. We can connect with smbclient to several servers, but when we want to connect to a netapp, we get the error message:

 

Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_SIGN
neg_flags[0x62088205]
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO(ntlmssp) login failed: NT code 0x80090302
SPNEGO login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

 

I also compiled Samba 4.4.2 by myself, but no luck ...

georgevj
27,108 Views

Unfortunately, there is no official support for RedHat smb clients on NetApp platform.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Cannot find the answer you need? No need to open a support case - just CHAT and we’ll handle it for you.

BA
27,063 Views

as a workaround create a smb.conf file like so:

 

[global]

client use spnego = no

.....

 

 

 

Trogdor
21,094 Views

This also breaks 'rpcclient' calls to the netapp now.

 

Btw, this behavior changes depending on whehter you have SMB signing turned on or not under the 'cifs' options section.

rboyd
26,980 Views

This looks like a failure to support an essential component of the Samba feature set.  If the failing feature is part of the RFC for Samba, this isn't about Red Hat client, but about adherence to standards.

In my case just now, the workaround to turn spneg off seems to work.  Not exactly a nice way to have to deal with this.   What changed in the standards that the NetApp support for Samba isn't keeping up with?

Jens_Eickmeier
26,832 Views

Hi,

 

client use spnego = no works for me to connect to the SVM. Thanks a lot

 

But when I connect to an DFS, I get the following error:

 

session setup failed: NT_STATUS_INVALID_PARAMETER

 

Any idea?

 

Jens

Jens_Eickmeier
26,807 Views

Hi,

 

I found it:

 

I have set client ntlmv2 auth = no in smb.conf. Now we can connect to DFS.

Yes, this is just a workaround.

 

Regards,

Jens

Public