
signed smb error: SPNEGO- NTLMSSP negotiation in wrong state

Hi, I'm facing an error while accessing a NetApp SMB share.

Hostname length is less than 16 characters.

On the NetApp console, we observe the below message when trying to access the share:

   Tue May  7 16:26:50 PDT [netappedge1stapr:auth.trace.spnegoAuthentication.statusMsg:info]: AUTH: SPNEGO- NTLMSSP negotiation in wrong state for Negotiate message..


What does this indicate, and at what point during processing of the NTLM auth packet is it hit? When is it expected?

Attaching a pcap for your kind perusal; please apply the filter (smb || smb2 && ip.addr==10.199.64.90)

I vaguely suppose it means the NTLM flags are incorrect.

signed smb connection gives error: SPNEGO- NTLMSSP negotiation in wrong state

In Wireshark, the Session Setup response is STATUS_NOT_SUPPORTED.

Re: signed smb connection gives error: SPNEGO- NTLMSSP negotiation in wrong state

What is the LMCompatibility setting on the controller, and what are the signing settings?

Re: signed smb connection gives error: SPNEGO- NTLMSSP negotiation in wrong state

cifs.LMCompatibilityLevel   is  1

Can you please tell me when this "SPNEGO- NTLMSSP negotiation in wrong state" message is expected?

Re: signed smb error: SPNEGO- NTLMSSP negotiation in wrong state

Looking at the trace you provided, if I had to guess this is an issue with SMB signing.  My analysis is below:

frame 51 - the client, having determined in the initial negotiate protocol exchange that SMB2 is supported, now starts another negotiate protocol exchange to determine which version of SMB2 can be used.  Note the "Security Mode" of 0x02 and that "Signing Require = True but Enabled = False"

frame 53 - controller response; again note the security mode section of the frame: "0x03 with both Signing Required and enabled set to True"

In an SMB conversation, the last exchange of frames that can occur before SMB signing needs to be confirmed is the "Tree Connect".  In your case, the conversation stops at Session Setup, which is not unexpected if SMB signing is an issue.  Start with investigating SMB signing; you could start by setting the client to "Required" and re-testing.
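
Added example, not part of the thread and not any poster's code: a small Python decoder for the SecurityMode field of an SMB2 NEGOTIATE request and response, applied to the 0x02 and 0x03 values reported above for frames 51 and 53. The frames are constructed minimal messages (the pcap is not on this page), `build_negotiate` is a hypothetical helper, and field offsets follow the MS-SMB2 layout.

```python
import struct

SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_NEGOTIATE = 0x0000     # Command code in the SMB2 header
FLAG_RESPONSE = 0x00000001  # SMB2_FLAGS_SERVER_TO_REDIR

def security_mode(msg: bytes) -> dict:
    """Decode SecurityMode from an SMB2 NEGOTIATE request or response.
    msg starts at the SMB2 header (after the 4-byte transport length)."""
    if len(msg) < 64 + 6 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    is_response = bool(flags & FLAG_RESPONSE)
    # Request body: StructureSize, DialectCount, SecurityMode -> offset 4.
    # Response body: StructureSize, SecurityMode -> offset 2.
    mode, = struct.unpack_from("<H", msg, 64 + (2 if is_response else 4))
    return {"side": "server" if is_response else "client",
            "mode": mode,
            "enabled": bool(mode & SIGNING_ENABLED),
            "required": bool(mode & SIGNING_REQUIRED)}

def signing_expected(client: dict, server: dict) -> bool:
    """Per MS-SMB2, the session is signed if either side sets Required."""
    return client["required"] or server["required"]

def build_negotiate(is_response: bool, mode: int) -> bytes:
    """Hypothetical helper: build a constructed, minimal NEGOTIATE message."""
    hdr = bytearray(64)
    hdr[:4] = b"\xfeSMB"
    struct.pack_into("<H", hdr, 4, 64)  # header StructureSize
    struct.pack_into("<H", hdr, 12, SMB2_NEGOTIATE)
    struct.pack_into("<I", hdr, 16, FLAG_RESPONSE if is_response else 0)
    if is_response:
        body = struct.pack("<HHH", 65, mode, 0x0210)
    else:
        # 36-byte fixed part (remaining fields zeroed) plus one dialect
        body = struct.pack("<HHH", 36, 1, mode) + b"\x00" * 30 + struct.pack("<H", 0x0210)
    return bytes(hdr) + body

if __name__ == "__main__":
    c = security_mode(build_negotiate(False, 0x02))  # value reported for frame 51
    s = security_mode(build_negotiate(True, 0x03))   # value reported for frame 53
    print(c, s, "signing expected:", signing_expected(c, s))
```

To run it against a real capture, pass the bytes of each NEGOTIATE message starting at the `\xfeSMB` marker.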