Bug #12868

CIFS - SAMBA DC says schannel_check_required

Added by M. van O. about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

My omnios CIFS server (version omnios-r151032-c2a701036f) is joined to a samba v4.10.4 DC controller on Centos 7.8. SMB config: no smbv1, no netbios, signing and encryption turned on, guest access off.
The CIFS server runs fine with normal kerberos authentication.
On another Centos server a web application (php-7.3) runs that does not use kerberos, but authenticates users via LDAP connection. Connections to shares on the CIFS omnios machine are made with php-smbclient, which authenticates with username and password. This does not work.

The weird thing is, command line smbclient connections from the web app machine work without problems. So I took some time to investigate and made pcaps from working and not working connections. Attached is a screen dump of the pcap in wireshark latest version of the session that fails.
In the DC logs in debug mode the following errors occur:

Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MY-CIFSSERVER
Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_check_required: [MY-CIFSSERVER] is not using schannel

The server authenticates successfully (see packet 30-33), first line in DC log.
Then, the username/password verification of the end user starts (packet 34 authenticate2). It shows STATUS_ACCESS_DENIED (packet 37). The DC log shows
schannel_check_required: [MY-CIFSSERVER] is not using schannel.
On this page (search for schannel): https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html from samba v4.8 (March 13, 2018) it shows the schannel setting is mandatory.
My SMB knowledge is limited but it seems to me something is wrong with the signature of the authentication2 request when the CIFS server starts user authentication session with the DC (packet 21, STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE).

192.168.25.5 - Web app
192.168.25.8 - Centos 7.8 - Samba4 DC
192.168.25.9 - omnios server Eth0
192.168.25.10 - omnios server Eth1

Full packet trace available on request.


Files

pcaperror2.JPG (223 KB) - PCAP CIFS - SAMBA4 DC schannel error - M. van O., 2020-06-15 07:51 PM
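The log pattern described in the report (a schannel session key is stored for a machine account, then a later call from the same account is rejected as "not using schannel") can be picked out of a DC log with a short script. This is an added example, not part of the original report or of Samba or illumos; the function names and the third sample line (OTHER-MEMBER) are constructed for illustration.

```python
import re
from collections import defaultdict

# Syslog prefix as it appears in the report: "Jun 13 12:23:47 host samba[]: msg"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssamba\[\d*\]:\s(?P<msg>.*)$")
# The two Samba messages quoted in the report.
STORED_RE = re.compile(
    r"schannel_store_session_key_tdb: stored schannel info with key "
    r"SECRETS/SCHANNEL/(?P<acct>\S+)")
REJECT_RE = re.compile(
    r"schannel_check_required: \[(?P<acct>[^\]]+)\] is not using schannel")

# First two lines are from the report; the third is constructed.
SAMPLE_LOG = """\
Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MY-CIFSSERVER
Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_check_required: [MY-CIFSSERVER] is not using schannel
Jun 13 12:24:02 mydc.mydomain.tld samba[]: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/OTHER-MEMBER
"""

def summarize(log_text):
    """Count stored-key and rejection events per machine account."""
    stats = defaultdict(lambda: {"stored": 0, "rejected": 0, "first_reject": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a samba syslog line
        stored = STORED_RE.search(m.group("msg"))
        reject = REJECT_RE.search(m.group("msg"))
        if stored:
            stats[stored.group("acct").upper()]["stored"] += 1
        elif reject:
            entry = stats[reject.group("acct").upper()]
            entry["rejected"] += 1
            entry["first_reject"] = entry["first_reject"] or m.group("ts")
    return dict(stats)

def stored_then_rejected(stats):
    """Accounts showing the pattern from the report: key stored, call still rejected."""
    return sorted(a for a, s in stats.items() if s["stored"] and s["rejected"])

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for acct in stored_then_rejected(result):
        print(acct, "first rejected at", result[acct]["first_reject"])
```
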
