Bug #12868


CIFS - SAMBA DC says schannel_check_required

Added by M. van O. almost 2 years ago. Updated over 1 year ago.



My omnios CIFS server (version omnios-r151032-c2a701036f) is joined to a samba v4.10.4 DC controller on Centos 7.8. SMB config: no smbv1, no netbios, signing and encryption turned on, guest access off.
The CIFS server runs fine with normal kerberos authentication.
On another Centos server a web application (php-7.3) runs that does not use kerberos, but authenticates users via LDAP connection. Connections to shares on the CIFS omnios machine are made with php-smbclient, which authenticates with username and password. This does not work.

The weird thing is, command line smbclient connections from the web app machine work without problems. So I took some time to investigate and made pcaps from working and not working connections. Attached is a screen dump of the pcap in wireshark latest version of the session that fails.
In the DC logs in debug mode the following errors occur:

Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MY-CIFSSERVER
Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_check_required: [MY-CIFSSERVER] is not using schannel

The server authenticates successfully (see packet 30-33), first line in DC log.
Then, the username/password verification of the end user starts (packet 34 authenticate2). It shows STATUS_ACCESS_DENIED (packet 37). The DC log shows
schannel_check_required: [MY-CIFSSERVER] is not using schannel.
On this page (search for schannel): [[]] from samba v4.8 (March 13, 2018) it shows the schannel setting is mandatory.
My SMB knowledge is limited but it seems to me something is wrong with the signature of the authentication2 request when the CIFS server starts user authentication session with the DC (packet 21, STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE).
- Web app - Centos 7.8 - Samba4 DC - omnios server Eth0 - omnios server Eth1

Full packet trace available on request.


pcaperror2.JPG (223 KB) PCAP CIFS - SAMBA4 DC schannel error, M. van O., 2020-06-15 07:51 PM
#1

Updated by Gordon Ross over 1 year ago

  • Status changed from New to Feedback

This was probably fixed with: #13169 CVE-2020-1472 (ZeroLogon) and SMB authentication
Could you please check and update this issue?
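
Added example, not part of the original thread or of the illumos or Samba code: a small triage script that scans DC log text for the two messages quoted in the report and lists machine accounts that stored a schannel session key and then had a call logged as "is not using schannel". The function names and the second host in the sample are constructed for illustration, and the line format is assumed to match the excerpt above.

```python
import re
from collections import defaultdict

# Syslog framing as in the report's excerpt: "Jun 13 12:23:47 host samba[]: message"
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+samba\[\d*\]:\s+(?P<msg>.*)$')
STORED = re.compile(r'^schannel_store_session_key_tdb: stored schannel info '
                    r'with key SECRETS/SCHANNEL/(?P<name>\S+)$')
REJECTED = re.compile(r'^schannel_check_required: \[(?P<name>[^\]]+)\] is not using schannel$')

# First two lines are from the report; the last two are constructed sample input.
SAMPLE_LOG = """\
Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MY-CIFSSERVER
Jun 13 12:23:47 mydc.mydomain.tld samba[]: schannel_check_required: [MY-CIFSSERVER] is not using schannel
Jun 13 12:24:02 mydc.mydomain.tld samba[]: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/OTHER-HOST
Jun 13 12:24:05 mydc.mydomain.tld samba[]: some unrelated message
"""

def summarize(log_text):
    """Return {machine: {"keys_stored": n, "rejected": n, "first_rejected": ts}}."""
    stats = defaultdict(lambda: {"keys_stored": 0, "rejected": 0, "first_rejected": None})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a samba syslog line in the expected framing
        msg = line.group("msg")
        stored = STORED.match(msg)
        if stored:
            stats[stored.group("name").upper()]["keys_stored"] += 1
            continue
        rejected = REJECTED.match(msg)
        if rejected:
            entry = stats[rejected.group("name").upper()]
            entry["rejected"] += 1
            entry["first_rejected"] = entry["first_rejected"] or line.group("ts")
    return dict(stats)

def clients_without_schannel(log_text):
    """Machines that stored a session key and were also logged as not using schannel."""
    return sorted(name for name, s in summarize(log_text).items()
                  if s["keys_stored"] and s["rejected"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name in clients_without_schannel(SAMPLE_LOG):
        s = summary[name]
        print(f"{name}: {s['rejected']} call(s) without schannel, first at {s['first_rejected']}")
```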

