"Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

"Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Andreas Hasenack]

Hi,

I can't mount a share as guest using SMB2 or higher when running the
5.0.0 kernel (ubuntu's 5.0.0-7.8 specifically). When I switch to a
4.19.x kernel (4.19.0-12-generic), then it works.

This is the mount command and output:
root@ubuntu:~# mount //localhost/pub /mnt -o guest
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The share is a simple one:
[pub]
path = /pub
guest ok = yes

The server logs this:
[2019/03/20 18:24:46.245816,  0]
../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2019/03/20 18:24:46.245860,  0] ../../lib/util/util.c:508(dump_data)
  [0000] 2D 60 1F CA 49 06 92 B0   69 06 60 82 42 39 21 F8   -`..I... i.`.B9!.
[2019/03/20 18:24:46.245894,  0] ../../lib/util/util.c:508(dump_data)
  [0000] 75 F8 77 09 63 D5 4A 7B   9F 91 51 93 6D 12 6F 6F   u.w.c.J{ ..Q.m.oo

Here is a dmesg output with cifs debugging enabled:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1821053/+attachment/5247960/+files/dmesg.txt

That output was from a kernel running patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.0/cifs-do-not-skip-smb2-message-ids-on-send-failures.patch,
just a quick attempt to see if that fixed it, but it didn't.

mount.cifs is version 6.8

Server is samba 4.10.0.

Is this a known issue?

Thanks!

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Paulo Alcantara]

Andreas Hasenack <andreas@canonical.com> writes:

> I can't mount a share as guest using SMB2 or higher when running the
> 5.0.0 kernel (ubuntu's 5.0.0-7.8 specifically). When I switch to a
> 4.19.x kernel (4.19.0-12-generic), then it works.
>
> This is the mount command and output:
> root@ubuntu:~# mount //localhost/pub /mnt -o guest
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> The share is a simple one:
> [pub]
> path = /pub
> guest ok = yes
>
> The server logs this:
> [2019/03/20 18:24:46.245816,  0]
> ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
>   Bad SMB2 signature for message
> [2019/03/20 18:24:46.245860,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 2D 60 1F CA 49 06 92 B0   69 06 60 82 42 39 21 F8   -`..I... i.`.B9!.
> [2019/03/20 18:24:46.245894,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 75 F8 77 09 63 D5 4A 7B   9F 91 51 93 6D 12 6F 6F   u.w.c.J{ ..Q.m.oo
>
> Here is a dmesg output with cifs debugging enabled:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1821053/+attachment/5247960/+files/dmesg.txt
>
> That output was from a kernel running patch
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.0/cifs-do-not-skip-smb2-message-ids-on-send-failures.patch,
> just a quick attempt to see if that fixed it, but it didn't.
>
> mount.cifs is version 6.8
>
> Server is samba 4.10.0.
>
> Is this a known issue?

Looks like a signing issue when using guest auth in SMB3.11. Could you
please try mounting it with vers=1.0, vers=2.1 and vers=3.0 and see if
it works?

cheers,
Paulo

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Steve French]

I am not sure it is legal to require signing and to connect as guest.
 See quote from protocol specification (MS-SMB2):

If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field
of the SMB2
SESSION_SETUP Response and if Session.SigningRequired is TRUE, this indicates a
SESSION_SETUP failure and the connection MUST be terminated. If the
SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2
SESSION_SETUP Response and if RequireMessageSigning is FALSE,
Session.SigningRequired
MUST be set to FALSE.

On Wed, Mar 20, 2019 at 1:40 PM Andreas Hasenack <andreas@canonical.com> wrote:
>
> Hi,
>
> I can't mount a share as guest using SMB2 or higher when running the
> 5.0.0 kernel (ubuntu's 5.0.0-7.8 specifically). When I switch to a
> 4.19.x kernel (4.19.0-12-generic), then it works.
>
> This is the mount command and output:
> root@ubuntu:~# mount //localhost/pub /mnt -o guest
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> The share is a simple one:
> [pub]
> path = /pub
> guest ok = yes
>
> The server logs this:
> [2019/03/20 18:24:46.245816,  0]
> ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
>   Bad SMB2 signature for message
> [2019/03/20 18:24:46.245860,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 2D 60 1F CA 49 06 92 B0   69 06 60 82 42 39 21 F8   -`..I... i.`.B9!.
> [2019/03/20 18:24:46.245894,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 75 F8 77 09 63 D5 4A 7B   9F 91 51 93 6D 12 6F 6F   u.w.c.J{ ..Q.m.oo
>
> Here is a dmesg output with cifs debugging enabled:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1821053/+attachment/5247960/+files/dmesg.txt
>
> That output was from a kernel running patch
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.0/cifs-do-not-skip-smb2-message-ids-on-send-failures.patch,
> just a quick attempt to see if that fixed it, but it didn't.
>
> mount.cifs is version 6.8
>
> Server is samba 4.10.0.
>
> Is this a known issue?
>
> Thanks!



-- 
Thanks,

Steve

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Andreas Hasenack]

Hi Paulo,

On Wed, Mar 20, 2019 at 6:50 PM Paulo Alcantara <paulo@paulo.ac> wrote:
> Looks like a signing issue when using guest auth in SMB3.11. Could you
> please try mounting it with vers=1.0, vers=2.1 and vers=3.0 and see if
> it works?

vers=1.0 works:
root@ubuntu:~# mount //localhost/pub /mnt -o guest,vers=1.0
root@ubuntu:~# mount -t cifs
//localhost/pub on /mnt type cifs
(rw,relatime,vers=1.0,sec=none,cache=strict,uid=0,noforceuid,gid=0,noforcegid,addr=127.0.0.1,soft,unix,posixpaths,serverino,mapposix,acl,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1)
dmesg: http://paste.ubuntu.com/p/qQz3kBkpzM/

vers=2.1 also works:
root@ubuntu:~# mount //localhost/pub /mnt -o guest,vers=2.1
root@ubuntu:~# mount -t cifs
//localhost/pub on /mnt type cifs
(rw,relatime,vers=2.1,sec=none,cache=strict,uid=0,noforceuid,gid=0,noforcegid,addr=127.0.0.1,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
dmesg: http://paste.ubuntu.com/p/rWSsndKjPN/

vers=3.0 works:
root@ubuntu:~# mount //localhost/pub /mnt -o guest,vers=3.0
root@ubuntu:~# mount -t cifs
//localhost/pub on /mnt type cifs
(rw,relatime,vers=3.0,sec=none,cache=strict,uid=0,noforceuid,gid=0,noforcegid,addr=127.0.0.1,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,echo_interval=60,actimeo=1)
dmesg: http://paste.ubuntu.com/p/rVKhYqmTTc/

and just to be complete, vers=3.11 fails:
root@ubuntu:~# mount //localhost/pub /mnt -o guest,vers=3.11
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
dmesg: http://paste.ubuntu.com/p/sprkDFY5XH/

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Steve French]

Looks like you have "server signing = mandatory" in
/etc/samba/smb.conf on the server.  Is that true?  That (in theory)
should not work with guest according to the protocol specification but
I am comparing with 4.19 behavior to see what changed (maybe we
ignored 'sign' if guest?)

On Wed, Mar 20, 2019 at 1:40 PM Andreas Hasenack <andreas@canonical.com> wrote:
>
> Hi,
>
> I can't mount a share as guest using SMB2 or higher when running the
> 5.0.0 kernel (ubuntu's 5.0.0-7.8 specifically). When I switch to a
> 4.19.x kernel (4.19.0-12-generic), then it works.
>
> This is the mount command and output:
> root@ubuntu:~# mount //localhost/pub /mnt -o guest
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> The share is a simple one:
> [pub]
> path = /pub
> guest ok = yes
>
> The server logs this:
> [2019/03/20 18:24:46.245816,  0]
> ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
>   Bad SMB2 signature for message
> [2019/03/20 18:24:46.245860,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 2D 60 1F CA 49 06 92 B0   69 06 60 82 42 39 21 F8   -`..I... i.`.B9!.
> [2019/03/20 18:24:46.245894,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 75 F8 77 09 63 D5 4A 7B   9F 91 51 93 6D 12 6F 6F   u.w.c.J{ ..Q.m.oo
>
> Here is a dmesg output with cifs debugging enabled:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1821053/+attachment/5247960/+files/dmesg.txt
>
> That output was from a kernel running patch
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.0/cifs-do-not-skip-smb2-message-ids-on-send-failures.patch,
> just a quick attempt to see if that fixed it, but it didn't.
>
> mount.cifs is version 6.8
>
> Server is samba 4.10.0.
>
> Is this a known issue?
>
> Thanks!



-- 
Thanks,

Steve

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[ronnie sahlberg]

Hi Andreas.
I have reproduced the issue and sent a patch to the list.
It should show up shortly with the title "cifs: allow guest mounts to
work for smb3.11"

Can you try that patch and verify that it fixes the issue?

Regards
Ronnie Sahlberg

On Thu, Mar 21, 2019 at 4:40 AM Andreas Hasenack <andreas@canonical.com> wrote:
>
> Hi,
>
> I can't mount a share as guest using SMB2 or higher when running the
> 5.0.0 kernel (ubuntu's 5.0.0-7.8 specifically). When I switch to a
> 4.19.x kernel (4.19.0-12-generic), then it works.
>
> This is the mount command and output:
> root@ubuntu:~# mount //localhost/pub /mnt -o guest
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> The share is a simple one:
> [pub]
> path = /pub
> guest ok = yes
>
> The server logs this:
> [2019/03/20 18:24:46.245816,  0]
> ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
>   Bad SMB2 signature for message
> [2019/03/20 18:24:46.245860,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 2D 60 1F CA 49 06 92 B0   69 06 60 82 42 39 21 F8   -`..I... i.`.B9!.
> [2019/03/20 18:24:46.245894,  0] ../../lib/util/util.c:508(dump_data)
>   [0000] 75 F8 77 09 63 D5 4A 7B   9F 91 51 93 6D 12 6F 6F   u.w.c.J{ ..Q.m.oo
>
> Here is a dmesg output with cifs debugging enabled:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1821053/+attachment/5247960/+files/dmesg.txt
>
> That output was from a kernel running patch
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.0/cifs-do-not-skip-smb2-message-ids-on-send-failures.patch,
> just a quick attempt to see if that fixed it, but it didn't.
>
> mount.cifs is version 6.8
>
> Server is samba 4.10.0.
>
> Is this a known issue?
>
> Thanks!

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Andreas Hasenack]

Hello Steve,

On Wed, Mar 20, 2019 at 10:44 PM Steve French <smfrench@gmail.com> wrote:
>
> Looks like you have "server signing = mandatory" in
> /etc/samba/smb.conf on the server.  Is that true?  That (in theory)
> should not work with guest according to the protocol specification but
> I am comparing with 4.19 behavior to see what changed (maybe we
> ignored 'sign' if guest?)

I have the defaults for samba 4.10:
root@ubuntu:~# testparm -sv|grep signing
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

client ipc signing = default
client signing = default
server signing = default

According to the manpage[1], "server signing = default" means:
"""
           By default, and when smb signing is set to default, smb
signing is required when server role is active directory domain
controller and disabled otherwise.
"""

So it should be disabled in this case.


1. https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm8588

Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Andreas Hasenack]

Hello Ronnie,

On Thu, Mar 21, 2019 at 2:03 AM ronnie sahlberg
<ronniesahlberg@gmail.com> wrote:
>
> Hi Andreas.
> I have reproduced the issue and sent a patch to the list.
> It should show up shortly with the title "cifs: allow guest mounts to
> work for smb3.11"
>
> Can you try that patch and verify that it fixes the issue?

Thanks for this, I will try it and report back.

RE: "Bad SMB2 signature for message" with kernel 5.0.0, works with 4.19.0

[Tom Talpey]

> -----Original Message-----
> From: linux-cifs-owner@vger.kernel.org <linux-cifs-owner@vger.kernel.org> On
> Behalf Of Steve French
> Sent: Wednesday, March 20, 2019 5:08 PM
> To: Andreas Hasenack <andreas@canonical.com>
> Cc: CIFS <linux-cifs@vger.kernel.org>; Paulo Alcantara <palcantara@suse.de>
> Subject: Re: "Bad SMB2 signature for message" with kernel 5.0.0, works with
> 4.19.0
> 
> I am not sure it is legal to require signing and to connect as guest.
>  See quote from protocol specification (MS-SMB2):
> 
> If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field
> of the SMB2
> SESSION_SETUP Response and if Session.SigningRequired is TRUE, this indicates
> a
> SESSION_SETUP failure and the connection MUST be terminated. If the
> SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2
> SESSION_SETUP Response and if RequireMessageSigning is FALSE,
> Session.SigningRequired
> MUST be set to FALSE.

It's even more fundamental. A guest login has no secret, and without a secret
there is nothing to drive the signing algorithm. Therefore, a guest session cannot
validly sign.

If the client is attempting to sign as guest, that's a bug. If the server is accepting
a request with an invalid signature, that's another bug.

Tom.