Re: Can't mount Windows DFS root using NTLMv2 (fwd)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Nov 30, 2010 at 11:00 AM, Robbert Kouprie <robbert@xxxxxx> wrote:
> Hi Shirish,
>
> On Tue, 30 Nov 2010, Shirish Pargaonkar wrote:
>
>> On Tue, Nov 30, 2010 at 7:35 AM, Robbert Kouprie <robbert@xxxxxx> wrote:
>>>
>>> Here is an overview of what I tested:
>>>
>>>          2         )   2008 (+DF   2008 (+DFS)
>>> NTLM        (1)      OK                 OK
>>> NTLMv2      (1)      (2)                (2)
>>> NTLMSSP     (3)      (3)                (3)
>>>
>>> 1 = Fails with "Required key not available"
>>> 2 = Fails with "NT_STATUS_INVALID_PARAMETER"
>>> 3 = Fails with "NT_STATUS_NOT_SUPPORTED"
>>>
>>> I will send you some detailed logs and pcaps off-list.
>>>
>>> Regards,
>>> Robbert
>>
>> This is strange wrt ntlmssp.  In negotiate protocol response, server
>> does state NTLMSSP as one of the mechanism types.
>> It must be related to bits in flag2 that that client sends in type 1
>> ntlmssp
>> session setup that server eitther expects from client but is missing or
>> does not support/like one of the flags2 bits.
>> Is 10.0.0.7 a box that runs cifs client?
>
> Yes, 10.0.0.7 is an Debian box with vanilla 2.6.37-rc3 kernel and mount.cifs
> 4.5.
>
>> ntlmv2 is not going to work as it is against Windows 2008, it will return
>> invalid parameter error.
>> Jeff Layton had pointed to this which you can try (I have not tried it
>> yet)
>> http://support.microsoft.com/kb/957441/en-us
>
> Ok, this registry fix indeed fixes mount.cifs sec=ntlmv2 auth on both my
> 2008 and 2008R2 DC's.
>
> So, now I have:
>
>          2003sp2   2008r2 (+DFS)   2008 (+DFS)
> NTLM        (1)      OK                 OK
> NTLMv2      (1)      OK(2)              OK(2)
> NTLMSSP     (3)      (3)                (3)
>
>  1 = Fails with "Required key not available"
>  2 = Works after applying KB957441 regfix on DC's
>  3 = Fails with "NT_STATUS_NOT_SUPPORTED"
>
> Do you also have an idea on (1), the resolving problem?
>
> Best regards,
> Robbert

That is good to know.  Thanks Jeff.

Robbert, did you send me a wireshark trace with that error?
I do not see that error in any of the trace files you sent.
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux