Hi Aurelien,

I am not sure about the username thing but the behaviour when no domain is passed is wrong in my opinion and this is why I submitted a patch a few days ago.

Germano

On 11/29/2016 03:43 PM, Aurélien Aptel wrote:
> I've tried setting up a guest share on a Windows 2016 server and
> mounting it before and after your patch. PowerShell setup follows.
>
> To set up the share I had to enable the guest account
>
> PS> net user guest /active:yes
>
> Make the directory, give perms, make share
>
> PS> mkdir C:\guestshare
> PS> icacls C:\guestshare /grant 'Everyone:(OI)(CI)F'
> PS> New-SmbShare -name guestshare -path C:\guestshare -fullaccess Everyone
>
> After this, smbclient -N works:
>
> % smbclient //$(vmip win2016)/guestshare -N
> OS=[Windows Server 2016 Standard 14393] Server=[Windows Server 2016 Standard 6.3]
> smb: \> ^D
>
> On the wire:
>
> CLIENT -> SERVER SMB Negotiate Protocol Request
> SERVER -> CLIENT SMB Negotiate Protocol Response
> CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
> SERVER -> CLIENT SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
> CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_AUTH, User: WORKGROUP\aaptel
> SERVER -> CLIENT SMB Session Setup AndX Response
> | Action: 0x0001
> | .... .... .... ...1 = Guest: Logged in as GUEST
> CLIENT -> SERVER SMB Tree Connect AndX Request, Path: \\SERVER\IPC$
> SERVER -> CLIENT SMB Tree Connect AndX Response
> CLIENT -> SERVER SMB Trans2 Request, GET_DFS_REFERRAL, File: \SERVER\guestshare
> SERVER -> CLIENT SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
> CLIENT -> SERVER SMB Tree Disconnect Request
> SERVER -> CLIENT SMB Tree Disconnect Response
> CLIENT -> SERVER SMB Tree Connect AndX Request, Path: \\SERVER\GUESTSHARE
> SERVER -> CLIENT SMB Tree Connect AndX Response
> CLIENT -> SERVER SMB Echo Request
> SERVER -> CLIENT SMB Echo Response
> CLIENT -> SERVER SMB Tree Disconnect Request
> SERVER -> CLIENT SMB Tree Disconnect Response
>
> But from cifs.ko master (with or without your patch) I get this:
>
> # mount -t cifs -vvv //WS2016/guestshare /mnt -o ip=10.160.65.202,guest
> CIFS VFS: SMB signature verification returned error = -13
> CIFS VFS: SMB signature verification returned error = -13
> CIFS VFS: cifs_mount failed w/return code = -13
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> On the wire:
>
> CLIENT -> SERVER SMB Negotiate Protocol Request
> SERVER -> CLIENT SMB Negotiate Protocol Response
> CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
> SERVER -> CLIENT SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
> CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_AUTH, User: SUSE\
> SERVER -> CLIENT SMB Session Setup AndX Response
> | Action: 0x0000
> | .... .... .... ...0 = Guest: Not logged in as GUEST
> CLIENT -> SERVER SMB Tree Connect AndX Request, Path: \\WS2016\guestshare
> SERVER -> CLIENT SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
> CLIENT -> SERVER SMB Logoff AndX Request
> SERVER -> CLIENT SMB Logoff AndX Response
>
> So why is it failing in this case? The server is an AD of the domain
> SUSE. I gave `guest` mount option but that option is actually ignored on
> purpose.
>
> Since I gave no username, domain or password cifs.ko tries to log in with
> "SUSE\". In the Session Setup response this results in the Action field
> being set to "non-guest" and the tree connect later fails.
>
> smbclient uses "WORKGROUP\<my user name>" when I log in with -N. If I use
> -U 'SUSE\' like cifs.ko does it fails. Similarly, if I use a non-empty,
> non-existing user in cifs.ko (e.g. "SUSE\xyz" instead of "SUSE\"), it
> works.
>
> So to summarize I couldn't reproduce Mark's bug against Windows Server
> 2016 (same behaviour with and without the patch). But I have discovered
> that the way cifs.ko picks the username/domain when none are provided is
> not correct in my scenario.
>
> ...
>
> After re-reading Mark's email I've just realized he said it happens when
> using the guest account to do a tree connect on a share that *requires* a
> real account. So with the guest account still activated I've added deny
> rules:
>
> PS> icacls C:\guestshare /deny 'Guest:(OI)(CI)F'
> PS> Block-SmbShareAccess -name guestshare -accountname guest -force
>
> But the tree connect still works with both cifs.ko and smbclient. What
> is denied with those rules is anything past the connection, it
> seems. cifs.ko fails for permission reasons because it tries to query
> things at the root level as part of mounting. In any case I was not able
> to make cifs.ko hang during any of my tests.
>
> I would be curious to see a network trace of your scenario.
>
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
> SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
> GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
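
The guest flag that separates the two traces quoted above is bit 0 of the Action word in the final SMB1 Session Setup AndX response. The following is an added example, not code from this thread or from cifs.ko, that reads that bit from a raw response; the function names and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN           32     /* fixed SMB1 header size */
#define SMB_COM_SESSION_SETUP 0x73   /* Session Setup AndX command code */
#define SMB_SETUP_GUEST       0x0001 /* Action bit 0: logged in as guest */

/* 1 = guest session, 0 = non-guest session, -1 = malformed, wrong command,
 * or non-zero status (error, or interim STATUS_MORE_PROCESSING_REQUIRED). */
int smb1_session_is_guest(const uint8_t *p, size_t len)
{
    if (len < SMB_HDR_LEN + 1 || memcmp(p, "\xffSMB", 4) != 0)
        return -1;
    /* p[4] is the command, p[5..8] the 32-bit status field */
    if (p[4] != SMB_COM_SESSION_SETUP || (p[5] | p[6] | p[7] | p[8]))
        return -1;
    uint8_t wc = p[SMB_HDR_LEN];     /* 3 = plain, 4 = extended security */
    if ((wc != 3 && wc != 4) || len < SMB_HDR_LEN + 1 + (size_t)wc * 2)
        return -1;
    /* Words: AndXCommand(1) AndXReserved(1) AndXOffset(2) Action(2) ... */
    const uint8_t *a = p + SMB_HDR_LEN + 1 + 4;
    uint16_t action = (uint16_t)(a[0] | (a[1] << 8));
    return (action & SMB_SETUP_GUEST) ? 1 : 0;
}

/* Constructed sample: a successful extended-security response carrying only
 * the fields read above. Not a capture from the thread. Returns its length. */
size_t build_sample(uint8_t *buf, uint16_t action)
{
    size_t n = SMB_HDR_LEN + 1 + 8 + 2;  /* header, wc, 4 words, ByteCount */
    memset(buf, 0, n);
    memcpy(buf, "\xffSMB", 4);
    buf[4] = SMB_COM_SESSION_SETUP;
    buf[SMB_HDR_LEN] = 4;                /* WordCount */
    buf[SMB_HDR_LEN + 1] = 0xff;         /* AndXCommand: none */
    buf[SMB_HDR_LEN + 5] = (uint8_t)(action & 0xff);
    buf[SMB_HDR_LEN + 6] = (uint8_t)(action >> 8);
    return n;
}

int main(void)
{
    uint8_t b[64];
    /* Action values as shown in the smbclient and cifs.ko traces */
    printf("0x0001 -> %d\n", smb1_session_is_guest(b, build_sample(b, 0x0001)));
    printf("0x0000 -> %d\n", smb1_session_is_guest(b, build_sample(b, 0x0000)));
    return 0;
}
```

A client that was asked for a guest mount and gets 0 back here can report the mismatch at session setup instead of surfacing it later as STATUS_ACCESS_DENIED on the tree connect.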