Windows 7 NTLM not authenticating properly with Ubuntu 18.04












1














I've spent most of my day today trying to figure this out... Not exactly what I had in mind for today... but I couldn't help myself... So, here's the problem:
My Windows 7 machine won't authenticate (for a Samba share) to my Ubuntu 18.04 system. I think I've traced this down to the protocol itself, but I'm not sure exactly what the real problem is. It could be a setting I'm missing somewhere in Windows although I've played quite a bit with the NTLM authentication settings in the Local Policy. My Macintosh file share connection to Ubuntu works fine..



So, here's what I've found:




  1. Windows is Resetting the connection from the Ubuntu 18.04 server and restarting the negotiation process with a different port (where my Mac just Acks the STATUS_LOGIN_FAILURE message and continues on it's way).


  2. Windows is sending a different user to the Ubuntu Server (For example systemnameroot as opposed to my Mac sending systemname\root) (Notice the 2 backslashes instead of 1?)


  3. Windows is sending an "Unknown Message Type" to Ubuntu where as my Mac doesn't send anything like this at all.



Here's an image of a comparison between the 2 protocols.



Packet Capture Comparison



I've run into a few sites that may help:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP]-171201.pdf



https://docs.microsoft.com/en-us/windows/desktop/FileIO/microsoft-smb-protocol-and-cifs-protocol-overview



https://msdn.microsoft.com/en-us/library/cc246324.aspx



I've turned the packet captures from both my Mac and my Windows 7 system into .csv files and put them here for your enjoyment.



Yes, I have looked at the logs (and was 'tail'ing them while trying to connect via file explorer) This is what showed up in the logs:



After a few seconds when the nobody connection times-out (I guess) from just looking at the listing of the computer I get this in the auth.log




Nov 22 21:59:11 odroid2 smbd: pam_unix(samba:session): session closed for user nobody




I also get:




Nov 22 20:08:42 odroid2 smbd: pam_unix(samba:session): session closed for user root




I am authenticating in other ways with 'pam' including with both sshd and smbd:




Nov 22 18:52:34 odroid2 smbd[9524]: pam_unix(samba:session): session opened for user root by (uid=0)




These sessions are from my Mac authenticating. When Windows tries to authenticate, nothing shows in the auth.log other than the nobody if I view the computer (using - net view). I now have net view disabled because NetBIOS was running on port 139 and I wanted it to be the same setup as my Mac (on port 445). So I disabled NetBIOS over TCP/IP.




Nov 22 16:13:56 odroid2 sshd[428]: pam_unix(sshd:session): session opened for user root by (uid=0)

Nov 22 16:13:56 odroid2 systemd-logind[535]: New session 733 of user root.

Nov 22 16:13:57 odroid2 sshd[428]: Received disconnect from 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469:11: disconnected by user

Nov 22 16:13:57 odroid2 sshd[428]: Disconnected from user root 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469

Nov 22 16:13:57 odroid2 sshd[428]: pam_unix(sshd:session): session closed for user root




and my syslog doesn't say anything interesting.



Inside my smb.conf I have:



log level = 10
logging = 10


I assumed that 10 was the highest level and that 'all' was the default if nothing was specified. I did see 10 in a sample smb.conf on the internet so that's why I thought it was the highest level.



at https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html



they have:



Example: log level = 3 passdb:5 auth:10 winbind:2



Any help would be greatly appreciated (especially from anyone that works with Microsoft and knows these protocols and what they should look like)



Windows Packet Capture (Just the SMB and related TCP/IP packets)



No.,Time,Source,Destination,Protocol,Info
13,1.627011,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
14,1.627457,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50128 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
15,1.627639,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
16,1.627723,10.100.1.66,10.100.1.99,SMB,Negotiate Protocol Request
17,1.628079,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50128 [ACK] Seq=1 Ack=160 Win=30336 Len=0
18,1.646459,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
19,1.646607,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
20,1.64793,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
21,1.648412,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
22,1.651446,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
23,1.651682,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
24,1.658833,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
25,1.658923,10.100.1.66,10.100.1.99,TCP,"50128 > microsoft-ds [RST, ACK] Seq=755 Ack=743 Win=0 Len=0"
100,6.881635,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
101,6.88205,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50129 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
102,6.882208,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
103,6.882313,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
104,6.882666,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50129 [ACK] Seq=1 Ack=109 Win=29312 Len=0
105,6.900185,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
106,6.900746,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
107,6.90437,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
108,6.9046,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
109,6.911834,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
110,6.91193,10.100.1.66,10.100.1.99,TCP,"50129 > microsoft-ds [RST, ACK] Seq=596 Ack=537 Win=0 Len=0"


Packet capture of my Mac (SMB&TCP/IP Packets)



No.,Time,Source,Destination,Protocol,Length,Info
2774,8.760436,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49274 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=492466315 TSecr=0 SACK_PERM=1"
2776,8.761635,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49274 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262429 TSecr=492466315 WS=128"
2777,8.761677,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429
2778,8.761725,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,"49274 > 445 [FIN, ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429"
2781,8.761973,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49276 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=128 TSval=492466316 TSecr=0 SACK_PERM=1"
2782,8.763016,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49276 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262431 TSecr=492466316 WS=128"
2783,8.763048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1 Ack=1 Win=7406464 Len=0 TSval=492466317 TSecr=288262431
2784,8.763082,Mac-ClientSMB.local,SMBServerHostname.local,SMB,139,Negotiate Protocol Request
2785,8.764474,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1 Ack=74 Win=29056 Len=0 TSval=288262432 TSecr=492466317
2786,8.764477,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49274 [ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262432 TSecr=492466316
2790,8.786105,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2791,8.786172,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=74 Ack=207 Win=7406208 Len=0 TSval=492466339 TSecr=288262453
2792,8.786222,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,178,Negotiate Protocol Request
2793,8.788306,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,"445 > 49274 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262456 TSecr=492466316"
2794,8.788355,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=2 Ack=2 Win=131712 Len=0 TSval=492466341 TSecr=288262456
2795,8.788573,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2796,8.788611,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=186 Ack=413 Win=7406080 Len=0 TSval=492466341 TSecr=288262456
2800,8.881565,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2801,8.885411,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2802,8.885488,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=352 Ack=666 Win=7405824 Len=0 TSval=492466436 TSecr=288262553
2803,8.887756,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2804,8.896983,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2805,8.897079,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=826 Ack=743 Win=7405696 Len=0 TSval=492466447 TSecr=288262565
2806,8.902278,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2807,8.905787,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2808,8.905878,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=992 Ack=996 Win=7405440 Len=0 TSval=492466455 TSecr=288262573
2809,8.907242,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2810,8.915419,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2811,8.915507,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1466 Ack=1073 Win=7405440 Len=0 TSval=492466464 TSecr=288262583
3769,26.062858,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
3770,26.163475,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
3771,26.163543,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1632 Ack=1326 Win=7405312 Len=0 TSval=492483488 TSecr=288279831
3772,26.165485,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
3773,26.336004,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1326 Ack=2106 Win=35456 Len=0 TSval=288279876 TSecr=492483489
3775,26.336007,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,171,Session Setup Response
3776,26.336087,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2106 Ack=1431 Win=7405440 Len=0 TSval=492483659 TSecr=288279916
3783,26.46547,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3784,26.466583,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1431 Ack=2210 Win=35456 Len=0 TSval=288280134 TSecr=492483787
3785,26.46866,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3786,26.468706,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2210 Ack=1515 Win=7405440 Len=0 TSval=492483790 TSecr=288280136
3787,26.468819,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: srvsvc
3788,26.471771,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: srvsvc
3789,26.471838,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2374 Ack=1671 Win=7405312 Len=0 TSval=492483793 TSecr=288280139
3790,26.47217,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 1, Fragment: Single, 1 context items: SRVSVC V3.0 (32bit NDR)"
3791,26.474815,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3792,26.474859,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2570 Ack=1855 Win=7405312 Len=0 TSval=492483796 TSecr=288280142
3793,26.475701,Mac-ClientSMB.local,SMBServerHostname.local,SRVSVC,278,NetShareEnumAll request
3794,26.479409,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3795,26.47947,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=1932 Win=7405440 Len=0 TSval=492483800 TSecr=288280147
3796,26.479634,SMBServerHostname.local,Mac-ClientSMB.local,SRVSVC,702,NetShareEnumAll response
3797,26.479689,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=2568 Win=7404928 Len=0 TSval=492483800 TSecr=288280147
3798,26.480282,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: srvsvc
3799,26.481727,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response
3800,26.48178,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2874 Ack=2696 Win=7405440 Len=0 TSval=492483802 TSecr=288280149
3801,26.48186,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,138,Tree Disconnect Request
3802,26.483827,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,138,Tree Disconnect Response
3803,26.483897,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2946 Ack=2768 Win=7405440 Len=0 TSval=492483804 TSecr=288280151
3824,28.16751,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,182,Tree Connect Request Tree: \\SMBServerHostname\SMBServerHostnameLOGS
3829,28.242395,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3830,28.24248,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3062 Ack=2852 Win=7405440 Len=0 TSval=492485552 TSecr=288281910
3834,28.245251,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3835,28.248006,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3836,28.248048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3166 Ack=2936 Win=7405440 Len=0 TSval=492485556 TSecr=288281915
3837,28.248134,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: lsarpc
3838,28.250815,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: lsarpc
3839,28.250856,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3330 Ack=3092 Win=7405312 Len=0 TSval=492485558 TSecr=288281918
3840,28.251021,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 3, Fragment: Single, 1 context items: LSARPC V0.0 (32bit NDR)"
3841,28.253495,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3842,28.253538,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3526 Ack=3276 Win=7405312 Len=0 TSval=492485560 TSecr=288281921
3843,28.253699,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,258,lsa_GetUserName request
3844,28.256607,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,286,lsa_GetUserName response
3845,28.256683,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3718 Ack=3496 Win=7405312 Len=0 TSval=492485563 TSecr=288281924
3846,28.256923,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,282,lsa_OpenPolicy2 request
3847,28.259367,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_OpenPolicy2 response
3848,28.259444,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3934 Ack=3660 Win=7405312 Len=0 TSval=492485565 TSecr=288281926
3849,28.259879,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,302,lsa_LookupNames request
3850,28.263534,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3851,28.263539,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,326,lsa_LookupNames response
3852,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3737 Win=7405440 Len=0 TSval=492485569 TSecr=288281931
3853,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3997 Win=7405184 Len=0 TSval=492485569 TSecr=288281931
3854,28.263903,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,234,lsa_Close request
3855,28.266342,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_Close response
3856,28.266439,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4338 Ack=4161 Win=7405312 Len=0 TSval=492485571 TSecr=288281933
3857,28.266709,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: lsarpc
3858,28.267637,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,222,Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO
3859,28.268592,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response


If you really need them... here are the actual pcap/pcapng files... Once this is solved... I'm taking them down because there's personal information in them and anyone who wants to view the answer will have to do so without the actual pcap data.



links:



https://drive.google.com/open?id=1AtPJ_t2CUt1NxQz84pu7xu7UMtnjvgc3



https://drive.google.com/open?id=1HO9UtQ8a5idvfsHdL6gmsUqvW6YCDFCP










share|improve this question
























  • I would almost bet that the backslash differences are an artifact of the capture tool's CSV exporting, and not actually sent on the wire. Can you attach the actual pcap files instead? And, have you tried checking the server's Samba logs yet? (Use [global] log level = 1 passdb:5 auth:5 auth_audit:5.)
    – grawity
    Nov 23 '18 at 7:21










  • I just put the actual pcap files (saved with the SMB2 marked packets) up. Thanks for taking a look at this.
    – John Byrne
    Nov 23 '18 at 8:03
















1














I've spent most of my day today trying to figure this out... Not exactly what I had in mind for today... but I couldn't help myself... So, here's the problem:
My Windows 7 machine won't authenticate (for a Samba share) to my Ubuntu 18.04 system. I think I've traced this down to the protocol itself, but I'm not sure exactly what the real problem is. It could be a setting I'm missing somewhere in Windows although I've played quite a bit with the NTLM authentication settings in the Local Policy. My Macintosh file share connection to Ubuntu works fine..



So, here's what I've found:




  1. Windows is Resetting the connection from the Ubuntu 18.04 server and restarting the negotiation process with a different port (where my Mac just Acks the STATUS_LOGIN_FAILURE message and continues on it's way).


  2. Windows is sending a different user to the Ubuntu Server (For example systemnameroot as opposed to my Mac sending systemname\root) (Notice the 2 backslashes instead of 1?)


  3. Windows is sending an "Unknown Message Type" to Ubuntu where as my Mac doesn't send anything like this at all.



Here's an image of a comparison between the 2 protocols.



Packet Capture Comparison



I've run into a few sites that may help:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP]-171201.pdf



https://docs.microsoft.com/en-us/windows/desktop/FileIO/microsoft-smb-protocol-and-cifs-protocol-overview



https://msdn.microsoft.com/en-us/library/cc246324.aspx



I've turned the packet captures from both my Mac and my Windows 7 system into .csv files and put them here for your enjoyment.



Yes, I have looked at the logs (and was 'tail'ing them while trying to connect via file explorer) This is what showed up in the logs:



After a few seconds when the nobody connection times-out (I guess) from just looking at the listing of the computer I get this in the auth.log




Nov 22 21:59:11 odroid2 smbd: pam_unix(samba:session): session closed for user nobody




I also get:




Nov 22 20:08:42 odroid2 smbd: pam_unix(samba:session): session closed for user root




I am authenticating in other ways with 'pam' including with both sshd and smbd:




Nov 22 18:52:34 odroid2 smbd[9524]: pam_unix(samba:session): session opened for user root by (uid=0)




These sessions are from my Mac authenticating. When Windows tries to authenticate, nothing shows in the auth.log other than the nobody if I view the computer (using - net view). I now have net view disabled because NetBIOS was running on port 139 and I wanted it to be the same setup as my Mac (on port 445). So I disabled NetBIOS over TCP/IP.




Nov 22 16:13:56 odroid2 sshd[428]: pam_unix(sshd:session): session opened for user root by (uid=0)

Nov 22 16:13:56 odroid2 systemd-logind[535]: New session 733 of user root.

Nov 22 16:13:57 odroid2 sshd[428]: Received disconnect from 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469:11: disconnected by user

Nov 22 16:13:57 odroid2 sshd[428]: Disconnected from user root 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469

Nov 22 16:13:57 odroid2 sshd[428]: pam_unix(sshd:session): session closed for user root




and my syslog doesn't say anything interesting.



Inside my smb.conf I have:



log level = 10
logging = 10


I assumed that 10 was the highest level and that 'all' was the default if nothing was specified. I did see 10 in a sample smb.conf on the internet so that's why I thought it was the highest level.



at https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html



they have:



Example: log level = 3 passdb:5 auth:10 winbind:2



Any help would be greatly appreciated (especially from anyone that works with Microsoft and knows these protocols and what they should look like)



Windows Packet Capture (Just the SMB and related TCP/IP packets)



No.,Time,Source,Destination,Protocol,Info
13,1.627011,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
14,1.627457,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50128 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
15,1.627639,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
16,1.627723,10.100.1.66,10.100.1.99,SMB,Negotiate Protocol Request
17,1.628079,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50128 [ACK] Seq=1 Ack=160 Win=30336 Len=0
18,1.646459,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
19,1.646607,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
20,1.64793,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
21,1.648412,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
22,1.651446,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
23,1.651682,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
24,1.658833,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
25,1.658923,10.100.1.66,10.100.1.99,TCP,"50128 > microsoft-ds [RST, ACK] Seq=755 Ack=743 Win=0 Len=0"
100,6.881635,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
101,6.88205,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50129 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
102,6.882208,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
103,6.882313,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
104,6.882666,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50129 [ACK] Seq=1 Ack=109 Win=29312 Len=0
105,6.900185,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
106,6.900746,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
107,6.90437,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
108,6.9046,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
109,6.911834,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
110,6.91193,10.100.1.66,10.100.1.99,TCP,"50129 > microsoft-ds [RST, ACK] Seq=596 Ack=537 Win=0 Len=0"


Packet capture of my Mac (SMB&TCP/IP Packets)



No.,Time,Source,Destination,Protocol,Length,Info
2774,8.760436,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49274 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=492466315 TSecr=0 SACK_PERM=1"
2776,8.761635,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49274 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262429 TSecr=492466315 WS=128"
2777,8.761677,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429
2778,8.761725,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,"49274 > 445 [FIN, ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429"
2781,8.761973,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49276 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=128 TSval=492466316 TSecr=0 SACK_PERM=1"
2782,8.763016,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49276 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262431 TSecr=492466316 WS=128"
2783,8.763048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1 Ack=1 Win=7406464 Len=0 TSval=492466317 TSecr=288262431
2784,8.763082,Mac-ClientSMB.local,SMBServerHostname.local,SMB,139,Negotiate Protocol Request
2785,8.764474,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1 Ack=74 Win=29056 Len=0 TSval=288262432 TSecr=492466317
2786,8.764477,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49274 [ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262432 TSecr=492466316
2790,8.786105,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2791,8.786172,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=74 Ack=207 Win=7406208 Len=0 TSval=492466339 TSecr=288262453
2792,8.786222,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,178,Negotiate Protocol Request
2793,8.788306,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,"445 > 49274 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262456 TSecr=492466316"
2794,8.788355,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=2 Ack=2 Win=131712 Len=0 TSval=492466341 TSecr=288262456
2795,8.788573,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2796,8.788611,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=186 Ack=413 Win=7406080 Len=0 TSval=492466341 TSecr=288262456
2800,8.881565,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2801,8.885411,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2802,8.885488,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=352 Ack=666 Win=7405824 Len=0 TSval=492466436 TSecr=288262553
2803,8.887756,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2804,8.896983,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2805,8.897079,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=826 Ack=743 Win=7405696 Len=0 TSval=492466447 TSecr=288262565
2806,8.902278,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2807,8.905787,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2808,8.905878,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=992 Ack=996 Win=7405440 Len=0 TSval=492466455 TSecr=288262573
2809,8.907242,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2810,8.915419,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2811,8.915507,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1466 Ack=1073 Win=7405440 Len=0 TSval=492466464 TSecr=288262583
3769,26.062858,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
3770,26.163475,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
3771,26.163543,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1632 Ack=1326 Win=7405312 Len=0 TSval=492483488 TSecr=288279831
3772,26.165485,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
3773,26.336004,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1326 Ack=2106 Win=35456 Len=0 TSval=288279876 TSecr=492483489
3775,26.336007,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,171,Session Setup Response
3776,26.336087,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2106 Ack=1431 Win=7405440 Len=0 TSval=492483659 TSecr=288279916
3783,26.46547,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3784,26.466583,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1431 Ack=2210 Win=35456 Len=0 TSval=288280134 TSecr=492483787
3785,26.46866,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3786,26.468706,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2210 Ack=1515 Win=7405440 Len=0 TSval=492483790 TSecr=288280136
3787,26.468819,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: srvsvc
3788,26.471771,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: srvsvc
3789,26.471838,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2374 Ack=1671 Win=7405312 Len=0 TSval=492483793 TSecr=288280139
3790,26.47217,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 1, Fragment: Single, 1 context items: SRVSVC V3.0 (32bit NDR)"
3791,26.474815,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3792,26.474859,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2570 Ack=1855 Win=7405312 Len=0 TSval=492483796 TSecr=288280142
3793,26.475701,Mac-ClientSMB.local,SMBServerHostname.local,SRVSVC,278,NetShareEnumAll request
3794,26.479409,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3795,26.47947,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=1932 Win=7405440 Len=0 TSval=492483800 TSecr=288280147
3796,26.479634,SMBServerHostname.local,Mac-ClientSMB.local,SRVSVC,702,NetShareEnumAll response
3797,26.479689,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=2568 Win=7404928 Len=0 TSval=492483800 TSecr=288280147
3798,26.480282,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: srvsvc
3799,26.481727,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response
3800,26.48178,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2874 Ack=2696 Win=7405440 Len=0 TSval=492483802 TSecr=288280149
3801,26.48186,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,138,Tree Disconnect Request
3802,26.483827,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,138,Tree Disconnect Response
3803,26.483897,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2946 Ack=2768 Win=7405440 Len=0 TSval=492483804 TSecr=288280151
3824,28.16751,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,182,Tree Connect Request Tree: \\SMBServerHostname\SMBServerHostnameLOGS
3829,28.242395,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3830,28.24248,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3062 Ack=2852 Win=7405440 Len=0 TSval=492485552 TSecr=288281910
3834,28.245251,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3835,28.248006,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3836,28.248048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3166 Ack=2936 Win=7405440 Len=0 TSval=492485556 TSecr=288281915
3837,28.248134,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: lsarpc
3838,28.250815,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: lsarpc
3839,28.250856,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3330 Ack=3092 Win=7405312 Len=0 TSval=492485558 TSecr=288281918
3840,28.251021,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 3, Fragment: Single, 1 context items: LSARPC V0.0 (32bit NDR)"
3841,28.253495,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3842,28.253538,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3526 Ack=3276 Win=7405312 Len=0 TSval=492485560 TSecr=288281921
3843,28.253699,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,258,lsa_GetUserName request
3844,28.256607,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,286,lsa_GetUserName response
3845,28.256683,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3718 Ack=3496 Win=7405312 Len=0 TSval=492485563 TSecr=288281924
3846,28.256923,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,282,lsa_OpenPolicy2 request
3847,28.259367,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_OpenPolicy2 response
3848,28.259444,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3934 Ack=3660 Win=7405312 Len=0 TSval=492485565 TSecr=288281926
3849,28.259879,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,302,lsa_LookupNames request
3850,28.263534,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3851,28.263539,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,326,lsa_LookupNames response
3852,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3737 Win=7405440 Len=0 TSval=492485569 TSecr=288281931
3853,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3997 Win=7405184 Len=0 TSval=492485569 TSecr=288281931
3854,28.263903,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,234,lsa_Close request
3855,28.266342,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_Close response
3856,28.266439,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4338 Ack=4161 Win=7405312 Len=0 TSval=492485571 TSecr=288281933
3857,28.266709,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: lsarpc
3858,28.267637,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,222,Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO
3859,28.268592,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response


If you really need them... here are the actual pcap/pcapng files... Once this is solved... I'm taking them down because there's personal information in them and anyone who wants to view the answer will have to do so without the actual pcap data.



links:



https://drive.google.com/open?id=1AtPJ_t2CUt1NxQz84pu7xu7UMtnjvgc3



https://drive.google.com/open?id=1HO9UtQ8a5idvfsHdL6gmsUqvW6YCDFCP










share|improve this question
























  • I would almost bet that the backslash differences are an artifact of the capture tool's CSV exporting, and not actually sent on the wire. Can you attach the actual pcap files instead? And, have you tried checking the server's Samba logs yet? (Use [global] log level = 1 passdb:5 auth:5 auth_audit:5.)
    – grawity
    Nov 23 '18 at 7:21










  • I just put the actual pcap files (saved with the SMB2 marked packets) up. Thanks for taking a look at this.
    – John Byrne
    Nov 23 '18 at 8:03














1












1








1







I've spent most of my day today trying to figure this out... Not exactly what I had in mind for today... but I couldn't help myself... So, here's the problem:
My Windows 7 machine won't authenticate (for a Samba share) to my Ubuntu 18.04 system. I think I've traced this down to the protocol itself, but I'm not sure exactly what the real problem is. It could be a setting I'm missing somewhere in Windows although I've played quite a bit with the NTLM authentication settings in the Local Policy. My Macintosh file share connection to Ubuntu works fine..



So, here's what I've found:




  1. Windows is Resetting the connection from the Ubuntu 18.04 server and restarting the negotiation process with a different port (where my Mac just Acks the STATUS_LOGIN_FAILURE message and continues on it's way).


  2. Windows is sending a different user to the Ubuntu Server (For example systemnameroot as opposed to my Mac sending systemname\root) (Notice the 2 backslashes instead of 1?)


  3. Windows is sending an "Unknown Message Type" to Ubuntu where as my Mac doesn't send anything like this at all.



Here's an image of a comparison between the 2 protocols.



Packet Capture Comparison



I've run into a few sites that may help:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP]-171201.pdf



https://docs.microsoft.com/en-us/windows/desktop/FileIO/microsoft-smb-protocol-and-cifs-protocol-overview



https://msdn.microsoft.com/en-us/library/cc246324.aspx



I've turned the packet captures from both my Mac and my Windows 7 system into .csv files and put them here for your enjoyment.



Yes, I have looked at the logs (and was 'tail'ing them while trying to connect via file explorer) This is what showed up in the logs:



After a few seconds when the nobody connection times-out (I guess) from just looking at the listing of the computer I get this in the auth.log




Nov 22 21:59:11 odroid2 smbd: pam_unix(samba:session): session closed for user nobody




I also get:




Nov 22 20:08:42 odroid2 smbd: pam_unix(samba:session): session closed for user root




I am authenticating in other ways with 'pam' including with both sshd and smbd:




Nov 22 18:52:34 odroid2 smbd[9524]: pam_unix(samba:session): session opened for user root by (uid=0)




These sessions are from my Mac authenticating. When Windows tries to authenticate, nothing shows in the auth.log other than the nobody if I view the computer (using - net view). I now have net view disabled because NetBIOS was running on port 139 and I wanted it to be the same setup as my Mac (on port 445). So I disabled NetBIOS over TCP/IP.




Nov 22 16:13:56 odroid2 sshd[428]: pam_unix(sshd:session): session opened for user root by (uid=0)

Nov 22 16:13:56 odroid2 systemd-logind[535]: New session 733 of user root.

Nov 22 16:13:57 odroid2 sshd[428]: Received disconnect from 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469:11: disconnected by user

Nov 22 16:13:57 odroid2 sshd[428]: Disconnected from user root 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469

Nov 22 16:13:57 odroid2 sshd[428]: pam_unix(sshd:session): session closed for user root




and my syslog doesn't say anything interesting.



Inside my smb.conf I have:



log level = 10
logging = 10


I assumed that 10 was the highest level and that 'all' was the default if nothing was specified. I did see 10 in a sample smb.conf on the internet so that's why I thought it was the highest level.



at https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html



they have:



Example: log level = 3 passdb:5 auth:10 winbind:2



Any help would be greatly appreciated (especially from anyone that works with Microsoft and knows these protocols and what they should look like)



Windows Packet Capture (Just the SMB and related TCP/IP packets)



No.,Time,Source,Destination,Protocol,Info
13,1.627011,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
14,1.627457,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50128 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
15,1.627639,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
16,1.627723,10.100.1.66,10.100.1.99,SMB,Negotiate Protocol Request
17,1.628079,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50128 [ACK] Seq=1 Ack=160 Win=30336 Len=0
18,1.646459,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
19,1.646607,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
20,1.64793,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
21,1.648412,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
22,1.651446,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
23,1.651682,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
24,1.658833,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
25,1.658923,10.100.1.66,10.100.1.99,TCP,"50128 > microsoft-ds [RST, ACK] Seq=755 Ack=743 Win=0 Len=0"
100,6.881635,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
101,6.88205,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50129 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
102,6.882208,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
103,6.882313,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
104,6.882666,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50129 [ACK] Seq=1 Ack=109 Win=29312 Len=0
105,6.900185,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
106,6.900746,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
107,6.90437,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
108,6.9046,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
109,6.911834,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
110,6.91193,10.100.1.66,10.100.1.99,TCP,"50129 > microsoft-ds [RST, ACK] Seq=596 Ack=537 Win=0 Len=0"


Packet capture of my Mac (SMB&TCP/IP Packets)



No.,Time,Source,Destination,Protocol,Length,Info
2774,8.760436,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49274 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=492466315 TSecr=0 SACK_PERM=1"
2776,8.761635,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49274 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262429 TSecr=492466315 WS=128"
2777,8.761677,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429
2778,8.761725,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,"49274 > 445 [FIN, ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429"
2781,8.761973,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49276 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=128 TSval=492466316 TSecr=0 SACK_PERM=1"
2782,8.763016,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49276 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262431 TSecr=492466316 WS=128"
2783,8.763048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1 Ack=1 Win=7406464 Len=0 TSval=492466317 TSecr=288262431
2784,8.763082,Mac-ClientSMB.local,SMBServerHostname.local,SMB,139,Negotiate Protocol Request
2785,8.764474,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1 Ack=74 Win=29056 Len=0 TSval=288262432 TSecr=492466317
2786,8.764477,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49274 [ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262432 TSecr=492466316
2790,8.786105,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2791,8.786172,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=74 Ack=207 Win=7406208 Len=0 TSval=492466339 TSecr=288262453
2792,8.786222,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,178,Negotiate Protocol Request
2793,8.788306,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,"445 > 49274 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262456 TSecr=492466316"
2794,8.788355,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=2 Ack=2 Win=131712 Len=0 TSval=492466341 TSecr=288262456
2795,8.788573,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2796,8.788611,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=186 Ack=413 Win=7406080 Len=0 TSval=492466341 TSecr=288262456
2800,8.881565,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2801,8.885411,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2802,8.885488,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=352 Ack=666 Win=7405824 Len=0 TSval=492466436 TSecr=288262553
2803,8.887756,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2804,8.896983,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2805,8.897079,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=826 Ack=743 Win=7405696 Len=0 TSval=492466447 TSecr=288262565
2806,8.902278,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2807,8.905787,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2808,8.905878,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=992 Ack=996 Win=7405440 Len=0 TSval=492466455 TSecr=288262573
2809,8.907242,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2810,8.915419,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2811,8.915507,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1466 Ack=1073 Win=7405440 Len=0 TSval=492466464 TSecr=288262583
3769,26.062858,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
3770,26.163475,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
3771,26.163543,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1632 Ack=1326 Win=7405312 Len=0 TSval=492483488 TSecr=288279831
3772,26.165485,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
3773,26.336004,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1326 Ack=2106 Win=35456 Len=0 TSval=288279876 TSecr=492483489
3775,26.336007,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,171,Session Setup Response
3776,26.336087,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2106 Ack=1431 Win=7405440 Len=0 TSval=492483659 TSecr=288279916
3783,26.46547,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3784,26.466583,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1431 Ack=2210 Win=35456 Len=0 TSval=288280134 TSecr=492483787
3785,26.46866,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3786,26.468706,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2210 Ack=1515 Win=7405440 Len=0 TSval=492483790 TSecr=288280136
3787,26.468819,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: srvsvc
3788,26.471771,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: srvsvc
3789,26.471838,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2374 Ack=1671 Win=7405312 Len=0 TSval=492483793 TSecr=288280139
3790,26.47217,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 1, Fragment: Single, 1 context items: SRVSVC V3.0 (32bit NDR)"
3791,26.474815,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3792,26.474859,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2570 Ack=1855 Win=7405312 Len=0 TSval=492483796 TSecr=288280142
3793,26.475701,Mac-ClientSMB.local,SMBServerHostname.local,SRVSVC,278,NetShareEnumAll request
3794,26.479409,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3795,26.47947,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=1932 Win=7405440 Len=0 TSval=492483800 TSecr=288280147
3796,26.479634,SMBServerHostname.local,Mac-ClientSMB.local,SRVSVC,702,NetShareEnumAll response
3797,26.479689,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=2568 Win=7404928 Len=0 TSval=492483800 TSecr=288280147
3798,26.480282,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: srvsvc
3799,26.481727,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response
3800,26.48178,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2874 Ack=2696 Win=7405440 Len=0 TSval=492483802 TSecr=288280149
3801,26.48186,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,138,Tree Disconnect Request
3802,26.483827,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,138,Tree Disconnect Response
3803,26.483897,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2946 Ack=2768 Win=7405440 Len=0 TSval=492483804 TSecr=288280151
3824,28.16751,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,182,Tree Connect Request Tree: \\SMBServerHostname\SMBServerHostnameLOGS
3829,28.242395,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3830,28.24248,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3062 Ack=2852 Win=7405440 Len=0 TSval=492485552 TSecr=288281910
3834,28.245251,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3835,28.248006,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3836,28.248048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3166 Ack=2936 Win=7405440 Len=0 TSval=492485556 TSecr=288281915
3837,28.248134,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: lsarpc
3838,28.250815,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: lsarpc
3839,28.250856,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3330 Ack=3092 Win=7405312 Len=0 TSval=492485558 TSecr=288281918
3840,28.251021,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 3, Fragment: Single, 1 context items: LSARPC V0.0 (32bit NDR)"
3841,28.253495,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3842,28.253538,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3526 Ack=3276 Win=7405312 Len=0 TSval=492485560 TSecr=288281921
3843,28.253699,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,258,lsa_GetUserName request
3844,28.256607,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,286,lsa_GetUserName response
3845,28.256683,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3718 Ack=3496 Win=7405312 Len=0 TSval=492485563 TSecr=288281924
3846,28.256923,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,282,lsa_OpenPolicy2 request
3847,28.259367,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_OpenPolicy2 response
3848,28.259444,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3934 Ack=3660 Win=7405312 Len=0 TSval=492485565 TSecr=288281926
3849,28.259879,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,302,lsa_LookupNames request
3850,28.263534,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3851,28.263539,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,326,lsa_LookupNames response
3852,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3737 Win=7405440 Len=0 TSval=492485569 TSecr=288281931
3853,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3997 Win=7405184 Len=0 TSval=492485569 TSecr=288281931
3854,28.263903,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,234,lsa_Close request
3855,28.266342,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_Close response
3856,28.266439,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4338 Ack=4161 Win=7405312 Len=0 TSval=492485571 TSecr=288281933
3857,28.266709,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: lsarpc
3858,28.267637,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,222,Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO
3859,28.268592,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response


If you really need them... here are the actual pcap/pcapng files... Once this is solved... I'm taking them down because there's personal information in them and anyone who wants to view the answer will have to do so without the actual pcap data.



links:



https://drive.google.com/open?id=1AtPJ_t2CUt1NxQz84pu7xu7UMtnjvgc3



https://drive.google.com/open?id=1HO9UtQ8a5idvfsHdL6gmsUqvW6YCDFCP










share|improve this question















I've spent most of my day today trying to figure this out... Not exactly what I had in mind for today... but I couldn't help myself... So, here's the problem:
My Windows 7 machine won't authenticate (for a Samba share) to my Ubuntu 18.04 system. I think I've traced this down to the protocol itself, but I'm not sure exactly what the real problem is. It could be a setting I'm missing somewhere in Windows although I've played quite a bit with the NTLM authentication settings in the Local Policy. My Macintosh file share connection to Ubuntu works fine..



So, here's what I've found:




  1. Windows is Resetting the connection from the Ubuntu 18.04 server and restarting the negotiation process with a different port (where my Mac just Acks the STATUS_LOGIN_FAILURE message and continues on it's way).


  2. Windows is sending a different user to the Ubuntu Server (For example systemnameroot as opposed to my Mac sending systemname\root) (Notice the 2 backslashes instead of 1?)


  3. Windows is sending an "Unknown Message Type" to Ubuntu where as my Mac doesn't send anything like this at all.



Here's an image of a comparison between the 2 protocols.



Packet Capture Comparison



I've run into a few sites that may help:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP]-171201.pdf



https://docs.microsoft.com/en-us/windows/desktop/FileIO/microsoft-smb-protocol-and-cifs-protocol-overview



https://msdn.microsoft.com/en-us/library/cc246324.aspx



I've turned the packet captures from both my Mac and my Windows 7 system into .csv files and put them here for your enjoyment.



Yes, I have looked at the logs (and was 'tail'ing them while trying to connect via file explorer) This is what showed up in the logs:



After a few seconds when the nobody connection times-out (I guess) from just looking at the listing of the computer I get this in the auth.log




Nov 22 21:59:11 odroid2 smbd: pam_unix(samba:session): session closed for user nobody




I also get:




Nov 22 20:08:42 odroid2 smbd: pam_unix(samba:session): session closed for user root




I am authenticating in other ways with 'pam' including with both sshd and smbd:




Nov 22 18:52:34 odroid2 smbd[9524]: pam_unix(samba:session): session opened for user root by (uid=0)




These sessions are from my Mac authenticating. When Windows tries to authenticate, nothing shows in the auth.log other than the nobody if I view the computer (using - net view). I now have net view disabled because NetBIOS was running on port 139 and I wanted it to be the same setup as my Mac (on port 445). So I disabled NetBIOS over TCP/IP.




Nov 22 16:13:56 odroid2 sshd[428]: pam_unix(sshd:session): session opened for user root by (uid=0)

Nov 22 16:13:56 odroid2 systemd-logind[535]: New session 733 of user root.

Nov 22 16:13:57 odroid2 sshd[428]: Received disconnect from 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469:11: disconnected by user

Nov 22 16:13:57 odroid2 sshd[428]: Disconnected from user root 2600:1700:7c20:1fb0:13f:338a:e270:917d port 60469

Nov 22 16:13:57 odroid2 sshd[428]: pam_unix(sshd:session): session closed for user root




and my syslog doesn't say anything interesting.



Inside my smb.conf I have:



log level = 10
logging = 10


I assumed that 10 was the highest level and that 'all' was the default if nothing was specified. I did see 10 in a sample smb.conf on the internet so that's why I thought it was the highest level.



at https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html



they have:



Example: log level = 3 passdb:5 auth:10 winbind:2



Any help would be greatly appreciated (especially from anyone that works with Microsoft and knows these protocols and what they should look like)



Windows Packet Capture (Just the SMB and related TCP/IP packets)



No.,Time,Source,Destination,Protocol,Info
13,1.627011,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
14,1.627457,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50128 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
15,1.627639,10.100.1.66,10.100.1.99,TCP,50128 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
16,1.627723,10.100.1.66,10.100.1.99,SMB,Negotiate Protocol Request
17,1.628079,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50128 [ACK] Seq=1 Ack=160 Win=30336 Len=0
18,1.646459,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
19,1.646607,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
20,1.64793,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
21,1.648412,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
22,1.651446,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
23,1.651682,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
24,1.658833,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
25,1.658923,10.100.1.66,10.100.1.99,TCP,"50128 > microsoft-ds [RST, ACK] Seq=755 Ack=743 Win=0 Len=0"
100,6.881635,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
101,6.88205,10.100.1.99,10.100.1.66,TCP,"microsoft-ds > 50129 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=7"
102,6.882208,10.100.1.66,10.100.1.99,TCP,50129 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65700 Len=0
103,6.882313,10.100.1.66,10.100.1.99,SMB2,NegotiateProtocol Request
104,6.882666,10.100.1.99,10.100.1.66,TCP,microsoft-ds > 50129 [ACK] Seq=1 Ack=109 Win=29312 Len=0
105,6.900185,10.100.1.99,10.100.1.66,SMB2,NegotiateProtocol Response
106,6.900746,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_NEGOTIATE"
107,6.90437,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
108,6.9046,10.100.1.66,10.100.1.99,SMB2,"SessionSetup Request, NTLMSSP_AUTH, User: SMBServerSystemroot, Unknown message type"
109,6.911834,10.100.1.99,10.100.1.66,SMB2,"SessionSetup Response, Error: STATUS_LOGON_FAILURE"
110,6.91193,10.100.1.66,10.100.1.99,TCP,"50129 > microsoft-ds [RST, ACK] Seq=596 Ack=537 Win=0 Len=0"


Packet capture of my Mac (SMB&TCP/IP Packets)



No.,Time,Source,Destination,Protocol,Length,Info
2774,8.760436,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49274 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=492466315 TSecr=0 SACK_PERM=1"
2776,8.761635,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49274 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262429 TSecr=492466315 WS=128"
2777,8.761677,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429
2778,8.761725,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,"49274 > 445 [FIN, ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=492466316 TSecr=288262429"
2781,8.761973,Mac-ClientSMB.local,SMBServerHostname.local,TCP,78,"49276 > 445 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=128 TSval=492466316 TSecr=0 SACK_PERM=1"
2782,8.763016,SMBServerHostname.local,Mac-ClientSMB.local,TCP,74,"445 > 49276 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=288262431 TSecr=492466316 WS=128"
2783,8.763048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1 Ack=1 Win=7406464 Len=0 TSval=492466317 TSecr=288262431
2784,8.763082,Mac-ClientSMB.local,SMBServerHostname.local,SMB,139,Negotiate Protocol Request
2785,8.764474,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1 Ack=74 Win=29056 Len=0 TSval=288262432 TSecr=492466317
2786,8.764477,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49274 [ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262432 TSecr=492466316
2790,8.786105,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2791,8.786172,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=74 Ack=207 Win=7406208 Len=0 TSval=492466339 TSecr=288262453
2792,8.786222,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,178,Negotiate Protocol Request
2793,8.788306,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,"445 > 49274 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=288262456 TSecr=492466316"
2794,8.788355,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49274 > 445 [ACK] Seq=2 Ack=2 Win=131712 Len=0 TSval=492466341 TSecr=288262456
2795,8.788573,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,272,Negotiate Protocol Response
2796,8.788611,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=186 Ack=413 Win=7406080 Len=0 TSval=492466341 TSecr=288262456
2800,8.881565,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2801,8.885411,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2802,8.885488,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=352 Ack=666 Win=7405824 Len=0 TSval=492466436 TSecr=288262553
2803,8.887756,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2804,8.896983,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2805,8.897079,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=826 Ack=743 Win=7405696 Len=0 TSval=492466447 TSecr=288262565
2806,8.902278,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
2807,8.905787,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
2808,8.905878,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=992 Ack=996 Win=7405440 Len=0 TSval=492466455 TSecr=288262573
2809,8.907242,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
2810,8.915419,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Session Setup Response, Error: STATUS_LOGON_FAILURE"
2811,8.915507,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1466 Ack=1073 Win=7405440 Len=0 TSval=492466464 TSecr=288262583
3769,26.062858,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,232,"Session Setup Request, NTLMSSP_NEGOTIATE"
3770,26.163475,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,319,"Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE"
3771,26.163543,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=1632 Ack=1326 Win=7405312 Len=0 TSval=492483488 TSecr=288279831
3772,26.165485,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,540,"Session Setup Request, NTLMSSP_AUTH, User: SMBServerHostname\root"
3773,26.336004,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1326 Ack=2106 Win=35456 Len=0 TSval=288279876 TSecr=492483489
3775,26.336007,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,171,Session Setup Response
3776,26.336087,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2106 Ack=1431 Win=7405440 Len=0 TSval=492483659 TSecr=288279916
3783,26.46547,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3784,26.466583,SMBServerHostname.local,Mac-ClientSMB.local,TCP,66,445 > 49276 [ACK] Seq=1431 Ack=2210 Win=35456 Len=0 TSval=288280134 TSecr=492483787
3785,26.46866,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3786,26.468706,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2210 Ack=1515 Win=7405440 Len=0 TSval=492483790 TSecr=288280136
3787,26.468819,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: srvsvc
3788,26.471771,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: srvsvc
3789,26.471838,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2374 Ack=1671 Win=7405312 Len=0 TSval=492483793 TSecr=288280139
3790,26.47217,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 1, Fragment: Single, 1 context items: SRVSVC V3.0 (32bit NDR)"
3791,26.474815,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3792,26.474859,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2570 Ack=1855 Win=7405312 Len=0 TSval=492483796 TSecr=288280142
3793,26.475701,Mac-ClientSMB.local,SMBServerHostname.local,SRVSVC,278,NetShareEnumAll request
3794,26.479409,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3795,26.47947,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=1932 Win=7405440 Len=0 TSval=492483800 TSecr=288280147
3796,26.479634,SMBServerHostname.local,Mac-ClientSMB.local,SRVSVC,702,NetShareEnumAll response
3797,26.479689,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2782 Ack=2568 Win=7404928 Len=0 TSval=492483800 TSecr=288280147
3798,26.480282,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: srvsvc
3799,26.481727,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response
3800,26.48178,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2874 Ack=2696 Win=7405440 Len=0 TSval=492483802 TSecr=288280149
3801,26.48186,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,138,Tree Disconnect Request
3802,26.483827,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,138,Tree Disconnect Response
3803,26.483897,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=2946 Ack=2768 Win=7405440 Len=0 TSval=492483804 TSecr=288280151
3824,28.16751,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,182,Tree Connect Request Tree: \\SMBServerHostname\SMBServerHostnameLOGS
3829,28.242395,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3830,28.24248,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3062 Ack=2852 Win=7405440 Len=0 TSval=492485552 TSecr=288281910
3834,28.245251,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,170,Tree Connect Request Tree: \\SMBServerHostname\IPC$
3835,28.248006,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,150,Tree Connect Response
3836,28.248048,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3166 Ack=2936 Win=7405440 Len=0 TSval=492485556 TSecr=288281915
3837,28.248134,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,230,Create Request File: lsarpc
3838,28.250815,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,222,Create Response File: lsarpc
3839,28.250856,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3330 Ack=3092 Win=7405312 Len=0 TSval=492485558 TSecr=288281918
3840,28.251021,Mac-ClientSMB.local,SMBServerHostname.local,DCERPC,262,"Bind: call_id: 3, Fragment: Single, 1 context items: LSARPC V0.0 (32bit NDR)"
3841,28.253495,SMBServerHostname.local,Mac-ClientSMB.local,DCERPC,250,"Bind_ack: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance"
3842,28.253538,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3526 Ack=3276 Win=7405312 Len=0 TSval=492485560 TSecr=288281921
3843,28.253699,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,258,lsa_GetUserName request
3844,28.256607,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,286,lsa_GetUserName response
3845,28.256683,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3718 Ack=3496 Win=7405312 Len=0 TSval=492485563 TSecr=288281924
3846,28.256923,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,282,lsa_OpenPolicy2 request
3847,28.259367,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_OpenPolicy2 response
3848,28.259444,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=3934 Ack=3660 Win=7405312 Len=0 TSval=492485565 TSecr=288281926
3849,28.259879,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,302,lsa_LookupNames request
3850,28.263534,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,143,"Ioctl Response, Error: STATUS_PENDING"
3851,28.263539,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,326,lsa_LookupNames response
3852,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3737 Win=7405440 Len=0 TSval=492485569 TSecr=288281931
3853,28.263647,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4170 Ack=3997 Win=7405184 Len=0 TSval=492485569 TSecr=288281931
3854,28.263903,Mac-ClientSMB.local,SMBServerHostname.local,LSARPC,234,lsa_Close request
3855,28.266342,SMBServerHostname.local,Mac-ClientSMB.local,LSARPC,230,lsa_Close response
3856,28.266439,Mac-ClientSMB.local,SMBServerHostname.local,TCP,66,49276 > 445 [ACK] Seq=4338 Ack=4161 Win=7405312 Len=0 TSval=492485571 TSecr=288281933
3857,28.266709,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,158,Close Request File: lsarpc
3858,28.267637,Mac-ClientSMB.local,SMBServerHostname.local,SMB2,222,Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO
3859,28.268592,SMBServerHostname.local,Mac-ClientSMB.local,SMB2,194,Close Response


If you really need them... here are the actual pcap/pcapng files... Once this is solved... I'm taking them down because there's personal information in them and anyone who wants to view the answer will have to do so without the actual pcap data.



links:



https://drive.google.com/open?id=1AtPJ_t2CUt1NxQz84pu7xu7UMtnjvgc3



https://drive.google.com/open?id=1HO9UtQ8a5idvfsHdL6gmsUqvW6YCDFCP







linux windows networking tcpip smb2






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 23 '18 at 11:54









Twisty Impersonator

17.7k146395




17.7k146395










asked Nov 23 '18 at 6:11









John Byrne

62




62












  • I would almost bet that the backslash differences are an artifact of the capture tool's CSV exporting, and not actually sent on the wire. Can you attach the actual pcap files instead? And, have you tried checking the server's Samba logs yet? (Use [global] log level = 1 passdb:5 auth:5 auth_audit:5.)
    – grawity
    Nov 23 '18 at 7:21










  • I just put the actual pcap files (saved with the SMB2 marked packets) up. Thanks for taking a look at this.
    – John Byrne
    Nov 23 '18 at 8:03


















  • I would almost bet that the backslash differences are an artifact of the capture tool's CSV exporting, and not actually sent on the wire. Can you attach the actual pcap files instead? And, have you tried checking the server's Samba logs yet? (Use [global] log level = 1 passdb:5 auth:5 auth_audit:5.)
    – grawity
    Nov 23 '18 at 7:21










  • I just put the actual pcap files (saved with the SMB2 marked packets) up. Thanks for taking a look at this.
    – John Byrne
    Nov 23 '18 at 8:03
















I would almost bet that the backslash differences are an artifact of the capture tool's CSV exporting, and not actually sent on the wire. Can you attach the actual pcap files instead? And, have you tried checking the server's Samba logs yet? (Use [global] log level = 1 passdb:5 auth:5 auth_audit:5.)
– grawity
Nov 23 '18 at 7:21




I would almost bet that the backslash differences are an artifact of the capture tool's CSV exporting, and not actually sent on the wire. Can you attach the actual pcap files instead? And, have you tried checking the server's Samba logs yet? (Use [global] log level = 1 passdb:5 auth:5 auth_audit:5.)
– grawity
Nov 23 '18 at 7:21












I just put the actual pcap files (saved with the SMB2 marked packets) up. Thanks for taking a look at this.
– John Byrne
Nov 23 '18 at 8:03




I just put the actual pcap files (saved with the SMB2 marked packets) up. Thanks for taking a look at this.
– John Byrne
Nov 23 '18 at 8:03










1 Answer
1






active

oldest

votes


















1














SMBv2/v3 always runs in 'raw' mode over TCP port 445, with no NetBIOS in sight. (The older SMBv1 can be run over either TCP/445 or TCP/139.) But the port is not actually important for authentication at all – it's done entirely at SMB level, not at NetBIOS (session/transport) level.



You should check whether both sides agree on which authentication protocols should be used. Specifically:





  1. whether Samba accepts NTLMv1 or requires NTLMv2, according to smb.conf:



    [general]
    ;ntlm auth = ntlmv1-permitted
    ntlm auth = ntlmv2-only


    (Previous versions used yes to allow NTLMv1, no to require NTLMv2.)




  2. whether Windows sends NTLMv1 or v2, according to secpol.msc:



    Security Settings
    └─ Local Policies
    └─ Security Options
    └─ Network security: LAN Manager authentication level
    ( ) Send LM & NTLM
    ( ) Send NTLM response only
    (*) Send NTLMv2 response only



You won't see PAM "auth" messages in the server logs, because PAM authentication would require the plaintext password, which the client does not reveal. Instead, Samba handles authentication internally and only on success calls PAM to do various other checks.



Instead, search for the smbd daemon's own logs. You may want to enable logging = syslog or logging = systemd so that they always go to a standard location; but by default they're kept in /var/log/samba instead.






share|improve this answer





















  • Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
    – John Byrne
    Nov 23 '18 at 14:02










  • Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
    – grawity
    Nov 23 '18 at 16:33













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377726%2fwindows-7-ntlm-not-authenticating-properly-with-ubuntu-18-04%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














SMBv2/v3 always runs in 'raw' mode over TCP port 445, with no NetBIOS in sight. (The older SMBv1 can be run over either TCP/445 or TCP/139.) But the port is not actually important for authentication at all – it's done entirely at SMB level, not at NetBIOS (session/transport) level.



You should check whether both sides agree on which authentication protocols should be used. Specifically:





  1. whether Samba accepts NTLMv1 or requires NTLMv2, according to smb.conf:



    [general]
    ;ntlm auth = ntlmv1-permitted
    ntlm auth = ntlmv2-only


    (Previous versions used yes to allow NTLMv1, no to require NTLMv2.)




  2. whether Windows sends NTLMv1 or v2, according to secpol.msc:



    Security Settings
    └─ Local Policies
    └─ Security Options
    └─ Network security: LAN Manager authentication level
    ( ) Send LM & NTLM
    ( ) Send NTLM response only
    (*) Send NTLMv2 response only



You won't see PAM "auth" messages in the server logs, because PAM authentication would require the plaintext password, which the client does not reveal. Instead, Samba handles authentication internally and only on success calls PAM to do various other checks.



Instead, search for the smbd daemon's own logs. You may want to enable logging = syslog or logging = systemd so that they always go to a standard location; but by default they're kept in /var/log/samba instead.






share|improve this answer





















  • Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
    – John Byrne
    Nov 23 '18 at 14:02










  • Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
    – grawity
    Nov 23 '18 at 16:33


















1














SMBv2/v3 always runs in 'raw' mode over TCP port 445, with no NetBIOS in sight. (The older SMBv1 can be run over either TCP/445 or TCP/139.) But the port is not actually important for authentication at all – it's done entirely at SMB level, not at NetBIOS (session/transport) level.



You should check whether both sides agree on which authentication protocols should be used. Specifically:





  1. whether Samba accepts NTLMv1 or requires NTLMv2, according to smb.conf:



    [general]
    ;ntlm auth = ntlmv1-permitted
    ntlm auth = ntlmv2-only


    (Previous versions used yes to allow NTLMv1, no to require NTLMv2.)




  2. whether Windows sends NTLMv1 or v2, according to secpol.msc:



    Security Settings
    └─ Local Policies
    └─ Security Options
    └─ Network security: LAN Manager authentication level
    ( ) Send LM & NTLM
    ( ) Send NTLM response only
    (*) Send NTLMv2 response only



You won't see PAM "auth" messages in the server logs, because PAM authentication would require the plaintext password, which the client does not reveal. Instead, Samba handles authentication internally and only on success calls PAM to do various other checks.



Instead, search for the smbd daemon's own logs. You may want to enable logging = syslog or logging = systemd so that they always go to a standard location; but by default they're kept in /var/log/samba instead.






share|improve this answer





















  • Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
    – John Byrne
    Nov 23 '18 at 14:02










  • Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
    – grawity
    Nov 23 '18 at 16:33
















1












1








1






SMBv2/v3 always runs in 'raw' mode over TCP port 445, with no NetBIOS in sight. (The older SMBv1 can be run over either TCP/445 or TCP/139.) But the port is not actually important for authentication at all – it's done entirely at SMB level, not at NetBIOS (session/transport) level.



You should check whether both sides agree on which authentication protocols should be used. Specifically:





  1. whether Samba accepts NTLMv1 or requires NTLMv2, according to smb.conf:



    [general]
    ;ntlm auth = ntlmv1-permitted
    ntlm auth = ntlmv2-only


    (Previous versions used yes to allow NTLMv1, no to require NTLMv2.)




  2. whether Windows sends NTLMv1 or v2, according to secpol.msc:



    Security Settings
    └─ Local Policies
    └─ Security Options
    └─ Network security: LAN Manager authentication level
    ( ) Send LM & NTLM
    ( ) Send NTLM response only
    (*) Send NTLMv2 response only



You won't see PAM "auth" messages in the server logs, because PAM authentication would require the plaintext password, which the client does not reveal. Instead, Samba handles authentication internally and only on success calls PAM to do various other checks.



Instead, search for the smbd daemon's own logs. You may want to enable logging = syslog or logging = systemd so that they always go to a standard location; but by default they're kept in /var/log/samba instead.






share|improve this answer












SMBv2/v3 always runs in 'raw' mode over TCP port 445, with no NetBIOS in sight. (The older SMBv1 can be run over either TCP/445 or TCP/139.) But the port is not actually important for authentication at all – it's done entirely at SMB level, not at NetBIOS (session/transport) level.



You should check whether both sides agree on which authentication protocols should be used. Specifically:





  1. whether Samba accepts NTLMv1 or requires NTLMv2, according to smb.conf:



    [general]
    ;ntlm auth = ntlmv1-permitted
    ntlm auth = ntlmv2-only


    (Previous versions used yes to allow NTLMv1, no to require NTLMv2.)




  2. whether Windows sends NTLMv1 or v2, according to secpol.msc:



    Security Settings
    └─ Local Policies
    └─ Security Options
    └─ Network security: LAN Manager authentication level
    ( ) Send LM & NTLM
    ( ) Send NTLM response only
    (*) Send NTLMv2 response only



You won't see PAM "auth" messages in the server logs, because PAM authentication would require the plaintext password, which the client does not reveal. Instead, Samba handles authentication internally and only on success calls PAM to do various other checks.



Instead, search for the smbd daemon's own logs. You may want to enable logging = syslog or logging = systemd so that they always go to a standard location; but by default they're kept in /var/log/samba instead.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 23 '18 at 9:01









grawity

232k35491546




232k35491546












  • Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
    – John Byrne
    Nov 23 '18 at 14:02










  • Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
    – grawity
    Nov 23 '18 at 16:33




















  • Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
    – John Byrne
    Nov 23 '18 at 14:02










  • Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
    – grawity
    Nov 23 '18 at 16:33


















Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
– John Byrne
Nov 23 '18 at 14:02




Thank you so much! It works now. I just changed Windows negotiation of NTLMv2. So it was a windows setting after all... I spent like 8 hours on this I was pretty stumped. I was looking for some sort of negotiation error, but there is none in the Wireshark protocol display. In any case, I really appreciate your help!
– John Byrne
Nov 23 '18 at 14:02












Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
– grawity
Nov 23 '18 at 16:33






Unfortunately, at least as far as I know, the two NTLM versions aren't exactly negotiated as such – the packets only differ in how the challenge/response is generated... (It's an old and clunky protocol that began in MS-DOS as "LM" and just has a thick layer of paint on top.) If you can, set all hosts to use NTLMv2 only – it's somewhat more secure and that's already the default in new OS versions.
– grawity
Nov 23 '18 at 16:33




















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377726%2fwindows-7-ntlm-not-authenticating-properly-with-ubuntu-18-04%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

AnyDesk - Fatal Program Failure

How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

QoS: MAC-Priority for clients behind a repeater