From: Paul Mather
To: paul beard
Cc: FreeBSD-questions
Date: Tue, 11 Jul 2023 11:03:54 -0400
Subject: Re: SMB authentication…flakiness?
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Tue, 2023-07-11 at 07:12 -0700, paul beard wrote:
> I'll take a look but am reluctant (read: lazy) to install a whole new
> thing to do something that worked as recently as yesterday.

IIRC, you said you updated the firmware in your wireless base station
device hosting the SMB volume and the SMB mount stopped working.  Could
be the firmware update removed/disabled support for SMB1, which is not
surprising as most everyone has done it because SMB1 is widely
acknowledged to be insecure.  Even Microsoft no longer ships support
for SMB1 in Windows:
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb1-now-disabled-by-default-for-windows-11-home-insiders-builds/ba-p/3289473

If your wireless base station appliance has quit supporting SMB1 with
the current firmware then you have some decisions to make.  Maybe you
can figure out how to re-enable it?  Perhaps you can regress to the old
(possibly vulnerable) firmware that worked and keep on that?  Microsoft
has a knowledge base of how to get old SMB1-only products working:
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb1-product-clearinghouse/ba-p/426008
(Interesting to note that their suggestion for FreeBSD is also to use
sysutils/fusefs-smbnetfs :-))  Whatever you decide will take some work
on your part.

I don't know which is the "laziest" or best long-term solution for you.
I will say that SMB1 has gone the way of the dinosaurs.  Keeping it
alive doesn't sound like a lazy person's pursuit. :-)

Cheers,

Paul.

>
> Seeing this on the client side:
> Jul 10 18:15:18 <kern.crit> www kernel: smb_smb_negotiate: Don't know how to talk with server xxx (65535)
> I assume this was during the testing of smb v1, v1 + v2 and pure v2.
>
> I did install samba on the client so I could use smbclient, hoping
> for more debugging info.
>
> smbclient -U www -I omphalos -N /tmp/mnt/storage  //mnt/storage
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> and of course, now smbutil doesn't work as it used to.
>
> The client on busybox allows some custom config to be added: is there
> any logging I can toggle on there?
>
> On Tue, Jul 11, 2023 at 5:47 AM Paul Mather <paul@gromit.dlib.vt.edu> wrote:
> > On Mon, 2023-07-10 at 18:30 -0700, paul beard wrote:
> > > having some trouble mounting an smb volume hosted by a wireless
> > > base station running linux/busybox.
> > >
> > > smbutil works, mount_smbfs doesn't. password is in .nsmbrc, seems
> > > to be readable by smbutil.
> > >
> > > smbutil view //www@omphalos
> > > Share        Type       Comment
> > > -------------------------------
> > > jffs         disk       JFFS
> > > storage      disk       STORAGE
> > > EFI          disk       EFI
> > > IPC$         pipe       IPC Service (FreshTomato Samba Server)
> > >
> > > mount_smbfs -I omphalos -N //tmp/mnt/storage /mnt/storage
> > > mount_smbfs: unable to open connection: syserr = Authentication error
> > >
> > > tail -1 /etc/fstab
> > > //omphalos/STORAGE      /mnt/storage    smbfs   rw,noauto, -N,-I192.168.0.1 00
> > >
> > > This all used to work, but a couple of firmware upgrades have
> > > taken place. This was working yesterday after the latest update
> > > but now is failing and I am not seeing what's wrong with it.
> > >
> > > The server offers Samba protocol version v1, v2 or mixed v1/v2.
> > > v1 doesn't work at all, returns
> > > mount_smbfs: unable to open connection: syserr = RPC struct is bad
> > >
> > > The others will allow smbutil to work but not mount_smbfs.
> > > Logging isn't telling me much on the server side. I could mount
> > > the disk on macOS but that's not working now either. smbutil
> > > still works there but not mount_smbfs.
> >
> > When my OpenELEC server stopped supporting SMB1 by default I
> > decided to bite the bullet and abandon mount_smbfs, which does not
> > support anything higher than SMB1.  (See the STANDARDS section of
> > the mount_smbfs(8) manual page.)
> >
> > In my case, I switched to the sysutils/fusefs-smbnetfs port.  It
> > uses Samba4 under the hood, so supports both SMB2 and SMB3, making
> > it more compatible with other OSes (like macOS).  I found
> > fusefs-smbnetfs a little bit of a pain to set up, but very reliable.
> > Its main advantage, for me, is supporting modern SMB standards.
> >
> > Cheers,
> >
> > Paul.
>
> --
> Paul Beard / www.paulbeard.org/
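
Added example, not part of the original thread and not FreeBSD or Samba code: a parser for the server's reply to an SMB1 negotiate request, showing how a server that no longer accepts SMB1 answers an SMB1-only client such as mount_smbfs. It assumes the number in the kernel message above (65535) is the reply's DialectIndex field, where 0xFFFF means the server accepted none of the offered dialects; the dialect list and the reply bytes are constructed samples.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_COMMON_DIALECT = 0xFFFF  # 65535: assumed to be the number in the kernel log line
# Constructed dialect list; a real client sends its own list in the request.
OFFERED = ["LANMAN1.0", "LM1.2X002", "NT LM 0.12"]

def frame(msg):
    """Prefix a message with the 4-byte direct-TCP (port 445) length header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def sample_smb1_reply(dialect_index):
    """Constructed minimal SMB1 negotiate reply: 32-byte header plus DialectIndex."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0x80, 0, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # WordCount=1, DialectIndex, ByteCount=0
    return frame(header + struct.pack("<BHH", 1, dialect_index, 0))

def sample_smb2_reply():
    """Constructed reply that only carries the SMB2 magic and a zeroed header."""
    return frame(SMB2_MAGIC + b"\x00" * 60)

def classify_negotiate_reply(data, offered=OFFERED):
    """Explain how a server answered an SMB1 negotiate request."""
    if len(data) < 8 or data[0] != 0:
        return "not an SMB session message"
    msg = data[4:4 + int.from_bytes(data[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return "server replied with SMB2; an SMB1-only client cannot continue"
    if msg[:4] != SMB1_MAGIC or len(msg) < 35 or msg[4] != SMB_COM_NEGOTIATE:
        return "unexpected reply"
    word_count, index = struct.unpack_from("<BH", msg, 32)
    if word_count < 1:
        return "SMB1 reply without a dialect index"
    if index == NO_COMMON_DIALECT:
        return "SMB1 refused: none of the offered dialects is accepted"
    if index >= len(offered):
        return "dialect index %d is outside the offered list" % index
    return "SMB1 accepted: " + offered[index]

if __name__ == "__main__":
    for reply in (sample_smb1_reply(0xFFFF), sample_smb1_reply(2), sample_smb2_reply()):
        print(classify_negotiate_reply(reply))
```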