Unknown status value (0x00010002) in SMB_COM_SESSION_SETUP_ANDX

[uSpike]

Hi,

I'm trying to access a server which is running Zebi OS (which is on top of Solaris). When using smbclient it shows:

internal_resolve_name: returning 1 addresses: [redac]:0
Connecting to [redac] at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 374400
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
info
cli_init_creds: user [domain]\[user] domain WORKGROUP
Domain=[domain] OS=[Windows 2000] Server=[Windows 2000 LAN Manager]
 session setup ok
num_setup=1, max_setup=0, param_total=24, this_param=24, max_param=2, data_total=0, this_data=0, max_data=65535, param_offset=68, param_pad=0, param_disp=0, data_offset=92, data_pad=0, data_disp=0
 tconx ok
smb: \>

Trying to connect via pysmb I get:

>>> from smb.SMBConnection import SMBConnection
>>> c = SMBConnection(user, passwd, 'vagrant', 'work')
>>> c.connect('[redac]')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  [snip]
  File "/home/vagrant/venv/local/lib/python2.7/site-packages/smb/base.py", line 1492, in _updateState_SMB1
    message.raw_data, message)
smb.smb_structs.ProtocolError: Unknown status value (0x00010002) in SMB_COM_SESSION_SETUP_ANDX (with extended security)
==================== SMB Message ====================
Command: 0x73 (SMB_COM_SESSION_SETUP_ANDX)
Status: ErrorClass=0x00 ErrorCode=0x0002
Flags: 0x90
Flags2: 0x8807
PID: 681
UID: 0
MID: 2
TID: 0
Security: 0x0000000000000000
Parameters: 0 bytes

Data: 0 bytes

==================== SMB Data Packet (hex) ====================
ff534d4273020001009007880000000000000000000000000000a90200000200000000

>>>

Any idea what I'm missing? pysmb works great when connecting to an Ubuntu server running samba 3.6.3. Is there more info I can provide?

Thanks!

[miketeo]

@spikergit1 : You can try turning off NTLMv2 authentication to see if it works: c = SMBConnection(user, passwd, 'vagrant', 'work', use_ntlm_v2=False)

If it still fails, can you provide the wireshark packet captures for both smbclient and pysmb communication with remote server?

[uSpike]

With use_ntlm_v2 = False, I get the same result.

With use_ntlm_v2 False and smb_structs.SUPPORT_EXTENDED_SECURITY = False, I get

INFOFO:SMB.SMBConnection:Authentication with remote machine "WORK" for user "[redac]" will be using NTLM v1 authentication (without extended security)
DEBUG:SMB.SMBConnection:Received SMB message "SMB_COM_NEGOTIATE" (command:0x72 flags:0x90 flags2:0x8003 TID:0 UID:0)
INFO:SMB.SMBConnection:SMB dialect negotiation successful (ExtendedSecurity:False)
INFO:SMB.SMBConnection:Performing NTLMv1 authentication (without extended security) with challenge "[redac]" and hashed password of "[redac]"
DEBUG:SMB.SMBConnection:Received SMB message "SMB_COM_SESSION_SETUP_ANDX" (command:0x73 flags:0x90 flags2:0x8003 TID:0 UID:0)
INFO:SMB.SMBConnection:Authentication (without extended security) failed. Please check username and password

With of course a valid user/pass. I'll post wireshark captures when I can.

[uSpike]

OK, I have captures. They are in "K12" text format and can be opened in wireshark.

# smbclient -U '[domain]\[user]' -L //work/work

https://gist.github.com/spikergit1/efda02c68d338cfcb22d

c = SMBConnection(user, passwd, 'vagrant', 'work')
c.connect('10.52.2.33')

https://gist.github.com/spikergit1/cae707a5c510a08311b7

I have sanitized the captures and replaced the domain, username, and share names with XXX.

[uSpike]

Looking over the captures myself, it seems that smbclient is using NTLMv2, even though "extended security" is disabled. It appears that pysmb cannot do that. Am I way off base here?

[miketeo]

@spikergit1 : Thanks for your packet captures. I will look into them over the next few days and see if I can come up with a patch for your issue. May I ask what is the version of the Samba service installed on the server?

[uSpike]

The server is not running samba, it's Solaris (and whatever SMB/CIFS thing runs on there).

[jdefrancesco]

Similar issue with OS X.. Working on debugging it

[miketeo]

Yes, pysmb has problems connecting with OS X shares. It's an authentication issue that fails on both SMB1 and SMB2 protocols. But I'm not sure if this issue is related to spikergit1's problem.

[nerijus]

I try to connect to Apple Time Capsule: INFO:SMB.SMBConnection:Authentication with remote machine "xxxx" for user "xxxx" will be using NTLM v1 authentication (with extended security) DEBUG:SMB.SMBConnection:Received SMB message "SMB_COM_NEGOTIATE" (command:0x72 flags:0x98 flags2:0xC001 TID:0 UID:0) INFO:SMB.SMBConnection:SMB dialect negotiation successful (ExtendedSecurity:False) INFO:SMB.SMBConnection:Performing NTLMv1 authentication (without extended security) with challenge "591effcc152a...." and hashed password of "e0f21b5305fe54e6a10878904cd7b68da31d0039........" DEBUG:SMB.SMBConnection:Received SMB message "SMB_COM_SESSION_SETUP_ANDX" (command:0x73 flags:0x88 flags2:0x4001 TID:0 UID:0) INFO:SMB.SMBConnection:Authentication (without extended security) failed. Please check username and password

Should it work with OS X shares?

[uSpike]

@jdefrancesco any luck debugging on OSX?

[aaratn]

This happens with Windows Server 2008 R2 aswell

Here's log when use_ntlm_v2=False

Unknown status value (0xC0000234) in SMB_COM_SESSION_SETUP_ANDX (with extended security) ==================== SMB Message ==================== Command: 0x01 (SMB2_COM_SESSION_SETUP) Status: 0xC0000234 Flags: 0x01 PID: 13626 MID: 2 TID: 0 Data: 9 bytes 090000000000000000 ==================== SMB Data Packet (hex) ==================== fe534d4240000000340200c001000100010000000000000002000000000000003a35000000000000310000200004000000000000000000000000000000000000090000000000000000

And here's log when use_ntlm_v2=True

Unknown status value (0xC0000234) in SMB_COM_SESSION_SETUP_ANDX (with extended security) ==================== SMB Message ==================== Command: 0x01 (SMB2_COM_SESSION_SETUP) Status: 0xC0000234 Flags: 0x01 PID: 13644 MID: 2 TID: 0 Data: 9 bytes 090000000000000000 ==================== SMB Data Packet (hex) ==================== fe534d4240000000340200c001000100010000000000000002000000000000004c35000000000000410000200004000000000000000000000000000000000000090000000000000000

The Server is in active directory and I am using domain=domain.local flag.

EDIT: I figured this out, the active directory account was locked out.

[javieranselmi]

Hi, I am having this exact same issue when connecting to a samba server. Getting the same message whether I use NTLMv1 or v2.:

Traceback (most recent call last):
  File "samba_client.py", line 34, in <module>
    c = conn.connect(ip=remote_ip, port=port)
  File "/home/ec2-user/.local/lib/python3.7/site-packages/smb/SMBConnection.py", line 127, in connect
    self._pollForNetBIOSPacket(timeout)
  File "/home/ec2-user/.local/lib/python3.7/site-packages/smb/SMBConnection.py", line 642, in _pollForNetBIOSPacket
    self.feedData(data)
  File "/home/ec2-user/.local/lib/python3.7/site-packages/nmb/base.py", line 54, in feedData
    self._processNMBSessionPacket(self.data_nmb)
  File "/home/ec2-user/.local/lib/python3.7/site-packages/nmb/base.py", line 75, in _processNMBSessionPacket
    self.onNMBSessionMessage(packet.flags, packet.data)
  File "/home/ec2-user/.local/lib/python3.7/site-packages/smb/base.py", line 144, in onNMBSessionMessage
    if self._updateState(self.smb_message):
  File "/home/ec2-user/.local/lib/python3.7/site-packages/smb/base.py", line 323, in _updateState_SMB2
    message.raw_data, message)
smb.smb_structs.ProtocolError: Unknown status value (0xC0000022) in SMB_COM_SESSION_SETUP_ANDX (with extended security)
==================== SMB Message ====================
Command: 0x01 (SMB2_COM_SESSION_SETUP)
Status: 0xC0000022
Flags: 0x01
PID: 27565
MID: 1
TID: 0
Data: 9 bytes
b'090000000000000000'
==================== SMB Data Packet (hex) ====================
b'fe534d4240000000220000c00100010001000000000000000100000000000000ad6b000000000000000000000000000000000000000000000000000000000000090000000000000000'

this is the code, I masked the IP , user and pass for security reasons:

conf = {
  "USERNAME": "[email protected]",
  "PASSWORD": "password",
  "REMOTE_IP": "10.2.2.2",
  "REMOTE_SHARED_NAME": "IT",
  "PORT": 445
}
   
username = conf['USERNAME'] # User to connect to S-Drive
password = conf['PASSWORD'] # Password to connect to S-Drive
remote_ip = conf['REMOTE_IP'] # IP of the remote S-Drive server
remote_name = conf['REMOTE_IP'] # Name of the remote S-Drive server (same as IP)
shared_name = conf['REMOTE_SHARED_NAME'] # Name of the drive
port = conf['PORT'] # Name of the port
my_name = gethostname()

smb_structs.SUPPORT_SMB2 = True
smb_structs.SUPPORT_EXTENDED_SECURITY = False
print("SETTING UP SMB")
conn = SMBConnection(username=username, password=password, my_name=my_name, remote_name=remote_name, domain=my_name, use_ntlm_v2 =False, sign_options=SMBConnection.SIGN_WHEN_SUPPORTED, is_direct_tcp=True)
print("CONNECTING TO", remote_ip, "PORT", port)
c = conn.connect(ip=remote_ip, port=port) 
print("CONNECTION STATUS:", str(c))
print("PATH LISTING")
files = conn.listPath(shared_name, "\\Reporting\\Data\\SellerCodeManagement\\Archive", "*")

[washi29]

Hey were you able to fix the problem? I'm having same issue