Connecting to SMB share on OS X 10.11.5 broken

[naxos]

Looks like everything worked with OS X 10.11.4 but the update to 10.11.5 broke the functionality.

Login now always runs into status 0xC000A000 (NT_STATUS_INVALID_SIGNATURE).

[jbkempf]

That is problematic :)
@fkuehne can you check?

[fkuehne]

I can't confirm, but this matches reports we saw on App Store reviews.

[fkuehne]

Confirmed. https://forum.videolan.org/viewtopic.php?p=442125#p442125

[naxos]

Can I take from the link above, that a connection against Windows 10 doesn't work either? (Sorry, don't have a Windows 10 box to test myself)

[jbkempf]

No, this is OS X specific.

[sylverb]

I've done few quick tests,
SMB server in 10.11.5 is returning a 0xC000A000 error as an answer to the NTLMSSP_AUTH request.
This error is a SMB2 error defined as STATUS_INVALID_SIGNATURE , I'll try to understand the cause of this now ...

[sylverb]

Ok the problem is that OS X 10.11.5 smb server is telling to the client that security signature is mandatory and the client is telling that it is not supporting security signature.

Changing flag2 value in smb header to tell that we are supporting signatures allows to pass authentication phase but after that, requests are not answered by server because signature is not correctly filled in requests ...

Security signature management has to be implemented in libdsm to be able to connect to 10.11.5 servers (and servers configured to force security management use).

[sylverb]

On interesting point is that smbclient 3.6.25 which is implementing security signature is not able to get share's list from server (same behaviour than with my modifications in libdsm : server is not answering to the Tree connect request). It's possible that Apple's server is not supporting signatures using MD5 ! I'll try to check with a more recent version of smbclient ...

[jbkempf]

That's a bit weird, tbh :)

[naxos]

As a side-note for those who need a workaround for OS X 10.11.5:

Adding the two lines

    <key>SigningRequired</key>
    <false/>

to /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist and restarting the server (or switching SMB sharing off and on again) re-enables connectivity.

[jbkempf]

I'd guess this requires some wiresharking :)

[sylverb]

It's just changing the security policies returned by the server (singing is no more mandatory) and therefore making the server accepting not signed messages. Unfortunately wireshark will not help here ...

[naxos]

Yes, just a workaround until there is a solution.

[sylverb]

I've done a test with smbclient Version 4.5.0pre1-GIT-3b5e3ef (git clone from today) and it's giving me a NT_STATUS_INVALID_SIGNATURE error in front of 10.11.5 server (when doing a smbclient -L server_ip).
When trying to connect to the server from ubuntu 16.04 file manager, I also have NT_STATUS_INVALID_SIGNATURE error (according to wireshark as app is not returning any error) !

I managed to connect to server from another MacOS computer, but in this case, SMB2 dialect is used, so it won't help !

I'm not sure we should spend some time trying to fix this, it seems that Apple fucked up SMB support in their smbx server ... The best solution may be to disable server's "SigningRequire" as pointed by @naxos ...

[TimOliver]

If it's looking like Apple has legitimately goofed up their implementation of the protocol, it might be worth filing a radar to see if they'll look at fixing it in a later version of OS X macOS. :)

[fkuehne]

just for the record, competing implementations like nPlayer's were able to fix this, so maybe we can, also? :)

[albianto]

I think this is a security feature, not a bug in their implementation.
The following message can be found in the console upon smb server start:
smbd[8779]: Server requires signing while bound to unauthenticated Directory Service

Also when trying to connect:
smbd[8779]: signing is required, but 192.168.0.11 is not signing smbd[8779]: session_setup_transact: activate_signing returned status 0xc000a000: status

[fkuehne]

This conclusion is correct. This is a missing feature. libDSM cannot do signed requests at the moment, which needs to be added.

[sylverb]

FYI i'm working on implementing signatures in libDSM !
But I'm facing a small problem : basically the signature is a part of the MD5 hash performed on a key and bytes of SMB message (with a message counter instead of the signature), but documentation are not clear about everything. The point is that this is not well documented in M$ specification and websites describing the signature are not clear and they are sometimes telling different things ...

Anyway I have some wireshark traces of a client (mentionned by @fkuehne : nPlayer) successfully dialoging with my 10.11.5 server using NT LM 0.12, it should allow me to find the correct combination for signing messages ...
But if anyone has knowledge or a clear documentation of how exactly we should compute signature, he's more than welcome to share it :)

[jbkempf]

SMB never has a clear documentation...

[jabohn]

Any progress being made?

[TimOliver]

@jabohn I'm sure they'll let us know when and if they've made progress. 😉

@sylverb This might already be common knowledge. I'm not sure if this helps, but Apple has released their implementation of SMB on their Open Source site: https://opensource.apple.com/source/smb/smb-115.1/

It's apparently all based on Boris Popov's FreeBSD implementation of smbfs: https://sourceforge.net/projects/smbfs/

Hopefully there might be some information about how the signature is generated in there. I'm pretty strapped for time these days, but an effective SMB implementation is going to be very critical in my app. So I'm happy to help out if there's anything I can do. :)

[MrMC]

@sylverb, you have a branch somewhere with your efforts ? Like to take a stab at completing it.

[jbkempf]

https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/