smbprotocol: Ignored auth_protocol results NTLM_USER_FILE error
Hi, I'm encountering an issue when trying to authenticate to a remote server. I'm using the high-level API and have the following configured:
- for the register_session:
```python
register_session(
    server=hostname,
    username=user,
    password=password,
    port=445,
    encrypt=encrypt,
    auth_protocol='ntlm')
```
- client config:
```python
smbclient.ClientConfig(username=user, password=password, require_secure_negotiate=verify, domain_controller=dc)
```
where the username, password, and all other variables were verified and correct.
The issue:
Even though the auth_protocol was set to ntlm the request first attempts to use negotiate and then falls back to ntlm (we do not support Kerberos at the moment).
The problem with it is that the username field is not being passed to the ntlm request and then fails on
Logs
```
[smbprotocol.connection] - Negotiated dialect: (785) SMB_3_1_1
python logging: INFO [smbprotocol.connection] - Connection require signing: True
python logging: INFO [smbprotocol.session] - Initialising session with username: None
python logging: DEBUG [smbprotocol.session] - Decoding SPNEGO token containing supported auth mechanisms
python logging: DEBUG [spnego.negotiate] - SPNEGO step input: YHYGBisGAQUFAqBsMGqgPDA6BgorBgEEAYI3AgIeBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKoZIhvcSAQICAwYKKwYBBAGCNwICCqMqMCigJhskbm90X2RlZmluZWRfaW5fUkZDNDE3OEBwbGVhc2VfaWdub3Jl
python logging: DEBUG [spnego.negotiate] - Failed to create gssapi context for SPNEGO protocol ntlm: SpnegoError (16): Operation not supported or available, Context: Retrieving NTLM store without NTLM_USER_FILE set to a filepath
Exception message is [Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/smbprotocol/session.py", line 275, in connect
    out_token = context.step(in_token)
  File "/usr/local/lib/python3.9/site-packages/spnego/negotiate.py", line 119, in step
    mech_token_in, mech_list_mic, is_spnego = self._step_spnego_input(in_token=in_token)
  File "/usr/local/lib/python3.9/site-packages/spnego/negotiate.py", line 159, in _step_spnego_input
    mech_list = self._rebuild_context_list(mech_types=in_token.mech_types)
  File "/usr/local/lib/python3.9/site-packages/spnego/negotiate.py", line 374, in _rebuild_context_list
    raise BadMechanismError(context_msg="Unable to negotiate common mechanism", base_error=last_err)
spnego.exceptions.BadMechanismError: SpnegoError (1): SpnegoError (16): Operation not supported or available, Context: Retrieving NTLM store without NTLM_USER_FILE set to a filepath, Context: Unable to negotiate common mechanism
```
Good to know:
- We have NTLM and LM disabled on our server but NTLMv2 enabled.
- We are using the latest version of the smbprotocol package (1.5.1)
Thanks.
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (8 by maintainers)
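Added example, not part of the original issue and not code from smbprotocol or pyspnego: a small DER walker that decodes the `SPNEGO step input` token from the log above and lists the authentication mechanisms the server offered. The function names and the label table are this example's own.

```python
import base64
# SPNEGO input token copied from the spnego.negotiate DEBUG line in the log above.
TOKEN_B64 = "YHYGBisGAQUFAqBsMGqgPDA6BgorBgEEAYI3AgIeBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKoZIhvcSAQICAwYKKwYBBAGCNwICCqMqMCigJhskbm90X2RlZmluZWRfaW5fUkZDNDE3OEBwbGVhc2VfaWdub3Jl"
# Well-known mechanism OIDs; the labels are this example's own wording.
MECH_NAMES = {
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.2.840.48018.1.2.2": "Kerberos (legacy Microsoft OID)",
    "1.2.840.113554.1.2.2": "Kerberos",
    "1.2.840.113554.1.2.2.3": "Kerberos User-to-User",
    "1.3.6.1.4.1.311.2.2.10": "NTLM",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for octet in body[1:]:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def offered_mechs(token_b64):
    """Return [(oid, label)] from a GSS-API wrapped SPNEGO NegTokenInit."""
    tag, body, _ = read_tlv(base64.b64decode(token_b64), 0)
    oid_tag, oid, pos = read_tlv(body, 0)
    if (tag, oid_tag) != (0x60, 0x06) or decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("not a GSS-API wrapped SPNEGO token")
    _, neg_init, _ = read_tlv(body, pos)      # [0] NegTokenInit
    _, fields, _ = read_tlv(neg_init, 0)      # SEQUENCE of its fields
    _, mech_types, _ = read_tlv(fields, 0)    # [0] mechTypes
    _, mech_seq, _ = read_tlv(mech_types, 0)  # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, raw, pos = read_tlv(mech_seq, pos)
        mechs.append(decode_oid(raw))
    return [(oid, MECH_NAMES.get(oid, "unknown")) for oid in mechs]

for oid, label in offered_mechs(TOKEN_B64):
    print(f"{oid:24} {label}")
```

For this token the server's list is NEGOEX, three Kerberos OIDs and NTLM, so NTLM is on offer and the `NTLM_USER_FILE` error in the traceback comes from the client side.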
The PR https://github.com/jborean93/smbprotocol/pull/133 should fix this particular problem.
1.6.2 has just been published on PyPI with this fix https://pypi.org/project/smbprotocol/1.6.2/.
Looks like it was not, must have missed it as I wasn’t looking at the closed issues.
Glad the workaround works for now, hopefully the next release will include a bugfix where this isn’t necessary.
What I am finding confusing is that both the `auth_protocol` and `username`/`password` settings are being ignored. The log indicates that the auth being used is Negotiate auth without any username and/or password being set, which goes against what your `ClientConfig` is set as. Is `username=user, password=password` actually set to any value other than `None` at that point?

Can you wrap all your code with the following to see the full stack trace. I would like to see what code is actually creating the session and potentially why it's not populating the proper values.