The answer to this how-to includes multiple parts, as the situation might be a bit different depending on what you need.
I included everything I found (or believe to have found) via the various searches which helped me fix my direct problem.
The default Debian 9 Stretch Kernel does not support SMB3
Turns out my kernel seems to not support SMB3 directly
https://unix.stackexchange.com/questions/202961/mounting-smb3-share-with-encryption-fails-mount-error13-permission-denied-s/376166
Based on https://lists.debian.org/debian-kernel/2017/04/msg00266.html
Quote:
On 22.04.2017 at 17:21, Ben Hutchings wrote:
On Sat, 2017-04-22 at 16:19 +0100, Ben Hutchings wrote:
On Sat, 2017-04-22 at 14:47 +0200, debian@alpenjodel.de wrote:
Hi!
It's not possible to mount an encrypted CIFS share yet. Is it possible
to add the following kernel changes to Debian 8?
No, we don't backport big features like that.
Of course, if this feature is in Linux 4.9 (I don't know) then you have
the option to install the new kernel version from jessie-backports
(https://backports.debian.org/).
Ben.
From my research it is not in the stretch backports either (cifs-utils to support the kernel change from 4.11?)
https://packages.debian.org/stretch-backports/allpackages
However, I am unsure about the backport part, as there are newer kernels, but in my case I will not upgrade to the backport kernel for this feature, so I stopped here.
smbtree needs more parameters to work with SMB3
It was not immediately clear to me how to get smbtree working with SMB3, and with the issue I thought I had found above, I dropped the idea of SMB3 altogether.
https://www.samba.org/samba/docs/current/man-html/smbtree.1.html
smbclient does not use SMB2 or SMB3 by default.
The default version of the SMB protocol for smbclient is SMB1.
This is not supported by default in Windows 10.
If you need this for your use case you have to add the corresponding registry key:
HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
(Type DWORD32, value 1 for on, 0 for off)
Powershell Command(s):
Detect:
Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
This was taken from https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
You might have to change the file-sharing encryption level in Windows 10 to get SMB1 working as well.
As I did not test this directly, I do not know if it is actually needed.
See for example how to do this here:
https://www.tenforums.com/tutorials/51024-change-file-sharing-encryption-level-windows-10-a.html
Quote:
To Change File Sharing Encryption Level in Network and Sharing Center
Open the Control Panel, and click/tap on the Network and Sharing Center icon.
Click/tap on the Change advanced sharing settings link on the left side.
Expand the All Networks network profile.
Under File sharing connections, select "Enable file sharing for devices that use 40- or 56-bit encryption"
Working commands
Now to actually get things working:
Non-administrative share:
changing the smbclient command
smbclient -U WIN10Username -L //Client/
to
smbclient -m SMB2 -U WIN10Username -L //Client/
lets you view the shares of that client.
As a mount command on the console to actually access it:
mount -t cifs -o vers=2.0,username=WIN10Username,password=WIN10Password //CLIENTIP/TESTSHARE MOUNTPOINT
or as an /etc/fstab entry (no automount on boot!)
//CLIENTIP/TESTSHARE /MOUNTPOINT cifs vers=2.0,username=WIN10Username,password=WIN10Password 0 0
Administrative Share
For the administrative share you have to do one additional registry change (if you are not in a domain):
PowerShell command:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Name LocalAccountTokenFilterPolicy -Value 1
taken from here:
Unable to mount windows share in ubuntu
Basically, what it does is disable UAC for remote share access and maintenance, so be careful about it.
This might help to understand the implications better, so be certain that you actually want to do this:
https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
# Note: the \$ is actually needed! I did read about quoting the whole string "//CLIENTIP/C$", but I did not test that.
mount -t cifs -o vers=2.0,username=WIN10Username,password=WIN10Password //CLIENTIP/C\$ MOUNTPOINT
backuppc issues:
You will want another account specific to backuppc, which has to have read permissions for the share.
backuppc's default smbclient options do not include -m SMB2
The command backuppc uses is:
/usr/bin/smbclient \\\\CLIENT-NAME\\SHARENAME -U Win10Username -E -N -d 1 -c tarmode\ full -Tc -
Change that to include -m SMB2.
After that I still got NT_STATUS_ACCESS_DENIED:
session setup failed: NT_STATUS_ACCESS_DENIED
session setup failed: NT_STATUS_ACCESS_DENIED
tarExtract: Done: 0 errors, 0 filesExist, 0 sizeExist, 0 sizeExistComp, 0 filesTotal, 0 sizeTotal
Doing it manually with the password added after the -U
/usr/bin/smbclient -m SMB2 \\\\CLIENT-NAME\\SHARENAME -U Win10Username WIN10Password -E -N -d 1 -c tarmode\ full -Tc -
works.
Removing the -N prompts me for the password, with which it works as well.
As I did not want to store it within a configuration file from backuppc, I will use the credential method in the final version.
After trying to figure out what the difference between the backuppc command and the manual smbclient command was, I figured out that the -N results in different behaviour during connection.
Working solution without -N (with username and password or with a credential file, it did not matter; non-administrative or administrative share did not change anything either):
/usr/bin/smbclient -m SMB2 \\\\CLIENTNAME\\test3 -U WIN10Username WIN10Password -E -d 5 -c tarmode\ full -Tc -
/usr/bin/smbclient -m SMB2 \\\\CLIENTNAME\\test3 -A /etc/samba/smb.cred -E -d 5 -c tarmode\ full -Tc -
cut
...
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[CLIENTNAME] OS=[] Server=[]
...
cut
Non-working version with -N:
/usr/bin/smbclient -m SMB2 \\\\CLIENTNAME\\test3 -U WIN10Username WIN10Password -N -E -d 5 -c tarmode\ full -Tc -
/usr/bin/smbclient -m SMB2 \\\\CLIENTNAME\\test3 -A /etc/samba/smb.cred -N -E -d 5 -c tarmode\ full -Tc -
cut
...
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
...
cut
...
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
Backuppc Win10 Client working solution
Given all the above information, I am able to back up the Win10 administrative share with the following backuppc options:
SmbClientFullCmd:
Hardcoded:
$smbClientPath -m SMB2 \\$host\$shareName $I_option -U $userName WIN10Password -E -d 5 -c tarmode\ full -Tc$X_option - $fileList
I was unable to use the password in SmbSharePasswd, but as this wasn't the desired output I did not dig deeper into whether I possibly made an error here.
Credfile:
$smbClientPath -m SMB2 \\$host\$shareName $I_option -A /PATH/samb_creditfile -E -d 5 -c tarmode\ full -Tc$X_option - $fileList
Remember you need permissions for the backuppc user on that file.
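The credentials-file variant above keeps the password out of the backuppc command line, which only helps if the file itself is readable by the backuppc account alone. As an added example (not part of the original answer), the following shell functions write a file in the "key = value" format that smbclient -A reads and check its ownership and mode; the function names, file name, user name and password are constructed placeholders.

```shell
#!/bin/sh
# Added example; every name, path and password here is a constructed placeholder.

# write_cred FILE USER PASSWORD [DOMAIN]
# Writes the "key = value" format that smbclient -A reads. The file is
# recreated under umask 077 so it is never readable by group or others.
write_cred() {
    cred=$1
    rm -f -- "$cred"
    (
        umask 077
        {
            printf 'username = %s\n' "$2"
            printf 'password = %s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain = %s\n' "$4"; fi
        } > "$cred"
    )
}

# check_cred FILE
# Run as the account that will call smbclient (e.g. the backuppc user).
# Returns 0 if usable, otherwise 1-4 with the reason on stdout.
check_cred() {
    cred=$1
    if [ -L "$cred" ] || [ ! -f "$cred" ]; then
        echo "not a regular file: $cred"; return 1
    fi
    if [ ! -O "$cred" ]; then
        echo "not owned by the calling user: $cred"; return 2
    fi
    case $(ls -ld -- "$cred") in
        -r??------*) ;;                      # owner-only, e.g. -rw-------
        *) echo "unreadable or open to group/others: $cred"; return 3 ;;
    esac
    if ! grep -Eq '^username[[:space:]]*=[[:space:]]*[^[:space:]]' "$cred" ||
       ! grep -Eq '^password[[:space:]]*=[[:space:]]*[^[:space:]]' "$cred"; then
        echo "missing username or password line: $cred"; return 4
    fi
    echo "ok: $cred"
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
write_cred "$demo_dir/smb.cred" backuppc_ro 'Constructed-Passw0rd' CLIENTNAME
check_cred "$demo_dir/smb.cred"
chmod 644 "$demo_dir/smb.cred"               # simulate a file left world-readable
check_cred "$demo_dir/smb.cred" || echo "refused with exit code $?"
rm -rf "$demo_dir"
```

Running check_cred as the backuppc user against the path passed to -A confirms both that backuppc can read the file and that no other account can.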