Bug 580000 - net-fs/samba-4.2.11 connecting to shares: ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected!
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo's SAMBA Team
URL: https://bugzilla.samba.org/show_bug.c...
Reported: 2016-04-14 20:53 UTC by Erik Quaeghebeur
Modified: 2016-09-08 12:50 UTC
Description Erik Quaeghebeur 2016-04-14 20:53:45 UTC
With the upgrade to samba-4.2.11, I cannot access some shares using smbclient or kio-based access.

The error I get using smbclient is

ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_SIGN
SPNEGO(ntlmssp) login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

When downgrading to 4.2.9, things work nicely.

I can use 4.2.9 as a workaround, but an important question in that case is whether the vulnerabilities fixed in the 4.2.11 release also affect clients (I don't use samba's server component).
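
Added example (not part of the original report and not Samba's code): a small Python decoder for the ntlmssp_handle_neg_flags line quoted above, using flag values from the public MS-NLMP specification. It shows which session-security flags the server's challenge offered and confirms that the flag reported missing is really absent; the names SAMPLE, flag_names and triage are hypothetical.

```python
import re

# Partial table from the MS-NLMP specification; unlisted bits print as UNKNOWN_0x...
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# The smbclient error line quoted in the report above.
SAMPLE = ("ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible "
          "downgrade detected! missing_flags[0x00000010] - NT code 0x80090302")

LOG_RE = re.compile(r"challenge flags\[0x([0-9A-Fa-f]+)\].*?missing_flags\[0x([0-9A-Fa-f]+)\]")

def flag_names(mask):
    """Return the names of the set bits, lowest bit first."""
    bits = [1 << i for i in range(32) if mask & (1 << i)]
    return [NTLMSSP_FLAGS.get(b, "UNKNOWN_0x%08x" % b) for b in bits]

def triage(log_line):
    """Decode a 'possible downgrade detected' line into a small report."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not an ntlmssp_handle_neg_flags downgrade line")
    challenge, missing = int(m.group(1), 16), int(m.group(2), 16)
    return {
        "offered": flag_names(challenge),
        "missing": flag_names(missing),
        # A flag reported as missing must not be set in the challenge.
        "consistent": (challenge & missing) == 0,
        # True when the server sets ALWAYS_SIGN but withholds SIGN itself.
        "always_sign_without_sign": bool(challenge & 0x8000) and not (challenge & 0x10),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The decoded report gives a precise statement to pass to the server's administrators: the challenge offers key exchange, 128-bit and ALWAYS_SIGN, but not NTLMSSP_NEGOTIATE_SIGN.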
Comment 1 Alex Xu (Hello71) 2016-04-19 16:26:14 UTC
five bucks says your server is misconfigured
Comment 2 Erik Quaeghebeur 2016-04-19 21:21:08 UTC
(In reply to Alex Xu (Hello71) from comment #1)
> five bucks says your server is misconfigured

My institute's server being misconfigured is a possibility. Should I pass the error message also to them or wait for a reaction from the samba team? This is mostly a Microsoft shop and they will most likely not make much effort to support my Linux system, so my first communication to them should be as precise and to the point as possible.
Comment 3 Erik Quaeghebeur 2016-07-30 20:27:32 UTC
It seems 4.2.9 has now been removed from the tree. While I am keeping my installed version for now, this does make testing new versions for me difficult, as I cannot then return to a previous, known-good version. Is it possible to re-add 4.2.9 to the tree, please?
Comment 4 bugs.gentoo.org 2016-09-08 07:54:41 UTC
(In reply to Erik Quaeghebeur from comment #3)
> possible to re-add 4.2.9 to the tree, please?
You can add it to a local overlay.

The changelog for Samba 4.2.12 lists as fixed:
BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego option for testing.
BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
Comment 5 Erik Quaeghebeur 2016-09-08 08:29:14 UTC
(In reply to bugs.gentoo.org from comment #4)
>
> You can add it to a local overlay.

How? (It is now only installed on my system, I don't have the ebuild anymore.)

> BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.

https://bugzilla.samba.org/show_bug.cgi?id=11850 does indeed seem to be the upstream version. (I was 4 days earlier here!)

Alex Xu (Hello71), you owe me $5! (If you were in any way serious about this: please donate it to Samba: https://www.samba.org/samba/donations.html.)

Once I know how to preserve 4.2.9, I'll test 4.2.14 and I guess after that, if successful, this can be marked as FIXED UPSTREAM or so. Perhaps this would be reason enough to stabilize 4.2.14 then.
Comment 6 Erik Quaeghebeur 2016-09-08 11:47:42 UTC
> (In reply to bugs.gentoo.org from comment #4)
> >
> > You can add it to a local overlay.
> 
> How? (It is now only installed on my system, I don't have the ebuild
> anymore.)

OK, I've learnt about quickpkg.
Comment 7 Erik Quaeghebeur 2016-09-08 12:32:45 UTC
(In reply to Erik Quaeghebeur from comment #5)
>
> I'll test 4.2.14 and I guess after that,
> if successful, this can be marked as FIXED UPSTREAM or so. Perhaps this
> would be reason enough to stabilize 4.2.14 then.

Ok, tested. It's fixed with 4.2.14. I'll mark as RESOLVED UPSTREAM. The package maintainers will know best when to mark as stable.