AIX7.2 mount: Access denied as non root user (Error Context: treeConnectAndX)

thierry
Posts: 2
Joined: Sun Oct 01, 2017 11:45 pm

Postby thierry » Mon Oct 02, 2017 1:22 am

Hi,

I'm testing Sharity 3.9 (trial version) on AIX 7.2 against a NAS server.
I have no issues mounting the share as root and accessing it. But when I try to mount the share as a non-root user, I can't, and I get the following errors:

Access Denied
Error Context: treeConnectAndX


I'm aware that every user who wants to access a share must first authenticate on the server. So, without the GUI, I explicitly authenticate with sharity login.

Code:

bash-4.3# su - jboss
$ /usr/local/sharity3/bin/sharity login
No Sharity logins.
$ /usr/local/sharity3/bin/sharity login smb://frlnasr7/reseau00 -U agu
agu's password on frlnasr7:
$ /usr/local/sharity3/bin/sharity login
Server or Share                          Remote Name          Authentication
------------------------------------------------------------------------------
smb://frlnasr7                           agu                  NTLM v2
$


Afterwards, I try to mount the share with sharity mount, since the user who mounts the share has access to the share because he entered a password, but I can't mount it.

Code:

$ /usr/local/sharity3/bin/sharity mount
"x-browser:" on "/CIFS" (mounted_by=0)
$ /usr/local/sharity3/bin/sharity  mount  smb://frlnasr7/reseau00 /jboss
Access Denied
Error Context: treeConnectAndX
$


I log out from the share's server to make sure the internal status is reset before doing a debug log:

Code:

$ /usr/local/sharity3/bin/sharity logout smb://frlnasr7
$ /usr/local/sharity3/bin/sharity login
No Sharity logins.
$


I go to the sharity debug log:

Code:

bash-4.3# /usr/local/sharity3/bin/sharity debug file debug
bash-4.3#


After this phase:

Code:

$ /usr/local/sharity3/bin/sharity login smb://frlnasr7/reseau00 -U agu
agu's password on frlnasr7:
$ /usr/local/sharity3/bin/sharity login
Server or Share                          Remote Name          Authentication
------------------------------------------------------------------------------
smb://frlnasr7                           agu                  NTLM v2
$


and this one:

Code:

$ /usr/local/sharity3/bin/sharity  mount  smb://frlnasr7/reseau00 /jboss
Access Denied
Error Context: treeConnectAndX
$


The debug log only indicates:

Code:

bash-4.3# diff /tmp/sharity-debug.log.1 /tmp/sharity-debug.log.2
10a11,12
> 375.183 0 odpthread/db0: 4 worker threads, 1 active
> 397.669 2 odevntloop/db0: waking main thread because registered new fd
bash-4.3#
$


The network trace shows:
AIX box -> NAS

Code:

Transmission Control Protocol, Src Port: filenet-peior (32776), Dst Port: netbios-ssn (139), Seq: 1052, Ack: 1565, Len: 91
NetBIOS Session Service
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response in: 115]
        SMB Command: Tree Connect AndX (0x75)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x08, Case Sensitivity
        Flags2: 0xc801, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Allowed
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0  (\\FRLNASR7\RESEAU00)
        Process ID: 1
        User ID: 2
        Multiplex ID: 5
    Tree Connect AndX Request (0x75)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        Flags: 0x0000
        Password Length: 1
        Byte Count (BCC): 44
        Password: 00
        Path: \\FRLNASR7\RESEAU00
        Service: A:


NAS -> AIX server

Code:

Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: filenet-peior (32776), Seq: 1565, Ack: 1143, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 114]
        [Time from request: 0.000374000 seconds]
        SMB Command: Tree Connect AndX (0x75)
        NT Status: STATUS_ACCESS_DENIED (0xc0000022)
        Flags: 0x88, Request/Response, Case Sensitivity
        Flags2: 0xc801, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Allowed
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0  (\\FRLNASR7\RESEAU00)
        Process ID: 1
        User ID: 2
        Multiplex ID: 5
    Tree Connect AndX Response (0x75)
        Word Count (WCT): 0
        Byte Count (BCC): 0


This seems to indicate that access is refused by the NAS server, but why is it OK for the root user?


Thanks in advance for your time and help.

christian
Objective Development
Posts: 1369
Joined: Thu Nov 09, 2006 11:46 am

Re: AIX7.2 mount: Access denied as non root user (Error Context: treeConnectAndX)

Postby christian » Wed Oct 04, 2017 12:52 pm

First of all: SMB1 (the protocol used by Sharity) is very complex. When two parties implement it independently, it's very likely that they are not interoperable. You have to test every combination of client and server and fix incompatibilities and different interpretations of the spec.

Having said that: Sharity has been tested against Windows versions ranging from Windows 95 to Windows 2013. It has also been tested against various versions of Samba which were available in the years 2000 to 2008. It has been tested with SOME of the NAS devices which were sold in that time range, but it has not been tested against current versions.

The network trace indicates that Sharity receives an error code for the TreeConnectAndX command. The server may refuse the connect because the same user-ID has already made this connection (root and your user share the UID if the remote user name is the same). The SMB spec does not talk about the scope of User-IDs (UIDs) and Tree-IDs (TIDs), whether a TID must be obtained for each UID or not. So I suspect an incompatibility here.
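For reading a trace like the one posted above, here is an added example (not part of the thread and not Sharity code) that parses NetBIOS-framed SMB1 messages, pairs each response with its request by (PID, MID), and reports which command failed under which User ID. The two sample frames are constructed from the field values printed in the trace; the function names are hypothetical.

```python
import struct

HDR = struct.Struct("<4sBIBHH8sHHHHH")  # 32-byte SMB1 header, little-endian
STATUS = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED"}

def parse(frame):
    """Parse one NetBIOS-session-framed SMB1 message into a dict."""
    smb = frame[4:4 + (int.from_bytes(frame[1:4], "big") & 0x1FFFF)]
    if len(smb) < HDR.size + 3 or smb[:4] != b"\xffSMB":
        raise ValueError("not a complete SMB1 message")
    _, cmd, status, flags, flags2, _, _, _, tid, pid, uid, mid = HDR.unpack_from(smb)
    data_off = 35 + 2 * smb[32]          # header + WCT byte + words + BCC
    bcc, = struct.unpack_from("<H", smb, data_off - 2)
    return dict(cmd=cmd, status=status, response=bool(flags & 0x80),
                unicode=bool(flags2 & 0x8000), tid=tid, pid=pid, uid=uid, mid=mid,
                words=smb[33:data_off - 2], data=smb[data_off:data_off + bcc],
                data_off=data_off)

def tree_connect_path(req):
    """Share path carried by a Tree Connect AndX (0x75) request."""
    off, = struct.unpack_from("<H", req["words"], 6)   # skip the password field
    if not req["unicode"]:
        return req["data"][off:].split(b"\0", 1)[0].decode("ascii", "replace")
    off += (req["data_off"] + off) % 2                 # UTF-16 strings are 2-byte aligned
    raw = req["data"][off:]
    return raw[:len(raw) & ~1].decode("utf-16-le", "replace").split("\0", 1)[0]

def failures(frames):
    """Pair responses with requests by (PID, MID); return the non-success ones."""
    pending, out = {}, []
    for m in map(parse, frames):
        key = (m["pid"], m["mid"])
        if not m["response"]:
            pending[key] = m
        elif m["status"] and key in pending:
            req = pending.pop(key)
            path = tree_connect_path(req) if req["cmd"] == 0x75 else None
            out.append((hex(req["cmd"]), req["uid"], path,
                        STATUS.get(m["status"], hex(m["status"]))))
    return out

def sample(flags, status, words, data):
    """Constructed frame using the header values printed in the trace."""
    smb = HDR.pack(b"\xffSMB", 0x75, status, flags, 0xC801, 0, bytes(8), 0, 0, 1, 2, 5)
    smb += bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

REQUEST = sample(0x08, 0, bytes.fromhex("ff00000000000100"),
                 b"\0" + "\\\\FRLNASR7\\RESEAU00\0".encode("utf-16-le") + b"A:\0")
RESPONSE = sample(0x88, 0xC0000022, b"", b"")
```

The constructed frames come out at 91 and 39 bytes, the same lengths as the TCP payloads in the trace, and `failures([REQUEST, RESPONSE])` reports the Tree Connect AndX under User ID 2 as denied.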

thierry
Posts: 2
Joined: Sun Oct 01, 2017 11:45 pm

Re: AIX7.2 mount: Access denied as non root user (Error Context: treeConnectAndX)

Postby thierry » Wed Oct 04, 2017 1:29 pm

Thanks very much for your update. Please find below the full log from sharity, if it helps to make progress and confirm that there is an incompatibility.

Code:

# cat /tmp/sharity-debug.log
117.124 0 odpthread/db0: 4 worker threads, 1 active
222.926 0 odpthread/db0: 3 worker threads, 1 active
275.182 2 odevntloop/db0: waking main thread because registered new fd
311.715 1 odevntloop/db0: waking main thread because registered new fd
311.717 4 odutil/db0: odUtilResolveName(frlnasr7): IP=0x0a504628, canonicalName=frlnas2.fr.conforama.grp
311.718 4 odevntloop/db0: waking main thread because registered new fd
311.731 4 cifsserver/db0: cifsSrvKrbPrincipal: guessed principal name = FRLNAS2$@FR.CONFORAMA.GRP
311.748 4 main/db0: sending GUI update; reason=user login succeeded
311.749 4 odevntloop/db0: waking main thread because registered timer
329.108 2 odevntloop/db0: waking main thread because registered new fd
375.183 0 odpthread/db0: 4 worker threads, 1 active
397.669 2 odevntloop/db0: waking main thread because registered new fd
497.670 0 odpthread/db0: 4 worker threads, 1 active
642.941 0 odpthread/db0: 3 worker threads, 1 active
762.945 0 odpthread/db0: 3 worker threads, 1 active
808.692 2 odevntloop/db0: waking main thread because registered new fd
#

christian
Objective Development
Posts: 1369
Joined: Thu Nov 09, 2006 11:46 am

Re: AIX7.2 mount: Access denied as non root user (Error Context: treeConnectAndX)

Postby christian » Wed Oct 04, 2017 1:41 pm

Two things:
(1) I see that you have installed the Kerberos module. If you log in with password, you don't need it. It just adds complexity.
(2) Your debug log does not list the relevant info. Please do the following:

(*) To enable debugging, type (as root):
    rm -f /tmp/sharity-debug.log
    sharity debug file logLevelsDebug
(*) Reproduce the problem.
(*) Turn off debugging again:
    sharity debug syslog
(*) Mail me the file /tmp/sharity-debug.log. If this file is large (>100k), please compress it before mailing it.

Please mail me the debug log in support, it's large and may contain private data such as the names of files, the names of computers, user names etc.

