Windows client probes SMB service for IPC$ share instead of actual shared folder

[icelava]

We operate an iXSystems X9SCL NAS in the office and have since last year been normally accessing its network shared folders via SMB. Our Windows 10 computers were only Azure AD-registered with our Office/Microsoft 365 user accounts.

This year we've eventually gotten everybody's computers joined to Azure AD and enrolled to MDM. Brand new computers allocated are provisioned with Windows Autopilot; I got one such new laptop. With this new computer I found it impossible to access the shared folders; Windows credential prompt keeps popping up even though I keyed in the appropriate credentials. Doesn't matter if I pre-insert the credentials in Credential Manager.

I subsequently set the FreeNAS SMB service to log events; turns out this copy of Windows wants to access the IPC$ share instead of actual shared folder path.

[2020/07/06 19:15:27.580527, 2] ../../source3/auth/auth.c:316(auth_check_ntlm_password)
check_ntlm_password: authentication for user [user] -> [user] -> [user] succeeded
[2020/07/06 19:15:27.592802, 1] ../../source3/smbd/smb2_tcon.c:234(smbd_smb2_tree_connect)
smbd_smb2_tree_connect: reject request to share [IPC$] as 'NAS\user' without encryption or signing. Disconnecting.

Windows client side the SMBClient event log also indicates the same behaviour

Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Date: 6/7/2020 19:57:04
Event ID: 31010
Task Category: None
Level: Error
Keywords: (256)
User: N/A
Computer: AADJ-LAPTOP
Description:
The SMB client failed to connect to the share.

Error: {Access Denied}
A process has requested access to an object, but has not been granted those access rights.

Path: \NAS\IPC$
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-SMBClient" Guid="{GUID}" />
<EventID>31010</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x200000000000100</Keywords>
<TimeCreated SystemTime="2020-07-06T11:57:04.171064900Z" />
<EventRecordID>483</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3536" />
<Channel>Microsoft-Windows-SmbClient/Security</Channel>
<Computer>AADJ-LAPTOP</Computer>
<Security />
</System>
<EventData>
<Data Name="Reason">12</Data>
<Data Name="Status">3221225506</Data>
<Data Name="ShareNameLength">10</Data>
<Data Name="ShareName">\NAS\IPC$</Data>
<Data Name="ObjectNameLength">0</Data>
<Data Name="ObjectName">
</Data>
</EventData>
</Event>

Asked in TechNet forums but yet to obtain any insightful information regarding this behaviour.

Windows attempts to connect to IPC$ on FreeNAS SMB service

social.technet.microsoft.com

The very same laptop has no problem accessing my home Synology DS NAS (although in this case, Windows oddly never prompts for credentials and instantly fails authentication, forcing pre-inserting credentials in Credential Manager to solve the problem). So it seems like some weird server-client combo problem. Have any other Windows client users encountered same problems of this network?

 

[anodos]

The client might be trying to connect to the LSARPC pipe. That particular message occurs when an SMB client negotiates SMB3.11 protocol and then attempts a connection without encryption or signing. Samba puts a hard stop on it.

Try downgrading SMB max protocol to SMB3.02.

 

[anodos]

Please PM me a pcap of the exchange from client and server.
tcpdump -i <your interface> -w /tmp/smb.pcap HOST <your client ip> and hit ^c (control + c) when you're done.

 

[icelava]

The client might be trying to connect to the LSARPC pipe. That particular message occurs when an SMB client negotiates SMB3.11 protocol and then attempts a connection without encryption or signing. Samba puts a hard stop on it.

Try downgrading SMB max protocol to SMB3.02.

Does FreeNAS even such an option? I've not seen such controls. With my Synology NAS the DSM OS lets me control min-max SMB versions (set at 2-3) but not minor versions. I guess that means 3.0 thus the laptop does not attempt those "extra" steps? Thereby succeeding in regular folder access.

Earlier today I managed to enter office to test two other computers I have hands on (older AAD-registered laptop and workgroup desktop) and they have no problems accessing the shared folders.

root@nas1:/var/log/samba4 # tail -f log.smbd
[2020/07/09 16:37:29.149957, 2] ../../source3/param/loadparm.c:2808(lp_do_section)
Processing section "[vhd-dev]"
[2020/07/09 16:37:29.150046, 2] ../../source3/param/loadparm.c:2808(lp_do_section)
Processing section "[vhd-prod]"
[2020/07/09 16:37:29.150777, 2] ../../source3/auth/auth.c:316(auth_check_ntlm_password)
check_ntlm_password: authentication for user [USER] -> [USER] -> [USER] succeeded
[2020/07/09 16:37:29.172689, 2] ../../source3/smbd/service.c:851(make_connection_snum)
desktop-iu5le0h (ipv4:10.32.34.25:49684) connect to service archive initiallyas user USER (uid=1000, gid=1000) (pid 67882)
[2020/07/09 16:43:24.484700, 2] ../../source3/smbd/server.c:843(remove_child_pid)
Could not find child 67963 -- ignoring
[2020/07/09 16:45:44.104066, 1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
Failed to fetch record!
[2020/07/09 16:45:44.104217, 1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
pcap cache not loaded
[2020/07/09 16:45:47.919976, 2] ../../source3/smbd/service.c:851(make_connection_snum)
tyrael (ipv4:10.10.10.10:50246) connect

Unfortunately none of my fellow admin colleagues' computers (only we can access NAS) were around for further test. I don't have enough info to tell if any AAD-joined computer (the biggest difference) consistently exhibits those additional behaviour.

 

[anodos]

Does FreeNAS even such an option? I've not seen such controls. With my Synology NAS the DSM OS lets me control min-max SMB versions (set at 2-3) but not minor versions. I guess that means 3.0 thus the laptop does not attempt those "extra" steps? Thereby succeeding in regular folder access.

Earlier today I managed to enter office to test two other computers I have hands on (older AAD-registered laptop and workgroup desktop) and they have no problems accessing the shared folders.

root@nas1:/var/log/samba4 # tail -f log.smbd
[2020/07/09 16:37:29.149957, 2] ../../source3/param/loadparm.c:2808(lp_do_section)
Processing section "[vhd-dev]"
[2020/07/09 16:37:29.150046, 2] ../../source3/param/loadparm.c:2808(lp_do_section)
Processing section "[vhd-prod]"
[2020/07/09 16:37:29.150777, 2] ../../source3/auth/auth.c:316(auth_check_ntlm_password)
check_ntlm_password: authentication for user [USER] -> [USER] -> [USER] succeeded
[2020/07/09 16:37:29.172689, 2] ../../source3/smbd/service.c:851(make_connection_snum)
desktop-iu5le0h (ipv4:10.32.34.25:49684) connect to service archive initiallyas user USER (uid=1000, gid=1000) (pid 67882)
[2020/07/09 16:43:24.484700, 2] ../../source3/smbd/server.c:843(remove_child_pid)
Could not find child 67963 -- ignoring
[2020/07/09 16:45:44.104066, 1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
Failed to fetch record!
[2020/07/09 16:45:44.104217, 1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
pcap cache not loaded
[2020/07/09 16:45:47.919976, 2] ../../source3/smbd/service.c:851(make_connection_snum)
tyrael (ipv4:10.10.10.10:50246) connect

Unfortunately none of my fellow admin colleagues' computers (only we can access NAS) were around for further test. I don't have enough info to tell if any AAD-joined computer (the biggest difference) consistently exhibits those additional behaviour.

The log message on our side indicates that the Windows client is explicitly sending us an SMB 3.11 Tree Connect that it should not be sending (without Encryption or Signing). I need a pcap of that to investigate further as it's possibly an undocumented behavior regarding IPC. Can you please send me the pcap?

 

[icelava]

Well even though the pandemic and lockdowns are easing, our default work arrangement is still WFH (don't enter office unless necessary). I went there yesterday to test my suspicions on other computers; since those can still access the NAS normally, thus finally able to complete the original task of backing up our ex-colleague's computer disk and archiving to the NAS (its primary operational purpose). Very unelegant workaround, but at least got the job done.

Now I have a variety of tasks of other natures to help colleagues with, and we cannot be spending so much time to keep looking into this particular matter. Of course, this is a long-term issue that needs to be thoroughly investigated but we will proceed with lower priority at a slower pace.

What I can do presently is get Wireshark to capture the traffic between this laptop and my home Synology NAS; maybe that can still offer insight into its default SMB behaviour.

 

[Patrick M. Hausen]

You can easily record the pcap on the FreeNAS system itself, remotely via SSH, with tcpdump ...

 

[anodos]

tcpdump -i <your interface> -w /tmp/smb.pcap HOST <your client ip> and hit ^c (control + c) when you're done.
^^^ on CLI of FreeNAS.

 

[icelava]

I've got both good and bad news.

Good is today I came into office and the laptop inexplicably can now connect with the NAS SMB shared folders.

Bad is it means traffic logging is likely useless since it succeeds now unlike the previous signing/encrpytion errors.

:-/