smbclient NT_STATUS_LOGON_FAILURE with "Cannot do GSE to an IP address"

3.9k views Asked by At

tl;dr smbclient -I 1.2.3.4 '\\hostname-abc\share1' prints Cannot do GSE to an IP address with final status NT_STATUS_LOGON_FAILURE. What is GSE?


Running the following smbclient command

smbclient -I 1.2.3.4 '\\host-unix1\share1' --command=ls -A /tmp/auth

where file /tmp/auth is

username = user1
password = passw0rd!
domain   = DOMAIN1

The SMB server host-unix1 at IP address 1.2.3.4 is a Unix server. Additional authentication is provided by a separate Active Directory Domain Controller, Windows Server 2012, for domain DOMAIN1.

Passing --debuglevel=99 to smbclient results in additional log messages

...
negotiated dialect[SMB3_11] against server[1.2.3.4]
...
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
...
Got NTLMSSP neg_flags=0x60890215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.

  • using smbclient 4.7.6 with Likewise commercial SMB server
0

There are 0 answers