When trying to download files, getting Signatures for packet SMB2_CREATE with message id <<#### >> do not match

[nddipiazza]

Env info:

• Windows Server 2012 R2 - single server, non-distributed file system.
• Smb3
• Java client run on Windows Server 2016 on JDK8 1.8.0_181

I am getting some Signatures for packet SMB2_CREATE with message id <<#### >> do not match errors when I am trying to access a specific windows share files. Some of the windows shares in my network work fine. Many however return these sorts of errors.

I have asked my admin team to try to figure out what might be special about these particular shares that are different than the ones that are working??

The strangest thing is that I can list the files and folders fine. That part works.

But when I try to access the file contents from the getInputStream, that is when these errors occur.

Error examples from my logs:

Signatures for packet SMB2_CREATE with message id << 23 >> do not match (received: [32, 118, 58, -3, -20, 82, -86, 19, -77, -58, 21, -35, 116, 41, 71, 110], calculated: [-128, -41, 125, -121, 3, 23, 61, 5, -34, -53, -47, -88, -114, -70, -125, -52, -4, 121, 116, -27, -8, -39, 98, -79, 80, -45, -51, 88, -74, 34, 34, -121])
2018-12-14T15:28:43,948 - WARN  [Packet Reader for 10.100.10.10 smbj.connection.Connection@432] - {} - Invalid packet signature for packet SMB2_CREATE with message id << 23 >>
2018-12-14T15:28:43,948 - INFO  [Packet Reader for 10.100.10.10:smbj.transport.PacketReader@53] - {} - PacketReader error, got exception.
com.hierynomus.protocol.transport.TransportException: Packet signature for packet SMB2_CREATE with message id << 23 >> was not correct

2018-12-14T16:15:46,038 - ERROR [Packet Reader for 10.100.10.10:smbj.session.PacketSignatory@82] - {} - Signatures for packet SMB2_CREATE with message id << 65 >> do not match (received: [-22, -97, 89, -12, 37, 69, -115, 13, 35, -17, 97, 10, 21, -12, -82, -67], calculated: [-5, -28, -97, -69, -49, 60, -103, -21, -46, 106, 40, -66, -85, 79, -26, 36, 49, -18, 4, 66, 122, -61, 73, 127, 74, -27, -83, 79, -102, 121, -97, -80])

[Packet Reader for 10.100.10.10:smbj.session.PacketSignatory@82] - {} - Signatures for packet SMB2_CREATE with message id << 1841 >> do not match (received: [-119, -29, -4, -122, -47, -83, 9, 97, -107, -118, -17, -93, 117, 79, -18, 105], calculated: [-104, -103, -15, 62, -114, 5, 103, 126, 1, 65, 68, 77, -15, -17, -48, 48, 0, 124, 99, -90, -52, 32, 42, -87, -35, -87, 13, -32, 41, -36, -41, 61])
2018-12-14T16:16:13,156 - ERROR [Packet Reader for 10.100.10.10:smbj.session.PacketSignatory@82] - {} - Signatures for packet SMB2_CREATE with message id << 1841 >> do not match (received: [-84, -94, -106, -121, -115, -66, 89, -3, 42, 38, -127, 26, 71, -7, -92, -116], calculated: [-102, 1, -128, 41, 21, 9, 42, -70, 0, -77, 69, 127, 119, -27, -116, 57, 36, 102, -4, -60, 65, -8, 22, -74, 98, 103, 68, -57, 59, -109, -108, 52])
2018-12-14T16:16:13,156 - WARN  [Packet Reader for 10.100.10.10:smbj.connection.Connection@432] - {} - Invalid packet signature for packet SMB2_CREATE with message id << 1841 >>
2018-12-14T16:16:13,156 - WARN  [Packet Reader for 10.100.10.10:smbj.connection.Connection@432] - {} - Invalid packet signature for packet SMB2_CREATE with message id << 1841 >>
2018-12-14T16:16:13,156 - INFO  [smb-fetcher-4:smbj.paths.DFSPathResolver@104] - {collectionId=test_dev, connectorType=smb2, datasourceId=smb, jobRunId=amkTJX6S0D} - Starting DFS resolution for \\10.100.10.10\XXXXX\XXXXXX\XX\XXX\XXXXXXXXXXXXXXXX
2018-12-14T16:16:13,156 - INFO  [smb-fetcher-4:smbj.session.Session@151] - {collectionId=test_dev, connectorType=smb2, datasourceId=smb, jobRunId=amkTJX6S0D} - Connecting to \\10.100.10.10\IPC$ on session 171527840465321
2018-12-14T16:16:13,156 - INFO  [Packet Reader for 10.100.10.10:smbj.transport.PacketReader@53] - {} - PacketReader error, got exception.
com.hierynomus.protocol.transport.TransportException: Packet signature for packet SMB2_CREATE with message id << 1841 >> was not correct
	at com.hierynomus.smbj.connection.Connection.verifyPacketSignature(Connection.java:434) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.connection.Connection.handle(Connection.java:422) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.connection.Connection.handle(Connection.java:70) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.transport.PacketReader.readPacket(PacketReader.java:72) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.transport.PacketReader.run(PacketReader.java:48) [smbj-0.9.1-patched.jar:0.9.1-patched]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_181]
2018-12-14T16:16:13,156 - INFO  [Packet Reader for 10.100.10.10:smbj.transport.PacketReader@53] - {} - PacketReader error, got exception.
com.hierynomus.protocol.transport.TransportException: Packet signature for packet SMB2_CREATE with message id << 1841 >> was not correct
	at com.hierynomus.smbj.connection.Connection.verifyPacketSignature(Connection.java:434) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.connection.Connection.handle(Connection.java:422) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.connection.Connection.handle(Connection.java:70) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.transport.PacketReader.readPacket(PacketReader.java:72) ~[smbj-0.9.1-patched.jar:0.9.1-patched]
	at com.hierynomus.smbj.transport.PacketReader.run(PacketReader.java:48) [smbj-0.9.1-patched.jar:0.9.1-patched]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_181]

Due to security I can't get much from the environment, but I can perhaps try. What kind of things can help us diagnose this?

[hierynomus]

Hi @nddipiazza, I've just added an extra log line to the master. This will print the SMB2Header when the signatures do not match. That might give some extra clue as to what's going wrong.
Could you take a pull, build and post the log on the ticket?

[nddipiazza]

@hierynomus here you go

08:12:19.497 [Packet Reader for 10.100.10.10] ERROR com.hierynomus.smbj.session.PacketSignatory - Signatures for packet SMB2_CREATE with message id << 49 >> do not match (received: [37, -78, 37, 127, -127, 66, 40, 112, -54, -28, 109, 113, 110, -33, -14, -46], calculated: [-78, -128, -15, 98, 53, -40, -55, -68, -58, 110, 41, 100, -45, 55, -34, -123, 29, 58, -36, -53, -72, 0, 47, 59, -94, 70, -122, 123, -119, 117, -60, 123])
08:12:19.497 [Packet Reader for 10.100.10.10] ERROR com.hierynomus.smbj.session.PacketSignatory - Packet SMB2_CREATE with message id << 49 >> has header: dialect=null, creditCharge=1, creditRequest=0, creditResponse=31, message=SMB2_CREATE, messageId=49, asyncId=0, sessionId=175922195992201, treeId=1, status=0xc0000103, flags=9, nextCommandOffset=0
08:12:19.497 [Packet Reader for 10.100.10.10] WARN  com.hierynomus.smbj.connection.Connection - Invalid packet signature for packet SMB2_CREATE with message id << 49 >>

[hierynomus]

@nddipiazza Thanks! The Status code of the SMB2_CREATE packet is STATUS_NOT_A_DIRECTORY. Which action are you performing?

[nddipiazza]

Here is the problematic file...

smb://10.100.10.10/My/Path/Thumbs.db

Interesting! I'll try excluding that file and see where that takes us.

[nddipiazza]

skipped Thumbs.db. Now a new error.

14:18:58.980 [Packet Reader for 10.100.10.10] ERROR com.hierynomus.smbj.session.PacketSignatory - Signatures for packet SMB2_CREATE with message id << 163 >> do not match (received: [-69, -9, -39, 69, -28, 54, -123, -114, 108, -90, -34, 118, 68, -63, -88, 123], calculated: [-110, -102, -104, -111, 28, -38, 112, 81, 53, -55, 60, 16, -7, -21, -121, 3, -113, -95, -3, -120, 81, -105, -117, -79, -74, -57, -106, -46, -52, 90, 116, 47])
14:18:58.981 [Packet Reader for 10.100.10.10] ERROR com.hierynomus.smbj.session.PacketSignatory - Packet SMB2_CREATE with message id << 163 >> has header: dialect=null, creditCharge=1, creditRequest=0, creditResponse=1, message=SMB2_CREATE, messageId=163, asyncId=0, sessionId=175923538166169, treeId=1, status=0xc0000103, flags=9, nextCommandOffset=0
14:18:58.982 [Packet Reader for 10.100.10.10] WARN  com.hierynomus.smbj.connection.Connection - Invalid packet signature for packet SMB2_CREATE with message id << 163 >>
14:18:58.982 [Packet Reader for 10.100.10.10] INFO  com.hierynomus.smbj.transport.PacketReader - PacketReader error, got exception.

[nddipiazza]

OK now i know what's going on. On this share (not others), these are the calls that are crashing

https://github.com/hierynomus/smbj/blob/master/src/main/java/com/hierynomus/smbj/share/DiskShare.java#L168

https://github.com/hierynomus/smbj/blob/master/src/main/java/com/hierynomus/smbj/share/DiskShare.java#L182

In my code, I'm taking a plain smb URL smb://10.100.10.10/myshare/my/path/to/something.pdf

So it will go in order..

if (share.folderExists(path)) {
  // ...
} else if (share.fileExists(path)) {
  // ...

If we send a path that is a folder into fileExists, it will return:

0xC00000BA | STATUS_FILE_IS_A_DIRECTORY | The file that was specified as a target is a directory, and the caller specified that it could be anything but a directory.

And if we send a path that is a file into folderExists it will return:

0xC0000103 | STATUS_NOT_A_DIRECTORY | A requested opened file is not a directory.

We have 2 windows share servers that inexplicably cause this error. Not others.

Any ideas how to fix this?

[pepijnve]

@hierynomus any idea why this would cause packet signing problems? There doesn't seem to be anything special about the message exchange itself, so that's kind of surprising. Seems like there's some problem in handling error messages in combination with signing.

[nddipiazza]

if we change this so that the error doesn't close connection to the share, that would unblock me. meaning if it would detect this issue, then return a graceful exception back to the DiskShare client instead of killing the entire samba connection.

[yin19941005]

hi @nddipiazza,

May I ask something stupid: What's the dialect you are using? Because I see you are saying the env is using SMB3. I want to make sure we understand your issue correctly.

Env info:

Windows Server 2012 R2 - single server, non-distributed file system.
Smb3
Java client run on Windows Server 2016 on JDK8 1.8.0_181

Did the negotiation really go for SMB3.x family? The signing method is different.

From the [MS-SMB2] document 3.1.4.1 Signing An Outgoing Message,

If Connection.Dialect belongs to the SMB 3.x dialect family, the sender MUST compute a 16-byte hash using AES-128-CMAC...

If Connection.Dialect is "2.0.2" or "2.1", the sender MUST compute a 32-byte hash using HMAC-SHA256 over the entire message...

[nddipiazza]

I was told smb3 by the administrators but I never tried to prove it.

Looks like from https://serverfault.com/questions/770345/how-do-you-check-what-version-of-server-message-block-client-a-workstation-is-us I can check this myself. i will do this and let you know.

[yin19941005]

Hi @nddipiazza,

Actually this library is not supported SMB3 yet. But you are saying you are using it, so, I am just making sure you are not actually using it (i.e. you haven't change it) and I didn't go wrong direction on the very beginning.

[hierynomus]

@yin19941005 SMB2 and 3 are the same protocol, just a slightly different dialect where SMB3 for instance allows encryption. If the server supports SMB3, most probably SMB2 (non-encrypted) is still also enabled, else it would've stopped at the protocol negotiation already.

@pepijnve Yes, I think there is a problem in the SMB2Error handling. We're probably missing the read of a few padding bits, which makes that the signature calculation is off.

@nddipiazza Can you get us a packet capture using wireshark? I'd like to analyze the full bytes of the erroneous message.

[nddipiazza]

Get-SmbConnection reports version 3.0.2 of SMB.

I very likely cannot get wireshark installed on the server. I will try.

[hierynomus]

Just the client, grab it from there. Op vr 21 dec. 2018 om 14:14 schreef Nicholas DiPiazza < notifications@github.com>:

…

Get-SmbConnection reports version 3.0.2 of SMB. I very likely cannot get wireshark installed on the server. I will try. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#420 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAHLo5U1UxVOkKT8qtcsBZb0VbjVrhlUks5u7N62gaJpZM4ZYkvV> .

[nddipiazza]

Right. I have asked them hopefully they can get this for me. I cant install wireshark anywhere.

[nddipiazza]

Experienced this error again with another client. we will try to get you wireshark from them.

[burkolter]

Having the same issue here. Wireshark is difficult as we have the same error randomly occurring calling the same file over and over again. Max dialect on the server is 3.0.2.

Code to establish the connection:
SmbConfig config = SmbConfig.builder().withTimeout(DEFAULT_SMBJ_TIMEOUT, TimeUnit.MILLISECONDS)
.withNegotiatedBufferSize()
.build();

this.client = new SMBClient(config);
this.conn = this.client.connect(smbPath.getHostname());
this.session = conn.authenticate(auth);
this.share = (DiskShare) session.connectShare(this.smbPath.getShareName());

[nddipiazza]

@hierynomus i have sent your email a scrubbed tcpdump capture of the issue. please let me know if it helps.

[nddipiazza]

Hi @hierynomus did you have a chance to see this? Thanks!

[hierynomus]

I've had a look, but am curious which SMB2 CREATE was mismatched? There are a few 100 in there ;)

[hierynomus]

If you've got a log which corresponds to the PCAP, I can correlate the message and see what's wrong.

[nddipiazza]

I sent that. I'm trying to also get you a version of these logs with less going on to help isolate too.

[hierynomus]

@nddipiazza Can you try to build the code in #458 and see whether that solves the problem?

[burkolter]

@hierynomus I hope to find time to test this as well next week. I can't promise yet...

[nddipiazza]

@hierynomus this seems successful now.

[hierynomus]

Merged #458