SMBAuthenticationError sometimes

[darouwan]

Sometimes the command like smbclient.listdir has the following error, but sometimes not:

smbprotocol.exceptions.SMBAuthenticationError: Failed to authenticate with server: SpnegoError (1): SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_2000), Context: Processing security token, Context: Unable to negotiate common mechanism

When I restart my application, sometimes it works fine.

When regiester session, it seems successful:

2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[741]: Initialising connection, guid: 15efed8d-aa13-4878-9cd1-365618980aa1, require_signing: True, server_name: csj-op-gench01.wdc.com, port: 445
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[861]: Setting up transport connection
2024-03-14 Thursday 17:57:20 - smbprotocol.transport - INFO - transport.py[64]: Connecting to DirectTcp socket
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[870]: Starting negotiation with SMB server
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[1539]: Negotiating with SMB2 protocol with highest client dialect of: SMB_3_1_1
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[1603]: Sending SMB2 Negotiate message
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[1608]: Receiving SMB2 Negotiate response
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[883]: Negotiated dialect: (785) SMB_3_1_1
2024-03-14 Thursday 17:57:20 - smbprotocol.connection - INFO - connection.py[895]: Connection require signing: True

The smb protocal is v2. Do I need to do more config?

[darouwan]

Solved by indicate ntlm authentication explicitly

[jborean93]

Can you share more details on how you are creating the connection. Are you using explicit credentials or relying on the ccached ticket? It sounds like there might either be some sort of race condition or something else where listdir is trying to re-authenticate the session but at that point in time it has no explicit credential so is trying to rely on the ccache which doesn't exist. Knowing what you are doing here and potentially the full traceback from Python would be very useful.

[darouwan]

@jborean93 I set auth_protocol='ntlm' in the client config before register_session. The default value is negotiate, and my smb service use ntlm rather than Kerberos. Maybe negotiate setting cannot get the correct authentication method?

smbclient.ClientConfig(username=self._username, password=self._password,auth_protocol='ntlm')
register_session(self._hostname, username=self._username,password=self._password)

[jborean93]

Setting an explicit username and password in the ClientConfig should always ensure that a credential is provided when creating a session avoiding that error you see. It is interesting that it is also fixed by using ntlm explicitly as that should suffer from the same problem but with a different error message.

If you can still replicate the problem could you try and share the traceback?

import traceback

try:
    code_that_fails()
except:
    traceback.print_exc()
    raise

[oceanofmaya]

I'm seeing this as well, where intermittently it fails. If the request is retried it succeeds.

Failed to authenticate with server: SpnegoError (1): SpnegoError (16): Operation not supported or available, Context: No username or password was specified and the credential cache did not exist or contained no credentials, Context: Unable to negotiate common mechanism

I'm not using ClientConfig though. Should I be using that?

        try:
            smbclient.register_session(
                server=self.smb_host, username=self.smb_user, password=self.smb_password
            )
        except Exception as e:
            logger.info(f"An error occurred: {e}")
            raise

[oceanofmaya]

I went through the readme and it does recommend ClientConfig for global configuration and retest and see if the issue goes away. Based on your comment, it does not look like I need to explicitly set the auth_protocol. I'm going to try without that and report back if the intermittent issue disappears. Thanks.

[oceanofmaya]

It's been ~24 hours now and I have not seen the error occur after I incorporated ClientConfig

        try:
            smbclient.ClientConfig(username=self.smb_user, password=self.smb_password)
            smbclient.register_session(
                server=self.smb_host, username=self.smb_user, password=self.smb_password
            )
        except Exception as e:
            logger.info(f"An error occurred: {e}")
            raise

[jborean93]

Setting the client config should work and ensure a consisten authentication method. There's certainly a chance that some re-auth step for something like DFS or opening a sub share in an operation may not be passing through the credentials used in the initial call which we should fix up but we would need to know those details to fix it.