IBM Support

OA43395: DFS SMB RESTRICTIONS WITH PASSTHROUGH AUTHENTICATION DIGITAL SIGNING USING WINDOWS 2008


APAR status

  • Closed as documentation error.

Error description

  • Issue #1:
    DFS SMB does not support the use of digital signing.
    If multiple sessions from the same client are in use, and the
    Windows client has digital signing REQUIRED, the client will not
    be able to access the data in the shared resource.
    
    This is not restricted to any particular Windows client:
    XP, Vista and Windows 7 can all experience this issue. It depends
    upon the registry setting for 'digital signing'.
    
    The current SMB Administration Guide needs to be more specific
    on this restriction and how to circumvent it.
    
    Digital signing on the client has two settings, Enabled or
    Required. A digital signing setting of ENABLED should work; a
    digital signing setting of REQUIRED will not.
    
    A digital signing setting on the client of REQUIRED IS NOT
    SUPPORTED.
    
    External symptoms of the failure include:
    The Windows 7 client sees the z/OS shares exported by the DFS/SMB
    server and is able to connect (NET USE), but cannot access the
    data.
    NOTE: other clients (such as Vista) 'may' be able to access the
    data using the same user. It depends upon the setting of
    'digital signing'.
    
    Verification:
    Obtain an SMB trace and find the failing session setup.
    Look in the trace for these entries:
    
    --SMB session setup & X PT got DC resp, com=x73 err32=220000C0
        uid=x0000 flgs=9811C0 action=0 (1=GUEST).
    --SMB session setup & X PT auth failed, DC err or guest logon
        err32=220000C0 guest=0.
    
    The error code 220000C0 indicates this problem.
    
    
    Issue #2:
    
    Windows 2008 is not supported for use with DFS SMB on releases
    prior to z/OS V2R1.
    
    Check the DFSKERN trace for error 0xC000000D:
    
     --SMB session setup & X PT auth failed, DC err or guest logon
    err32=0D0000C0 guest=0.
    
    Registry keys needing modification are:
      LMCompatibilityLevel
      AllowLegacySrvCall
    LMCompatibilityLevel will likely need to be set to '2' on the
    domain controller.
    
    We only support NT, NTLM and NTLMv2 (and with a WIN2008 domain
    controller, the above registry keys MUST be modified).
    
    We DO NOT support Kerberos.
    
    
    Reference MS article
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;957441
    
    
    
    Issue #3:
    Digital signing is NOT SUPPORTED by any current release of z/OS
    DFS/SMB.
    
    
    
    Additional search args:
    220000C0
    X220000C0
    C0000022
    xC0000022
    0D0000C0
    0XC000000D
    
    STATUS_ACCESS_DENIED
    STATUS_INVALID_PARAMETER
    

Local fix

  • na
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the z/OS Distributed File       *
    *                 Service SMB Server.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: Update to documentation is being added. *
    ****************************************************************
    * RECOMMENDATION: UPDATE DOCUMENTATION                         *
    ****************************************************************
    Updates are being provided for the Distributed File Service
    SMB Administration guides: SC24-5918-10, SC24-5918-11
    SC23-6886-00
    

Problem conclusion

  • The following updates are being made in Chapter 7,
    Using passthrough authentication.
    
    This section applies to the Distributed File Service Server
    Message Block in Version 1, Release 12 (SC24-5918-10) and
    Version 1, Release 13 (SC24-5918-11).
    
    The following section is being added.
    
    Restriction: The SMB server does not support digital signing
    for the SMB protocol. When using Passthrough authentication,
    any request that attempts to enforce digital signing will
    result in access denied. In these cases, the domain
    controller will return an error status code of x'C0000022'
    (STATUS_ACCESS_DENIED).
    
    To determine if you are encountering this problem, obtain an
    SMB trace and find the failing session/negotiate setup as
    follows:
    
      1. Issue the modify command to reset the SMB trace:
    
         f dfs,send dfskern,trace,reset
    
      2. Attempt the access from the client
    
      3. Issue the modify command to print the SMB trace:
    
         f dfs,send dfskern,trace,print
    
      4. Browse the DFSKERN job log and locate the trace statement
         below that corresponds to the SMB negotiate (x73) command
         of the client.
    
    >>>-SMB-sess=0DD29CE8 refct=00000002 csp=0DC87218 com=x73
    issue_aio_request: rb=7E6C8D60 s=10 cmd=134 pools=00000001 rv=0
      --SMB Session Setup & X LAN username=<Administrator>
    ...
    ...
    --SMB session setup & X PT got DC resp, com=x73 err32=220000C0
    
    
    The err32 code 220000C0, endian-decoded, is x'C0000022'.
    
    Digital signing is a local security configuration option on
    both Windows clients and Windows servers. You must ensure
    the digital signing options match what is shown below.
    To access the local security policy:
    
     1. From a Windows command prompt, type
        secpol.msc.
    
     2. Select Local Policies > Security Options.
    
    For Windows clients ensure that the fields are set as follows:
    
    Microsoft network client: Digitally sign communications
    (always) Disabled
    Microsoft network client: Digitally sign communications
    (if server agrees) Either Enabled/Disabled (see note)
    
    Note: If the client is being used to support multiple
    sessions, the setting must be set to Disabled. An example of
    this would be an SMB client concurrently running multiple
    Windows processes to the SMB server, such as applications
    running as scheduled tasks.
    
    For the Windows domain controller that the SMB server is
    using to authenticate clients, the digital signing settings
    must be as follows:
    
    Microsoft network server: Digitally sign communications
    (always) Disabled
    Microsoft network server: Digitally sign communications
    (if client agrees) Disabled
    
    Additionally, prior to z/OS Version 2 Release 1, Passthrough
    authentication is not supported when using Windows Server
    2008 as a domain controller. This is the result of an attempt
    to authenticate using NTLMv2 with extended security. Attempts
    to authenticate to a Windows Server 2008 domain controller
    may result in an access denied failure. In these cases,
    the domain controller will return an error status code of
    x'C000000D' (STATUS_INVALID_PARAMETER) to the SMB
    server, which in turn returns access denied.
    
    To determine if you are encountering this problem, obtain an
    SMB trace and find the failing session/negotiate setup as
    follows.
    
      1. Issue the modify command to reset the SMB trace:
    
         f dfs,send dfskern,trace,reset
    
      2. Attempt the access from the client
    
      3. Issue the modify command to print the SMB trace:
    
         f dfs,send dfskern,trace,print
    
      4. Browse the DFSKERN job log and locate the trace statement
         below that corresponds to the SMB negotiate (x73) command
         of the client.
    
    
    >>>-SMB-sess=0DD29CE8 refct=00000002 csp=0DC87218 com=x73
    issue_aio_request: rb=7E6C8D60 s=10 cmd=134 pools=00000001 rv=0
      --SMB Session Setup & X LAN username=<Administrator>
      --SMB Session Setup & X LAN domain=<LAVOKMPC>
    
    --SMB session setup & X PT got DC resp, com=x73 err32=0D0000C0
    
    
    The err32 code 0D0000C0, endian-decoded, is x'C000000D'.
    _______________________________________________________________
    
    This section applies to the Distributed File Service Server
    Message Block in Version 2, Release 1 (SC23-6886-00).
    
    The following section is an update to the restriction
    section listed on page 63:
    
    Restriction: The SMB server does not support digital signing
    for the SMB protocol. When using Passthrough authentication,
    any request that attempts to enforce digital signing will
    result in access denied. In these cases, the domain
    controller will return an error status code of x'C0000022'
    (STATUS_ACCESS_DENIED).
    
    To determine if you are encountering this problem, obtain an
    SMB trace and find the failing session/negotiate setup as
    follows:
    
      1. Issue the modify command to reset the SMB trace:
    
         f dfs,send dfskern,trace,reset
    
      2. Attempt the access from the client
    
      3. Issue the modify command to print the SMB trace:
    
         f dfs,send dfskern,trace,print
    
      4. Browse the DFSKERN job log and locate the trace statement
         below that corresponds to the SMB negotiate (x73) command
         of the client.
    
    >>>-SMB-sess=0DD29CE8 refct=00000002 csp=0DC87218 com=x73
    issue_aio_request: rb=7E6C8D60 s=10 cmd=134 pools=00000001 rv=0
      --SMB Session Setup & X LAN username=<Administrator>
    ...
    ...
    --SMB session setup & X PT got DC resp, com=x73 err32=220000C0
    
    
    The err32 code 220000C0, endian-decoded, is x'C0000022'.
    
    Digital signing is a local security configuration option on
    both Windows clients and Windows servers. You must ensure
    the digital signing options match what is shown below.
    To access the local security policy:
    
     1. From a Windows command prompt, type
        secpol.msc.
    
     2. Select Local Policies > Security Options.
    
    For Windows clients ensure that the fields are set as follows:
    
    Microsoft network client: Digitally sign communications
    (always) Disabled
    Microsoft network client: Digitally sign communications
    (if server agrees) Either Enabled/Disabled (see note)
    
    Note: If the client is being used to support multiple
    sessions, the setting must be set to Disabled. An example of
    this would be an SMB client concurrently running multiple
    Windows processes to the SMB server, such as applications
    running as scheduled tasks.
    
    For the Windows domain controller that the SMB server is
    using to authenticate clients, the digital signing settings
    must be as follows:
    
    Microsoft network server: Digitally sign communications
    (always) Disabled
    Microsoft network server: Digitally sign communications
    (if client agrees) Disabled
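
The endian decoding of the err32 field, for both the x'C0000022' (digital signing enforced) and x'C000000D' (Windows Server 2008 domain controller before z/OS V2R1) cases described in the Error description and in the Problem conclusion above, as an added example that is not IBM's code. It assumes only the DFSKERN trace line format quoted in this APAR (err32 printed as 8 hex digits in little-endian byte order); the sample trace is constructed from the lines quoted on this page plus one invented successful entry.

```python
"""Decode err32 values from z/OS DFS/SMB (DFSKERN) trace output.

Added example, not IBM code. Assumes only the trace line format quoted in
APAR OA43395: the NTSTATUS returned by the domain controller is printed as
err32=XXXXXXXX in little-endian byte order, so 220000C0 is x'C0000022'.
"""
import re

# NTSTATUS codes named in the APAR and the condition each one indicates there.
KNOWN_STATUS = {
    0xC0000022: ("STATUS_ACCESS_DENIED",
                 "client or domain controller is enforcing SMB digital signing"),
    0xC000000D: ("STATUS_INVALID_PARAMETER",
                 "Windows Server 2008 domain controller (NTLMv2 with extended "
                 "security) used with a pre-z/OS V2R1 SMB server"),
}

# Matches the passthrough-authentication trace entries shown in the APAR.
PT_LINE = re.compile(
    r"SMB session setup & X PT (?P<event>got DC resp|auth failed)"
    r".*?err32=(?P<err32>[0-9A-Fa-f]{8})"
)


def decode_err32(err32_hex):
    """Byte-swap the trace's 8 hex digits into the native NTSTATUS value."""
    raw = bytes.fromhex(err32_hex)
    if len(raw) != 4:
        raise ValueError("err32 must be exactly 8 hex digits: %r" % err32_hex)
    return int.from_bytes(raw, "little")


def classify(status):
    """Return (name, diagnosis) for an NTSTATUS value.

    Bits 31-30 of an NTSTATUS carry the severity; 0b11 means error, so a
    failing code the APAR does not name is still reported as an error.
    """
    if status in KNOWN_STATUS:
        return KNOWN_STATUS[status]
    if status >> 30 == 0b11:
        return ("UNKNOWN_ERROR", "error status not covered by this APAR")
    return ("SUCCESS_OR_INFO", "not a failure")


def scan_trace(lines):
    """Find passthrough-authentication entries and decode each err32."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = PT_LINE.search(line)
        if match is None:
            continue
        status = decode_err32(match.group("err32"))
        name, diagnosis = classify(status)
        findings.append({
            "line": number,
            "event": match.group("event"),
            "err32": match.group("err32").upper(),
            "status": "x'%08X'" % status,
            "name": name,
            "diagnosis": diagnosis,
        })
    return findings


# Constructed sample: the two failing entries quoted in the APAR plus an
# invented successful entry (err32=00000000) to show non-failures stay apart.
SAMPLE_TRACE = """\
>>>-SMB-sess=0DD29CE8 refct=00000002 csp=0DC87218 com=x73
  --SMB Session Setup & X LAN username=<Administrator>
--SMB session setup & X PT got DC resp, com=x73 err32=220000C0 uid=x0000 flgs=9811C0 action=0 (1=GUEST).
--SMB session setup & X PT auth failed, DC err or guest logon err32=0D0000C0 guest=0.
--SMB session setup & X PT got DC resp, com=x73 err32=00000000 uid=x0801 flgs=9811C0 action=0 (1=GUEST).
"""

if __name__ == "__main__":
    for finding in scan_trace(SAMPLE_TRACE.splitlines()):
        print("line %(line)d: %(event)s err32=%(err32)s -> %(status)s "
              "%(name)s: %(diagnosis)s" % finding)
```

Run it against a saved DFSKERN job log (one trace entry per line) to get each passthrough failure decoded to its NTSTATUS name; the "auth failed" line in a real log may be wrapped by the print routine, so join continuation lines before scanning if err32 lands on a line of its own.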
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA43395

  • Reported component name

    DFS FILE SERVIC

  • Reported component ID

    569694200

  • Reported release

    3D0

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-09-18

  • Closed date

    2013-11-22

  • Last modified date

    2018-11-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SC24-5918-10, SC24-5918-11, SC23-6886-00

Fix information

Applicable component levels


Document Information

Modified date:
09 November 2018