id = 2829
title = "SMB sharing on FIPS enabled hosts with Samba broken"
state = "opened"
created_at = "2025-02-21T20:06:48.512Z"
closed_at = "n/a"
labels = []
url = "https://gitlab.com/qemu-project/qemu/-/issues/2829"
host-os = "Ubuntu 22.04 (FIPS enabled)"
host-arch = "x86"
qemu-version = "QEMU emulator version 9.2.0"
guest-os = "Win7sp1"
guest-arch = "x86"
description = """Similar to #2593 , newer security features on GNU+Linux host OSes are continuing
to break communication with guests running older OSes.

QEMU executes the `smbd` process in [slirp.c](net/slirp.c) to facilitate the SMB
sharing between guest and host.

The host `smbd` process links in GnuTLS for authentication ciphers and algorithm
primitives.  When `smbd` processes SMB requests from these older OS's SMB implementations,
it errors out with error lines:

`Failed to setup SPNEGO negTokenInit request`

`Failed to start SPNEGO handler for negprot OID list!`"""
reproduce = """1. Access a GNU+Linux machine with GnuTLS library in FIPS mode which `smbd` links against
2. Run `qemu-system-*` with an older guest OS with a `smb` share to host
3. See errors in `/tmp/qemu.smb*/log.smbd`"""
additional = """#"""