Bug 1138 - server signing failed since 3.0.1pre1
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.2
Hardware: Other Linux
Importance: P3 major
Target Milestone: none
Assigned To: Andrew Bartlett
Duplicates: 1044
Depends on:
Blocks: 1044
Reported: 2004-02-28 17:14 UTC by Andrea Prunic
Modified: 2005-08-24 10:24 UTC (History)
Attachments
Fix many smb signing issues with Samba (14.69 KB, patch)
2004-03-09 05:40 UTC, Andrew Bartlett

Description Andrea Prunic 2004-02-28 17:14:56 UTC
I have discovered that server signed communication between Samba 3.0.1 and up
(including 3.02.a) is failing when Samba is communicating with Windows clients
and server signing is set to Auto, while it works fine when it is set to
Mandatory or to No.
Also, the problem does not occur when smbclient is used to access shares on
Samba server - only from Windows clients.

The problem occurs as "a network error" when trying to access the Samba server,
which is shown in network neighbourhood.

I have traced the communication between my Samba server and Windows client using
Samba 3.0.1pre1 which works OK, and Samba 3.0.2a which does not work, and I am
showing them here:

Samba 3.0.1pre1 with server signing = auto

adding home's share [jelena] for user 'jelena' at '/home/jelena'
Transaction 8 of length 86
switch message SMBtconX (pid 4225)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from  (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) signed connect to service IPC$ initially as user jelena 
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
(uid=1002, gid=100) (pid 4225)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
Transaction 9 of length 104
switch message SMBntcreateX (pid 4225)
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
nt_open_pipe: Known pipe srvsvc opening.
Transaction 10 of length 160
switch message SMBtrans (pid 4225)
trans <\PIPE\> data=72 params=0 setup=2

Samba 3.0.2a with server signing = auto

adding home's share [jelena] for user 'jelena' at '/home/jelena'
srv_set_signing: turning on SMB signing: signing negotiated = Yes, 
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^
mandatory_signing = No.
Transaction 9 of length 86
switch message SMBtconX (pid 4538)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from  (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) connect to service IPC$ initially as user jelena (uid=1002,
gid=100) (pid 4538)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
timeout_processing: End of file from client (client has disconnected).
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) closed connection to service IPC$
Yielding connection to IPC$
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) closed connection to service IPC$
Yielding connection to IPC$
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Yielding connection to
Server exit (normal exit)

Samba 3.0.2a with default server signing = disabled

adding home's share [jelena] for user 'jelena' at '/home/jelena'
Transaction 7 of length 86
switch message SMBtconX (pid 4597)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from  (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) connect to service IPC$ initially as user jelena (uid=1002,
gid=100) (pid 4597)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
Transaction 8 of length 104
switch message SMBntcreateX (pid 4597)
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
nt_open_pipe: Known pipe srvsvc opening.
Transaction 9 of length 160
switch message SMBtrans (pid 4597)
trans <\PIPE\> data=72 params=0 setup=2

Samba 3.0.2a with server signing = mandatory

adding home's share [jelena] for user 'jelena' at '/home/jelena'
srv_set_signing: turning on SMB signing: signing negotiated = Yes, 
                                         ^^^^^^^^^^^^^^^^^^^^^^^^
mandatory_signing = Yes.
Transaction 8 of length 86
switch message SMBtconX (pid 4662)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from  (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) signed connect to service IPC$ initially as user jelena 
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(uid=1002, gid=100) (pid 4662)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
Transaction 9 of length 104
switch message SMBntcreateX (pid 4662)
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
nt_open_pipe: Known pipe srvsvc opening.
Transaction 10 of length 160
switch message SMBtrans (pid 4662)
trans <\PIPE\> data=72 params=0 setup=2
named pipe command on <> name

As can be seen, when server signing is set to Auto, Samba does agree to do
server signed communication with Windows client, but fails to sign the
connection when client tries to bind to IPC$, and therefore the client breaks
the connection.
On the other hand, when server signing is mandatory, everything works fine.

So, the problem must have appeared somewhere between 3.0.1pre1 and 3.0.1, or
maybe 3.0.2 versions, and that's why Samba team should check what has changed in
server signing code between those versions (sorry, I don't have time to do it
myself, and I'd probably get lost in the code).

Anyway, thanks to the team.

Greetings, Andrea
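
A triage check for the log pattern described in this report, as an added example (not part of the original report and not Samba code): it flags an smbd session in which signing was negotiated but the tree connect was logged without "signed" and the client then disconnected. The two sample excerpts are condensed from the log lines quoted above; the function names and verdict strings are assumptions.

```python
import re

# Patterns taken from the smbd debug lines quoted in the report.
NEGOTIATED = re.compile(
    r"srv_set_signing: turning on SMB signing: signing negotiated = (Yes|No),"
    r"\s*mandatory_signing = (Yes|No)")
CONNECT = re.compile(
    r"\([\d.]+\) (?P<signed>signed )?connect to service \S+ initially")
DROPPED = "End of file from client"

# Constructed samples, condensed from the report (wrapping and markers kept).
AUTO_302A = """\
srv_set_signing: turning on SMB signing: signing negotiated = Yes,
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^
mandatory_signing = No.
switch message SMBtconX (pid 4538)
oliver (10.20.30.11) connect to service IPC$ initially as user jelena (uid=1002,
gid=100) (pid 4538)
timeout_processing: End of file from client (client has disconnected).
"""
MANDATORY_302A = """\
srv_set_signing: turning on SMB signing: signing negotiated = Yes,
mandatory_signing = Yes.
oliver (10.20.30.11) signed connect to service IPC$ initially as user jelena
(uid=1002, gid=100) (pid 4662)
"""

def normalise(excerpt):
    """Drop '^^^^' marker lines and re-join lines the report wrapped."""
    lines = [l.strip() for l in excerpt.splitlines()]
    return " ".join(l for l in lines if l and set(l) != {"^"})

def classify(excerpt):
    """Summarise one smbd session excerpt and give a signing verdict."""
    text = normalise(excerpt)
    neg, con = NEGOTIATED.search(text), CONNECT.search(text)
    negotiated = bool(neg and neg.group(1) == "Yes")
    mandatory = bool(neg and neg.group(2) == "Yes")
    signed = bool(con and con.group("signed"))
    dropped = DROPPED in text
    if con is None:
        verdict = "no-tconx"           # excerpt never reached a tree connect
    elif negotiated and not signed:    # agreed to sign, connect logged unsigned
        verdict = "mismatch-dropped" if dropped else "mismatch"
    else:
        verdict = "signed" if signed else "unsigned"
    return {"negotiated": negotiated, "mandatory": mandatory,
            "signed_connect": signed, "client_dropped": dropped,
            "verdict": verdict}
```
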
Comment 1 Gerald (Jerry) Carter 2004-03-04 07:21:15 UTC
Andrew, I'm guessing this is probably related to the 
session key changes surrounding NTLM2 we made between 
3.0.2pre1 and 3.0.2rc1.  Please look at this and see if 
anything obvious shows up?   Thanks.
Comment 2 Andrew Bartlett 2004-03-04 14:19:43 UTC
I need an ethereal trace, and level 10 logfile of the logon sequence.  (From the
*start*).

Server signing is meant to work, but there are so many NTLMSSP flag
combinations, and I know we don't support them all, let alone correctly.

Andrew Bartlett
Comment 3 Andrew Bartlett 2004-03-09 05:40:07 UTC
This looks just like the kind of issue I just committed to HEAD.

I'll attach the patch.
Comment 4 Andrew Bartlett 2004-03-09 05:40:49 UTC
Created attachment 430
Fix many smb signing issues with Samba
Comment 5 Gerald (Jerry) Carter 2004-03-22 05:47:02 UTC
*** Bug 1044 has been marked as a duplicate of this bug. ***
Comment 6 Andrew Bartlett 2004-03-23 15:40:00 UTC
This patch works reliably for my systems at Hawker, on a print server, with
signing enabled and optional signing clients.
Comment 7 Gerald (Jerry) Carter 2004-03-25 07:11:42 UTC
Andrew, please go ahead and apply this to the 
3.0 tree so we can get some testing.  I'm assuming
the patch is the same as what you checked into head
but I figure you're better qualified to merge it across. 
Thanks (and nice work).
Comment 8 Gerald (Jerry) Carter 2004-04-04 08:34:07 UTC
applied
Comment 9 Gerald (Jerry) Carter 2005-08-24 10:24:19 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.