I have discovered that server signed communication between Samba 3.0.1 and up (including 3.02.a) is failing when Samba is communicating with Windows clients and server signing is set to Auto, while it works fine when it is set to Mandatory or to No. Also, the problem does not occur when smbclient is used to access shares on the Samba server - only from Windows clients. The problem occurs as "a network error" when trying to access the Samba server, which is shown in network neighbourhood. I have traced the communication between my Samba server and Windows client using Samba 3.0.1pre1, which works OK, and Samba 3.0.2a, which does not work, and I am showing them here:

Samba 3.0.1pre1 with server signing = auto

adding home's share [jelena] for user 'jelena' at '/home/jelena'
Transaction 8 of length 86
switch message SMBtconX (pid 4225)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) signed connect to service IPC$ initially as user jelena
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(uid=1002, gid=100) (pid 4225)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
Transaction 9 of length 104
switch message SMBntcreateX (pid 4225)
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
nt_open_pipe: Known pipe srvsvc opening.
Transaction 10 of length 160
switch message SMBtrans (pid 4225)
trans <\PIPE\> data=72 params=0 setup=2

Samba 3.0.2a with server signing = auto

adding home's share [jelena] for user 'jelena' at '/home/jelena'
srv_set_signing: turning on SMB signing: signing negotiated = Yes,
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^
mandatory_signing = No.
Transaction 9 of length 86
switch message SMBtconX (pid 4538)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) connect to service IPC$ initially as user jelena
(uid=1002, gid=100) (pid 4538)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
timeout_processing: End of file from client (client has disconnected).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) closed connection to service IPC$
Yielding connection to IPC$
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) closed connection to service IPC$
Yielding connection to IPC$
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Yielding connection to
Server exit (normal exit)

Samba 3.0.2a with default server signing = disabled

adding home's share [jelena] for user 'jelena' at '/home/jelena'
Transaction 7 of length 86
switch message SMBtconX (pid 4597)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) connect to service IPC$ initially as user jelena
(uid=1002, gid=100) (pid 4597)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
Transaction 8 of length 104
switch message SMBntcreateX (pid 4597)
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
nt_open_pipe: Known pipe srvsvc opening.
Transaction 9 of length 160
switch message SMBtrans (pid 4597)
trans <\PIPE\> data=72 params=0 setup=2

Samba 3.0.2a with server signing = mandatory

adding home's share [jelena] for user 'jelena' at '/home/jelena'
srv_set_signing: turning on SMB signing: signing negotiated = Yes,
                                         ^^^^^^^^^^^^^^^^^^^^^^^^
mandatory_signing = Yes.
Transaction 8 of length 86
switch message SMBtconX (pid 4662)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
check_access: no hostnames in host allow/deny list.
Allowed connection from (10.20.30.11)
Connect path is '/tmp' for service [IPC$]
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
Initialising default vfs hooks
se_access_check: user sid is S-1-5-21-2732100628-1696329933-2814377117-3004
se_access_check: also S-1-5-21-2732100628-1696329933-2814377117-1201
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
oliver (10.20.30.11) signed connect to service IPC$ initially as user jelena
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(uid=1002, gid=100) (pid 4662)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
tconX service=IPC$
Transaction 9 of length 104
switch message SMBntcreateX (pid 4662)
setting sec ctx (1002, 100) - sec_ctx_stack_ndx = 0
nt_open_pipe: Known pipe srvsvc opening.
Transaction 10 of length 160
switch message SMBtrans (pid 4662)
trans <\PIPE\> data=72 params=0 setup=2
named pipe command on <> name

As can be seen, when server signing is set to Auto, Samba does agree to do server signed communication with the Windows client, but fails to sign the connection when the client tries to bind to IPC$, and therefore the client breaks the connection. On the other hand, when server signing is mandatory, everything works fine.

So, the problem must have appeared somewhere between 3.0.1pre1 and 3.0.1, or maybe 3.0.2 versions, and that's why the Samba team should check what has changed in the server signing code between those versions (sorry, I don't have time to do it myself, and I'd probably get lost in the code). Anyway, thanks to the team. Greetings, Andrea
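The pattern the reporter isolated by hand (signing negotiated in srv_set_signing, but the IPC$ tree connect logged without "signed", followed by the client dropping the session) can be checked mechanically over a level 10 smbd log. The following is an added example, not code from the report or from Samba; the sample traces are constructed by condensing the log excerpts quoted above, and the line formats assumed are only those visible in them.

```python
import re
from typing import Dict, Optional

# Constructed samples, condensed from the smbd log excerpts quoted in the report.
TRACE_AUTO_3_0_2A = """\
srv_set_signing: turning on SMB signing: signing negotiated = Yes, mandatory_signing = No.
switch message SMBtconX (pid 4538)
oliver (10.20.30.11) connect to service IPC$ initially as user jelena (uid=1002, gid=100) (pid 4538)
tconX service=IPC$
timeout_processing: End of file from client (client has disconnected).
"""

TRACE_MANDATORY_3_0_2A = """\
srv_set_signing: turning on SMB signing: signing negotiated = Yes, mandatory_signing = Yes.
switch message SMBtconX (pid 4662)
oliver (10.20.30.11) signed connect to service IPC$ initially as user jelena (uid=1002, gid=100) (pid 4662)
tconX service=IPC$
switch message SMBntcreateX (pid 4662)
nt_open_pipe: Known pipe srvsvc opening.
"""

# Line shapes taken from the quoted log; anything else in a real log is ignored.
SIGNING_RE = re.compile(r"signing negotiated = (Yes|No), mandatory_signing = (Yes|No)")
CONNECT_RE = re.compile(r"\) (signed connect|connect) to service (\S+)")


def analyse_trace(log: str) -> Dict[str, object]:
    """Summarise one smbd connection trace: was signing negotiated, was the
    IPC$ tree connect actually signed, and did the client then disconnect?"""
    negotiated: Optional[bool] = None
    mandatory: Optional[bool] = None
    signed_connect: Optional[bool] = None
    disconnected = False
    for line in log.splitlines():
        m = SIGNING_RE.search(line)
        if m:
            negotiated, mandatory = (m.group(1) == "Yes"), (m.group(2) == "Yes")
            continue
        m = CONNECT_RE.search(line)
        if m and m.group(2) == "IPC$":
            signed_connect = m.group(1) == "signed connect"
            continue
        if "End of file from client" in line:
            disconnected = True
    # The reported failure: signing was negotiated with the client, yet the
    # IPC$ connect was not signed. A client that negotiated signing drops the session.
    suspicious = bool(negotiated) and signed_connect is False
    return {"negotiated": negotiated, "mandatory": mandatory,
            "signed_connect": signed_connect, "disconnected": disconnected,
            "suspicious": suspicious}
```

Run over a whole log split per pid, a trace flagged suspicious together with disconnected reproduces the reporter's diagnosis without reading the dump by hand.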
Andrew, I'm guessing this is probably related to the session key changes surrounding NTLM2 we made between 3.0.2pre1 and 3.0.2rc1. Please look at this and see if anything obvious shows up? Thanks.
I need an ethereal trace, and level 10 logfile of the logon sequence. (From the *start*). Server signing is meant to work, but there are so many NTLMSSP flag combinations, and I know we don't support them all, let alone correctly. Andrew Bartlett
This looks just like the kind of issue I just committed to HEAD. I'll attach the patch.
Created attachment 430: Fix many smb signing issues with Samba
*** Bug 1044 has been marked as a duplicate of this bug. ***
This patch works reliably for my systems at Hawker, on a print server, with signing enabled and optional signing clients.
Andrew, please go ahead and apply this to the 3.0 tree so we can get some testing. I'm assuming the patch is the same as what you checked into head but I figure you're better qualified to merge it across. Thanks (and nice work).
applied
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.