Bug 12821 - Tree connect with Username and without password access to Windows server fails in samba4.5.4
Summary: Tree connect with Username and without password access to Windows server fail...
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.5.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-06-06 02:28 UTC by shivappa
Modified: 2017-06-12 11:42 UTC (History)
1 user (show)

See Also:

wireshark packet (6.23 KB, application/octet-stream)
2017-06-06 07:26 UTC, shivappa
no flags Details
test Log (8.44 KB, text/plain)
2017-06-06 07:27 UTC, shivappa
no flags Details
Windows7 Settings (84.88 KB, image/png)
2017-06-06 07:42 UTC, shivappa
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description shivappa 2017-06-06 02:28:40 UTC
Hi Team,

samba client operations fails when I access windows server without password (only username and empty password).
Windows server is set to "password off".

samba-4.1.x Tree connects successfully when accessed without password (only username and empty password).
samba-4.5.4 Tree connect fails with NT_STATUS_WRONG_CREDENTIAL_HANDLE error.
Error is returned from.


                wbc_status = wbcCredentialCache(& params, &info, &error);
                if (!WBC_ERROR_IS_OK(wbc_status)) { 
                        return NT_STATUS_WRONG_CREDENTIAL_HANDLE; 

This issue can be reproduced always.

Thanks & Regards,
Comment 1 shivappa 2017-06-06 07:26:41 UTC
Created attachment 13254 [details]
wireshark packet

Wireshark data
Comment 2 shivappa 2017-06-06 07:27:29 UTC
Created attachment 13255 [details]
test Log
Comment 3 shivappa 2017-06-06 07:42:46 UTC
Created attachment 13256 [details]
Windows7 Settings
Comment 4 Stefan Metzmacher 2017-06-08 09:12:24 UTC
Somewhere you seem to activate the GENSEC_FEATURE_NTLM_CCACHE code path,
by using CLI_FULL_CONNECTION_USE_CCACHE or set_cmdline_auth_info_use_ccache().
Comment 5 shivappa 2017-06-08 12:08:16 UTC
(In reply to Stefan Metzmacher from comment #4)
Stefan, thanks for the info. sorry to ask again.....
Honestly speaking I don't know much on this, could you please explain me more details that would be much helpful.
Comment 6 shivappa 2017-06-10 03:53:42 UTC
(In reply to Stefan Metzmacher from comment #4)
Stefan, Thank you very much for the input.
Since I don't run windbindd I disabled ccache during smbc_init_context().
and this fix works fine for me.
Is it OK to use this way ? smbc_setOptionUseCCache(context, false);

 * Initialize the library, etc.
 * We accept a struct containing handle information.
 * valid values for info->debug from 0 to 100,
 * and insist that info->fn must be non-null.
smbc_init_context(SMBCCTX *context){
        if (smbc_getTimeout(context) > 0 && smbc_getTimeout(context) < 1000)
                smbc_setTimeout(context, 1000);

        context->internal->initialized = True;

        /* Protect access to the count of contexts in use */
        if (SMB_THREAD_LOCK(initialized_ctx_count_mutex) != 0) {
                smb_panic("error locking 'initialized_ctx_count'");


        /* Unlock the mutex */
        if (SMB_THREAD_UNLOCK(initialized_ctx_count_mutex) != 0) {
                smb_panic("error unlocking 'initialized_ctx_count'");

+        /*my change */
+        smbc_setOptionUseCCache(context, false);
+        /*my change ends*/

        return context;

Thanks & Regards,
Comment 7 Stefan Metzmacher 2017-06-12 07:39:15 UTC
(In reply to shivappa from comment #6)

It's turned on by default in smbc_new_context(),
so you may want to call smbc_setOptionUseCCache(..., false) after
calling smbc_new_context() instead of changing
Comment 8 shivappa 2017-06-12 11:36:30 UTC
(In reply to Stefan Metzmacher from comment #7)
Thank you very much Stefan.
That is proper way. I set smbc_setOptionUseCCache(ctx, false) after smbc_new_context().
Comment 9 Stefan Metzmacher 2017-06-12 11:42:27 UTC
(In reply to shivappa from comment #8)

Ok, lets close the bug...