Bug 2167 - bad signatures with krb1.2.7 (RHEL3 WS)
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.10
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
Reported: 2004-12-16 09:46 UTC by Gerald (Jerry) Carter
Modified: 2005-08-24 10:23 UTC
Description Gerald (Jerry) Carter 2004-12-16 09:46:00 UTC
While joined to a 2000 AD domain:

=======================
get_sequence_for_reply: found seq = 1 mid = 2
simple_packet_signature: sequence number 1
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 5F 98 69 62 2D 7D DD 91                           _.ib-}..
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 0D 58 5E 2E 4A D3 CB E2                           .X^.J...
simple_packet_signature: sequence number 4294967292
simple_packet_signature: sequence number 4294967293
simple_packet_signature: sequence number 4294967294
simple_packet_signature: sequence number 4294967295
simple_packet_signature: sequence number 0
simple_packet_signature: sequence number 1
simple_packet_signature: sequence number 2
simple_packet_signature: sequence number 3
simple_packet_signature: sequence number 4
simple_packet_signature: sequence number 5
signing_good: BAD SIG: seq 1
SMB Signature verification failed on incoming packet!
failed kerberos session setup with Undetermined error
anonymous connection attempt to BLUE from RHEL3-WS
failed anonymous session setup with NT_STATUS_OK
secrets_named_mutex: released mutex for BLUE
add_failed_connection_entry: domain AQUA (BLUE) already tried and failed
Could not open a connection to AQUA for \PIPE\lsarpc
(NT_STATUS_UNSUCCESSFUL)

=======================

Works fine on RH9 + krb1.3.1
Comment 1 Duane Rezac 2004-12-21 04:56:01 UTC
I'm not on the Samba team, but I have seen this. Can you do a kinit from the
krb1.2.7 system and get a ticket? I have never been able to get a ticket from
a Windows AD controller with 1.2.7. I had to update to 1.3.1 in order to get a
ticket. 1.2.7 did not support the type of encryption our AD controller was
using. I have had no problems after upgrading to 1.3.1.

Duane Rezac
Comment 2 Andrew Bartlett 2004-12-22 19:03:13 UTC
Isn't this the issue with key padding (pad from 8 to 16 bytes with zeros) that
RH reported and jra patched?
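
Added illustration of the key-padding hypothesis raised in Comment 2; this is not Samba code and is not part of any comment in this bug. It computes an SMB1 packet signature as MS-CIFS describes (first 8 bytes of MD5 over the MAC key followed by the packet, with the sequence number in the signature field) and retries the same window of sequence numbers seen in the log above. Assumptions: the key, the packet and the helper names are constructed, and the peer is assumed to sign with the zero-padded 16-byte key.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 14, 8  # SecuritySignature field inside the 32-byte SMB1 header


def smb1_signature(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """MD5(mac_key || packet)[:8], computed with the signature field replaced
    by the 32-bit little-endian sequence number plus four zero bytes."""
    if len(packet) < SIG_OFF + SIG_LEN:
        raise ValueError("packet too short to carry an SMB1 signature")
    seq_field = struct.pack("<I", seq & 0xFFFFFFFF) + bytes(4)
    staged = packet[:SIG_OFF] + seq_field + packet[SIG_OFF + SIG_LEN:]
    return hashlib.md5(mac_key + staged).digest()[:SIG_LEN]


def sign(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """Return the packet with its signature field filled in."""
    sig = smb1_signature(mac_key, packet, seq)
    return packet[:SIG_OFF] + sig + packet[SIG_OFF + SIG_LEN:]


def matching_seqs(mac_key: bytes, packet: bytes, seq: int) -> list:
    """Sequence numbers in the window seq-5 .. seq+4 (wrapping at 2**32, as in
    the log above) for which the received signature verifies."""
    got = packet[SIG_OFF:SIG_OFF + SIG_LEN]
    window = [(seq + i) & 0xFFFFFFFF for i in range(-5, 5)]
    return [s for s in window
            if hmac.compare_digest(got, smb1_signature(mac_key, packet, s))]


def pad_key(key: bytes, length: int = 16) -> bytes:
    """Zero-pad a short session key (e.g. 8 bytes) up to `length` bytes."""
    return key + bytes(max(0, length - len(key)))


# Constructed sample data, not taken from the bug report.
KEY_8 = bytes.fromhex("0102030405060708")          # 8-byte session key
REPLY = b"\xffSMB\x73" + bytes(27) + b"constructed reply body"
SIGNED_REPLY = sign(pad_key(KEY_8), REPLY, 1)      # assumption: peer pads the key

if __name__ == "__main__":
    print("unpadded key:", matching_seqs(KEY_8, SIGNED_REPLY, 1))
    print("padded key:  ", matching_seqs(pad_key(KEY_8), SIGNED_REPLY, 1))
```

With the unpadded key no sequence number in the window verifies, which is the pattern the log shows before `signing_good: BAD SIG: seq 1`; with the padded key only sequence number 1 matches.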
Comment 3 Gerald (Jerry) Carter 2004-12-23 07:19:28 UTC
I dunno. Haven't looked into it. I filed the bug so I wouldn't forget about it.
Comment 4 Gerald (Jerry) Carter 2005-02-03 12:34:43 UTC
No one else has confirmed it so closing.
Comment 5 Gerald (Jerry) Carter 2005-08-24 10:23:27 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.