Bug 3383 - Reported crash of smbd with 3.0.21a in security=server mode
Summary: Reported crash of smbd with 3.0.21a in security=server mode
Status: RESOLVED DUPLICATE of bug 3401
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.21a
Hardware: Other Linux
Importance: P3 normal
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL: http://bugs.debian.org/346069
Keywords:
Duplicates: 3410
Depends on: 3401
Blocks:
Reported: 2006-01-07 00:59 UTC by Christian Perrier (dead mail address)
Modified: 2006-01-16 11:09 UTC (History)


Attachments
Log excerpt showing the crash (10.62 KB, text/plain)
2006-01-07 01:02 UTC, Christian Perrier (dead mail address)
User's smb.conf file (5.58 KB, text/plain)
2006-01-07 01:04 UTC, Christian Perrier (dead mail address)

Description Christian Perrier (dead mail address) 2006-01-07 00:59:44 UTC
In the tagged URL, our user reports a crash of smbd while trying to map a drive or browse the server from a WinXP machine.

The crash only happens in security=server mode. Switching to security=domain, as we recommended to him, fixed the problem. But this still seems worth reporting.
Comment 1 Christian Perrier (dead mail address) 2006-01-07 01:02:26 UTC
Created attachment 1653
Log excerpt showing the crash

Attached is a log sent by our user while experiencing the crash
Comment 2 Christian Perrier (dead mail address) 2006-01-07 01:04:20 UTC
Created attachment 1654
User's smb.conf file
Comment 3 Volker Lendecke 2006-01-07 14:33:31 UTC
Jeremy, this is easy to replicate. W2k3 DC, current Samba code with security=server and point an XP box to that smbd.

Here's an excerpt of debug level 10 output:

[2006/01/07 21:03:53.926677, 10, pid=32069] libsmb/ntlmssp.c:ntlmssp_server_auth(730)
  ntlmssp_server_auth: Failed to create NTLM session key.
[2006/01/07 21:03:53.926696, 5, pid=32069] libsmb/ntlmssp.c:ntlmssp_server_auth(756)
  server session key is invalid (len == 0), cannot do KEY_EXCH!
[2006/01/07 21:03:53.926716, 3, pid=32069] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/01/07 21:03:53.926735, 3, pid=32069] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x600082b5
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_SEAL
    NTLMSSP_NEGOTIATE_LM_KEY
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/01/07 21:03:53.926785, 5, pid=32069] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  ntlmssp_state->session_key.length, data = 8, (nil)

This debug message was added by me to current trunk code to see why we don't return here. length==8 and data==NULL seems wrong to me; this is why we segfault later on. Returning with NT_STATUS_NO_USER_SESSION_KEY under this condition does not help either; this makes the XP workstation fail with an appropriate error message.

Volker
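
A defensive check for the state logged in Comment 3 (session_key.length = 8, data = (nil)), as an added example that is not part of the bug thread and is not Samba's code. `struct blob`, `check_session_key` and `copy_session_key` are hypothetical names, and treating a missing key as an error when SIGN, SEAL or KEY_EXCH is negotiated is this example's assumption.

```c
/* Added illustration, not Samba source; all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLMSSP negotiate-flag bits that need a session key (values per MS-NLMP). */
#define NEG_SIGN     0x00000010u
#define NEG_SEAL     0x00000020u
#define NEG_KEY_EXCH 0x40000000u

struct blob { const uint8_t *data; size_t length; };

enum key_state { KEY_OK, KEY_ABSENT, KEY_REQUIRED_MISSING, KEY_INCONSISTENT };

/* Classify a session key before any code dereferences it. */
enum key_state check_session_key(uint32_t neg_flags, const struct blob *key)
{
    /* Invariant: data and length are both empty or both set. */
    if ((key->data == NULL) != (key->length == 0))
        return KEY_INCONSISTENT;
    if (key->length == 0)
        return (neg_flags & (NEG_SIGN | NEG_SEAL | NEG_KEY_EXCH))
                   ? KEY_REQUIRED_MISSING : KEY_ABSENT;
    return KEY_OK;
}

/* Copy at most cap key bytes; returns bytes copied, or -1 without touching
 * key->data when the key is not usable. */
int copy_session_key(uint8_t *dst, size_t cap, uint32_t neg_flags,
                     const struct blob *key)
{
    if (check_session_key(neg_flags, key) != KEY_OK)
        return -1;
    size_t n = key->length < cap ? key->length : cap;
    memcpy(dst, key->data, n);
    return (int)n;
}

int main(void)
{
    /* State from the debug output above: length = 8, data = (nil). */
    struct blob logged = { NULL, 8 };
    uint8_t out[16];
    printf("state=%d copied=%d\n",
           check_session_key(0x600082b5u, &logged),
           copy_session_key(out, sizeof out, 0x600082b5u, &logged));
    return 0;
}
```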
Comment 4 Yau Lam Yiu 2006-01-12 23:06:04 UTC
Our server has the same problem. We are currently fixing it temporarily by removing a line from the function "ntlmssp_weaken_key". Hope Samba will have a permanent fix in a later version. For more details please check:

https://bugzilla.samba.org/show_bug.cgi?id=3401
Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-01-16 00:17:26 UTC
*** Bug 3410 has been marked as a duplicate of this bug. ***
Comment 6 Gerald (Jerry) Carter (dead mail address) 2006-01-16 11:09:38 UTC
Should be fixed now.

*** This bug has been marked as a duplicate of 3401 ***