The Samba-Bugzilla – Bug 3383
Reported crash of smbd with 3.0.21a in security=server mode
Last modified: 2006-01-16 11:09:38 UTC
In the tagged URL, our user reports a crash of smbd while trying to map a drive or browse the server from a WinXP machine.
The crash only happens in security=server mode. Switching to security=domain, as we recommended to him, fixed the problem. But this still seems worth reporting.
Created attachment 1653
Log excerpt showing the crash
Attached is a log sent by our user while experiencing the crash
Created attachment 1654
User's smb.conf file
Jeremy, this is easy to replicate. W2k3 DC, current Samba code with security=server and point an XP box to that smbd.
Here's an excerpt of a debug level 10 output:
[2006/01/07 21:03:53.926677, 10, pid=32069] libsmb/ntlmssp.c:ntlmssp_server_auth(730)
ntlmssp_server_auth: Failed to create NTLM session key.
[2006/01/07 21:03:53.926696, 5, pid=32069] libsmb/ntlmssp.c:ntlmssp_server_auth(756)
server session key is invalid (len == 0), cannot do KEY_EXCH!
[2006/01/07 21:03:53.926716, 3, pid=32069] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/01/07 21:03:53.926735, 3, pid=32069] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x600082b5
[2006/01/07 21:03:53.926785, 5, pid=32069] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
ntlmssp_state->session_key.length, data = 8, (nil)
This debug message was added by me to current trunk code to see why we don't return here. length==8 and data==NULL seems wrong to me; this is why we segfault later on. Returning with NT_STATUS_NO_USER_SESSION_KEY under this condition does not help either: this makes the XP workstation fail with an appropriate error message.
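An added illustration (not Samba's code and not part of this bug thread) of the invariant the log message above violates: a session key blob with length 8 but a NULL data pointer must be rejected before anything dereferences it. The blob_t type, the function names and the weakening byte constants are assumptions modelled on the NTLMSSP flow, not Samba's ntlmssp_weaken_key; the flag values are the standard NTLMSSP negotiate bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard NTLMSSP negotiate flags relevant to the log above
 * (neg_flags=0x600082b5 has LM_KEY, 128 and KEY_EXCH set). */
#define NTLMSSP_NEGOTIATE_LM_KEY   0x00000080u
#define NTLMSSP_NEGOTIATE_128      0x20000000u
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000u
#define NTLMSSP_NEGOTIATE_56       0x80000000u

/* Stand-in for Samba's DATA_BLOB: only the two fields the log prints. */
typedef struct { uint8_t *data; size_t length; } blob_t;

enum { KEY_OK = 0, KEY_NO_USER_SESSION_KEY = 1, KEY_INCONSISTENT = 2 };

/* A session key blob is usable only when length and data agree:
 * (0, NULL) means "no key", (n > 0, non-NULL) means a key. Anything else,
 * such as the (8, NULL) pair in the log, is rejected rather than used. */
int session_key_check(const blob_t *key)
{
    if (key->length == 0 && key->data == NULL) return KEY_NO_USER_SESSION_KEY;
    if (key->length == 0 || key->data == NULL) return KEY_INCONSISTENT;
    return KEY_OK;
}

/* Guarded export-strength weakening step (hypothetical). The byte constants
 * are the usual LM-key 56/40-bit weakening; the point is that the caller
 * receives a status it can turn into a clean auth failure instead of a
 * NULL dereference. */
int weaken_key_guarded(blob_t *key, uint32_t neg_flags)
{
    int rc = session_key_check(key);
    if (rc != KEY_OK) return rc;
    if (key->length < 8 || !(neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)) return KEY_OK;
    if (neg_flags & NTLMSSP_NEGOTIATE_128) {
        /* 128-bit negotiated: nothing to weaken */
    } else if (neg_flags & NTLMSSP_NEGOTIATE_56) {
        key->data[7] = 0xa0;
    } else {
        key->data[5] = 0xe5; key->data[6] = 0x38; key->data[7] = 0xb0;
    }
    key->length = 8;
    return KEY_OK;
}

int main(void)
{
    blob_t bad = { NULL, 8 };   /* constructed: the state from the log line */
    printf("weaken(8, NULL) -> %d\n", weaken_key_guarded(&bad, 0x600082b5u));
    return 0;
}
```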
Our server has the same problem. We are currently fixing it by temporarily removing a line from the function "ntlmssp_weaken_key". Hope Samba will have a permanent fix in a later version. For more detail please check:
*** Bug 3410 has been marked as a duplicate of this bug. ***
Should be fixed now.
*** This bug has been marked as a duplicate of 3401 ***