Server: Linux kernel 2.6.15
Client: Windows XP with SP2 and latest update

The "net view" command returns "System error 64 has occurred." at the client side. It generates a "PANIC: internal error" at the server side.

After tracing the source code, it seems to be the function "libsmb/ntlmssp.c:ntlmssp_weaken_keys(NTLMSSP_STATE)" causing the problem. If the "ntlmssp_state->session_key" is (NULL,0) and "ntlmssp_state->neg_flags" is set with NTLMSSP_NEGOTIATE_LM_KEY, session_key.length will be set to "8" without checking whether "session_key.data" is NULL. A session key with (NULL,8) will cause invalid pointer access in the later code.

Our modification is as follows. It may not be appropriate in general and may work for our environment only. Thank you very much.

    void ntlmssp_weaken_keys(NTLMSSP_STATE *ntlmssp_state)
    {
        /* Key weakening not performed on the master key for NTLM2
           and does not occur for NTLM1. Therefore we only need to
           do this for the LM_KEY. */
        if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
            if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
                ;
            } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
                ntlmssp_state->session_key.data[7] = 0xa0;
                ntlmssp_state->session_key.length = 8; /* new */
            } else { /* forty bits */
                ntlmssp_state->session_key.data[5] = 0xe5;
                ntlmssp_state->session_key.data[6] = 0x38;
                ntlmssp_state->session_key.data[7] = 0xb0;
                ntlmssp_state->session_key.length = 8; /* new */
            }
            /* ntlmssp_state->session_key.length = 8; */ /* original */
        }
    }
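A stand-alone illustration of the missing check described in the report, added here as example code and not Samba's own: it uses a minimal DATA_BLOB stand-in and the three negotiate flags (values as documented in MS-NLMP), and the weakening routine refuses to touch a key whose data pointer is NULL or whose buffer is shorter than the 8 bytes it writes, so the (NULL,0) case is left as (NULL,0) instead of becoming (NULL,8).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for Samba's DATA_BLOB and the three flags involved
   (flag values as in MS-NLMP); not Samba's own definitions. */
typedef struct { uint8_t *data; size_t length; } data_blob_t;
#define NTLMSSP_NEGOTIATE_LM_KEY 0x00000080u
#define NTLMSSP_NEGOTIATE_128    0x20000000u
#define NTLMSSP_NEGOTIATE_56     0x80000000u

/* LM key weakening with the guard the report lacks: a blob with no
   buffer, or fewer than the 8 bytes written below, is left untouched.
   Returns true only when weakening was actually applied. */
bool weaken_lm_key(uint32_t neg_flags, data_blob_t *key)
{
    if (!(neg_flags & NTLMSSP_NEGOTIATE_LM_KEY))
        return false;                 /* NTLM1/NTLM2: nothing to weaken */
    if (key->data == NULL || key->length < 8)
        return false;                 /* the (NULL,0) case behind the PANIC */
    if (neg_flags & NTLMSSP_NEGOTIATE_128) {
        ;                             /* 128-bit: key bytes unchanged */
    } else if (neg_flags & NTLMSSP_NEGOTIATE_56) {
        key->data[7] = 0xa0;          /* 56-bit: fixed trailing byte */
    } else {
        key->data[5] = 0xe5;          /* 40-bit: three fixed bytes */
        key->data[6] = 0x38;
        key->data[7] = 0xb0;
    }
    key->length = 8;                  /* LM key truncated to 8 bytes */
    return true;
}

/* Exercises a constructed 16-byte key under 56-bit negotiation and the
   empty (NULL,0) key under 128-bit negotiation. Returns 0 on success. */
int check_report_cases(void)
{
    uint8_t material[16];
    memset(material, 0x11, sizeof material);   /* constructed sample key */
    data_blob_t key = { material, sizeof material };
    if (!weaken_lm_key(NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_56, &key))
        return 1;
    if (key.length != 8 || key.data[7] != 0xa0 || key.data[6] != 0x11)
        return 2;
    data_blob_t empty = { NULL, 0 };
    if (weaken_lm_key(NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_128, &empty))
        return 3;
    return (empty.length == 0 && empty.data == NULL) ? 0 : 4;
}
```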
I can verify that this fix worked for FreeBSD-6.0-STABLE with samba 3.0.21a,1. Thanks.
Applied (a version created by Andrew Bartlett). Thanks! Jeremy.
I realize this bug is closed, however, although the solution did work for FreeBSD-6.0-STABLE, it didn't seem to solve the problem with Arch-0.7.1. Due to circumstances, I wasn't able to thoroughly investigate so I'm reluctant to reopen the bug.
If the fix in current SVN doesn't fix things, then I suspect you are seeing a different bug. Many things lead to segfaults...
*** Bug 3383 has been marked as a duplicate of this bug. ***
I stated that the problem didn't seem to be solved with ArchLinux. However, I now realize that by the time I tried applying the patch, I had already played around so much with it (trying another suggested fix, et al.) that I must have broken something else. :) On a fresh install, I was able to duplicate the problem, and then solve it by commenting out the suggested line (session_key.length = 8). So this fix also applies to Arch Linux (and has been incorporated in their latest package for samba-3.0.21a). Thank you for your efforts. Apparently it was the same bug. Regardless, it was fixed with the given solution.