Bug 5733 - Samba 3.2.3 smb signing
Summary: Samba 3.2.3 smb signing
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: File services
Version: 3.2.6
Hardware: Sparc Solaris
Importance: P3 critical
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 5735
Depends on:
Blocks:
 
Reported: 2008-09-03 11:57 UTC by Peng Diaz (mail address dead)
Modified: 2010-02-07 11:23 UTC

See Also:


Attachments
Split smbd.log level 10 (800.00 KB, text/plain), 2008-09-04 11:01 UTC, Peng Diaz (mail address dead)
Split smbd.log.splitab (800.00 KB, text/plain), 2008-09-04 11:02 UTC, Peng Diaz (mail address dead)
Split smbd.log.splitac (800.00 KB, text/plain), 2008-09-04 11:03 UTC, Peng Diaz (mail address dead)
Splitsmbd.log.splitad (800.00 KB, text/plain), 2008-09-04 11:04 UTC, Peng Diaz (mail address dead)
Split smbd.log.splitae (800.00 KB, text/plain), 2008-09-04 11:05 UTC, Peng Diaz (mail address dead)
Split smbd.log.splitaf (317.86 KB, text/plain), 2008-09-04 11:06 UTC, Peng Diaz (mail address dead)
machinename log file (44.24 KB, application/octet-stream), 2008-09-05 10:41 UTC, Peng Diaz (mail address dead)
My smb.conf file (output of 'net conf list') (4.13 KB, text/plain), 2009-09-10 10:41 UTC, John H Terpstra (mail address dead(

Description Peng Diaz (mail address dead) 2008-09-03 11:57:59 UTC
We are having an issue with SMB signing on Samba 3.2.3. I understand that there was a bug in 3.2.0 and the status was fixed in 3.2.1. It seems the problem is still there.

We have two domains (domain A and domain B). The two domains are in different forests. We have a one-way external trust relationship between the two domains: Domain B trusts Domain A. The Samba 3.2.3 server is a member of domain B. User IDs and workstations (Windows XP) are members of, and log on to, domain A. Workstations in domain “A” have the following digital signing policies enabled.

Microsoft network client: Digitally sign communications (always) Security Setting: enabled
Microsoft network client: Digitally sign communications (if server agrees) Security Setting: enabled
Microsoft network server: Digitally sign communications (always) Security Setting: enabled
Microsoft network server: Digitally sign communications (if client agrees) Security Setting: enabled


The problem is that even when the Samba 3.2.3 server/client signing was set to “Yes”, “No” and “Auto”, access to its share from domain A workstations was denied. I then get the client logs below.


[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 1
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:srv_sign_outgoing_message(708)
  srv_sign_outgoing_message: seq 1: sent SMB signature of
[2008/08/28 16:06:10, 10] lib/util.c:dump_data(2223)
  [000] 8A 2E D9 6B 17 D8 02 19                           ...k....
[2008/08/28 16:06:10, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118)
  got smb length of 80
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 2
[2008/08/28 16:06:10,  0] libsmb/smb_signing.c:srv_check_incoming_message(754)
  srv_check_incoming_message: BAD SIG: seq 2 wanted SMB signature of
[2008/08/28 16:06:10,  5] lib/util.c:dump_data(2223)
  [000] 2E D4 47 83 26 B0 94 D6                           ..G.&...
[2008/08/28 16:06:10,  0] libsmb/smb_signing.c:srv_check_incoming_message(758)
  srv_check_incoming_message: BAD SIG: seq 2 got SMB signature of
[2008/08/28 16:06:10,  5] lib/util.c:dump_data(2223)
  [000] 8B 45 BE F4 8D 45 40 10                           .E...E@.
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 4294967293
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 4294967294
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 4294967295
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 0
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 1
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 2
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 3
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 4
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 5
[2008/08/28 16:06:10, 10] libsmb/smb_signing.c:simple_packet_signature(285)
  simple_packet_signature: sequence number 6
[2008/08/28 16:06:10,  5] libsmb/smb_signing.c:signing_good(243)
  srv_check_incoming_message: signing negotiated but not required and peer
  isn't sending correct signatures. Turning off.
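An added example (not part of the original report and not Samba code): a small Python parser for level-10 smbd log excerpts like the one above. It pairs the "wanted" and "got" signature of each BAD SIG event and flags the point where smbd turns signing off. The function names are this example's own, and the embedded sample is copied from the excerpt above and trimmed.

```python
import re

# Constructed sample: lines copied from the log excerpt in the report, trimmed.
SAMPLE_LOG = """\
[2008/08/28 16:06:10,  0] libsmb/smb_signing.c:srv_check_incoming_message(754)
  srv_check_incoming_message: BAD SIG: seq 2 wanted SMB signature of
[2008/08/28 16:06:10,  5] lib/util.c:dump_data(2223)
  [000] 2E D4 47 83 26 B0 94 D6                           ..G.&...
[2008/08/28 16:06:10,  0] libsmb/smb_signing.c:srv_check_incoming_message(758)
  srv_check_incoming_message: BAD SIG: seq 2 got SMB signature of
[2008/08/28 16:06:10,  5] lib/util.c:dump_data(2223)
  [000] 8B 45 BE F4 8D 45 40 10                           .E...E@.
[2008/08/28 16:06:10,  5] libsmb/smb_signing.c:signing_good(243)
  srv_check_incoming_message: signing negotiated but not required and peer
  isn't sending correct signatures. Turning off.
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<lvl>\d+)\] (?P<src>\S+)\((\d+)\)$")
BAD_SIG = re.compile(r"BAD SIG: seq (\d+) (wanted|got) SMB signature of")
HEX_ROW = re.compile(r"^\[\d{3}\]((?: [0-9A-F]{2})+)")

def parse_records(text):
    """Group each '[timestamp, level] source(line)' header with its indented body."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["lvl"]), "src": m["src"], "body": []})
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def signing_findings(text):
    """Return ({seq: {ts, wanted, got}}, [timestamps where signing was turned off])."""
    bad, disabled, pending = {}, [], None
    for rec in parse_records(text):
        body = " ".join(rec["body"])
        sig = BAD_SIG.search(body)
        hexrow = HEX_ROW.match(rec["body"][0]) if rec["body"] else None
        if sig:
            pending = (int(sig.group(1)), sig.group(2))   # hex dump follows in next record
            bad.setdefault(pending[0], {"ts": rec["ts"]})
        elif pending and rec["src"].endswith(":dump_data") and hexrow:
            bad[pending[0]][pending[1]] = hexrow.group(1).replace(" ", "").lower()
            pending = None
        elif "signing negotiated but not required" in body and "Turning off" in body:
            disabled.append(rec["ts"])
    return bad, disabled
```

A "Turning off" hit is worth alerting on by itself, because the log message says smbd stopped signing for that connection rather than rejecting it.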
Comment 1 Volker Lendecke 2008-09-04 05:07:25 UTC
Are the clients logging in using Kerberos or NTLM?

Can you please upload a full debug level 10 log of smbd up to this point? This will answer that question.

Volker
Comment 2 Volker Lendecke 2008-09-04 05:20:36 UTC
*** Bug 5735 has been marked as a duplicate of this bug. ***
Comment 3 Peng Diaz (mail address dead) 2008-09-04 11:01:07 UTC
Created attachment 3519
Split smbd.log level 10

I used the split command to split the smbd.log file
smbd.log.splitaa
smbd.log.splitab
smbd.log.splitac
smbd.log.splitad
smbd.log.splitae
smbd.log.splitaf
Comment 4 Peng Diaz (mail address dead) 2008-09-04 11:02:36 UTC
Created attachment 3520
Split smbd.log.splitab

I used the split command to split the smbd.log file
smbd.log.splitaa
smbd.log.splitab
smbd.log.splitac
smbd.log.splitad
smbd.log.splitae
smbd.log.splitaf
Comment 5 Peng Diaz (mail address dead) 2008-09-04 11:03:56 UTC
Created attachment 3521
Split smbd.log.splitac

I used the split command to split the smbd.log file
smbd.log.splitaa
smbd.log.splitab
smbd.log.splitac
smbd.log.splitad
smbd.log.splitae
smbd.log.splitaf
Comment 6 Peng Diaz (mail address dead) 2008-09-04 11:04:41 UTC
Created attachment 3522
Splitsmbd.log.splitad

I used the split command to split the smbd.log file
smbd.log.splitaa
smbd.log.splitab
smbd.log.splitac
smbd.log.splitad
smbd.log.splitae
smbd.log.splitaf
Comment 7 Peng Diaz (mail address dead) 2008-09-04 11:05:21 UTC
Created attachment 3523
Split smbd.log.splitae

I used the split command to split the smbd.log file
smbd.log.splitaa
smbd.log.splitab
smbd.log.splitac
smbd.log.splitad
smbd.log.splitae
smbd.log.splitaf
Comment 8 Peng Diaz (mail address dead) 2008-09-04 11:06:06 UTC
Created attachment 3524
Split smbd.log.splitaf

I used the split command to split the smbd.log file
smbd.log.splitaa
smbd.log.splitab
smbd.log.splitac
smbd.log.splitad
smbd.log.splitae
smbd.log.splitaf
Comment 9 Volker Lendecke 2008-09-05 09:14:54 UTC
I'm afraid the error is not in the log file you sent. In your smb.conf you seem to have the option 

log file = /var/log/samba/%m.log

which means that you have split log files in /var/log/samba/<machinename>.log. What we need is the machine-specific file for the client that cannot connect. You might also want to compress the log file with bzip2 -9 before you upload it. It might become small enough so that you do not have to split it up into several parts.

Volker

Comment 10 Peng Diaz (mail address dead) 2008-09-05 10:41:44 UTC
Created attachment 3530
machinename log file

Here is the machine log file that can not connect.

Peng
Comment 11 Peng Diaz (mail address dead) 2008-12-02 10:44:11 UTC
Hi,

Any status with smb signing on Samba 3.2.3?

Thanks
Comment 12 Peng Diaz (mail address dead) 2009-02-05 09:58:14 UTC
I upgraded my version to 3.2.6. It seems that SMB signing is working if the host is not yet connected to the trusted domain. But after you run wbinfo -u and wbinfo --online-status and all domains are connected, workstations will not connect to Samba.
Comment 13 Guenther Deschner 2009-08-06 09:04:04 UTC
Since 3.2.3, SMB signing has been worked on various times. Any chance to retest with the latest 3.2.x release?
Comment 14 John H Terpstra (mail address dead( 2009-09-10 10:41:04 UTC
Created attachment 4679
My smb.conf file (output of 'net conf list')

smb.conf file from PDC.
Comment 15 John H Terpstra (mail address dead( 2009-09-10 10:42:12 UTC
(In reply to comment #14)
> Created an attachment (id=4679)
> My smb.conf file (output of 'net conf list')
> 
> smb.conf file from PDC.
> 

Darn! Wrong bug report! Please disregard.

- John T.
Comment 16 Volker Lendecke 2010-02-07 11:23:39 UTC
Cleaning database.... As Günther said, SMB signing has been worked on quite a few times, so I'm assuming it is fixed. If you can reproduce this with 3.2.15, please re-open this bug.

Thanks,

Volker