Bug 7568 - ntlmssp & spnego sign & seal fails against samba member in AD running winbindd
Summary: ntlmssp & spnego sign & seal fails against samba member in AD running winbindd
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.4
Hardware: Other Linux
Importance: P3 critical
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 7944 7945
Reported: 2010-07-15 08:55 UTC by Guenther Deschner
Modified: 2014-10-01 13:56 UTC (History)

See Also:


Attachments
patch for master (2.18 KB, patch), 2010-08-09 09:41 UTC, Guenther Deschner, no flags
patch for 3.5 (2.31 KB, patch), 2010-08-09 17:04 UTC, Guenther Deschner, metze: review+
patch for 3.4 (2.22 KB, patch), 2010-08-09 17:16 UTC, Guenther Deschner, metze: review+
patch for 3.3 (2.21 KB, patch), 2010-08-09 17:21 UTC, Guenther Deschner, metze: review+
the log files, network traces (377.79 KB, application/zip), 2010-12-15 23:29 UTC, Zhou Weikuan, no flags
part1 for logfile-windows (1000.00 KB, application/octet-stream), 2010-12-15 23:33 UTC, Zhou Weikuan, no flags
part2 for logfile-windows (922.89 KB, application/octet-stream), 2010-12-15 23:35 UTC, Zhou Weikuan, no flags

Description Guenther Deschner 2010-07-15 08:55:57 UTC
to reproduce: simply run RPC-BIND smbtorture test against a 3.5.4 member server in w2k8r2 domain with winbindd.
Comment 1 Jeremy Allison 2010-07-15 11:46:56 UTC
Arg. In the middle of moving all my VMs to VirtualBox means I don't have an active W2K8R2 DC at work at the moment. Is this repeatable on a W2K8 (not R2) DC?
Can you post logs from client and server side ?
Jeremy.
Comment 2 Guenther Deschner 2010-07-15 16:49:59 UTC
fails with a w2k3 sp3 DC as well.

Note that once you kill winbind, and let smbd do the samlogon on its own, it works.
Comment 3 Guenther Deschner 2010-08-09 09:41:43 UTC
Created attachment 5891
patch for master

This patch fixed it (and was pushed to master)
Comment 4 Guenther Deschner 2010-08-09 17:04:49 UTC
Created attachment 5893
patch for 3.5
Comment 5 Guenther Deschner 2010-08-09 17:16:53 UTC
Created attachment 5894
patch for 3.4
Comment 6 Guenther Deschner 2010-08-09 17:21:44 UTC
Created attachment 5895
patch for 3.3
Comment 7 Stefan Metzmacher 2010-08-10 01:51:52 UTC
Comment on attachment 5893
patch for 3.5

Looks good
Comment 8 Stefan Metzmacher 2010-08-10 01:52:19 UTC
Comment on attachment 5894
patch for 3.4

Looks good
Comment 9 Stefan Metzmacher 2010-08-10 01:53:08 UTC
Comment on attachment 5895
patch for 3.3

Looks good, but 3.3 is in security release only mode...
Comment 10 Stefan Metzmacher 2010-08-10 01:53:47 UTC
Karolin, please pick for the next releases
Comment 11 Karolin Seeger 2010-08-11 04:26:05 UTC
Pushed to v3-5-test and v3-4-test.
Will be included in the next 3.5 and 3.4 maintenance releases.
Closing out bug report.

Thanks!
Comment 12 Zhou Weikuan 2010-12-15 23:29:27 UTC
Created attachment 6133
the log files, network traces

hi samba,

we have re-tested the NTLM signing patch recently, it seems that the bug is not fully fixed.

the repro steps are as follows:

1) net ads join
2) from a unix workstation run smbclient and logon as an AD user xyz
3) From a Windows XP run smbclient and logon as the same user
* it has to be an NTLM authentication, so we use the IP address instead of the server name

In the log we see the following message:
[2010/11/09 10:06:17.748568,  5] libsmb/smb_signing.c:90(smb_signing_good)
  smb_signing_good: signing negotiated but not required and peer
  isn't sending correct signatures. Turning off.

Windows XP does not like this so it breaks the connection and tries again (several times).
Eventually either Samba gets on track or it does not and the XP machine gives up.

All.zip includes:
  log_samba.zip is an example showing the smbclient succeeding and XP failing
  logfile-windows.zip is the network trace corresponding to this log file.

  smbserver.zip is another example of a network trace where initially the signing is failing but eventually fixes itself.

Thanks,

Weikuan Zhou
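
Added example, not part of the original report or of Samba's code: a minimal scan of an smbd log for the signing-downgrade record quoted in comment 12, so that affected sessions can be counted before and after applying a fix. It assumes the two-part record layout shown in that excerpt (bracketed header line, indented message lines); the sample log is constructed and its second record is invented.

```python
import re

# Header layout as seen in comment 12:
# "[YYYY/MM/DD HH:MM:SS.uuuuuu,  level] file.c:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Message text from the excerpt, compared after folding the wrapped lines.
DOWNGRADE = ("signing negotiated but not required and peer "
             "isn't sending correct signatures. Turning off.")

def parse_records(lines):
    """Group each header line with its indented continuation lines."""
    record = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m:
            if record:
                yield record
            record = {**m.groupdict(), "body": []}
        elif record is not None and line.startswith((" ", "\t")):
            record["body"].append(line.strip())
        # Blank lines and text before the first header are ignored.
    if record:
        yield record

def signing_downgrades(lines):
    """Return (timestamp, source location) for each signing 'Turning off' record."""
    hits = []
    for rec in parse_records(lines):
        text = " ".join(rec["body"])
        if rec["func"] == "smb_signing_good" and DOWNGRADE in text:
            hits.append((rec["ts"], f'{rec["src"]}:{rec["line"]}'))
    return hits

# Constructed sample: record 1 is the excerpt from comment 12,
# record 2 is an invented unrelated record that must not be flagged.
SAMPLE = """\
[2010/11/09 10:06:17.748568,  5] libsmb/smb_signing.c:90(smb_signing_good)
  smb_signing_good: signing negotiated but not required and peer
  isn't sending correct signatures. Turning off.
[2010/11/09 10:06:18.000000,  3] example/file.c:1(example_function)
  constructed unrelated message
""".splitlines()

if __name__ == "__main__":
    for ts, loc in signing_downgrades(SAMPLE):
        print(f"{ts} signing turned off ({loc})")
```

The quoted record is logged at level 5, so the scan only finds it in logs written at that debug level or higher.
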
Comment 13 Zhou Weikuan 2010-12-15 23:33:24 UTC
Created attachment 6134
part1 for logfile-windows

The logfile-windows file is too large for 1M, so I split it into two parts.
Comment 14 Zhou Weikuan 2010-12-15 23:35:11 UTC
Created attachment 6135
part2 for logfile-windows
Comment 15 Stefan Metzmacher 2014-10-01 13:56:57 UTC
(In reply to comment #12)
> we have re-tested the NTLM signing patch recently, it seems that the bug is not
> fully fixed.

The problem should be mostly fixed in the latest 3.6, 4.0 and 4.1 releases, while a more advanced fix will be in 4.2.0.