Patch KB2536276 released on June 14th, 2011 causes a Windows XP machine to be unable to connect to a samba share. My network has samba shares containing versions 2.0.6, 2.0.7, 3.0.21, 3.0.23, 3.0.24, and 3.5.6. With KB2536276 installed the Windows XP machine cannot access the shares on the 2.0.X and 3.5.6 servers but can still access the shares on the 3.0.X servers. Uninstalling the patch restores the ability to access the share.
Here is a text of the samba log for today if that will help.
[2011/06/15 10:08:09.278231, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/06/15 10:08:09.278613, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/06/15 10:08:36.750190, 0] lib/util_sock.c:675(write_data)
[2011/06/15 10:08:36.750306, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2011/06/15 10:08:36.750413, 0] smbd/process.c:79(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2011/06/15 13:28:15.444200, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/06/15 13:28:15.444338, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
That snippet is not really helpful. What is needed is a debug level 10 log of smbd together with a network trace. Please look at http://wiki.samba.org/index.php/Capture_Packets and http://wiki.samba.org/index.php/Client_specific_Log.
Just want to add a "me too" to this. We have a Fedora 14 server running samba-3.5.8-76.fc14.x86_64. We only have XP SP3 clients. With KB2536276 installed the clients can't connect. Remove KB2536276 and they can. Plain text passwords are enabled on the XP clients.
Wait -- you are using "encrypt passwords = no"? I can very well believe that some hotfix by Microsoft breaks clients support for that. We definitely need more information on that. Volker
I've just patched a Windows XP box including KB2536276 and I can still connect fine to at least some 3.6 pre-release. I'll compile 3.5.6 next.
Question -- your working servers, are they also using plain text passwords or are they using encrypted passwords?
Got it reproduced. Stay tuned.
*** Bug 8239 has been marked as a duplicate of this bug. ***
Created attachment 6590 [details] Packet Capture Patch capture from WinXP machine attempting to connect to a Samba 3.4.6 server.
Volker, I've followed the instructions contained on http://wiki.samba.org/index.php/Client_specific_Log but no log file is being generated for my WinXP client.
Just want to add that we also have been having the same problems as described since yesterday. The patch looks like it only breaks unencrypted samba, but encrypted samba is unaffected. Windows XP and 7 clients can't connect anymore, however Windows 2008 Server still connects just fine.
We are also experiencing this issue.
Windows XP SP3
Unencrypted passwords
Samba 3.5.5
We are in the process of converting to AD, but have to maintain unencrypted passwords for now, unless NTLMv2 Configuration can be performed on the samba server.
Created attachment 6593 [details] Patch
Preliminary testing on an Ubuntu 2.6.32-28-server running Samba 3.5.9 seems to work with the patch as provided.
Preliminary testing on an openSuse 11.3 running Samba 3.5.9 seems to work with the patch as provided.
(In reply to comment #15)
> Preliminary testing on an openSuse 11.3 running Samba 3.5.9 seems to
> work with the patch as provided.
For various business reasons, we are still on 3.0.37. Would it be possible for a patch to find its way into that older release? BTW - I opened a case with MS today and it is one of several they are handling for this issue. They took a bunch of diagnostics on our test system and I provided them the patch info. We'll see what happens.
It also happens with 3.0.37? I tested 3.0.24, and it did work fine.
Volker: Any idea of which version(s) are affected by this bug between 3.5.0 and 3.6.0?
Haven't looked at all versions, but 3.5.0 also has that bug. I randomly picked 3.4.0 and 3.4.12 as well, they have the same code. So I'd very much assume they have the same or a similar problem. Volker
This is a blocker for 3.5.10.
(In reply to comment #17)
> It also happens with 3.0.37? I tested 3.0.24, and it did work fine.
Yes, I confirmed that the issue occurs in 3.0.37. Thanks.
(In reply to comment #21)
> (In reply to comment #17)
> > It also happens with 3.0.37? I tested 3.0.24, and it did work fine.
> Yes, I confirmed that the issue occurs in 3.0.37.
> Thanks.
Also, we confirmed that 3.2 breaks. This is the SAMBA version IBM will be releasing with AIX 7.
Comment on attachment 6593 [details] Patch Great catch - good bug fix ! Jeremy.
Re-assigning to Karolin. Karolin, this should be pushed to any version 3.5.x we're still supporting, and probably added to the "recommended" patches list for any earlier versions. Jeremy.
for the 3.0.37 source of smbd/negprot.c
    p = q = smb_buf(outbuf);
    if (!negotiate_spnego) {
        /* Create a token value and add it to the outgoing packet. */
        if (global_encrypted_passwords_negotiated) {
            /* note that we do not send a challenge at all if we are using plaintext */
            get_challenge(p);
            SCVAL(outbuf,smb_vwv16+1,8);
            p += 8;
        }
        p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf),
                         STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
        DEBUG(3,("not using SPNEGO\n"));
    } else {
        DATA_BLOB spnego_blob = negprot_spnego();
        if (spnego_blob.data == NULL) {
            return ERROR_NT(NT_STATUS_NO_MEMORY);
        }
        memcpy(p, spnego_blob.data, spnego_blob.length);
        p += spnego_blob.length;
        data_blob_free(&spnego_blob);
        SCVAL(outbuf,smb_vwv16+1, 0);
        DEBUG(3,("using SPNEGO\n"));
    }
What would need to change here?
When we try to enable encrypted passwords with a local smbpasswd file in the AIX box we get the following error. Any ideas? TIA
xpdp4_root:xp# ls -l private/smbpasswd
-rw------- 1 root system 170 Jun 20 14:43 private/smbpasswd
xpdp4_root:xp# cat private/smbpasswd
abcd:203:3B0DB29A8AA3F2E9AAD3B435B51404EE:D9CFE0D08B0317F95D7E0D815C0E2F4A:abcd User
root:0:RF9220222E7BFDD6AAD3B435B51404EE:13562F851B782806A899975D4404D387:Root User
xpdp4_root:xp#
  element 31 -> now SET
[2011/06/20 15:08:17, 11, pid=655412, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_set_init_flags(482)
  element 20 -> now SET
[2011/06/20 15:08:17, 11, pid=655412, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_set_init_flags(482)
  element 17 -> now SET
[2011/06/20 15:08:17, 11, pid=655412, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_set_init_flags(482)
  element 27 -> now SET
[2011/06/20 15:08:17, 3, pid=655412, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/06/20 15:08:17, 9, pid=655412, effective(0, 0), real(0, 0)] passdb/passdb.c:pdb_update_autolock_flag(1417)
  pdb_update_autolock_flag: Account abcd not autolocked, no check needed
[2011/06/20 15:08:17, 4, pid=655412, effective(0, 0), real(0, 0)] libsmb/ntlm_check.c:ntlm_password_check(328)
  ntlm_password_check: Checking NT MD4 password
[2011/06/20 15:08:17, 4, pid=655412, effective(0, 0), real(0, 0)] auth/auth_sam.c:sam_account_ok(137)
  sam_account_ok: Checking SMB password for user abcd
[2011/06/20 15:08:17, 5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_sam.c:logon_hours_ok(119)
  logon_hours_ok: user abcd allowed to logon at this time (Mon Jun 20 23:08:17 2011 )
[2011/06/20 15:08:17, 1, pid=655412, effective(0, 0), real(0, 0)] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'abcd' password must change!.
[2011/06/20 15:08:17, 5, pid=655412, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [abcd] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2011/06/20 15:08:17, 2, pid=655412, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [abcd] -> [abcd] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2011/06/20 15:08:17, 5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:free_user_info(1951)
  attempting to free (and zero) a user_info structure
[2011/06/20 15:08:17, 10, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:free_user_info(1955)
  structure was created for abcd
[2011/06/20 15:08:17, 0, pid=655412, effective(0, 0), real(0, 0)] smbd/map_username.c:map_username(141)
  can't open username map /xp/xpvs/samba/winuser.map. Error No such file or directory
[2011/06/20 15:08:17, 5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:make_user_info_map(178)
  make_user_info_map: Mapping user [XP]\[abcd] from workstation [10.160.140.148]
[2011/06/20 15:08:17, 5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:make_user_info(92)
  attempting to make a user_info for abcd (abcd)
(In reply to comment #24)
> Re-assigning to Karolin. Karolin, this should be pushed to any version 3.5.x
> we're still supporting, and probably added to the "recommended" patches list
> for any earlier versions.
>
> Jeremy.
Pushed to v3-5-test, will be included in 3.5.10.
Re-assigning to Volker to answer the questions on 3.0.37.
I also want to confirm this issue; the KB breaks the ability of WinXP SP3 to connect to Samba 3.2.5 (debian distro) using plain text pw. What exactly can we do to fix this? Regards, John
(In reply to comment #29)
> I also want to confirm this issue; the KB breaks the ability of WinXP SP3 to
> connect to Samba 3.2.5 (debian distro) using plain text pw.
>
> What exactly can we do to fix this?
>
> Regards,
> John
We are still running with Samba 2.2.8a and are experiencing the same issue, that having installed ms patch 2536276 we cannot access shares. And when we remove the patch then we can access the shares. Am I right in thinking the patch that has been made available here would not work on such an old version of Samba that we are running? Thanks, Neil.
Ok, so people need this fix for 3.0.x, 3.2.x and (heaven forbid *) 2.2.8a ? * Just to be clear, I'm only looking at this because you're the BBC and I *REALLY LOVE* the new Dr. Who. Stop making that show and I'll drop your support like a hot rock :-) :-). Jeremy.
Two observations: It's freaking scary how many people still use a) Samba 2 (!!) and b) plain text passwords. Can we ever really deprecate or remove any kind of feature we ever put in? Volker
Created attachment 6610 [details] Backport of vl's patch for 3.2.15
I am running Samba 2.2.3a on Mandrake linux version 2.4.18-6mdk #1 Fri Mar 15 02:59:08 CET 2002. It's behind a NAT protected D-Link WiFi AP, and I've just been afraid to touch it after I spent weeks getting everything working. Ed
(In reply to comment #32)
> Two observations: It's freaking scary how many people still use a) Samba 2 (!!)
> and b) plain text passwords. Can we ever really deprecate or remove any kind of
> feature we ever put in?
>
> Volker
I'm running Samba 2.2.3a with encrypted passwords, so have no problem with Windows XP boxes with the KB2536276 patch, but my Windows 7 & Windows 2008 R2 boxes don't connect to my Samba share with that MS patch in place.
Ok I've looked at the code in 3.0.x and 2.2.x and they *seem* to be doing the right thing w.r.t. setting the workgroup and correct length in the negprot reply. However 2.2.x doesn't do unicode on the wire, so the packets will by necessity be different. It might be that Microsoft never tested the change with non-unicode servers. Wire packet traces from 3.0.x servers and 2.2.x using plaintext passwords and failing would be helpful. Please attach to this bug. Jeremy.
I've tested 3.0.24, and that worked. Compiling 3.0.37 and 2.2. now.
2.2.12 works for me as well.
Thanks Volker. I couldn't see anything wrong with the code for these two versions. Jeremy.
(In reply to comment #37)
> I've tested 3.0.24, and that worked. Compiling 3.0.37 and 2.2. now.
Any word on 3.0.37? We would be most interested. BTW - major props to you guys for doing all this work and a big thanks!
Just tested: It does work with 3.0.37. If it does not work for you, we need a network trace and debug level 10 logs. Please see http://wiki.samba.org/index.php/Capture_Packets and http://wiki.samba.org/index.php/Client_specific_Log Volker
(In reply to comment #41)
> Just tested: It does work with 3.0.37. If it does not work for you, we need a
> network trace and debug level 10 logs. Please see
> http://wiki.samba.org/index.php/Capture_Packets and
> http://wiki.samba.org/index.php/Client_specific_Log
> Volker
Our admin bit the bullet and upgraded our SAMBA installation. We were able to patch, compile and test 3.5.9 with encrypted passwords. Currently, testing with unencrypted passwords and will have a result soon. So, our plan at this point is to roll out 3.5.9 one way or the other. We won't be pursuing the 3.0.37 path at this time. Thanks again for all the support.
(In reply to comment #42)
> (In reply to comment #41)
> > Just tested: It does work with 3.0.37. If it does not work for you, we need a
> > network trace and debug level 10 logs. Please see
> > http://wiki.samba.org/index.php/Capture_Packets and
> > http://wiki.samba.org/index.php/Client_specific_Log
> > Volker
> Our admin bit the bullet and upgraded our SAMBA installation. We were able to
> patch, compile and test 3.5.9 with encrypted passwords. Currently, testing
> with unencrypted passwords and will have a result soon. So, our plan at this
> point is to roll out 3.5.9 one way or the other. We won't be pursuing the
> 3.0.37 path at this time. Thanks again for all the support.
We are testing 3.5.9 with the one-line patch for the KB fix. We cannot get plain-text authentication to work with local UNIX (AIX) users.
smb.conf
[global]
    server string = Samba:%v (%h)
    interfaces = 10.160.140.122/255.255.255.0
    debug level = 10
    protocol = NT1
    ; passwd program = /bin/passwd
    ; passwd chat = *s New password:* %n\nEnter the new password again:* %n\n
    ; passwd chat debug = Yes
    unix password sync = No
    password level = 8
    encrypt passwords = No
    update encrypted = No
    smb passwd file = /xp/xpvs/samba/private/smbpasswd
    username level = 0
    username map = /xp/xpvs/samba/winuser.map
    lock directory = /xp/xpvs/samba/lock
    workgroup = XP
    netbios name = %h
    security = share
    ;map to guest = Bad Password
    root directory = /
    restrict anonymous = No
    debug pid = Yes
    debug uid = Yes
    debug timestamp = Yes
    debug hires timestamp = No
    syslog = 1
    syslog only = No
    log file = /xp/xpvs/samba/log.smbd
    max log size = 128
    name resolve order = host wins bcast
    deadtime = 0
    getwd cache = Yes
    socket options = TCP_NODELAY
    load printers = Yes
    printcap name = /xp/xpvs/samba/printcap
    preferred master = Yes
LOG FILE debug 10
  smb_pam_auth: PAM: Authentication Error for user xpwin
[2011/06/24 11:01:55, 2, pid=1949822, effective(0, 0), real(0, 0)] auth/pampass.c:77(smb_pam_error_handler)
  smb_pam_error_handler: PAM: Authentication Failure : Authentication failed
[2011/06/24 11:01:55, 0, pid=1949822, effective(0, 0), real(0, 0)] auth/pampass.c:823(smb_pam_passcheck)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User xpwin !
[2011/06/24 11:01:55, 4, pid=1949822, effective(0, 0), real(0, 0)] auth/pampass.c:450(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2011/06/24 11:01:55, 3, pid=1949822, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/06/24 11:01:55, 5, pid=1949822, effective(0, 0), real(0, 0)] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: unix authentication for user [xpwin] FAILED with error NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55, 2, pid=1949822, effective(0, 0), real(0, 0)] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [xpwin] -> [xpwin] FAILED with error NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55, 5, pid=1949822, effective(0, 0), real(0, 0)] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/24 11:01:55, 10, pid=1949822, effective(0, 0), real(0, 0)] auth/auth_util.c:2123(free_user_info)
  structure was created for xpwin
[2011/06/24 11:01:55, 2, pid=1949822, effective(0, 0), real(0, 0)] smbd/service.c:626(create_connection_server_info)
  Invalid username/password for [exports]
[2011/06/24 11:01:55, 1, pid=1949822, effective(0, 0), real(0, 0)] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55, 3, pid=1949822, effective(0, 0), real(0, 0)] smbd/error.c:80(error_packet_set)
  error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55, 5, pid=1949822, effective(0, 0), real(0, 0)] lib/util.c:617(show_msg)
[2011/06/24 11:01:55, 5, pid=1949822, effective(0, 0), real(0, 0)] lib/util.c:627(show_msg)
  size=87
  smb_com=0x73
  smb_rcls=106
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=49155
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=5954
  smt_wct=3
  smb_vwv[ 0]= 117 (0x75)
  smb_vwv[ 1]= 84 (0x54)
  smb_vwv[ 2]= 1 (0x1)
  smb_bcc=41
[2011/06/24 11:01:55, 10, pid=1949822, effective(0, 0), real(0, 0)] ../lib/util/util.c:278(_dump_data)
  [0000] 00 55 00 6E 00 69 00 78 00 00 00 53 00 61 00 6D .U.n.i.x ...S.a.m
Can you upload the lines before the lines you pasted?
Created attachment 6622 [details] Log file - plain-text auth failure w/ local user - 3.5.9 per request by Volker
Created attachment 6623 [details] config file - plain-text auth failure w/ local user - 3.5.9 as requested by Volker
Can't reproduce that, sorry. I've tested 3.5.9 on debian lenny. I don't have access to AIX right now, so I'm a bit lost. Sorry. Volker
I got bit by this bug, but what fixed it for me is incongruous with what's documented so far. We had three Windows 7 machines install the KB2536276 update, then a few days later, I updated Samba to 3.5.9, then downgraded back to 3.4.9 due to an unrelated problem with libtdb. After that, all three machines could not talk to the server. We could connect and authenticate (i.e., map drives) and smbtree would work correctly for all accounts, but as soon as we tried to copy a file from the server, it would fail. The server has been configured without an "encrypt passwords" directive in smb.conf for a long time. When it stopped working, I spotted the "call_nt_transact_ioctl(0x900eb): Currently not implemented." lines in the log and ultimately found this bug. What's strange was, the patch was redundant: both 3.4.9 and 3.5.9 have the added line already in source3/smbd/negprot.c at the place indicated by the diff. So I rebuilt and tested, rebuilt the tdbsam databases, setting "min protocol" and "max protocol" to various levels trying to force the Windows clients to not use NTLMv2/SMB2. In my testing, I found I could transfer small files (a few KB) without issue, but any large file would error out. When I removed "aio read size" and "aio write size" (disabling asynchronous IO) it magically started working again. Further testing showed I could undo all previous changes. I did not undo "encrypt passwords = Yes" since I'd been meaning to change that anyway. I still get "call_nt_transact_ioctl(0x900eb): Currently not implemented." lines in the log when a client first connects, but the client effects don't manifest. The only lasting change in the clients is one of the Windows 7 machines now crashes its wireless interface when trying to move data to or from the file server. 
It can do everything else fine (including downloading large files from the internet) and has talked to the Samba server just fine for years, regularly transferring batches of hundreds of large, RAW-format photos. Attached working smb.conf to follow. I'm not sure what or how else to test, what parts of the many hundreds of MB of logs I have from testing you want. I can provide those logs and do more testing this week, after which I won't have access for about 2 months.
Created attachment 6641 [details] Working 3.5.9 config
This is my now-production Samba config. The only significant changes from the previous production config I've had for months are the removal of:
    aio read size = 16384
    aio write size = 16384
and the addition of:
    encrypt passwords = Yes
    update encrypted = Yes
Googling has revealed a configuration fix to our problem with getting the unencrypted shares to work with the KB fix. We successfully tested this with 3.0.37 and are using this as a workaround until we can roll out encrypted passwords...
From groups:
This problem occurs if the following condition is true:
"bytecount <8" && encryptkeylength=0
"Bytecount" is the length of the computer's workgroup or domain name. This problem occurs if the workgroup or domain name is less than 8 bytes, including the null terminator. Therefore, the problem occurs if the workgroup or domain name uses fewer than 3 Unicode characters. All Samba versions that support plain text passwords are affected by this problem.
To fix: Change the domain name on SMB config file to greater than 7 characters. Doesn't even need to be a legitimate domain name, just anything, then restart the SMB share. Doesn't appear to be anything to do with encryption for us.
Just FYI: Microsoft has updated http://support.microsoft.com/kb/2536276, now mentioning instructions for Samba config changes. Marking this bug as fixed, as the <3char workgroup name problem won't be fixed by Microsoft. Volker
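The condition quoted in the workaround comment (bytecount < 8 together with an encryption key length of 0) can be checked against an smb.conf before clients receive KB2536276. The following is an added example, not part of the bug thread or of Samba; it models only the non-SPNEGO, Unicode reply layout shown in the 3.0.37 negprot.c excerpt above, and the function names, the sample config and the fallback defaults are assumptions.

```python
import re

# Constructed sample input: a [global] section using the plain-text settings
# and two-character workgroup seen in the smb.conf posted in this thread.
SAMPLE_CONF = """\
[global]
    ; plain-text authentication, short workgroup
    workgroup = XP
    encrypt passwords = No
    security = share

[exports]
    path = /srv/exports
"""

TRUE_VALUES = {"yes", "true", "on", "1"}
CHALLENGE_LEN = 8  # challenge bytes, sent only when passwords are encrypted


def read_global(conf_text):
    """Return the [global] parameters, keyed by name without case or spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def negprot_fields(workgroup, encrypted):
    """Model the non-SPNEGO negprot reply: (encryption key length, byte count)."""
    key_len = CHALLENGE_LEN if encrypted else 0
    # The workgroup is pushed as UTF-16LE with a two-byte terminator
    # (STR_UNICODE|STR_TERMINATE in the excerpt).
    name_len = len(workgroup.encode("utf-16-le")) + 2
    return key_len, key_len + name_len


def check_conf(conf_text):
    """Flag a config that meets the quoted condition: bytecount < 8, key length 0."""
    params = read_global(conf_text)
    # Assumed fallbacks when a parameter is absent: WORKGROUP / yes.
    workgroup = params.get("workgroup", "WORKGROUP")
    encrypted = params.get("encryptpasswords", "yes").lower() in TRUE_VALUES
    key_len, bytecount = negprot_fields(workgroup, encrypted)
    return {
        "workgroup": workgroup,
        "encryption_key_length": key_len,
        "bytecount": bytecount,
        "affected": key_len == 0 and bytecount < 8,
    }


if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF))
    print(check_conf(SAMPLE_CONF.replace("workgroup = XP", "workgroup = XPDOMAIN")))
```

The check follows the byte-count condition as quoted; the workaround in the same comment goes further and uses a name longer than 7 characters.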