Bug 8238 - Windows security patch KB2536276 prevents access to shares
Windows security patch KB2536276 prevents access to shares
Status: RESOLVED FIXED
Product: Samba 3.5
Classification: Unclassified
Component: Nmbd
3.5.6
x86 Windows XP
: P5 regression
: ---
Assigned To: Volker Lendecke
Samba QA Contact
:
: 8239 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-15 20:29 UTC by Talderas
Modified: 2011-07-08 08:24 UTC (History)
9 users (show)

See Also:


Attachments
Packet Capture (7.16 KB, application/octet-stream)
2011-06-16 11:31 UTC, Talderas
no flags Details
Patch (826 bytes, patch)
2011-06-16 20:23 UTC, Volker Lendecke
jra: review+
Details
Backport of vl's patch for 3.2.15 (302 bytes, patch)
2011-06-22 17:54 UTC, Jeremy Allison
no flags Details
Log file - plain-text auth failure w/ local user - 3.5.9 (120.49 KB, text/plain)
2011-06-24 21:14 UTC, owtsgmi
no flags Details
config file - plain-text auth failure w/ local user - 3.5.9 (4.27 KB, text/plain)
2011-06-24 21:16 UTC, owtsgmi
no flags Details
Working 3.5.9 config (1.63 KB, text/plain)
2011-06-28 18:45 UTC, darren.pilgrim
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Talderas 2011-06-15 20:29:34 UTC
Patch KB2536276 released on June 14th, 2011 causes a Windows XP machine to be unable to connect to a samba share.

My network has samba shares containing versions 2.0.6, 2.0.7, 3.0.21, 3.0.23, 3.0.24, and 3.5.6. With KB2536276 installed the Windows XP machine cannot access the shares on the 2.0.X and 3.5.6 servers but can still access the shares on the 3.0.X servers. Uninstalling the patch restores the ability to access the share.
Comment 1 Talderas 2011-06-15 20:56:29 UTC
Here is a text of the samba log for today if that will help.

[2011/06/15 10:08:09.278231,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/06/15 10:08:09.278613,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/06/15 10:08:36.750190,  0] lib/util_sock.c:675(write_data)
[2011/06/15 10:08:36.750306,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2011/06/15 10:08:36.750413,  0] smbd/process.c:79(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2011/06/15 13:28:15.444200,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/06/15 13:28:15.444338,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
Comment 2 Volker Lendecke 2011-06-15 21:05:04 UTC
That snippet is not really helpful. What is needed is a debug level 10 log of smbd together with a network trace. Please look at http://wiki.samba.org/index.php/Capture_Packets and http://wiki.samba.org/index.php/Client_specific_Log.
Comment 3 Norman Gaywood 2011-06-16 05:19:55 UTC
Just want to add a "me to" to this.

We have a Fedora 14 server running samba-3.5.8-76.fc14.x86_64

We only have XP SP3 clients. With KB2536276 installed the clients can't connect. Remove KB2536276 and they can.

Plain text passwords are enabled on the XP clients.
Comment 4 Volker Lendecke 2011-06-16 08:23:38 UTC
Wait -- you are using "encrypt passwords = no"? I can very well believe that some hotfix by Microsoft breaks clients support for that.

We definitely need more information on that.

Volker
Comment 5 Volker Lendecke 2011-06-16 10:02:58 UTC
I've just patch a Windows XP box including KB2536276 and I can still connect fine to at least some 3.6 pre-release. I'll compile 3.5.6 next.
Comment 6 Volker Lendecke 2011-06-16 10:35:07 UTC
Question -- your working servers, are they also using plain text passwords or are they using encrypted passwords?
Comment 7 Volker Lendecke 2011-06-16 11:21:37 UTC
Got it reproduced. Stay tuned.
Comment 8 Volker Lendecke 2011-06-16 11:22:22 UTC
*** Bug 8239 has been marked as a duplicate of this bug. ***
Comment 9 Talderas 2011-06-16 11:31:44 UTC
Created attachment 6590 [details]
Packet Capture

Patch capture from WinXP machine attempting to connect to a Samba 3.4.6 server.
Comment 10 Talderas 2011-06-16 12:14:34 UTC
Volker,

I've followed the instructions contained on http://wiki.samba.org/index.php/Client_specific_Log but no log file is being generated for my WinXP client.
Comment 11 Michael 2011-06-16 18:19:56 UTC
Just want to add that we also have been having the same problems as described since yesterday. The patch looks like it only breaks unencrypted samba, but encrypted samba is unaffected. Windows XP and 7 clients can't connect anymore, however Windows 2008 Server still connects just fine.
Comment 12 KSmith 2011-06-16 20:09:08 UTC
We are also experiencing this issue.

Windows XP SP3 Unencrypted passwords
Samba 3.5.5

We are in the process of converting to AD, but have to maintain unencrypted passwords for now, unless NTLMv2 Configuration can be performed on the samba server.
Comment 13 Volker Lendecke 2011-06-16 20:23:32 UTC
Created attachment 6593 [details]
Patch
Comment 14 KSmith 2011-06-17 14:53:17 UTC
Preliminary testing on an Ubuntu 2.6.32-28-server running Samba 3.5.9 seems to work with the patch as provided.
Comment 15 rue 2011-06-17 19:45:26 UTC
Preliminary testing on an openSuse 11.3 running Samba 3.5.9 seems to
work with the patch as provided.
Comment 16 owtsgmi 2011-06-18 00:21:04 UTC
(In reply to comment #15)
> Preliminary testing on an openSuse 11.3 running Samba 3.5.9 seems to
> work with the patch as provided.

For various business reasons, we are still on 3.0.37.  Would it be possible for a patch to find its way into that older release?

BTW - I opened a case with MS today and it is one of several they are handling for this issue.  They took a bunch of diagnostics on our test system and I provided them the patch info.  We'll see what happens.
Comment 17 Volker Lendecke 2011-06-18 04:05:20 UTC
It also happens with 3.0.37? I tested 3.0.24, and it did work fine.
Comment 18 Yannick Bergeron 2011-06-20 15:45:38 UTC
Volker: Any idea of which version(s) are affected by this bug between 3.5.0 and 3.6.0?
Comment 19 Volker Lendecke 2011-06-20 16:13:39 UTC
Haven't looked at all versions, but 3.5.0 also has that bug. I randomly picked 3.4.0 and 3.4.12 as well, they have the same code. So I'd very much assume they have the same or a similar problem.

Volker
Comment 20 Karolin Seeger 2011-06-20 18:38:15 UTC
This is a blocker for 3.5.10.
Comment 21 owtsgmi 2011-06-20 18:39:45 UTC
(In reply to comment #17)
> It also happens with 3.0.37? I tested 3.0.24, and it did work fine.

Yes, I confirmed that the issue occurs in 3.0.37.

Thanks.
Comment 22 owtsgmi 2011-06-20 18:53:41 UTC
(In reply to comment #21)
> (In reply to comment #17)
> > It also happens with 3.0.37? I tested 3.0.24, and it did work fine.
> Yes, I confirmed that the issue occurs in 3.0.37.
> Thanks.

Also, we confirmed that 3.2 breaks.  This is the SAMBA version IBM will be releasing with AIX 7.
Comment 23 Jeremy Allison 2011-06-20 19:05:11 UTC
Comment on attachment 6593 [details]
Patch

Great catch - good bug fix !
Jeremy.
Comment 24 Jeremy Allison 2011-06-20 19:06:15 UTC
Re-assigning to Karolin. Karolin, this should be pushed to any version 3.5.x we're still supporting, and probably added to the "recommended" patches list for any earlier versions.

Jeremy.
Comment 25 owtsgmi 2011-06-20 20:26:55 UTC
for the 3.0.37 source of smbd/negprot.c 

       p = q = smb_buf(outbuf);
        if (!negotiate_spnego) {
                /* Create a token value and add it to the outgoing packet. */
                if (global_encrypted_passwords_negotiated) {
                        /* note that we do not send a challenge at all if
                           we are using plaintext */
                        get_challenge(p);
                        SCVAL(outbuf,smb_vwv16+1,8);
                        p += 8;
                }
                p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf),
                                 STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
 
                DEBUG(3,("not using SPNEGO\n"));
        } else {
                DATA_BLOB spnego_blob = negprot_spnego();
 
                if (spnego_blob.data == NULL) {
                        return ERROR_NT(NT_STATUS_NO_MEMORY);
                }
 
                memcpy(p, spnego_blob.data, spnego_blob.length);
                p += spnego_blob.length;
                data_blob_free(&spnego_blob);
 
                SCVAL(outbuf,smb_vwv16+1, 0);
                DEBUG(3,("using SPNEGO\n"));
        }
 
What would need to change here?
Comment 26 owtsgmi 2011-06-20 21:19:46 UTC
When we try to enable encrypted passwords with a local smbpasswd file in the AIX box we get the followin error.  Any ideas?  TIA

xpdp4_root:xp# ls -l private/smbpasswd
-rw-------    1 root     system          170 Jun 20 14:43 private/smbpasswd
xpdp4_root:xp# cat private/smbpasswd  
abcd:203:3B0DB29A8AA3F2E9AAD3B435B51404EE:D9CFE0D08B0317F95D7E0D815C0E2F4A:abcd User
root:0:RF9220222E7BFDD6AAD3B435B51404EE:13562F851B782806A899975D4404D387:Root User

xpdp4_root:xp# 
  element 31 -> now SET
[2011/06/20 15:08:17, 11, pid=655412, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_set_init_flags(4
82)
  element 20 -> now SET
[2011/06/20 15:08:17, 11, pid=655412, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_set_init_flags(4
82)
  element 17 -> now SET
[2011/06/20 15:08:17, 11, pid=655412, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_set_init_flags(4
82)
  element 27 -> now SET
[2011/06/20 15:08:17,  3, pid=655412, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/06/20 15:08:17,  9, pid=655412, effective(0, 0), real(0, 0)] passdb/passdb.c:pdb_update_autolock_flag(
1417)
  pdb_update_autolock_flag: Account abcd not autolocked, no check needed
[2011/06/20 15:08:17,  4, pid=655412, effective(0, 0), real(0, 0)] libsmb/ntlm_check.c:ntlm_password_check(3
28)
  ntlm_password_check: Checking NT MD4 password
[2011/06/20 15:08:17,  4, pid=655412, effective(0, 0), real(0, 0)] auth/auth_sam.c:sam_account_ok(137)
  sam_account_ok: Checking SMB password for user abcd
[2011/06/20 15:08:17,  5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_sam.c:logon_hours_ok(119)
  logon_hours_ok: user abcd allowed to logon at this time (Mon Jun 20 23:08:17 2011
  )
[2011/06/20 15:08:17,  1, pid=655412, effective(0, 0), real(0, 0)] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'abcd' password must change!.
[2011/06/20 15:08:17,  5, pid=655412, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [abcd] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2011/06/20 15:08:17,  2, pid=655412, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [abcd] -> [abcd] FAILED with error NT_STATUS_PASSWORD_MUST
_CHANGE
[2011/06/20 15:08:17,  5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:free_user_info(1951)
  attempting to free (and zero) a user_info structure
[2011/06/20 15:08:17, 10, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:free_user_info(1955)
  structure was created for abcd
[2011/06/20 15:08:17,  0, pid=655412, effective(0, 0), real(0, 0)] smbd/map_username.c:map_username(141)
  can't open username map /xp/xpvs/samba/winuser.map. Error No such file or directory
[2011/06/20 15:08:17,  5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:make_user_info_map(178)
  make_user_info_map: Mapping user [XP]\[abcd] from workstation [10.160.140.148]
[2011/06/20 15:08:17,  5, pid=655412, effective(0, 0), real(0, 0)] auth/auth_util.c:make_user_info(92)
  attempting to make a user_info for abcd (abcd)
Comment 27 Karolin Seeger 2011-06-21 17:50:56 UTC
(In reply to comment #24)
> Re-assigning to Karolin. Karolin, this should be pushed to any version 3.5.x
> we're still supporting, and probably added to the "recommended" patches list
> for any earlier versions.
> 
> Jeremy.

Pushed to v3-5-test, will be included in 3.5.10.
Comment 28 Karolin Seeger 2011-06-21 17:51:50 UTC
Re-assigning to Volker to answer the questions on 3.0.37.
Comment 29 JohnK 2011-06-22 14:14:55 UTC
I also want to confirm this issue; the KB breaks the ability of WinXP SP3 to connect to Samba 3.2.5 (debian distro) using plain text pw.

What exactly can we do to fix this?

Regards,
John
Comment 30 neil.loffhagen 2011-06-22 14:59:09 UTC
(In reply to comment #29)
> I also want to confirm this issue; the KB breaks the ability of WinXP SP3 to
> connect to Samba 3.2.5 (debian distro) using plain text pw.
> 
> What exactly can we do to fix this?
> 
> Regards,
> John

We are still running with Samba 2.2.8a and are experiencing the same issue, that having installed ms patch 2536276 we cannot access shares. And when we remove the patch then we can access the shares. Am I right in thinking the patch that has been made available here would not work on such an old version of Samba that we are running?

Thanks,

Neil.
Comment 31 Jeremy Allison 2011-06-22 17:10:04 UTC
Ok, so people need this fix for 3.0.x, 3.2.x and (heaven forbid *) 2.2.8a ?

* Just to be clear, I'm only looking at this because you're the BBC and I *REALLY LOVE* the new Dr. Who. Stop making that show and I'll drop your support like a hot rock :-) :-).

Jeremy.
Comment 32 Volker Lendecke 2011-06-22 17:16:46 UTC
Two observations: It's freaking scary how many people still use a) Samba 2 (!!) and b) plain text passwords. Can we ever really deprecate or remove any kind of feature we ever put in?

Volker
Comment 33 Jeremy Allison 2011-06-22 17:54:32 UTC
Created attachment 6610 [details]
Backport of vl's patch for 3.2.15
Comment 34 Ed 2011-06-22 21:09:59 UTC
I am running Samba 2.2.3a on Mandrake linux version 2.4.18-6mdk #1 Fri Mar 15 02:59:08 CET 2002.  It's behind a NAT protected D-Link WiFi AP, and I've just been afraid to touch it after I spent weeks getting everything working.

Ed

(In reply to comment #32)
> Two observations: It's freaking scary how many people still use a) Samba 2 (!!)
> and b) plain text passwords. Can we ever really deprecate or remove any kind of
> feature we ever put in?
> 
> Volker
Comment 35 June Kendrick 2011-06-23 02:56:50 UTC
I'm running Samba 2.2.3a with encrypted passwords, so have no problem with Windows XP boxes with the KB2536276 patch, but my Windows 7 & Windows 2008 R2 boxes don't connect to my Samba share with that MS patch in place.
Comment 36 Jeremy Allison 2011-06-23 17:54:29 UTC
Ok I've looked at the code in 3.0.x and 2.2.x and they *seem* to be doing the right thing w.r.t. setting the workgroup and correct length in the negprot reply.

However 2.2.x doesn't do unicode on the wire, so the packets will by necessity be different. It might be that Microsoft never tested the change with non-unicode servers.

Wire packet traces from 3.0.x servers and 2.2.x using plaintext passwords and failing would be helpful. Please attach to this bug.

Jeremy.
Comment 37 Volker Lendecke 2011-06-23 21:00:23 UTC
I've tested 3.0.24, and that worked. Compiling 3.0.37 and 2.2. now.
Comment 38 Volker Lendecke 2011-06-23 21:09:19 UTC
2.2.12 works for me as well.
Comment 39 Jeremy Allison 2011-06-23 21:12:04 UTC
Thanks Volker. I couldn't see anything wrong with the code for these two versions.

Jeremy.
Comment 40 owtsgmi 2011-06-24 00:03:50 UTC
(In reply to comment #37)
> I've tested 3.0.24, and that worked. Compiling 3.0.37 and 2.2. now.

Any word on 3.0.37?  We would be most interested.

BTW - major props to you guys for doing all this work and a big thanks!
Comment 41 Volker Lendecke 2011-06-24 05:32:31 UTC
Just tested: It does work with 3.0.37. If it does not work for you, we need a network trace and debug level 10 logs. Please seee

http://wiki.samba.org/index.php/Capture_Packets and 
http://wiki.samba.org/index.php/Client_specific_Log

Volker
Comment 42 owtsgmi 2011-06-24 17:24:27 UTC
(In reply to comment #41)
> Just tested: It does work with 3.0.37. If it does not work for you, we need a
> network trace and debug level 10 logs. Please seee
> http://wiki.samba.org/index.php/Capture_Packets and 
> http://wiki.samba.org/index.php/Client_specific_Log
> Volker

Our admin bit the bullet and upgraded our SAMBA installation.  We were able to patch, compile and test 3.5.9 with encrypted passwords.  Currently, testing with unencrypted passwords and will have a result soon.  So, our plan at this point is to roll out 3.5.9 one way or the other.  We won't be pursuing the 3.0.37 path at this time.  Thanks again for all the support.
Comment 43 owtsgmi 2011-06-24 19:09:06 UTC
(In reply to comment #42)
> (In reply to comment #41)
> > Just tested: It does work with 3.0.37. If it does not work for you, we need a
> > network trace and debug level 10 logs. Please seee
> > http://wiki.samba.org/index.php/Capture_Packets and 
> > http://wiki.samba.org/index.php/Client_specific_Log
> > Volker
> Our admin bit the bullet and upgraded our SAMBA installation.  We were able to
> patch, compile and test 3.5.9 with encrypted passwords.  Currently, testing
> with unencrypted passwords and will have a result soon.  So, our plan at this
> point is to roll out 3.5.9 one way or the other.  We won't be pursuing the
> 3.0.37 path at this time.  Thanks again for all the support.

We are testing 3.5.9 with the one-line patch for the KB fix.  We cannot get plain-text authentication to work with local UNIX (AIX) users.
smb.conf 
[global]
    server string = Samba:%v (%h)
    interfaces =   10.160.140.122/255.255.255.0
    debug level = 10

    protocol = NT1
;    passwd program = /bin/passwd
;    passwd chat = *s New password:* %n\nEnter the new password again:* %n\n
;    passwd chat debug = Yes
    unix password sync = No
    password level = 8
    encrypt passwords = No
    update encrypted = No
    smb passwd file = /xp/xpvs/samba/private/smbpasswd
    username level = 0
    username map = /xp/xpvs/samba/winuser.map
    lock directory = /xp/xpvs/samba/lock
    workgroup = XP
    netbios name = %h
    security = share
    ;map to guest = Bad Password
    root directory = /
    restrict anonymous = No
    debug pid = Yes
    debug uid = Yes
    debug timestamp = Yes
    debug hires timestamp = No
    syslog = 1
    syslog only = No
    log file = /xp/xpvs/samba/log.smbd
    max log size = 128
    name resolve order = host wins bcast
    deadtime = 0
    getwd cache = Yes
    socket options = TCP_NODELAY
    load printers = Yes
    printcap name = /xp/xpvs/samba/printcap
    preferred master = Yes

LOG FILE debug 10
  smb_pam_auth: PAM: Authentication Error for user xpwin
[2011/06/24 11:01:55,  2, pid=1949822, effective(0, 0), real(0, 0)] auth/pampass.c:77(smb_pam_error_handler)
  smb_pam_error_handler: PAM: Authentication Failure : Authentication failed
[2011/06/24 11:01:55,  0, pid=1949822, effective(0, 0), real(0, 0)] auth/pampass.c:823(smb_pam_passcheck)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User xpwin !
[2011/06/24 11:01:55,  4, pid=1949822, effective(0, 0), real(0, 0)] auth/pampass.c:450(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2011/06/24 11:01:55,  3, pid=1949822, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/06/24 11:01:55,  5, pid=1949822, effective(0, 0), real(0, 0)] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: unix authentication for user [xpwin] FAILED with error NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55,  2, pid=1949822, effective(0, 0), real(0, 0)] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [xpwin] -> [xpwin] FAILED with error NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55,  5, pid=1949822, effective(0, 0), real(0, 0)] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/24 11:01:55, 10, pid=1949822, effective(0, 0), real(0, 0)] auth/auth_util.c:2123(free_user_info)
  structure was created for xpwin
[2011/06/24 11:01:55,  2, pid=1949822, effective(0, 0), real(0, 0)] smbd/service.c:626(create_connection_serve
r_info)
  Invalid username/password for [exports]
[2011/06/24 11:01:55,  1, pid=1949822, effective(0, 0), real(0, 0)] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55,  3, pid=1949822, effective(0, 0), real(0, 0)] smbd/error.c:80(error_packet_set)
  error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD
[2011/06/24 11:01:55,  5, pid=1949822, effective(0, 0), real(0, 0)] lib/util.c:617(show_msg)
[2011/06/24 11:01:55,  5, pid=1949822, effective(0, 0), real(0, 0)] lib/util.c:627(show_msg)
  size=87
  smb_com=0x73
  smb_rcls=106
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=49155
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=5954
  smt_wct=3
  smb_vwv[ 0]=  117 (0x75)
  smb_vwv[ 1]=   84 (0x54)
  smb_vwv[ 2]=    1 (0x1)
  smb_bcc=41
[2011/06/24 11:01:55, 10, pid=1949822, effective(0, 0), real(0, 0)] ../lib/util/util.c:278(_dump_data)
  [0000] 00 55 00 6E 00 69 00 78   00 00 00 53 00 61 00 6D   .U.n.i.x ...S.a.m
Comment 44 Volker Lendecke 2011-06-24 19:16:56 UTC
Can you upload the lines before the lines you pasted?
Comment 45 owtsgmi 2011-06-24 21:14:24 UTC
Created attachment 6622 [details]
Log file - plain-text auth failure w/ local user - 3.5.9

per request by Volker
Comment 46 owtsgmi 2011-06-24 21:16:13 UTC
Created attachment 6623 [details]
config file - plain-text auth failure w/ local user - 3.5.9

as requested by Volker
Comment 47 Volker Lendecke 2011-06-25 10:30:23 UTC
Can't reproduce that, sorry. I've tested 3.5.9 on debian lenny. I don't have access to AIX right now, so I'm a bit lost. Sorry.

Volker
Comment 48 darren.pilgrim 2011-06-28 18:40:50 UTC
I got bit by this bug, but what fixed it for me is incongruous with what's documented so far.  We had three Windows 7 machines install the KB2536276 update, then a few days later, I updated Samba to 3.5.9, then downgraded back to 3.4.9 due to an unrelated problem with libtdb.  After that, all three machines could not talk to the server.  We could connect and authenticate (i.e., map drives) and smbtree would work correctly for all accounts, but as soon as we tried to copy a file from the server, it would fail.  The server has been configured without an "encrypt passwords" directive in smb.conf for a long time.

When it stopped working, I spotted the "call_nt_transact_ioctl(0x900eb): Currently not implemented." lines in the log and ultimately found this bug.  What's strange was, the patch was redundant: both 3.4.9 and 3.5.9 have the added line already in source3/smbd/negprot.c at the place indicated by the diff.  So I rebuilt and tested, rebuilt the tdbsam databases, setting "min protocol" and "max protocol" to various levels trying to force the Windows clients to not use NTLMv2/SMB2.

In my testing, I found I could transfer small files (a few KB) without issue, but any large file would error out.  When I removed "aio read size" and "aio write size" (disabling asynchronous IO) it magically started working again.  Further testing showed I could undo all previous changes.  I did not undo "encrypt passwords = Yes" since I'd been meaning to change that anyway.  I still get "call_nt_transact_ioctl(0x900eb): Currently not implemented." lines in the log when a client first connects, but the client effects don't manifest.  The only lasting change in the clients is one of the Windows 7 machines now crashes its wireless interface when trying to move data to or from the file server.  It can do everything else fine (including downloading large files from the internet) and has talked to the Samba server just fine for years, regularly transferring batches of hundreds of large, RAW-format photos.

Attached working smb.conf to follow.

I'm not sure what or how else to test, what parts of the many hundreds of MB of logs I have from testing you want.  I can provide those logs and do more testing this week, after which I won't have access for about 2 months.
Comment 49 darren.pilgrim 2011-06-28 18:45:20 UTC
Created attachment 6641 [details]
Working 3.5.9 config

This is my now-production Samba config.  The only significant changes from the previous production config I've had for months are the removal of:

aio read size = 16384
aio write size = 16384

and the addition of:

encrypt passwords = Yes
update encrypted = Yes
Comment 50 owtsgmi 2011-06-30 22:01:10 UTC
Googling has revealed a configuration fix to our problem with getting the unencrypted shares to work with the KB fix.  We successfully tested this with 3.0.37 and are using this as a workaround until we can roll out encrypted passwords...

From groups:

This problem occurs if the following condition is true:
"bytecount <8" & & encryptkeylength=0
"Bytecount" is the length of the computer's workgroup or domain name. This problem occurs if the workgroup or domain name is less than 8 bytes, including the null terminator. Therefore, the problem occurs if the workgroup or domain name uses fewer than 3 Unicode characters. All Samba versions that support plain text passwords are affected by this problem.          

To fix:

Change the domain name on SMB config file to greater than 7 characters. Doesn't even need to be a legitimate domain name just anything then restart the SMB share, doesn't appear to be anything to do with encryption for us.
Comment 51 Volker Lendecke 2011-07-08 08:24:18 UTC
Just FYI: Microsoft has updated http://support.microsoft.com/kb/2536276, now mentioning instructions for Samba config changes.

Marking this bug as fixed, as the <3char workgroup name problem won't be fixed by Microsoft.

Volker