Luke Kenneth Casson Leighton
1998-Jan-16 18:48 UTC
cifs draft extensions: security negotiation and session setup
hi,

attached are some draft extensions to the smb protocol. i said if i got pissed enough i'd write some. please discuss them amongst yourselves: i can only comment briefly at the moment.

http://mailhost.cb1.com/~lkcl/cifs-ext.txt

Luke Kenneth Casson Leighton <lkcl@switchboard.net>
Samba Consultancy and Support http://mailhost.cb1.com/~lkcl


CIFS Extensions
---------------

Author: Luke Kenneth Casson Leighton
Date  : 16 Jan 98

This document describes cifs extensions for cifs over tcp, and for parallel negotiation or re-negotiation of security for a SMB session.

Prior reading:

- draft-leach-cifs-v1-spec-01.txt sections 4.1.1, 4.1.2.2
- cifs6.txt sections 4.1.1, 4.1.2 (NT LM 0.12)

the smb protocol needs to have independent messages for the communication of related information. almost every stage should involve negotiation, such as:

- what is talking to what (machines, transport, ports -> referral or connection)
- protocols - smb level (list of SMB protocols -> protocol to use)
- client and server capabilities
- encryption (snego -> kerberos etc)
- who (user context info) is talking to who/what
- what the user wants to access on the server.

these are covered at present by:

- NetBIOS session setup (machines, transport, port -> referral or connection)
- SMBnegprot
  - smb level (list of smb protocols -> index of protocol to use)
  - client capabilities and server capabilities, including SMB_EXTENDED_SECURITY
- SMBsesssetupX (the draft one, not the cifs6.txt one)
  - user context info (username/password/domain)
  - encryption (security blobs -> return security blobs, repeat); only possible if SMB_EXTENDED_SECURITY is "SMB-negotiated".
- SMBtconX - share name, share password.
- SMBtdis (opposite of SMBtcon)
- SMBulogoff (opposite of SMBsesssetup)

however, as has been pointed out, and as can be seen, client/server capabilities are tied to the smb level negotiation, and encryption is tied in with the user context info.
also, microsoft intend to _drop_ the NetBIOS session setup, leaving no means to identify the client or server. the following is proposed, to deal with this:

- SMBsessionreq (machines, transport, ports -> referral or connection)
- SMBnegcaps (client and server capabilities)
- SMBnegprot2 (list of SMB protocols -> protocol to use)
- SMBnegsec (security blob id info.)
- SMBsecuritysetup (security blob client/server sequence)
- SMBsesssetup (user context info - username, password, domain) *this is the cifs6.txt SMBsesssetup, _not_ the new draft one*
- SMBtconX (share name, share password).
- SMBtdis (opposite of tcon)
- SMBulogoff (opposite of sesssetup)

sequence of SMBs, and conditions on their use
---------------------------------------------

SMBnegprot2 and SMBnegcaps must come between SMB session request and SMB session setup 2. SMBnegsec is optional, but must come after the SMBnegcaps, and only if SMB_EXTENDED_SECURITY is a successfully negotiated capability. a SMBsecuritysetup challenge/response sequence must then follow.

SMBnegcrypto followed by SMBsecuritysetup(s) can be sent more than once. the negotiated encryption will apply or reapply to the *whole* session.

SMB security negotiation can happen in parallel with SMB sessions. However, it is advised that clients should wait until the successful completion of the first security negotiation stages before starting SMB session setups and SMBtcons, as the server is likely to reject them with SECURITY_NEGOTIATION_REQUIRED SMB errors (0xC000nnnn, where nnnn is to be allocated).

The client should be prepared to have to negotiate or re-negotiate security at *any* time if it supports SMB_EXTENDED_SECURITY capabilities, and to immediately start using the negotiated or re-negotiated security on all SMBs in the session.
The server should be capable of indicating to the client that the security level is insufficient or has expired, with a SECURITY_NEGOTIATION_REQUIRED SMB error on all SMB requests except SMBsecneg, *without* closing any files, disconnecting any shares or closing the session.

SMB_SESSION_REQUEST
-------------------

Client Request                  Description
==============================  ====================================
UCHAR WordCount;                Count of parameter words = 12
UCHAR AndXCommand;              Secondary (X) command; 0xFF = none
UCHAR AndXReserved;             Reserved (must be 0)
USHORT AndXOffset;              Offset to next command WordCount
CLIENT_UNC_NAME_LEN
CLIENT_UNC_VERSION_LEN
SERVER_UNC_NAME_LEN
REFERRING_SERVER_UNC_NAME_LEN
CLIENT_UNC_NAME[]
CLIENT_VERSION[]
SERVER_UNC_NAME[]
REFERRING_SERVER_UNC_NAME[]

if a name length is zero, the string it refers to is skipped altogether.

client name and server name in the request are not optional. referring server name is not optional if a server has referred the client from another server in a previous SMB session request.

the client unc version string contains context-sensitive or OEM information ("Client for Microsoft Networks - Windows NT 4.0 Build 1381" or "smbclient-1.9.18p1" or "Thursby's DAVE 1.0.1 Macintosh Client").

the client and server unc names can be "nbt://callingname#00:139" and "nbt://calledname#20:139" to support backwards compatibility with the old netbios format, for applications that require netbios names.

the referring server unc name is the name of the server that referred the client to this new server, causing the client to make this second SMB session request. a referred SMB session request cannot be re-referred to yet another SMB server.
The response is:

Server Response                   Description
================================  ================================
UCHAR WordCount;                  Count of parameter words = 3
UCHAR AndXCommand;                Secondary (X) command; 0xFF none
UCHAR AndXReserved;               Reserved (must be 0)
USHORT AndXOffset;                Offset to next command WordCount
SERVER_UNC_NAME_LEN
SERVER_VERSION_LEN
ERROR_CODE_STRING_LEN
SERVER_UNC_REFERRAL_NAME_LEN
SERVER_UNC_NAME[]
SERVER_VERSION[]
ERROR_CODE_STRING[]
SERVER_UNC_REFERRAL_NAME[]

if a name length is zero, the string it refers to is skipped altogether.

server name in the response is not optional.

the server version info may contain context-sensitive or OEM information, e.g. "Microsoft Windows NT 4.0 Build 1381 CIFS Server" or "samba-1.9.18p1 root-config-file:/usr/local/samba/lib/smb.conf.%U.%m" or "Thursby's Macintosh SMB Server DAVE 2.0".

the server unc referral name is optional, and should be accompanied by a SMB_SESSION_REFERRAL warning (0x8000nnnn - nnnn to be arranged) and an optional verbose error string (for debugging / user informational purposes) of "SMB session is being referred to another server / protocol / port number". the client should then issue a new SMB session request using the protocol specified in the unc, to the server specified in the unc, on the port number specified in the unc. regardless of whether the client is capable of doing this, it must drop the TCP connection (and so will the server).

the server cannot issue an SMB session referral to a client that has already been referred: it must reject the session. a mechanism for the server to then complain to the referrer is yet to be decided.
SMB_NEGOTIATE_SECURITY
----------------------

Client Request                  Description
==============================  ====================================
UCHAR WordCount;                Count of parameter words = 12
UCHAR AndXCommand;              Secondary (X) command; 0xFF = none
UCHAR AndXReserved;             Reserved (must be 0)
USHORT AndXOffset;              Offset to next command WordCount
UCHAR SecurityBlobLength;       Length of SecurityBlob
USHORT ByteCount;               Count of data bytes
UCHAR GUID[16]                  A globally unique identifier assigned with the client.
UCHAR SecurityBlob[]            Opaque Security Blob associated with the security package.

The response is:

Server Response                   Description
================================  ================================
UCHAR WordCount;                  Count of parameter words = 3
UCHAR AndXCommand;                Secondary (X) command; 0xFF none
UCHAR AndXReserved;               Reserved (must be 0)
USHORT AndXOffset;                Offset to next command WordCount
UCHAR SecurityBlobLength;         Length of SecurityBlob
USHORT ByteCount;                 Count of data bytes
UCHAR GUID[16]                    A globally unique identifier assigned to the server.
UCHAR SecurityBlob[]              Opaque Security Blob associated with the security package.
SMB_SECURITY_SETUP_ANDX
-----------------------

Client Request                  Description
==============================  ====================================
UCHAR WordCount;                Count of parameter words = 12
UCHAR AndXCommand;              Secondary (X) command; 0xFF = none
UCHAR AndXReserved;             Reserved (must be 0)
USHORT AndXOffset;              Offset to next command WordCount
USHORT SecurityBlobLength;      Length of opaque security blob
ULONG Reserved;                 must be 0
USHORT ByteCount;               Count of data bytes; min = 0
UCHAR SecurityBlob[]            The opaque security blob

The response is:

Server Response                   Description
================================  ================================
UCHAR WordCount;                  Count of parameter words = 3
UCHAR AndXCommand;                Secondary (X) command; 0xFF none
UCHAR AndXReserved;               Reserved (must be 0)
USHORT AndXOffset;                Offset to next command WordCount
USHORT SecurityBlobLength;        length of Security Blob that follows in a later field
USHORT ByteCount;                 Count of data bytes
UCHAR SecurityBlob[]              SecurityBlob of length specified in field SecurityBlobLength

There may be multiple round trips involved in the security blob exchange. In that case, the server may return an error STATUS_MORE_PROCESSING_REQUIRED (a value of 0xC0000016) in the SMB status. The client can then repeat the SecuritySetupAndX SMB with the next security blob.
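As an added illustration of the SMB_SESSION_REQUEST body sketched in the draft above (example code, not part of the draft or of Samba), the following encodes and decodes the four length-prefixed strings, checks every declared length against the buffer before any string is read, and applies the draft's rules that client and server names are mandatory and that an already-referred request cannot be referred on. The draft does not give the width of the length fields; little-endian USHORT is assumed here.

```python
import struct

# Assumed wire layout for the SMB_SESSION_REQUEST body: four length fields
# followed by the four strings in the same order. The draft does not state
# the width of the length fields; little-endian USHORT is assumed here.
LEN_FMT = "<4H"
LEN_SIZE = struct.calcsize(LEN_FMT)  # 8 bytes
FIELDS = ("client_unc_name", "client_version",
          "server_unc_name", "referring_server_unc_name")


class SessionRequestError(ValueError):
    """A body that violates the length rules or the draft's optionality rules."""


def encode_session_request(client_unc_name, client_version,
                           server_unc_name, referring_server_unc_name=""):
    """Build a request body; an empty string is encoded as a zero length."""
    strings = [s.encode("latin-1") for s in
               (client_unc_name, client_version,
                server_unc_name, referring_server_unc_name)]
    return struct.pack(LEN_FMT, *(len(s) for s in strings)) + b"".join(strings)


def decode_session_request(body):
    """Parse a request body, validating the declared lengths against the buffer
    before any string is sliced, then applying the draft's optionality rules."""
    if len(body) < LEN_SIZE:
        raise SessionRequestError("body shorter than the four length fields")
    lengths = struct.unpack_from(LEN_FMT, body, 0)
    # Declared lengths that overrun the buffer, or leave trailing bytes
    # unaccounted for, are rejected outright rather than read partially.
    if LEN_SIZE + sum(lengths) != len(body):
        raise SessionRequestError("declared lengths do not match body size")
    fields, offset = {}, LEN_SIZE
    for name, n in zip(FIELDS, lengths):
        # zero length: the string is skipped altogether (draft text)
        fields[name] = body[offset:offset + n].decode("latin-1") if n else ""
        offset += n
    if not fields["client_unc_name"] or not fields["server_unc_name"]:
        raise SessionRequestError("client and server UNC names are not optional")
    return fields


def server_may_refer(request):
    """Server-side rule from the draft: a request that already carries a
    referring server name arrived via a referral and cannot be re-referred."""
    return request["referring_server_unc_name"] == ""
```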
> > wins_write_database: Can't open /var/lock/samba/wins.dat.. Error was File table overflow
>
> Looks to me like your kernel is running out of open
> file descriptors. Are you running on HPUX 9.x by
> any chance ?

nope, linux 2.0.33. it's on a dell poweredge 2200 with 128m of ram.

> Samba & nmbd will die horribly if file descriptors
> run out - 1.9.18 does use a few more than 1.9.17
> (I have to open several in nmbd to bind to all
> possible interfaces).
>
> Can you give some more details about what system
> you are running on etc. ?

Additionally, I never got the File table overrun errors, but I did end up with locked smbd processes when I ran 1.9.18p1. It's very odd.

As well, I experienced an error on win3.11 domain logons. When the domain logon tried to occur, the attempt was made to pull the bat file from the C: rather than the UNC path. Very odd. I think that one may be nothing more than a typo; nevertheless the error is strange. It seems to only occur on DHCP'd win3.11 clients.

hope this helps

Seth Vidal
Emory & Henry College
Hi,

It's ok using smbstatus to find out who's logged in. However, is there a way to use syslog to log domain logins so that the 'last' command can be used?

Thanks.

Santosh

LINUX System Admin | Phone: (817)272-2815
Center for High Energy Physics and Technology
The University of Texas at Arlington
Arlington, Texas 76019
Fax: (817)272-2824
supervisor@heplinux1.uta.edu