Hello!

I'm writing to you all on behalf of my working party, a group of students at Chalmers Lindholmen University. We have been working on a problem for 6 weeks but we have come to a dead stop. If you could help us in any way we would remember it with gratitude and make sure it's not forgotten!

We are wondering if someone can assist us with a dilemma we have regarding Samba 3.0 alpha23 on Red Hat 8.0 and Windows 2003 Server when using smbclient.

The problem started when we tried to use Kerberos with smbclient to log on to a Windows 2003 Server. We got Access Denied as you can see below:

[root@alpha23 root]# kinit
Password for administrator@XJSIMPLE.FOO:
[root@alpha23 root]# smbclient //192.168.0.1/public -k
added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Doing spnego session setup (blob length=112)
Doing kerberos session setup
OS=[Windows .NET 3663] Server=[Windows .NET 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED

So we tried to log on with a username and password instead of Kerberos and this happened:

[root@alpha23 root]# smbclient //192.168.0.1/public -U administrator
added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Password:
Doing spnego session setup (blob length=112)
NTLMSSP packet check failed due to invalid signiture!
OS=[Windows .NET 3663] Server=[Windows .NET 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@alpha23 root]# smbclient //192.168.0.1/public -U administrator -d 10
---------8<----------------
crc32_calc_buffer: 3a4aa1f8
NTLMSSP packet check failed due to invalid signiture!
NTLMSSP signing failed with NT_STATUS_ACCESS_DENIED
got SMB signature of
[000] 22 80 CF FD 58 14 2C C9  "...X.,.
Server did not sign reply correctly
---------8<----------------

We captured the packages with Ethereal and found this:

---------8<----------------
Negotiate Protocol Response (0x72)
    Word Count (WCT): 17
    Dialect Index: 8, greater than LANMAN2.1
    Security Mode: 0x0f
        .... ...1 = Mode: USER security mode
        .... ..1. = Password: ENCRYPTED password. Use challenge/response
        .... .1.. = Signatures: Security signatures ENABLED
        .... 1... = Sig Req: Security signatures REQUIRED
---------8<----------------

Windows 2003 Server requires every SMB-packet to have a security signature.

After this we did the same thing but instead of a Windows 2003 server we used a Windows 2000 Server and we had no problem with smbclient and the server gave us this:

---------8<----------------
Negotiate Protocol Response (0x72)
    Word Count (WCT): 17
    Dialect Index: 8, greater than LANMAN2.1
    Security Mode: 0x07
        .... ...1 = Mode: USER security mode
        .... ..1. = Password: ENCRYPTED password. Use challenge/response
        .... .1.. = Signatures: Security signatures ENABLED
        .... 0... = Sig Req: Security signatures NOT required
---------8<----------------

So, W2K doesn't need SMB-packets signatures and we have no problems, but we want it to work with Windows 2003. What's the difference between Windows 2000 and Windows 2003 when it comes to security signatures of SMB-packets?

Can we disable signatures in Windows 2003 Server or do we have to make some changes in Red Hat/Samba? Is there another way to get around this problem?

Is the problem with Microsoft (we believe so) or is there something we can do with Samba or Red Hat?

If you need more information just ask for it and we will give ASAP.

//Daniel

-----------------------------8<----------------------------------
smb.conf
--------8<----------------
[global]
    workgroup = XJSIMPLE
    realm = XJSIMPLE.FOO
    ads server = 192.168.0.1
    security = ads
    encrypt passwords = yes
    domain master = no
    preferred master = yes
    wins support = no
    dns proxy = yes
---------8<----------------
krb5.conf

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = XJSIMPLE.FOO
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    XJSIMPLE.FOO = {
        kdc = 192.168.0.1:88
        admin_server = 192.168.0.1:749
        default_domain = xjsimple.foo
    }

[domain_realm]
    .xjsimple.foo = XJSIMPLE.FOO
    xjsimple.foo = XJSIMPLE.FOO

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
-----------------------------8<------------------------------

Jean-Baptiste Marchand
2003-May-05 11:07 UTC
[Samba] Problem with smbclient to Windows 2003 Server.

* Back Daniel <di0bada@chl.chalmers.se> [01/01/70 - 01:00]:

[...]

> So, W2K doesn't need SMB-packets signatures and we have no problems, but we
> want it to work with Windows 2003. What's the difference between Windows 2000
> and Windows 2003 when it comes to security signatures of SMB-packets?

By default, a Windows Server 2003 requires signature of SMB packets (at least, a Windows Server 2003 DC).

> Can we disable signatures in Windows 2003 Server or do we have to make
> some changes in Red Hat/Samba? Is there another way to get around this
> problem?

Yes, you can look for the following security option:

    Microsoft network server: Digitally sign communications (always)

and set it to Disabled, instead of Enabled.

This security option modifies the following registry value:

    Key: HKLM\SYSTEM\CCS\Service\lanmanserver\parameters\
    Value: RequireSecuritySignature
    Content: 0 to disable, 1 to enable

If you don't want to reboot after that change, you can stop the srv.sys driver and services that depend on it using the following command:

    C:\>net stop srv

Then, you can restart it, as well as the services that depend on it (in particular, netlogon):

    C:\>net start srv

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchand@hsc.fr
Hervé Schauer Consultants
http://www.hsc.fr/
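
Added example (not part of the original thread, and not Samba's code): the Security Mode byte from the two Ethereal captures decoded, plus the 8-byte SMB1 packet signature computed and checked the way MS-CIFS describes it (first 8 bytes of MD5 over the MAC key and the packet, with the sequence number placed in the signature field). The function names, MAC key and packet are constructed for illustration; deriving the MAC key from the session is not shown.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # SecuritySignature field: 8 bytes at offset 14 of the SMB1 header

def decode_security_mode(mode):
    """Decode the Security Mode byte of a Negotiate Protocol Response."""
    return {
        "user_level": bool(mode & 0x01),
        "encrypted_passwords": bool(mode & 0x02),
        "signing_enabled": bool(mode & 0x04),
        "signing_required": bool(mode & 0x08),
    }

def smb1_signature(mac_key, packet, seq):
    """First 8 bytes of MD5(mac_key || packet), computed with the signature
    field holding the 32-bit sequence number followed by four zero bytes."""
    staged = packet[:SIG_OFFSET] + struct.pack("<II", seq, 0) + packet[SIG_OFFSET + 8:]
    return hashlib.md5(mac_key + staged).digest()[:8]

def sign(mac_key, packet, seq):
    """Return the packet with its signature field filled in."""
    sig = smb1_signature(mac_key, packet, seq)
    return packet[:SIG_OFFSET] + sig + packet[SIG_OFFSET + 8:]

def verify(mac_key, packet, seq):
    """Check a received packet against the sequence number the receiver expects."""
    received = packet[SIG_OFFSET:SIG_OFFSET + 8]
    return hmac.compare_digest(received, smb1_signature(mac_key, packet, seq))

# Constructed sample values (not taken from the capture in the thread).
SAMPLE_KEY = bytes(range(16))
SAMPLE_PACKET = (b"\xffSMB\x75" + bytes(4) + b"\x98\x07\xc8" + bytes(2)
                 + bytes(8) + bytes(10) + b"constructed body")

if __name__ == "__main__":
    for name, mode in (("Windows 2003", 0x0F), ("Windows 2000", 0x07)):
        print(name, decode_security_mode(mode))
    signed = sign(SAMPLE_KEY, SAMPLE_PACKET, seq=2)
    print("valid:", verify(SAMPLE_KEY, signed, seq=2))
    print("wrong sequence number:", verify(SAMPLE_KEY, signed, seq=3))
    print("wrong key:", verify(b"\x00" * 16, signed, seq=2))
```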