David Girard
2005-Apr-04 15:23 UTC
[Samba] NT_STATUS_WRONG_PASSWORD with multiple concurrent connects from same IP Address.
We are having a problem with SAMBA v 3.0.13 on Linux where a Windows client (single IP address) makes multiple connections at the same time (different processes) to copy files onto our SAMBA server. As many as 20 simultaneous connections/file transfers may be occurring from the same client IP address. Some of the files succeed, and some fail. The Windows client reports that the directory does not exist...

All copies are done by the same user id, but are running as separate processes on the Windows server (therefore, I believe, separate authentications for each).

I have turned on log level 2, and see the following message in my log file for the failed attempts:

[2005/03/30 14:33:03, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: Authentication for user [det-liv-cd1] -> [det-liv-cd1] FAILED with error NT_STATUS_WRONG_PASSWORD

Just prior to, and right after these error messages, there are messages saying that the user ID and password were accepted! det-liv-cd1 is a local user id, and this same user ID is used for all the transfers.

We've tried changing the max mux setting to 5000, and this seems to reduce, but not eliminate, the number of failures.

Any ideas what may be happening?...or what we could look at next to try to resolve this problem?

TIA
David Girard
Andrew Bartlett
2005-Apr-10 07:52 UTC
On Mon, 2005-04-04 at 11:23 -0400, David Girard wrote:
> We are having a problem with SAMBA v 3.0.13 on Linux where a windows client
> (single IP address) makes multiple connections at the same time
> (different processes) to copy files onto our SAMBA server. As many as 20
> simultaneous connections/file transfers may be occurring from the
> same client IP address.

> Any Ideas what may be happening?...or what we could look at next to
> try to resolve this problem?

Any idea if all these connections occur on the same TCP/IP socket? I suspect that the issue is the way the NTLMSSP logins occur - we may well have the negotiations overlap.

Try 'use spnego = no' on the server, and see if that helps. I'm trying to solve this properly with Samba4, correctly handling the state rather than using various global variables...

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
David Girard
2005-Apr-10 09:35 UTC
Andrew:

These connections almost certainly occur on the same TCP/IP socket...I can confirm with a sniffer on Monday if it helps...

I will try the spnego=no and see what happens.

For more details, my original post was: http://lists.samba.org/archive/samba/2005-April/103115.html

Thanks for your help!

David
Blane Bramble
2005-Apr-11 14:36 UTC
> >>> Andrew Bartlett <[EMAIL PROTECTED]> 04/10/05 3:51 AM >>>
> On Mon, 2005-04-04 at 11:23 -0400, David Girard wrote:
> > We are having a problem with SAMBA v 3.0.13 on Linux where a windows client
> > (single IP address) makes multiple connections at the same time
> > (different processes) to copy files onto our SAMBA server. As many as 20
> > simultaneous connections/file transfers may be occurring from the
> > same client IP address.
>
> > Any Ideas what may be happening?...or what we could look at next to
> > try to resolve this problem?
>
> Any idea if all these connections occur on the same TCP/IP socket? I
> suspect that the issue is the way the NTLMSSP logins occur - we may well
> have the negotiations overlap.
>
> Try 'use spnego = no' on the server, and see if that helps. I'm trying
> to solve this properly with Samba4, correctly handling the state rather
> than using various global variables...
>
> Andrew Bartlett

Hi,

this sounds very much like the problem we are experiencing with W2k web edition connected to a Samba server - each site runs on its own UNC share with its own user and password, and periodically fails with the NT_STATUS_WRONG_PASSWORD error. Definitely going to be the same IP, presumably the same socket.

Unfortunately "use spnego = no" does not seem to have made much difference, so any other suggestions would be much appreciated.

Thanks,
Blane.
David Girard
2005-Apr-12 16:56 UTC
OK, I have applied the "use spnego=no" and it seems to have resolved the problem...

Could you describe what this setting is doing?...I haven't been able to find any reference to this setting other than your previous posts telling people to use it...

I need to understand if there are security or performance implications to this setting.

Thanks very much for the assistance with this!...We've been beating our heads on this problem for weeks...Can I paypal you a few $$'s for a frosty beverage of your choice in thanks?

-David
Andrew Bartlett
2005-Apr-12 22:14 UTC
On Tue, 2005-04-12 at 12:56 -0400, David Girard wrote:
> OK, I have applied the "use spnego=no" and it seems to have resolved the problem...
>
> Could you describe what this setting is doing?...I haven't been able
> to find any reference to this setting other than your previous posts
> telling people to use it...

Samba 3.0 introduced the ability to support 'extended security', where instead of the traditional NTLM challenge/response system being based on a challenge in the NegProt packet, we would install break out to a generalised authentications system, based on multiple round trips.

Session setup and authentication are fairly well described in CRH's book: http://www.ubiqx.org/cifs/SMB.html#SMB.8

When we are using extended security, there are multiple legs to the session setup part of this problem. As the client sends the first of the 4 packets in this system ('negotiate'), we should enclose a vuid 'cookie' with the 'challenge'. When the client returns with the 'auth' packet, we can line up the challenge we sent, and correctly finish the state machine.

If as in Samba3, we do not include a vuid (we send 0) to connect to the correct state machine, we would logically link a 'challenge' with an 'auth' to which there is no relation. This then results in WRONG_PASSWORD, as the cryptography is wrong.

The RAW-CONTEXT test from Samba4 should demonstrate this nicely.

> I need to understand if there are security or performance implications
> to this setting.

In particular, it will not be possible to use kerberos in any form to this server and NTLM2 will not be negotiated so clients will send the LM password on the wire. Performance and reliability with the not-recommended security=server will also suffer.

The reason we have not fixed this in the past is that session setups are usually a 'rare' event (compared with others), and we just have not seen (or considered) this race in the past.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
David Girard
2005-Apr-13 01:55 UTC
Thanks guys! Thanks Andrew for the detailed explanation...

Jeremy: Does this mean that you might consider a fix in the code for this? I'm guessing that this is the same problem that creeps up with Terminal Services/Citrix occasionally as well?

I currently have a test environment where I can easily duplicate the problem...so if there's anything that needs to be tested, please let me know!

I don't think I'll be making it to SambaXP, but if I can find a way to send you guys a frosty beverage, I'll do so!

-David

>>> Jeremy Allison <jra@samba.org> 04/12/05 8:20 PM >>>
On Wed, Apr 13, 2005 at 10:18:19AM +1000, Andrew Bartlett wrote:
>
> We should not need that - the NTLMSSP and SPNEGO code does not use piles
> of static variables, it's just the one context that is the problem.
> All you need to do is change 'global_ntlmssp_state' into something keyed
> off that VUID. See its use in reply_spnego_negotiate() and
> reply_spnego_auth().

Ok, thanks for the hints.

> Just make sure you don't treat this new vuid as 'real' - I added a
> 'finished_sesssetup' flag on the VUID in Samba4, and use two different
> lookup functions, one for the rest of samba, and one for just the
> session setup.

Don't worry, I *wrote* the original VUID code in Samba :-). I do know how it's used :-) :-).

> The next issue I need to tackle in Samba4 is that of resource
> consumption - too many half-completed NTLMSSP logins. But as we allow
> guest logins anyway, it's not much worse than can already be done.

Yeah, I was thinking about DOS attacks there, but the worst that can happen is 65534 half-open connections. Not too bad.

Jeremy.
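
The race described in the thread (one global in-progress NTLMSSP context versus contexts keyed by the vuid returned with the challenge), as an added example that is not Samba's code and not part of any post. All function names here are hypothetical, and toy_response() is a constructed stand-in for the challenge/response computation, not NTLM.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_PENDING 8   /* bound on half-completed logins (assumed value) */

/* Stand-in for the response computation (NOT real NTLM): binds challenge to secret. */
static uint32_t toy_response(uint32_t challenge, uint32_t secret) {
    uint32_t h = (challenge ^ secret ^ 0x9e3779b9u) * 16777619u;
    return h ^ (h >> 15);
}

/* Variant 1: a single global context; the server hands back vuid 0. */
static uint32_t global_challenge;
static uint16_t global_negotiate(uint32_t chal) { global_challenge = chal; return 0; }
static int global_auth(uint16_t vuid, uint32_t resp, uint32_t secret) {
    (void)vuid;  /* nothing ties this 'auth' to the challenge that was sent */
    return resp == toy_response(global_challenge, secret);
}

/* Variant 2: pending contexts keyed by the vuid sent with the challenge. */
struct pending { int in_use; uint32_t challenge; };
static struct pending table[MAX_PENDING];
static uint16_t keyed_negotiate(uint32_t chal) {
    for (uint16_t i = 0; i < MAX_PENDING; i++)
        if (!table[i].in_use) {
            table[i].in_use = 1; table[i].challenge = chal;
            return (uint16_t)(i + 1);
        }
    return 0;  /* table full: refuse rather than share state */
}
static int keyed_auth(uint16_t vuid, uint32_t resp, uint32_t secret) {
    if (vuid == 0 || vuid > MAX_PENDING || !table[vuid - 1].in_use) return 0;
    int ok = resp == toy_response(table[vuid - 1].challenge, secret);
    table[vuid - 1].in_use = 0;  /* one attempt per pending context */
    return ok;
}

/* Interleave two logins on one connection: negotiate A, negotiate B, auth A, auth B.
 * Returns a bitmask: bit 0 = A accepted, bit 1 = B accepted. */
static int run_interleaved(uint16_t (*neg)(uint32_t),
                           int (*auth)(uint16_t, uint32_t, uint32_t)) {
    const uint32_t secret = 0xC0FFEEu, chal_a = 0x11111111u, chal_b = 0x22222222u;
    uint16_t va = neg(chal_a);
    uint16_t vb = neg(chal_b);
    int a = auth(va, toy_response(chal_a, secret), secret);
    int b = auth(vb, toy_response(chal_b, secret), secret);
    return a | (b << 1);
}

int main(void) {
    printf("global context: mask=%d\n", run_interleaved(global_negotiate, global_auth));
    printf("keyed by vuid:  mask=%d\n", run_interleaved(keyed_negotiate, keyed_auth));
    return 0;
}
```

With the global context, login A is checked against B's challenge and is rejected even though its password is correct; with per-vuid contexts both logins are accepted.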