David Girard
2005-Jun-03 17:06 UTC
[Samba] NT_STATUS_WRONG_PASSWORD with multiple concurrent connects from same IP Address.
Andrew:

RE: SPNEGO=NO to solve multiple simultaneous connects from the same client system..

We're finally getting around to implementing this parameter... we've discovered that it breaks connectivity with some of our Windows XP clients... for some reason certain users are unable to authenticate from some of the XP systems (the logs report NT_STATUS_NO_SUCH_USER). Strangely enough, other user IDs work fine from these systems..

I also see that SPNEGO = yes is noted in one of the documents as being required to join a Windows 2003 AD structure... is this true?... we're moving to Active Directory within the next 30-60 days...

I'm not sure where to go from here... and hoping that you might be able to point me in the right direction.

PS: I still owe you a frosty beverage... ;-}

Thanks
_David...

>>> Andrew Bartlett <abartlet@samba.org> 04/12/05 6:13 PM >>>
On Tue, 2005-04-12 at 12:56 -0400, David Girard wrote:
> OK, I have applied the "use spnego=no" and it seems to have resolved the problem...
>
> Could you describe what this setting is doing?... I haven't been able
> to find any reference to this setting other than your previous posts
> telling people to use it...

Samba 3.0 introduced the ability to support 'extended security', where instead of the traditional NTLM challenge/response system being based on a challenge in the NegProt packet, we would instead break out to a generalised authentication system, based on multiple round trips.

Session setup and authentication are fairly well described in CRH's book:
http://www.ubiqx.org/cifs/SMB.html#SMB.8

When we are using extended security, there are multiple legs to the session setup part of this problem. As the client sends the first of the 4 packets in this system ('negotiate'), we should enclose a vuid 'cookie' with the 'challenge'. When the client returns with the 'auth' packet, we can line up the challenge we sent, and correctly finish the state machine.

If, as in Samba3, we do not include a vuid (we send 0) to connect to the correct state machine, we would logically link a 'challenge' with an 'auth' to which there is no relation. This then results in WRONG_PASSWORD, as the cryptography is wrong. The RAW-CONTEXT test from Samba4 should demonstrate this nicely.

> I need to understand if there are security or performance implications
> to this setting.

In particular, it will not be possible to use kerberos in any form to this server and NTLM2 will not be negotiated, so clients will send the LM password on the wire. Performance and reliability with the not-recommended security=server will also suffer.

The reason we have not fixed this in the past is that session setups are usually a 'rare' event (compared with others), and we just have not seen (or considered) this race in the past.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
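The race Andrew describes in the quoted reply above, as an added example that is not part of this thread and not Samba's code: a toy Python model of the two-leg ('negotiate' then 'auth') extended-security session setup, run twice from the same client with the legs interleaved. Two things are assumptions made for illustration only: the NTLM response is stood in for by HMAC-SHA256(password, challenge) rather than the real NTLM computation, and a server that always sends vuid 0 is modelled as remembering only its most recent outstanding challenge, since the client's 'auth' packet then gives it no way to say which 'negotiate' it is answering. The account database is constructed.

```python
"""Toy model of the SMB extended-security session setup race.

Added example, not Samba code.  Assumptions: the NTLM response is
stood in for by HMAC-SHA256(password, challenge); a server that sends
vuid 0 is modelled as remembering only its most recent outstanding
challenge, because the client's 'auth' packet gives it no way to say
which 'negotiate' it is answering.
"""
import hashlib
import hmac
import secrets

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_WRONG_PASSWORD = "NT_STATUS_WRONG_PASSWORD"
NT_STATUS_NO_SUCH_USER = "NT_STATUS_NO_SUCH_USER"
NT_STATUS_INVALID_PARAMETER = "NT_STATUS_INVALID_PARAMETER"

# Constructed account database for the example.
USERS = {"alice": b"correct-horse-battery"}


def challenge_response(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response (NOT the real NTLM algorithm)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    """Server side of the 'negotiate' / 'auth' legs of session setup."""

    def __init__(self, send_vuid: bool):
        self.send_vuid = send_vuid
        self.pending = {}           # vuid -> outstanding challenge
        self.next_vuid = 1
        self.last_challenge = None  # the only slot when vuid is always 0

    def negotiate(self):
        """Leg 1: hand the client a fresh challenge (and, ideally, a vuid cookie)."""
        challenge = secrets.token_bytes(8)
        if self.send_vuid:
            vuid = self.next_vuid
            self.next_vuid += 1
            self.pending[vuid] = challenge
            return vuid, challenge
        # Samba3 behaviour as described in the thread: vuid 0, so the
        # challenge cannot be tied to this particular session setup.
        self.last_challenge = challenge
        return 0, challenge

    def auth(self, vuid: int, user: str, response: bytes) -> str:
        """Leg 2: find the challenge for this setup and verify the response."""
        if self.send_vuid:
            challenge = self.pending.pop(vuid, None)
            if challenge is None:
                return NT_STATUS_INVALID_PARAMETER
        else:
            challenge = self.last_challenge
        password = USERS.get(user)
        if password is None:
            return NT_STATUS_NO_SUCH_USER
        expected = challenge_response(password, challenge)
        if hmac.compare_digest(expected, response):
            return NT_STATUS_OK
        return NT_STATUS_WRONG_PASSWORD  # "the cryptography is wrong"


def client_negotiate(server: Server, password: bytes):
    """Client does leg 1 and answers the challenge it was actually given."""
    vuid, challenge = server.negotiate()
    return vuid, challenge_response(password, challenge)


def interleaved_setups(server: Server):
    """Two setups from one client: both negotiate before either auths."""
    vuid_a, resp_a = client_negotiate(server, USERS["alice"])
    vuid_b, resp_b = client_negotiate(server, USERS["alice"])
    return server.auth(vuid_a, "alice", resp_a), server.auth(vuid_b, "alice", resp_b)


def sequential_setups(server: Server):
    """The common case: each setup finishes before the next begins."""
    vuid_a, resp_a = client_negotiate(server, USERS["alice"])
    status_a = server.auth(vuid_a, "alice", resp_a)
    vuid_b, resp_b = client_negotiate(server, USERS["alice"])
    status_b = server.auth(vuid_b, "alice", resp_b)
    return status_a, status_b


if __name__ == "__main__":
    print("vuid cookie, interleaved:", interleaved_setups(Server(send_vuid=True)))
    print("vuid 0, interleaved:     ", interleaved_setups(Server(send_vuid=False)))
    print("vuid 0, sequential:      ", sequential_setups(Server(send_vuid=False)))
```

Run stand-alone it prints the three cases. With the vuid cookie both interleaved setups succeed; with vuid 0 the first session's correct answer to its own challenge is checked against the second session's challenge and comes back WRONG_PASSWORD even though the password was right, which is the symptom this thread is about. The sequential case succeeds either way, which is why, as Andrew notes, the race went unnoticed while session setups were rare.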
Andrew Bartlett
2005-Jun-03 23:28 UTC
[Samba] NT_STATUS_WRONG_PASSWORD with multiple concurrent connects from same IP Address.
On Fri, 2005-06-03 at 13:07 -0400, David Girard wrote:
> Andrew:
>
> RE: SPNEGO=NO to solve multiple simultaneous connects from the same client system..
>
> We're finally getting around to implementing this parameter...
> we've discovered that it breaks connectivity with some of our
> Windows XP clients... for some reason certain users are unable
> to authenticate from some of the XP systems (the logs report
> NT_STATUS_NO_SUCH_USER). Strangely enough, other user IDs
> work fine from these systems..
>
> I also see that SPNEGO = yes is noted in one of the documents
> as being required to join a Windows 2003 AD structure... is
> this true?... we're moving to Active Directory within the next
> 30-60 days...

It is required for kerberos logins.

> I'm not sure where to go from here... and hoping that you might
> be able to point me in the right direction.

I've had this problem crop up at my site recently, so I'm going to work on a Samba3 patch to fix it.

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net