Adrian Newby
2004-Apr-20 23:16 UTC
[Samba] Samba 3.0.2a - Erroneously rejects NTLMv2 but accepts NTLM
Hello experts,

I'll try and keep this brief but detailed (if that's possible). I'm sure I don't understand the technologies sufficiently, but I believe I'm seeing counter-intuitive behavior with my Samba 3 setup. What I want is nice, tight Win 2K3 security. What I've got is ADS integration, including domain user authentication using winbind, but I can't get the security level right.

Problem summary:
----------------------
Samba 3.0.2a on Solaris 9 is configured with ADS security.
Lanman and NTLM authentication is prohibited.
Clients requesting NTLMv2 authentication result in NT_STATUS_ACCESS_DENIED, even though the log suggests authentication is successful.
Clients requesting NTLM authentication are accepted and authenticated.
Also, cannot establish initial SMB session when packet signing enforced. (log not provided)

Any feedback would be appreciated.

Adrian Newby

smb.conf
-----------
# Global parameters
[global]
        workgroup = PRUDENTRX
        realm = PRUDENTRX.COM
        server string = Build server
        security = ADS
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 10
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /export/home/windows/%D/%U
        template shell = /bin/bash
        winbind separator = #

[mirrors]
        comment = Mirrors of commonly-accessed external sites
        path = /distributions/mirrors

=========
The log fragments below show a failed NTLMv2 authentication. Even though the client is Admit Mac under OS X, identical results are obtained with Windows XP.
=========

log.smbd (debug level 3)
----------
[2004/04/16 09:31:59, 3] smbd/oplock.c:init_oplocks(1226) open_oplock_ipc: opening loopback UDP socket.
[2004/04/16 09:31:59, 3] smbd/oplock.c:init_oplocks(1257) open_oplock ipc: pid = 18230, global_oplock_port = 33139
[2004/04/16 09:31:59, 3] smbd/process.c:process_smb(890) Transaction 0 of length 72
[2004/04/16 09:31:59, 2] smbd/reply.c:reply_special(105) netbios connect: name1=NEUTRINO name2=SUPERNOVA
[2004/04/16 09:31:59, 2] smbd/reply.c:reply_special(112) netbios connect: local=neutrino remote=supernova, name type = 0
[2004/04/16 09:31:59, 3] smbd/process.c:process_smb(890) Transaction 1 of length 51
[2004/04/16 09:31:59, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 18230)
[2004/04/16 09:31:59, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:31:59, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [NT LM 0.12]
[2004/04/16 09:31:59, 3] smbd/negprot.c:reply_nt1(329) using SPNEGO
[2004/04/16 09:31:59, 3] smbd/negprot.c:reply_negprot(532) Selected protocol NT LM 0.12
[2004/04/16 09:32:35, 3] smbd/process.c:process_smb(890) Transaction 2 of length 174
[2004/04/16 09:32:35, 3] smbd/process.c:switch_message(685) switch message SMBsesssetupX (pid 18230)
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638) wct=12 flg2=0xc803
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518) Doing spnego session setup
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549) NativeOS=[MacOS 10.3.3] NativeLanMan=[ADmitMac] PrimaryDomain=[]
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(427) Got OID 1 3 6 1 4 1 311 2 2 10
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(430) Got secblob of size 32
[2004/04/16 09:32:35, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x20a80281
[2004/04/16 09:32:35, 3] smbd/process.c:process_smb(890) Transaction 3 of length 300
[2004/04/16 09:32:35, 3] smbd/process.c:switch_message(685) switch message SMBsesssetupX (pid 18230)
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638) wct=12 flg2=0xc803
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518) Doing spnego session setup
[2004/04/16 09:32:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549) NativeOS=[MacOS 10.3.3] NativeLanMan=[ADmitMac] PrimaryDomain=[]
[2004/04/16 09:32:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(616) Got user=[anewby] domain=[PRUDENTRX] workstation=[SUPERNOVA] len1=24 len2=44
[2004/04/16 09:32:35, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [PRUDENTRX]\[anewby]@[SUPERNOVA] with the new password interface
[2004/04/16 09:32:35, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [PRUDENTRX]\[anewby]@[SUPERNOVA]
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/04/16 09:32:35, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/04/16 09:32:35, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] auth/auth.c:check_ntlm_password(268) check_ntlm_password: winbind authentication for user [anewby] succeeded
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/04/16 09:32:35, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 2] auth/auth.c:check_ntlm_password(305) check_ntlm_password: authentication for user [anewby] -> [anewby] -> [PRUDENTRX#anewby] succeeded
[2004/04/16 09:32:35, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags:
[2004/04/16 09:32:35, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x20080211
[2004/04/16 09:32:35, 3] smbd/password.c:register_vuid(221) User name: PRUDENTRX#anewby Real name:
[2004/04/16 09:32:35, 3] smbd/password.c:register_vuid(240) UNIX uid 10004 is UNIX user PRUDENTRX#anewby, and will be vuid 100
[2004/04/16 09:32:35, 3] smbd/password.c:register_vuid(264) Adding/updating homes service for user 'PRUDENTRX#anewby' using home directory: '/export/home/windows/PRUDENTRX/anewby'
[2004/04/16 09:32:35, 3] smbd/process.c:process_smb(890) Transaction 4 of length 86
[2004/04/16 09:32:35, 3] smbd/process.c:switch_message(685) switch message SMBtconX (pid 18230)
[2004/04/16 09:32:35, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:32:35, 1] smbd/service.c:make_connection(792) make_connection: refusing to connect with no session setup
[2004/04/16 09:32:35, 3] smbd/error.c:error_packet(118) error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

log.winbind (debug level 3)
-------------------------------
[2004/04/16 09:32:19, 3] nsswitch/winbindd_ads.c:trusted_domains(852) ads: trusted_domains
[2004/04/16 09:32:19, 3] libads/ldap.c:ads_connect(218) Connected to LDAP server 192.168.1.11
[2004/04/16 09:32:19, 3] libads/ldap.c:ads_server_info(2030) got ldap server name milkyway@PRUDENTRX.COM, using bind path: dc=PRUDENTRX,dc=COM
[2004/04/16 09:32:19, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(107) IPC$ connections done anonymously
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_start_connection(1337) Connecting to host=MILKYWAY
[2004/04/16 09:32:19, 3] lib/util_sock.c:open_socket_out(710) Connecting to 192.168.1.11 at port 445
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(676) Doing spnego session setup (blob length=111)
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701) got OID=1 2 840 48018 1 2 2
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701) got OID=1 2 840 113554 1 2 2
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701) got OID=1 2 840 113554 1 2 2 3
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701) got OID=1 3 6 1 4 1 311 2 2 10
[2004/04/16 09:32:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708) got principal=milkyway$@PRUDENTRX.COM
[2004/04/16 09:32:19, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(510) Doing kerberos session setup
[2004/04/16 09:32:35, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [18230]: request interface version
[2004/04/16 09:32:35, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [18230]: request location of privileged pipe
[2004/04/16 09:32:35, 3] nsswitch/winbindd_misc.c:winbindd_ping(238) [18230]: ping
[2004/04/16 09:32:35, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(291) [18230]: pam auth crap domain: PRUDENTRX user: anewby
[2004/04/16 09:32:35, 3] nsswitch/winbindd_group.c:winbindd_getgroups(925) [18230]: getgroups PRUDENTRX#anewby
[2004/04/16 09:32:35, 3] nsswitch/winbindd_ads.c:sequence_number(812) ads: fetch sequence_number for PRUDENTRX
[2004/04/16 09:32:35, 3] nsswitch/winbindd_ads.c:name_to_sid(313) ads: name_to_sid
[2004/04/16 09:32:35, 3] libads/ads_ldap.c:ads_name_to_sid(82) ads name_to_sid mapped anewby
[2004/04/16 09:32:35, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [18230]: gid to sid 10004
[2004/04/16 09:32:35, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [18230]: gid to sid 10001
[2004/04/16 09:32:35, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [18230]: gid to sid 10005
[2004/04/16 09:32:35, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [18230]: gid to sid 10006

=========
The log fragments below show a successful NTLM authentication. Even though the client is Admit Mac under OS X, identical results are obtained with Windows XP.
=========

log.smbd
-----------
[2004/04/16 09:55:19, 3] smbd/oplock.c:init_oplocks(1226) open_oplock_ipc: opening loopback UDP socket.
[2004/04/16 09:55:19, 3] smbd/oplock.c:init_oplocks(1257) open_oplock ipc: pid = 3029, global_oplock_port = 33340
[2004/04/16 09:55:19, 3] smbd/process.c:process_smb(890) Transaction 0 of length 72
[2004/04/16 09:55:19, 2] smbd/reply.c:reply_special(105) netbios connect: name1=NEUTRINO name2=SUPERNOVA
[2004/04/16 09:55:19, 2] smbd/reply.c:reply_special(112) netbios connect: local=neutrino remote=supernova, name type = 0
[2004/04/16 09:55:19, 3] smbd/process.c:process_smb(890) Transaction 1 of length 51
[2004/04/16 09:55:19, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 3029)
[2004/04/16 09:55:19, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:19, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [NT LM 0.12]
[2004/04/16 09:55:19, 3] smbd/negprot.c:reply_nt1(323) not using SPNEGO
[2004/04/16 09:55:19, 3] smbd/negprot.c:reply_negprot(532) Selected protocol NT LM 0.12
[2004/04/16 09:55:24, 3] smbd/process.c:process_smb(890) Transaction 2 of length 200
[2004/04/16 09:55:24, 3] smbd/process.c:switch_message(685) switch message SMBsesssetupX (pid 3029)
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638) wct=13 flg2=0x8003
[2004/04/16 09:55:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(772) Domain=[PRUDENTRX] NativeOS=[MacOS 10.3.3] NativeLanMan=[ADmitMac 1.1] PrimaryDomain=[]
[2004/04/16 09:55:24, 2] smbd/sesssetup.c:setup_new_vc_session(591) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/04/16 09:55:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(787) sesssetupX:name=[PRUDENTRX]\[anewby]@[supernova]
[2004/04/16 09:55:24, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [PRUDENTRX]\[anewby]@[supernova] with the new password interface
[2004/04/16 09:55:24, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [PRUDENTRX]\[anewby]@[supernova]
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/04/16 09:55:24, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/04/16 09:55:24, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] auth/auth.c:check_ntlm_password(268) check_ntlm_password: winbind authentication for user [anewby] succeeded
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/04/16 09:55:24, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 2] auth/auth.c:check_ntlm_password(305) check_ntlm_password: authentication for user [anewby] -> [anewby] -> [PRUDENTRX#anewby] succeeded
[2004/04/16 09:55:24, 3] smbd/password.c:register_vuid(221) User name: PRUDENTRX#anewby Real name:
[2004/04/16 09:55:24, 3] smbd/password.c:register_vuid(240) UNIX uid 10004 is UNIX user PRUDENTRX#anewby, and will be vuid 100
[2004/04/16 09:55:24, 3] smbd/password.c:register_vuid(264) Adding/updating homes service for user 'PRUDENTRX#anewby' using home directory: '/export/home/windows/PRUDENTRX/anewby'
[2004/04/16 09:55:24, 3] smbd/process.c:process_smb(890) Transaction 3 of length 86
[2004/04/16 09:55:24, 3] smbd/process.c:switch_message(685) switch message SMBtconX (pid 3029)
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/service.c:make_connection_snum(543) Connect path is '/tmp' for service [IPC$]
[2004/04/16 09:55:24, 3] lib/util_seaccess.c:se_access_check(251)
[2004/04/16 09:55:24, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-3142062744-192200541-591914313-1141
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-512
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1662
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1630
[2004/04/16 09:55:24, 3] smbd/vfs.c:vfs_init_default(203) Initialising default vfs hooks
[2004/04/16 09:55:24, 3] lib/util_seaccess.c:se_access_check(251)
[2004/04/16 09:55:24, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-3142062744-192200541-591914313-1141
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-512
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1662
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1630
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (10004, 10001) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/service.c:make_connection_snum(705) supernova (192.168.1.192) connect to service IPC$ initially as user PRUDENTRX#anewby (uid=10004, gid=10001) (pid 3029)
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/reply.c:reply_tcon_and_X(326) tconX service=IPC$
[2004/04/16 09:55:24, 3] smbd/process.c:process_smb(890) Transaction 4 of length 113
[2004/04/16 09:55:24, 3] smbd/process.c:switch_message(685) switch message SMBtrans (pid 3029)
[2004/04/16 09:55:24, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (10004, 10001) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:24, 3] smbd/ipc.c:reply_trans(538) trans <\PIPE\LANMAN> data=0 params=19 setup=0
[2004/04/16 09:55:24, 3] smbd/ipc.c:named_pipe(334) named pipe command on <LANMAN> name
[2004/04/16 09:55:24, 3] smbd/lanman.c:api_reply(3547) Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=65472,mprcnt=8)
[2004/04/16 09:55:24, 3] smbd/lanman.c:api_reply(3551) Doing RNetShareEnum
[2004/04/16 09:55:24, 3] smbd/lanman.c:api_RNetShareEnum(1528) RNetShareEnum gave 3 entries of 3 (1 65472 158 65472)
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 5 of length 86
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtconX (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/service.c:make_connection_snum(543) Connect path is '/tmp' for service [IPC$]
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(251)
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-3142062744-192200541-591914313-1141
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-512
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1662
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1630
[2004/04/16 09:55:25, 3] smbd/vfs.c:vfs_init_default(203) Initialising default vfs hooks
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(251)
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-3142062744-192200541-591914313-1141
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-512
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1662
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1630
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (10004, 10001) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/service.c:make_connection_snum(705) supernova (192.168.1.192) connect to service IPC$ initially as user PRUDENTRX#anewby (uid=10004, gid=10001) (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/reply.c:reply_tcon_and_X(326) tconX service=IPC$
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 6 of length 39
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtdis (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/service.c:close_cnum(887) supernova (192.168.1.192) closed connection to service IPC$
[2004/04/16 09:55:25, 3] smbd/connection.c:yield_connection(69) Yielding connection to IPC$
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 7 of length 92
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtconX (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/service.c:make_connection_snum(543) Connect path is '/distributions/mirrors' for service [mirrors]
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(251)
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-3142062744-192200541-591914313-1141
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-512
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1662
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1630
[2004/04/16 09:55:25, 3] smbd/vfs.c:vfs_init_default(203) Initialising default vfs hooks
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(251)
[2004/04/16 09:55:25, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-3142062744-192200541-591914313-1141
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-512
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1662
  se_access_check: also S-1-5-21-3142062744-192200541-591914313-1630
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (10004, 10001) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 1] smbd/service.c:make_connection_snum(705) supernova (192.168.1.192) connect to service mirrors initially as user PRUDENTRX#anewby (uid=10004, gid=10001) (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/reply.c:reply_tcon_and_X(326) tconX service=MIRRORS
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 8 of length 72
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (10004, 10001) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2qfsinfo(1393) call_trans2qfsinfo: level = 260
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 9 of length 72
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2qfsinfo(1393) call_trans2qfsinfo: level = 261
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 10 of length 72
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2qfsinfo(1393) call_trans2qfsinfo: level = 769
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 11 of length 80
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2qfilepathinfo(1915) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 257
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [/]
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [.]
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2qfilepathinfo(1943) call_trans2qfilepathinfo . (fnum = -1) level=257 call=5 total_data=0
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 12 of length 86
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2findfirst(951) call_trans2findfirst: dirtype = 22, maxentries = 1, close_after_first=1, close_if_end = 0 requires_resume_key = 0 level = 260, max_data_bytes = 16384
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [/]
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [.]
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [./]
[2004/04/16 09:55:25, 3] smbd/dir.c:dptr_create(491) creating new dirptr 256 for path ./, expect_close = 1
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 13 of length 183
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBntcreateX (pid 3029)
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [/resource.frk/DAVE_VOLUMEFINDERINFO]
[2004/04/16 09:55:25, 3] smbd/dosmode.c:unix_mode(110) unix_mode(resource.frk/DAVE_VOLUMEFINDERINFO) returning 0744
[2004/04/16 09:55:25, 3] lib/util.c:unix_clean_name(580) unix_clean_name [resource.frk/DAVE_VOLUMEFINDERINFO]
[2004/04/16 09:55:25, 3] smbd/open.c:open_file(173) Error opening file resource.frk/DAVE_VOLUMEFINDERINFO (No such file or directory) (local_flags=0) (flags=0)
[2004/04/16 09:55:25, 3] smbd/error.c:error_packet(94) error string = No such file or directory
[2004/04/16 09:55:25, 3] smbd/error.c:error_packet(118) error packet at smbd/trans2.c(1806) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_PATH_NOT_FOUND
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 14 of length 72
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:25, 3] smbd/trans2.c:call_trans2qfsinfo(1393) call_trans2qfsinfo: level = 1
[2004/04/16 09:55:25, 3] smbd/process.c:process_smb(890) Transaction 15 of length 39
[2004/04/16 09:55:25, 3] smbd/process.c:switch_message(685) switch message SMBtdis (pid 3029)
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:25, 3] smbd/service.c:close_cnum(887) supernova (192.168.1.192) closed connection to service IPC$
[2004/04/16 09:55:25, 3] smbd/connection.c:yield_connection(69) Yielding connection to IPC$
[2004/04/16 09:55:25, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:27, 3] smbd/process.c:process_smb(890) Transaction 16 of length 94
[2004/04/16 09:55:27, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:27, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (10004, 10001) - sec_ctx_stack_ndx = 0
[2004/04/16 09:55:27, 3] smbd/trans2.c:call_trans2qfilepathinfo(1915) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 257
[2004/04/16 09:55:27, 3] lib/util.c:unix_clean_name(580) unix_clean_name [/.hidden]
[2004/04/16 09:55:27, 3] lib/util.c:unix_clean_name(580) unix_clean_name [.hidden]
[2004/04/16 09:55:27, 3] smbd/trans2.c:call_trans2qfilepathinfo(1934) call_trans2qfilepathinfo: SMB_VFS_STAT of .hidden failed (No such file or directory)
[2004/04/16 09:55:27, 3] smbd/error.c:error_packet(94) error string = No such file or directory
[2004/04/16 09:55:27, 3] smbd/error.c:error_packet(118) error packet at smbd/trans2.c(1808) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2004/04/16 09:55:27, 3] smbd/process.c:process_smb(890) Transaction 17 of length 94
[2004/04/16 09:55:27, 3] smbd/process.c:switch_message(685) switch message SMBtrans2 (pid 3029)
[2004/04/16 09:55:27, 3] smbd/trans2.c:call_trans2qfilepathinfo(1915) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 257
[2004/04/16 09:55:27, 3] lib/util.c:unix_clean_name(580) unix_clean_name [/.hidden]
[2004/04/16 09:55:27, 3] lib/util.c:unix_clean_name(580) unix_clean_name [.hidden]
[2004/04/16 09:55:27, 3] smbd/trans2.c:call_trans2qfilepathinfo(1934) call_trans2qfilepathinfo: SMB_VFS_STAT of .hidden failed (No such file or directory)
[2004/04/16 09:55:27, 3] smbd/error.c:error_packet(94) error string = No such file or directory
[2004/04/16 09:55:27, 3] smbd/error.c:error_packet(118) error packet at smbd/trans2.c(1808) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND

log.winbind
-------------
[2004/04/16 09:55:24, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [ 3029]: request interface version
[2004/04/16 09:55:24, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [ 3029]: request location of privileged pipe
[2004/04/16 09:55:24, 3] nsswitch/winbindd_misc.c:winbindd_ping(238) [ 3029]: ping
[2004/04/16 09:55:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(291) [ 3029]: pam auth crap domain: PRUDENTRX user: anewby
[2004/04/16 09:55:24, 3] nsswitch/winbindd_group.c:winbindd_getgroups(925) [ 3029]: getgroups PRUDENTRX#anewby
[2004/04/16 09:55:24, 3] nsswitch/winbindd_ads.c:sequence_number(812) ads: fetch sequence_number for PRUDENTRX
[2004/04/16 09:55:24, 3] nsswitch/winbindd_ads.c:name_to_sid(313) ads: name_to_sid
[2004/04/16 09:55:24, 3] libads/ads_ldap.c:ads_name_to_sid(82) ads name_to_sid mapped anewby
[2004/04/16 09:55:24, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [ 3029]: gid to sid 10004
[2004/04/16 09:55:24, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [ 3029]: gid to sid 10001
[2004/04/16 09:55:24, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [ 3029]: gid to sid 10005
[2004/04/16 09:55:24, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(385) [ 3029]: gid to sid 10006

===========
Example of session setup failure when forcing signing
===========

log.smbd
-----------
[2004/04/16 09:59:56, 3] smbd/oplock.c:init_oplocks(1226) open_oplock_ipc: opening loopback UDP socket.
[2004/04/16 09:59:56, 3] smbd/oplock.c:init_oplocks(1257) open_oplock ipc: pid = 6250, global_oplock_port = 33403
[2004/04/16 09:59:56, 3] smbd/process.c:process_smb(890) Transaction 0 of length 72
[2004/04/16 09:59:56, 2] smbd/reply.c:reply_special(105) netbios connect: name1=NEUTRINO name2=SUPERNOVA
[2004/04/16 09:59:56, 2] smbd/reply.c:reply_special(112) netbios connect: local=neutrino remote=supernova, name type = 0
[2004/04/16 09:59:56, 3] smbd/process.c:process_smb(890) Transaction 1 of length 51
[2004/04/16 09:59:56, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 6250)
[2004/04/16 09:59:56, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:59:56, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [NT LM 0.12]
[2004/04/16 09:59:56, 3] smbd/negprot.c:reply_nt1(323) not using SPNEGO
[2004/04/16 09:59:56, 3] smbd/negprot.c:reply_negprot(532) Selected protocol NT LM 0.12
[2004/04/16 09:59:56, 3] smbd/process.c:timeout_processing(1104) timeout_processing: End of file from client (client has disconnected).
[2004/04/16 09:59:56, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/16 09:59:56, 2] smbd/server.c:exit_server(558) Closing connections
[2004/04/16 09:59:56, 3] smbd/connection.c:yield_connection(69) Yielding connection to
[2004/04/16 09:59:56, 3] smbd/server.c:exit_server(601) Server exit (normal exit)
Andrew Bartlett
2004-Apr-22 08:51 UTC
[Samba] Samba 3.0.2a - Erroneously rejects NTLMv2 but accepts NTLM
On Sat, 2004-04-17 at 03:31, Adrian Newby wrote:
> Hello experts,
>
> I'll try and keep this brief but detailed (if that's possible). I'm sure I
> don't understand the technologies sufficiently but I believe I'm seeing
> counter-intuitive behavior with my Samba 3 setup. What I want is nice,
> tight Win 2K3 security. What I've got is ADS integration, including domain
> user authentication using winbind, but I can't get the security level right.
>
> Problem summary:
> ----------------------
> Samba 3.0.2a on Solaris 9 is configured with ADS security.
> Lanman and NTLM authentication is prohibited.
> Clients requesting NTLMv2 authentication result in NT_STATUS_ACCESS_DENIED,
> even though the log suggests authentication is successful.
> Clients requesting NTLM authentication are accepted and authenticated.
> Also, cannot establish initial SMB session when packet signing enforced.
> (log not provided)

Try all this with a current subversion checkout, or 3.0.3rc1.

The ACCESS_DENIED is because the tree connect appears not to have a valid vuid (the token returned by a session setup), which is most odd..

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
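An added triage script (not from this thread and not Samba project code) that walks smbd log records like the ones Adrian posted and reports the facts both messages turn on: whether SPNEGO/NTLMSSP was used, what the negotiated neg_flags mean, whether the len2 reported by ntlmssp_server_auth is a 24-byte NTLMv1 response or a longer NTLMv2 one, whether register_vuid issued a vuid, and whether the following SMBtconX was still refused for "no session setup" (the vuid contradiction Andrew points at). The sample log is constructed from the fragments quoted above; the flag names follow MS-NLMP, and the parser accepts both Samba's native two-line layout and entries joined onto one line as in the archive.

```python
"""Added triage helper for Samba 3.0-era smbd debug logs (not code from this
thread or the Samba project): parses records, decodes NTLMSSP neg_flags, tells
a 24-byte NTLMv1 NT response from a longer NTLMv2 one, and flags a session that
gets a vuid from register_vuid yet has its next SMBtconX refused."""
import re

# MS-NLMP NEGOTIATE bits used here; any other set bit is reported as UNKNOWN.
NTLMSSP_FLAGS = {
    0x00000001: "UNICODE",
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000080: "LM_KEY",
    0x00000200: "NTLM",
    0x00080000: "EXTENDED_SESSIONSECURITY",  # "NTLM2" session security
    0x00800000: "TARGET_INFO",
    0x20000000: "128",
}

# "[date time, level] file.c:func(line)" with the message on the same line (as
# in the archived thread) or on the indented line that follows (native layout).
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+?):(\w+)\((\d+)\)\s*(.*)$")

# Constructed sample: records lifted from the failed-NTLMv2 log in the thread.
SAMPLE_FAILED_NTLMV2 = """\
[2004/04/16 09:31:59, 3] smbd/negprot.c:reply_nt1(329)
  using SPNEGO
[2004/04/16 09:32:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(616)
  Got user=[anewby] domain=[PRUDENTRX] workstation=[SUPERNOVA] len1=24 len2=44
[2004/04/16 09:32:35, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [anewby] -> [anewby] -> [PRUDENTRX#anewby] succeeded
[2004/04/16 09:32:35, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x20080211
[2004/04/16 09:32:35, 3] smbd/password.c:register_vuid(240)
  UNIX uid 10004 is UNIX user PRUDENTRX#anewby, and will be vuid 100
[2004/04/16 09:32:35, 1] smbd/service.c:make_connection(792)
  make_connection: refusing to connect with no session setup
"""

def parse_smbd_log(text):
    """Return one dict per record; continuation lines are folded into 'msg'."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)), "file": m.group(3),
                       "func": m.group(4), "line": int(m.group(5)), "msg": m.group(6)}
            entries.append(current)
        elif current is not None and line:
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries

def decode_ntlmssp_flags(flags):
    """Name each known bit (lowest first) and report any leftover bits."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(NTLMSSP_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%08x)" % unknown)
    return names

def classify_nt_response(length):
    """An NTLMv1 NT response is exactly 24 bytes; an NTLMv2 response is a
    16-byte HMAC-MD5 followed by a variable blob, so it is always longer."""
    if length == 24:
        return "NTLMv1-style (24-byte response)"
    if length > 24:
        return "NTLMv2-style (16-byte HMAC + %d-byte blob)" % (length - 16)
    return "empty/unknown"

def analyze_session(entries):
    """Summarise one smbd child's authentication path and spot the anomaly."""
    report = {"spnego": False, "neg_flags": [], "user": None, "nt_response": None,
              "auth_ok": False, "vuid": None, "tconx_refused_no_session": False}
    for e in entries:
        msg = e["msg"]
        if e["func"] == "reply_nt1":
            report["spnego"] = "not using SPNEGO" not in msg
        elif e["func"] == "debug_ntlmssp_flags":
            # Logged twice per exchange; the later line is the negotiated set.
            m = re.search(r"neg_flags=0x([0-9a-fA-F]+)", msg)
            if m:
                report["neg_flags"] = decode_ntlmssp_flags(int(m.group(1), 16))
        elif e["func"] == "ntlmssp_server_auth":
            m = re.search(r"user=\[([^\]]*)\].*len2=(\d+)", msg)
            if m:
                report["user"] = m.group(1)
                report["nt_response"] = classify_nt_response(int(m.group(2)))
        elif e["func"] == "check_ntlm_password" and "->" in msg and "succeeded" in msg:
            report["auth_ok"] = True
        elif e["func"] == "register_vuid":
            m = re.search(r"will be vuid (\d+)", msg)
            if m:
                report["vuid"] = int(m.group(1))
        elif e["func"] == "make_connection" and "no session setup" in msg:
            report["tconx_refused_no_session"] = True
    # A vuid was issued, yet the next tree connect acts as if no session setup happened.
    report["anomaly"] = report["vuid"] is not None and report["tconx_refused_no_session"]
    return report
```

`analyze_session(parse_smbd_log(SAMPLE_FAILED_NTLMV2))` reports an NTLMv2-style response, a successful winbind check, vuid 100 and the refused SMBtconX together, which is exactly the "most odd" combination; on the second (plain NTLM, no SPNEGO) log it finds no NTLMSSP records and no anomaly.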