Greetings,
I've set up a Samba 3.0.23a PDC on Fedora Core 5 and joined a
couple XP clients to the domain successfully. However, when I start
using the Samba PDC's "homes" share from the XP client, I eventually
get errors such as the following:
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:srv_check_incoming_message(657)
srv_check_incoming_message: BAD SIG: seq 798 wanted SMB signature of
[2006/08/05 03:28:07, 5] lib/util.c:dump_data(2237)
[000] 38 72 55 75 A5 07 5E C3 8rUu..^.
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:srv_check_incoming_message(661)
srv_check_incoming_message: BAD SIG: seq 798 got SMB signature of
[2006/08/05 03:28:07, 5] lib/util.c:dump_data(2237)
[000] FA B5 F7 8E 38 76 3C EA ....8v<.
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
simple_packet_signature: sequence number 793
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
simple_packet_signature: sequence number 794
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
simple_packet_signature: sequence number 795
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
simple_packet_signature: sequence number 796
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
simple_packet_signature: sequence number 797
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:srv_check_incoming_message(673)
srv_check_incoming_message: out of seq. seq num 797 matches. We were expecting seq 798
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:signing_good(232)
signing_good: BAD SIG: seq 798
[2006/08/05 03:28:07, 0] lib/util_sock.c:receive_smb(741)
receive_smb: SMB Signature verification failed on incoming packet!
[2006/08/05 03:28:07, 3] smbd/process.c:timeout_processing(1370)
timeout_processing: receive_smb error bad smb signature. Exiting
Steps to reproduce:
1. Log in as a domain user with XP.
2. Go to Z: in an Explorer window, which is mapped to my home
directory on the Samba server.
3. Browse around in Explorer: enter a few directories, hover over some
files (brings up tool tip with information about the file), etc.
That's all it takes. I've always gotten the above error
within one minute of when I start browsing around the mapped drive.
After I get this error on the Samba server, XP closes the explorer
window and tells me the Samba PDC is in offline files mode. If I
"Synchronize" my files with the PDC (My Documents is in my home
directory), it comes back online, and I can repeat the above procedure
again to trigger the error again.
I've set "server signing = auto" in my configuration. When I
comment it out (i.e., go back to default "server signing = no")
everything seems to work fine: I browsed files for a little while,
opened some files to see that their contents appeared correct, etc.
Further notes:
- I successfully rsync'ed about 420GiB data to the server running
Samba, so I don't think the network is a problem.
- I've been using this XP client with an old Samba 2.2 PDC on
different hardware without any issues for at least a couple of
months. Of course, AFAIK, Samba 2.2 didn't do signing.
- I've never been able to recreate these bad signature errors with
smbclient.
- Samba is as distributed by the Fedora Project; rpm verifies that
files are unchanged from the distributed versions (except for
smb.conf)
- Nothing meaningful in dmesg to indicate a larger system problem.
- Tested with SELinux on and off (I usually run with it in enforcing
mode with the "targeted" policy in FC5).
A couple of things that might make my situation "unique" (i.e.,
weird):
1. I'm migrating from an old server running a Samba 2.2 PDC to a new
server running a Samba 3 PDC. To accomplish this migration I did
manually copy the PDC/domain SID from the old LDAP server to the
new LDAP server. I also copied my old user SID to the new server,
so that my local profile on the XP client wouldn't (shouldn't? It
seems to work) require any changes. When I move the XP client to
the new PDC, I just re-join the (new) domain and my user account
continues to work.
2. My XP client is running in VMware Workstation on a Fedora Core 5
host (not the same FC5 server that's running Samba, but a different
machine). This is the XP client that's been successfully talking
to the Samba 2.2 PDC for quite some time, though, and the XP client
that talks to Samba 3 just fine when server signing is turned off.
I did test from different hardware with a different XP
install, one that had never been on the domain, and got the same
error; note that this second XP install was also XP running inside
VMware Workstation on a FC5 host. Also, on the second XP/VMware
client, I was going through an OpenVPN (TAP-Win32 Ethertap) tunnel;
since I got the same error, I feel like this rules out something like
VMware's network driver corrupting the packets, since they were
encapsulated by OpenVPN when VMware got them.
Can anyone provide insight as to what I'm doing wrong, or is
this a bug? I'm leaning towards bug, as unlikely as it seems that I
should run into a signing bug with such a relatively simple
configuration. One thing that makes me believe this is a bug: it
always seems to happen (on both XP clients) on an identical looking
packet/request, as judged by reading the SMB fields both in the Samba
logs and the tcpdump output; i.e., size=71, SMB command=0xa0 (but
don't depend on that information too much as I wasn't particularly
rigorous about confirming it).
The only thing I can think of is that you're not supposed to
use server signing without Kerberos set up (or perhaps without Active
Directory), based on a few messages I've seen mentioning problems with
MIT krb5 < 1.3.0 and signing. If that's the case, though, why am I
allowed to turn on server signing? And why does it seem to work until
a certain point in the conversation?
Thanks,
Dale
Relevant versions:
Server:
Fedora Core 5
kernel-smp-2.6.17-1.2157_FC5 (dual core Intel system, e1000 NIC)
samba-3.0.23a-1.fc5.1
Fedora Directory Server 1.0.2
Client:
Windows XP SP2, up-to-date with Windows Update
Running on VMware Workstation 5.5.1 19175, bridged networking
VMware host is FC5, kernel-2.6.17-1.2157_FC5, forcedeth NIC
Complete log: http://www.codefu.org/people/darkness/samba/ordeith.log
Packet dumps: look at *.dump.gz in
http://www.codefu.org/people/darkness/samba/
Output of testparm -v:
http://www.codefu.org/people/darkness/samba/ordeith.log
(verin is the server, ordeith is the client, PAD is the domain)
smb.conf (from testparm):
[global]
workgroup = PAD
server string = verin.caliginous.net
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://ldap.caliginous.net
lanman auth = No
log level = 10
log file = /var/log/samba/%m.log
max log size = 50
time server = Yes
server signing = auto
add machine script = /usr/sbin/luseradd -n -g samba-machines -c Machine -M -d /dev/null -s /sbin/nologin %u
logon path =
logon drive = Z:
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=samba, ou=Special Users, dc=caliginous, dc=net
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=caliginous, dc=net
ldap ssl = start tls
ldap user suffix = ou=People
hosts allow = 127., 10.
use sendfile = Yes
cups options = raw
[homes]
comment = Home Directories
path = /srv/storage/storage1/home/%u
valid users = %S
read only = No
create mask = 0660
directory mask = 0770
browseable = No
[netlogon]
comment = Network Logon Service
path = /srv/smb/netlogon
guest ok = Yes
share modes = No
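
Added example, not part of the original post and not Samba's code: a sketch of SMB1 message signing (MD5 over the MAC key plus the message, with the sequence number placed in the signature field) and a verifier that, on failure, probes nearby sequence numbers, which is the distinction the log line "out of seq. seq num 797 matches. We were expecting seq 798" reports. The function names, the search window, the MAC key and the packet bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8  # SecuritySignature field in the 32-byte SMB1 header


def smb1_signature(mac_key: bytes, smb: bytes, seq: int) -> bytes:
    """MD5 over MAC key + message, with the sequence number placed in the
    signature field (4 bytes little-endian, then 4 zero bytes); keep 8 bytes."""
    seq_field = struct.pack("<I", seq) + b"\x00" * 4
    stamped = smb[:SIG_OFFSET] + seq_field + smb[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(mac_key + stamped).digest()[:SIG_LEN]


def sign(mac_key: bytes, smb: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in for `seq`."""
    sig = smb1_signature(mac_key, smb, seq)
    return smb[:SIG_OFFSET] + sig + smb[SIG_OFFSET + SIG_LEN:]


def check_incoming(mac_key: bytes, smb: bytes, expected_seq: int, window: int = 5):
    """Verify against expected_seq; on failure, probe nearby sequence numbers
    to tell a counter desync apart from a modified or wrongly keyed packet."""
    got = smb[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    if hmac.compare_digest(got, smb1_signature(mac_key, smb, expected_seq)):
        return ("ok", expected_seq)
    for seq in range(max(0, expected_seq - window), expected_seq + window + 1):
        if hmac.compare_digest(got, smb1_signature(mac_key, smb, seq)):
            return ("out_of_seq", seq)
    return ("bad_sig", None)


# Constructed sample: 71-byte SMB1 message with command 0xa0, matching the size
# and command the post mentions; key and body bytes are made up.
MAC_KEY = bytes(range(16))
HEADER = b"\xffSMB\xa0" + b"\x00" * 27          # 32-byte header, signature zeroed
PACKET = HEADER + b"\x13" * (71 - len(HEADER))  # 39 body bytes

if __name__ == "__main__":
    desynced = sign(MAC_KEY, PACKET, 797)        # client's counter is one behind
    print(check_incoming(MAC_KEY, desynced, 798))
    tampered = sign(MAC_KEY, PACKET, 798)[:-1] + b"\x00"
    print(check_incoming(MAC_KEY, tampered, 798))
```

A result of "out_of_seq" means the key and packet contents are intact and only the two sides' counters disagree; "bad_sig" means no nearby sequence number explains the mismatch.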