[Samba] Problem with smbclient to Windows 2003 Server.

Back Daniel di0bada at chl.chalmers.se
Fri May 2 14:35:18 GMT 2003


Hello! 

I’m writing to you all on behalf of my working party, a group of students at 
Chalmers Lindholmen University. We have been working on a problem for 6 weeks 
but we have come to a dead stop. If you could help us in any way we would 
remember it with gratitude and make sure it’s not forgotten! 

We are wondering if someone can assist us with a dilemma we have regarding
Samba 3.0 alpha23 on Red Hat 8.0 and Windows 2003 Server when using smbclient.

The problem started when we tried to use Kerberos with smbclient to log on to a 
Windows 2003 Server. We got Access Denied as you can see below:

[root@alpha23 root]# kinit
Password for administrator@XJSIMPLE.FOO:

[root@alpha23 root]# smbclient //192.168.0.1/public -k
added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Doing spnego session setup (blob length=112)
Doing kerberos session setup
OS=[Windows .NET 3663] Server=[Windows .NET 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED


So we tried to log on with a username and password instead of Kerberos and this 
happened:

[root@alpha23 root]# smbclient //192.168.0.1/public -U administrator
added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Password:
Doing spnego session setup (blob length=112)
NTLMSSP packet check failed due to invalid signiture!
OS=[Windows .NET 3663] Server=[Windows .NET 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@alpha23 root]# smbclient //192.168.0.1/public -U administrator -d 10
---------8<----------------
crc32_calc_buffer: 3a4aa1f8
NTLMSSP packet check failed due to invalid signiture!
NTLMSSP signing failed with NT_STATUS_ACCESS_DENIED
got SMB signature of
[000] 22 80 CF FD 58 14 2C C9                           "...X.,.
Server did not sign reply correctly
---------8<----------------

We captured the packets with Ethereal and found this:

---------8<----------------
Negotiate Protocol Response (0x72)
    Word Count (WCT): 17
    Dialect Index: 8, greater than LANMAN2.1
    Security Mode: 0x0f
        .... ...1 = Mode: USER security mode
        .... ..1. = Password: ENCRYPTED password. Use challenge/response
        .... .1.. = Signatures: Security signatures ENABLED
        .... 1... = Sig Req: Security signatures REQUIRED
---------8<----------------

Windows 2003 Server requires every SMB-packet to have a security signature. 
After this we did the same thing but instead of a Windows 2003 server we used a 
Windows 2000 Server and we had no problem with smbclient and the server gave us 
this:

---------8<----------------
Negotiate Protocol Response (0x72)
    Word Count (WCT): 17
    Dialect Index: 8, greater than LANMAN2.1
    Security Mode: 0x07
        .... ...1 = Mode: USER security mode
        .... ..1. = Password: ENCRYPTED password. Use challenge/response
        .... .1.. = Signatures: Security signatures ENABLED
        .... 0... = Sig Req: Security signatures NOT required
---------8<----------------


So, W2K doesn’t need SMB packet signatures and we have no problems, but we 
want it to work with Windows 2003. What’s the difference between Windows 2000 
and Windows 2003 when it comes to security signatures of SMB packets? Can we 
disable signatures in Windows 2003 Server or do we have to make some changes in 
Red Hat/Samba? Is there another way to get around this problem?

Is the problem with Microsoft (we believe so) or is there something we can do 
with Samba or Red Hat?


If you need more information just ask for it and we will give it ASAP.


//Daniel

-----------------------------8<----------------------------------

smb.conf
--------8<----------------
[global]
  workgroup = XJSIMPLE
  realm = XJSIMPLE.FOO
  ads server = 192.168.0.1
  security = ads
  encrypt passwords = yes
  domain master = no
  preferred master = yes
  wins support = no
  dns proxy = yes
---------8<----------------


krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = XJSIMPLE.FOO
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[realms]
 XJSIMPLE.FOO = {
  kdc = 192.168.0.1:88
  admin_server = 192.168.0.1:749
  default_domain = xjsimple.foo
 }

[domain_realm]
 .xjsimple.foo = XJSIMPLE.FOO
 xjsimple.foo = XJSIMPLE.FOO

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
-----------------------------8<------------------------------
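
Added example, not part of the original post: a small Python decoder for the Security Mode byte of the Negotiate Protocol Response shown in the two Ethereal captures, run on constructed frames carrying the values 0x0f and 0x07. The function names and the zero-filled sample frames are assumptions made for illustration.

```python
import struct

# SecurityMode bits of the SMB1 Negotiate Protocol Response (same labels as the captures).
MODE_BITS = {0x01: "user_security", 0x02: "encrypted_passwords",
             0x04: "signatures_enabled", 0x08: "signatures_required"}

def parse_negotiate_response(frame: bytes) -> dict:
    """Decode dialect index and SecurityMode; frame starts at the SMB header."""
    if len(frame) < 33 or frame[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if frame[4] != 0x72:
        raise ValueError("not a Negotiate Protocol message (0x72)")
    wct = frame[32]                      # word count follows the 32-byte header
    if wct != 17 or len(frame) < 33 + 2 * wct:
        raise ValueError("expected the 17-word NT LM 0.12 response")
    # Parameter words begin with DialectIndex (uint16 LE) then SecurityMode (uint8).
    dialect, mode = struct.unpack_from("<HB", frame, 33)
    result = {"dialect_index": dialect, "security_mode": mode}
    result.update({name: bool(mode & bit) for bit, name in MODE_BITS.items()})
    return result

def signing_posture(resp: dict) -> str:
    """Summarise what the server announced about SMB signing."""
    if resp["signatures_required"]:
        return "required"
    return "enabled" if resp["signatures_enabled"] else "disabled"

def differing_bits(a: dict, b: dict) -> list:
    """Names of the SecurityMode bits on which two responses disagree."""
    return [name for name in MODE_BITS.values() if a[name] != b[name]]

def sample_frame(mode: int, dialect: int = 8) -> bytes:
    """Constructed frame: all fields zero except command, reply flag, WCT, dialect, mode."""
    header = b"\xffSMB\x72" + b"\x00" * 4 + b"\x80" + b"\x00" * 22   # 32 bytes
    words = struct.pack("<HB", dialect, mode) + b"\x00" * 31         # 17 words
    return header + bytes([17]) + words + b"\x00\x00"                # ByteCount = 0

if __name__ == "__main__":
    w2003 = parse_negotiate_response(sample_frame(0x0F))  # value from the first capture
    w2000 = parse_negotiate_response(sample_frame(0x07))  # value from the second capture
    print("2003:", signing_posture(w2003), " 2000:", signing_posture(w2000))
    print("differs in:", differing_bits(w2003, w2000))
```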

