[Samba] SMB signing broken? 3.0.7 -> 3.0.8

Tim sambalist at darkgate.net
Tue Mar 15 15:00:17 GMT 2005


Hi all.

I originally suspected this problem was with netbios (which I have
disabled by default) and Jerry has helped me out a bit with it, but I've
been doing some more digging and I think the problem lies back further
than I expected.

I was trying to upgrade from 3.0.7 to 3.0.11 so I've recompiled all
versions back from 3.0.11 and the problem first occurred in 3.0.8.  The
issue is with winbind, and the error I'm getting is
"failed tcon_X with NT_STATUS_ACCESS_DENIED":

=== 3.0.7:  /usr/bin/winbind -i -d3 ===
...
Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 16 Mar 2005 00:41:08 GMT
ads: trusted_domains
Connected to LDAP server 10.140.72.17
got ldap server name loneswdbp4 at DBG.ADS.DB.COM, using bind path:
dc=DBG,dc=ADS,dc=DB,dc=COM
IPC$ connections done anonymously
Connecting to host=LONESWDBP4
Connecting to 10.140.72.17 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=loneswdbp4$@DBG.ADS.DB.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 16 Mar 2005 00:41:18 GMT
add_trusted_domain: TRAN is an NT4  domain
Added domain TRAN tran.stt S-1-5-21-343818398-606747145-725345543
add_trusted_domain: ADS is an NT4  domain
Added domain ADS ADS.DB.COM S-1-5-21-1960408961-1935655697-1801674531
....etc

=== 3.0.8:  /usr/bin/winbind -i -d3 ===
...
Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 16 Mar 2005 00:43:41 GMT
ads: trusted_domains
Connected to LDAP server 10.140.72.17
got ldap server name loneswdbp4 at DBG.ADS.DB.COM, using bind path:
dc=DBG,dc=ADS,dc=DB,dc=COM
IPC$ connections done anonymously
Connecting to host=LONESWDBP4
Connecting to 10.140.72.17 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=loneswdbp4$@DBG.ADS.DB.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 16 Mar 2005 00:43:51 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
...


Now, if I turn on more debugging, you see this:

=== 3.0.7:  /usr/bin/winbind -i -d10 ===
...
Got KRB5 session key of length 16
SMB signing enabled!
cli_simple_set_signing: user_session_key
[000] C1 6D 83 5F 6A 94 6B 73  57 46 0B CB 16 03 CB B1  .m._j.ks WF......
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[000] CD 85 93 7F A1 A8 34 22                           ......4"
store_sequence_for_reply: stored seq = 1 mid = 2
...
client_check_incoming_message: seq 1: got good SMB signature of
[000] 9D E9 1B CC 6F 48 42 92                           ....oHB.
...

=== 3.0.8:  /usr/bin/winbind -i -d10 ===
...
Got KRB5 session key of length 8
SMB signing enabled!
cli_simple_set_signing: user_session_key
[000] C8 5E D6 1A A1 46 10 BA                           .^...F..
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[000] 84 84 78 B3 60 4A 05 5B                           ..x.`J.[
store_sequence_for_reply: stored seq = 1 mid = 2
...
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] D7 08 07 13 97 AC E9 8B                           ........
client_check_incoming_message: BAD SIG: got SMB signature of
[000] EF 85 1C D4 6A 1D AC 9D                           ....j...



So... and please correct me if I'm wrong, but something changed
between 3.0.7 and 3.0.8 to do with SMB signing.  The signature
size seems to have changed, but I don't know enough about the
SMB protocol to work out what this would mean.

I also notice this in the Changelog:

  o Fixes for kerberos interoperability with Windows 200x
    domains when using DES keys.

...and a few other people have encountered this issue:

http://marc.theaimsgroup.com/?l=samba&m=110217288924619&w=2
http://marc.theaimsgroup.com/?l=samba&m=110128503324928&w=2
http://marc.theaimsgroup.com/?l=samba&m=109171118423701&w=2

but I don't see any resolutions in the mailing list.  Any
help would be appreciated, I'd really like to upgrade because of
the security vulnerabilities.

Thanks,

Tim.
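
A triage of the two -d10 excerpts above, as an added example that is not part of the original post or of Samba: it pulls the Kerberos session key length, the dumped signing key and the signature check results out of each log, then reports what separates the working run from the failing one. The function names and the trimmed sample strings are constructed here from the log lines quoted in the post.

```python
import re
# Constructed sample input: lines copied from the two -d10 excerpts in the post.
OLD = """Got KRB5 session key of length 16
cli_simple_set_signing: user_session_key
[000] C1 6D 83 5F 6A 94 6B 73  57 46 0B CB 16 03 CB B1  .m._j.ks WF......
client_check_incoming_message: seq 1: got good SMB signature of
"""
NEW = """Got KRB5 session key of length 8
cli_simple_set_signing: user_session_key
[000] C8 5E D6 1A A1 46 10 BA                           .^...F..
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] D7 08 07 13 97 AC E9 8B                           ........
client_check_incoming_message: BAD SIG: got SMB signature of
[000] EF 85 1C D4 6A 1D AC 9D                           ....j...
"""
HEX_LINE = re.compile(r"^\[\d{3}\]((?: {1,2}[0-9A-F]{2}){1,16})")

def dump_after(lines, i):
    """Bytes from the hex dump line following lines[i], or b'' if none."""
    m = HEX_LINE.match(lines[i + 1]) if i + 1 < len(lines) else None
    return bytes.fromhex(m.group(1).replace(" ", "")) if m else b""

def triage(log):
    """Extract signing-related facts from one winbind debug log."""
    lines = log.splitlines()
    r = {"key_len": None, "key": b"", "good": 0, "bad": []}
    for i, line in enumerate(lines):
        m = re.search(r"Got KRB5 session key of length (\d+)", line)
        if m:
            r["key_len"] = int(m.group(1))
        elif "cli_simple_set_signing: user_session_key" in line:
            r["key"] = dump_after(lines, i)
        elif "got good SMB signature" in line:
            r["good"] += 1
        elif "BAD SIG: wanted" in line:
            r["bad"].append({"wanted": dump_after(lines, i)})
        elif "BAD SIG: got" in line and r["bad"]:
            r["bad"][-1]["got"] = dump_after(lines, i)
    return r

def compare(old, new):
    """Findings that separate a working run from a failing one."""
    a, b = triage(old), triage(new)
    out = []
    if a["key_len"] != b["key_len"]:
        out.append(f"session key length {a['key_len']} -> {b['key_len']}")
    if b["bad"] and not a["bad"]:
        out.append(f"new run: {len(b['bad'])} BAD SIG, old run: none")
    return out
```

Calling `compare()` on full log files from two builds gives the same short list of differences to attach to a bug report.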

