[Samba] SMB signing broken? 3.0.7 -> 3.0.8

Tim sambalist at darkgate.net
Wed Mar 16 11:46:44 GMT 2005 

Hi Jeremy,

Yep, that reversion patch you did fixed it.  I'm a little surprised
nobody else has mentioned this before me though.  I assume it would
affect everybody who's DCs require smb signing?

Thanks for your help, I'll be rolling out 3.0.11 today.

Regards,

Tim.

Quoting Jeremy Allison <jra at samba.org>:

> On Tue, Mar 15, 2005 at 03:00:17PM +0000, Tim wrote:
> > Hi all.
> > 
> > I originally suspected this problem was with netbios (which I have
> > disabled by default) and Jerry has helped me out a bit with but I've
> > been doing some more digging and I think the problem lies back further
> > than I expected.
> > 
> > I was trying to upgrade from 3.0.7 to 3.0.11 so I've recompiled all
> > versions back from 3.0.11 and the problem first occured in 3.0.8.  The
> > issue is with winbind, and the error I'm getting is
> > "failed tcon_X with NT_STATUS_ACCESS_DENIED":
> > 
> > === 3.0.8:  /usr/bin/winbind -i -d10 ===
> > ...
> > Got KRB5 session key of length 8
> > SMB signing enabled!
> > cli_simple_set_signing: user_session_key
> > [000] C8 5E D6 1A A1 46 10 BA                           .^...F..
> > cli_simple_set_signing: NULL response_data
> > simple_packet_signature: sequence number 0
> > client_sign_outgoing_message: sent SMB signature of
> > [000] 84 84 78 B3 60 4A 05 5B                           ..x.`J.[
> > store_sequence_for_reply: stored seq = 1 mid = 2
> > ...
> > client_check_incoming_message: BAD SIG: wanted SMB signature of
> > [000] D7 08 07 13 97 AC E9 8B                           ........
> > client_check_incoming_message: BAD SIG: got SMB signature of
> > [000] EF 85 1C D4 6A 1D AC 9D                           ....j...
> > 
> > 
> > 
> > So... and please correct me if I'm wrong, but something changed
> > between 3.0.7 and 3.0.8 to do with SMB signing.  The signature
> > size seems to have changed, but I don't know enough about the
> > SMB protocol to work out what this would mean.
> > 
> > I also notice this in the Changelog:
> > 
> >   o Fixes for kerberos interoperability with Windows 200x
> >     domains when using DES keys.
> 
> Can you try this patch. It reverts that change.
> 
> Jeremy.
>

More information about the samba mailing list