[jcifs] Re: DFS and signing

Michael B Allen mba2000 at ioplex.com
Fri Dec 15 16:17:34 GMT 2006


Hi Thomas,

The DFS fix in 1.2.12b was specifically for a problem with getSecurity()
not working at all over DFS. But based on your feedback it sounds like
it has also improved DFS support overall which is good.

The remaining long-standing issues in DFS will need to be examined
further at a later time as I am currently busy with projects and I need
to resolve some resource issues as I do not have enough machines to create
an adequate DFS environment. I have saved all of your valuable feedback.

The short analysis of what appears to be two separate issues is
that I need to look closely at HOW the dfsReferral.path.length()
can be greater than the unc.length() which is the source of the
StringIndexOutOfBoundsException. That challenges my already shaky
understanding of DFS. The signing problem sounds like a logic issue
as Samba is getting the wrong sequence number as shown below by your
informative Samba log. Additionally, if you use credentials negotiated
over NTLM, bear in mind that they will need to be renegotiated when a
DFS referral is encountered (I believe NetworkExplorer handled this
correctly at one time).

Mike

On Fri, 15 Dec 2006 13:33:37 +0100
Thomas Bley <thomas.bley at simple-groupware.de> wrote:

> Hello,
> 
> I tried to enable signing on a samba 3.0.12 server (server signing = 
> mandatory):
> samba logfile: (maybe this helps to find the problem)
> 
> [2006/12/15 15:20:06, 1] smbd/service.c:make_connection_snum(642)
>   192.168.0.4 (192.168.0.4) signed connect to service dfs initially as 
> user administrator (uid=1000, gid=100) (pid 3316)
> [2006/12/15 15:20:06, 0] 
> libsmb/smb_signing.c:srv_check_incoming_message(779)
>   srv_check_incoming_message: BAD SIG: seq 8 wanted SMB signature of
> [2006/12/15 15:20:06, 0] 
> libsmb/smb_signing.c:srv_check_incoming_message(783)
>   srv_check_incoming_message: BAD SIG: seq 8 got SMB signature of
> [2006/12/15 15:20:06, 0] 
> libsmb/smb_signing.c:srv_check_incoming_message(795)
>   srv_check_incoming_message: out of seq. seq num 10 matches. We were 
> expecting seq 8
> [2006/12/15 15:20:06, 0] libsmb/smb_signing.c:signing_good(240)
>   signing_good: BAD SIG: seq 8
> [2006/12/15 15:20:06, 0] lib/util_sock.c:receive_smb(619)
>   receive_smb: SMB Signature verification failed on incoming packet!
> [2006/12/15 15:20:06, 1] smbd/service.c:close_cnum(830)
>   192.168.0.4 (192.168.0.4) closed connection to service dfs
> [2006/12/15 15:20:50, 1] smbd/service.c:make_connection_snum(642)
>   tomxp (192.168.0.4) signed connect to service test1 initially as user 
> administrator (uid=1000, gid=100) (pid 3329)
> 
> 
> code is:
> 
>     public static NtlmPasswordAuthentication ntlm = new 
> NtlmPasswordAuthentication("","administrator","admin");
> 
>     public static void queryPath(String path) throws Exception {
>         System.out.println("Query url "+path);
>         SmbFile file0 = new SmbFile( path, ntlm );
>         SmbFile[] files0 = file0.listFiles();
>         for( int i = 0; i < files0.length; i++ ) {
>             System.out.print( " " + files0[i].getName()+"#\n" );
>         }
>         System.out.println("__end__");
>     }
>    
>     public static void main( String[] argv ) throws Exception {
>         queryPath("smb://192.168.0.2/dfs/share1/");
>         queryPath("smb://192.168.0.2/dfs/vdir4/");
>     }
> 
> \\192.168.0.2\share1 points to msdfs:192.168.0.4\temp
> \\192.168.0.2\vdir4 points to msdfs:192.168.0.2\dfs
> 192.168.0.2 is the Samba machine, 192.168.0.4 is WinXP sp2
> 
> jcifs output: see attachment
> 
> bye
> Thomas
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
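
Added illustration of the "expecting seq 8 / seq num 10 matches" lines in the Samba log above; this is not code from jCIFS, Samba, or either poster. It is a minimal Python model of SMB1 message signing (first 8 bytes of MD5 over the MAC key plus the message, with the sequence number placed in the signature field) and of a server-side check that tracks the expected sequence number. The key, the messages, and the one exchange the client counts but the server never sees are constructed assumptions, not a diagnosis of the jCIFS bug.

```python
import hashlib
import struct

SIG_OFFSET = 14  # SecuritySignature field occupies bytes 14..21 of the SMB1 header

def sign(mac_key: bytes, msg: bytes, seq: int) -> bytes:
    """Return msg with the SMB1 signature for sequence number seq filled in."""
    buf = bytearray(msg)
    # While hashing, the field holds the sequence number: 4 bytes LE + 4 zero bytes.
    buf[SIG_OFFSET:SIG_OFFSET + 8] = struct.pack("<II", seq, 0)
    digest = hashlib.md5(mac_key + bytes(buf)).digest()
    buf[SIG_OFFSET:SIG_OFFSET + 8] = digest[:8]
    return bytes(buf)

class Server:
    """Hypothetical verifier that keeps the expected request sequence number."""
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.expected = 0

    def check(self, msg: bytes, lookahead: int = 4):
        """Return ("ok", seq), or ("bad", nearby seq that does match, else None)."""
        if sign(self.mac_key, msg, self.expected) == msg:
            seq = self.expected
            self.expected += 2  # the response to this request uses seq + 1
            return "ok", seq
        # Diagnostic only: report which nearby number the sender must have used.
        for cand in range(self.expected + 1, self.expected + 1 + lookahead):
            if sign(self.mac_key, msg, cand) == msg:
                return "bad", cand
        return "bad", None  # a real server drops the connection on any "bad"

def demo():
    key = b"constructed-mac-key"  # constructed; a real key comes from session setup
    server, client_seq, results = Server(key), 0, []
    for i in range(6):
        msg = b"\xffSMB" + bytes(28) + b"request %d" % i  # constructed header + body
        if i == 4:
            client_seq += 2  # assumption: client counts an exchange this server never saw
            continue
        results.append(server.check(sign(key, msg, client_seq)))
        client_seq += 2
    return results

if __name__ == "__main__":
    for status, seq in demo():
        print(status, seq)
```

The final request is validly signed, but with sequence number 10 while the server still expects 8, so verification fails even though key and message are intact.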

