Security hole?

Luke Kenneth Casson Leighton lkcl at
Tue May 5 12:11:09 GMT 1998

On Tue, 5 May 1998, Andrew Tridgell wrote:

> > > hmmm, if you set this option in NT then how does browse list
> > > propagation work? There is no way you could do inter-subnet browsing
> > > without null sessions.
> > 
> > the win95 and nt clients, if you reject null sessions on IPC$, reconnect
> > with the currently logged-in username and password.  i have been
> > mentioning this since january.
> nope, that doesn't make sense.

why not?

> browse lists are maintained when there isn't anyone logged in.

ah, good point.  information interchanged between... ah, but if you have
two NT Domain Controllers, then they can interchange information using the
"trust" account system (not that i've fully investigated this...)

if your NT DC is contacting a non-NT-like machine, then it can use null

> > it also solves the [homes] problem.
> nope, this is quite separate from the [homes] problem (if there is a
> [homes] problem!)

there is.  the first (interactive) connection [by an nt or 95 client] is
subverted by a null session.  multiple tconXs are sent.  if the first is
to IPC$, then a null SMBsessetupX is sent.  subsequent tconXs do not have
a username in them, so samba does not have a substitution for its [homes]
connection, and hence the username share that is created by [homes] does
not appear: you get a share named after the guest account, instead.

the difference is between a share level connection and a user level
connection, and we currently still do not make the distinction correctly.

if the first connection [by an nt or 95 client] is to a share name, then
the SMBsessetupX _does_ contain a username.

> Win95 and NT clients *only* generate null sessions when doing a browse
> sync of machines names, not when "browsing" for a list of shares.

yes it does.

> A Win95 or NT client cannot be made to do a null session connect when
> using network neighborhood or any other user initiated browse.

i see this occur all the time.  you have to deliberately disconnect the
win95 or nt client session (use SRVMGR.EXE) and then do view | refresh on
the "shares" window.

> browse synchronisation is a special case because there is no username
> that can possibly be sent as it is a function of the underlying browse
> protocol maintenance not of user actions.

this may be the case when talking to non-NT-like systems, which samba can
currently be considered to be one such system in the browse sync respect.
to solve this problem fully, we will need to investigate browsing between
NT Trusted Domain Controllers.
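
The [homes] effect described above, as an added example that is not code from the thread or from Samba: a small model of the client exchange (one SMBsessetupX followed by several SMBtconXs, the setup being a null session only when the first tconX targets IPC$) and of a server that names the [homes] share from the session username. The guest account name "nobody" and the message shapes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Union

GUEST_ACCOUNT = "nobody"  # assumption: the server's configured guest account

@dataclass
class SessionSetupX:
    """SMBsessetupX; username None models a null session (empty user and password)."""
    username: Optional[str]

@dataclass
class TconX:
    """SMBtconX; carries only the requested service name, never a username."""
    service: str

def client_exchange(username: str, first_share: str) -> List[Union[SessionSetupX, TconX]]:
    """Model of the Win95/NT behaviour the thread describes: one sessetupX then
    several tconXs, and the sessetupX is a null session only when the first
    tconX targets IPC$."""
    first_is_ipc = first_share.upper() == "IPC$"
    msgs: List[Union[SessionSetupX, TconX]] = [SessionSetupX(None if first_is_ipc else username)]
    order = [first_share] + [s for s in (username, "IPC$") if s != first_share]
    msgs.extend(TconX(s) for s in order)
    return msgs

def serve(msgs) -> dict:
    """Server side as described: the [homes] share name is substituted from the
    session's username; a null session leaves nothing to substitute, so the
    share is named after the guest account instead."""
    session_user: Optional[str] = None
    shares = {}
    for m in msgs:
        if isinstance(m, SessionSetupX):
            session_user = m.username
        elif m.service.upper() == "IPC$":
            shares["IPC$"] = "null session" if session_user is None else session_user
        else:
            homes_name = session_user if session_user else GUEST_ACCOUNT
            shares[homes_name] = "homes"
    return shares

def homes_share_name(username: str, first_share: str) -> str:
    """Name under which [homes] appears when the first tconX targets first_share."""
    shares = serve(client_exchange(username, first_share))
    return next(name for name, kind in shares.items() if kind == "homes")

if __name__ == "__main__":
    print("IPC$ first :", homes_share_name("lkcl", "IPC$"))  # nobody
    print("share first:", homes_share_name("lkcl", "lkcl"))  # lkcl
```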
