Security hole?
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue May 5 13:19:36 GMT 1998
On Tue, 5 May 1998, Andrew Tridgell wrote:
> They *could* use the trust account, but I don't think they do (not for
> browse synchronisation anyway).
>
> > if your NT DC is contacting a non-NT-like machine, then it can use null
> > sessions.
>
> again, what could be done and what is actually done by MS OSes are two
> different things. I believe 95 and NT use null sessions for browse sync.
>
> > there is. the first (interactive) connection [by an nt or 95 client] is
> > subverted by a null session.
>
> nope. Send me a sniff of a win95 box doing a null session connect for
> a user initiated browse and then maybe I'll believe you.
i don't use win95: i can do an nt wksta one, though.
> win95 and NT always try a null password first, but that is not a null
> session. As long as you haven't stuffed around with the
> GUEST_SESSSETUP option at compile time in Samba
i haven't.
> then the null password
> will fail when the server is in user level security. The client then
> sends a proper session setup.
no it doesn't :-) it converts the user to the guest account (extract from
reply.c):
/* If no username is sent use the guest account */
if (!*user)
{
strcpy(user,lp_guestaccount(-1));
/* If no user and no password then set guest flag. */
if( *smb_apasswd == 0)
guest = True;
}
strlower(user);
strcpy(sesssetup_user,user);
reload_services(True);
add_session_user(user);
/* Check if the given username was the guest user with no password.
We need to do this check after add_session_user() as that
call can potentially change the username (via map_user).
*/
> John tried to convince me that NT and 95 could do a null session
> connect a few weeks back. We ran a sniff and found it didn't.
>
> > multiple tconXs are sent. if the first is to IPC$, then a null
> > SMBsessetupX is sent. subsequent tconXs do not have a username in
> > them
>
> tconXs never have usernames in them (unless you count the % hack).
exactly: therein lies the problem.
> I could believe that this could be a problem with NT domain logins. It
> is just possible that a NT domain workstation will cache a null
> session used for browse synchronsation and carry that over to a
> attempted login. If you show me that this happens then I'm sure we can
> find a workaround.
it does, and so does win95. i don't use win95 any more, but i can get you
an NT trace.
> >, so samba does not have a substitution for its [homes]
> > connection, and hence the username share that is created by [homes] does
> > not appear: you get a share named after the guest account, instead.
>
> what worries me here is that this is exactly the symptoms you will get
> if you muck with the GUEST_SESSSETUP option (among other nasty side
> effects). Are you _sure_ you didn't have GUEST_SESSSETUP set when you
> saw this?
i am sure: it was at the default. i've never recompiled with
GUEST_SESSETUP at anything other than the default: i don't like it.
> Also, are you sure it was a null session (ie. username was null in
> sessionsetupX) and not just a null password? I'm very skeptical :-)
username was NULL: password was "length 1". i wouldn't have had a share
named after "nobody" come up if it wasn't.
> > the difference is between a share level connection and a user level
> > connection, and we currently still do not make the distinction correctly.
> > yes it does.
> >
> > > A
> > > Win95 or NT client cannot be made to do a null session connect when
> > > using network neighborhood or any other user initiated
> > > browse.
> >
>
> I believe we do, but a sniff will convince me otherwise :-)
>
> > i see this occur all the time. you have to deliberately disconnect the
> > win95 or nt client session (use SRVMGR.EXE) and then do view | refresh on
> > the "shares" window.
>
> I just tried it and didn't see a null session in a sniffer. Everything
> worked fine. This was with a NT4wks client doing a domain logon to a
> Samba server (current CVS tree).
>
> > this may be the case when talking to non-NT-like systems, which samba can
> > currently be considered to be one such system in the browse sync respect.
> > to solve this problem fully, we will need to investigate browsing between
> > NT Trusted Domain Controllers.
>
> as far as I know browse synchronisation works the same between NT as
> between 95 and NT (as far as authentication goes at least). Browse
> listing (ie. obtaining a list of shares) works differently, but thats
> a different kettle of fish!
>
> Cheers, Andrew
>
More information about the samba-ntdom
mailing list