DEBUGGING INFO: Samba 2.1.0-prealpha, Redirector error, and AIX 4.2

Scott Parish ssparish at pittstate.edu
Fri Aug 13 17:30:07 GMT 1999


I know this is a little long, but bear with me please.  If you're impatient the
really important piece is at the bottom.

What I've got going after fixing some compilation errors and warnings that
mainly deal with type casting, is a semi-working Samba PDC.  I've got
everything configured properly as far as I can tell.  I took the same
samba.conf and other configuration information to a Linux box and the PDC stuff
works as expected and the workstation can join the samba domain under the Linux
install.

What doesn't work is joining an NT workstation SP5 to the samba domain under
AIX v4.2.  When I select the domain option in the network control panel of the
NT wks and try to join the samba domain, I get 9 entries in the NT's event log
that say there was a redirector error.  Specifically the message says: The
redirector received an SMB that was too short.

I used NT's netmon to capture the traffic and it looks like there are 6 error
entries created by wkssvc and another 3 by lsarpc.

The transactions in the netmon capture have the following descriptions:

Wks-->PDC  C NT create & X, File = [This is either wkssvc or lsarpc]
Wks<--PDC  R NT create & X, Fid = 0x0
Wks-->PDC  c/o RPC Bind:  UUID {some uuid and some more info}
Wks<--PDC  R transact
Wks-->PDC  C close file, FID = 0x0
Wks<--PDC  R close file - DOS Error, (6) INVALID_HANDLE

There are 6 entries for wkssvc, and 3 entries for lsarpc in the netmon capture
with the Fid incrementing by one each time.

The samba workstation log file (wks.log) contains entries like the following:

[1999/08/13 11:36:51, 4] smbd/nttrans.c:nt_open_pipe(482)
  nt_open_pipe: Opening pipe \wkssvc.
[1999/08/13 11:36:51, 3] smbd/nttrans.c:nt_open_pipe(515)
  nt_open_pipe: Known pipe wkssvc opening.
[1999/08/13 11:36:51, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(88)
  Open pipe requested wkssvc (pipes_open=0)
[1999/08/13 11:36:51, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(146)
  Opened pipe wkssvc with handle 80000000 (pipes_open=1)
[1999/08/13 11:36:51, 5] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(153)
  open pipes: name wkssvc pnum=80000000
[1999/08/13 11:36:51, 5] smbd/nttrans.c:reply_ntcreate_and_X(646)
  reply_ntcreate_and_X: open pipe = \wkssvc
[1999/08/13 11:36:51, 5] lib/util.c:show_msg(496)

Several lines of output deleted...and then we come to this...

[1999/08/13 11:36:51, 10] lib/util.c:dump_data(3025)
  [000] 5C 50 49 50 45 5C 00 00  00 05 00 0B 00 10 00 00  \PIPE\.. ........
  [010] 00 48 00 00 00 00 00 08  00 30 16 30 16 00 00 00  .H...... .0.0....
  [020] 00 01 00 00 00 00 00 01  00 98 D0 FF 6B 12 A1 10  ........ ....k...
  [030] 36 98 33 46 C3 F8 7E 34  5A 01 00 00 00 04 5D 88  6.3F..~4 Z.....].
  [040] 8A EB 1C C9 11 9F E8 08  00 2B 10 48 60 02 00 00  ........ .+.H`...
  [050] 00                                                .
[1999/08/13 11:36:51, 3] smbd/process.c:switch_message(402)
  switch message SMBtrans (pid 43170)
[1999/08/13 11:36:51, 4] smbd/uid.c:become_user(237)
  Skipping become_user - already user
[1999/08/13 11:36:51, 3] smbd/ipc.c:reply_trans(3602)
  trans <\PIPE\> data=72 params=0 setup=2
[1999/08/13 11:36:51, 5] smbd/ipc.c:reply_trans(3614)
  calling named_pipe
[1999/08/13 11:36:51, 3] smbd/ipc.c:named_pipe(3457)
  named pipe command on <> name
[1999/08/13 11:36:51, 5] smbd/ipc.c:api_fd_reply(3222)
  api_fd_reply
[1999/08/13 11:36:51, 5] smbd/ipc.c:api_fd_reply(3237)
  HELLO: unsigned=0, signed=0, setup0=38 setup1=0
[1999/08/13 11:36:51, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(388)
  search for pipe pnum=0
[1999/08/13 11:36:51, 5] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(393)
  pipe name wkssvc pnum=80000000 (pipes_open=1) pfile_offset 0
[1999/08/13 11:36:51, 1] smbd/ipc.c:api_fd_reply(3281)
  api_fd_reply: INVALID PIPE HANDLE: 0
[1999/08/13 11:36:51, 3] smbd/ipc.c:api_no_reply(3198)
  Unsupported API fd command
[1999/08/13 11:36:51, 5] smbd/ipc.c:copy_trans_params_and_data(151)
  copy_trans_params_and_data: params[0..4] data[0..0]
[1999/08/13 11:36:51, 5] lib/util.c:show_msg(496)

The 0x80000000 gets incremented by one each time a new connection is attempted,
corresponding with the NT workstation netmon data, and from what I've seen in the
samba source this is to aid in debugging.

The 0x80000000 number is interesting as it's a high order bit or sign bit set
of a 32-bit number.  But it is also apparently (under my AIX install) the
pipe_handle_offset that gets set in
rpc_server/srv_pipe_hnd.c:set_pipe_handle_offset().

What I think is occurring is that this offset is not being taken into account in
smbd/ipc.c:api_fd_reply().  Thus when the following line (~3239) executes it is
looking literally for pnum, not pnum+offset:

        p = get_rpc_pipe(pnum);

If I hack the offset into this call like such:

        p = get_rpc_pipe(pnum + 0x80000000);

the redirector error goes away and I can join the domain.

I don't know enough about Samba to really fix this problem, but this should
give somebody on the Samba Team something to go on to create a real patch
(instead of a poor hack), which I would be happy to apply and test.  ;)

-- 
Scott Parish           | "I really can't live without Christ.  It's like 
ssparish at pittstate.edu | impossible to really have a true life without Him."
                       | -- Cassie Bernall, martyr at Columbine High School.
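As an added illustration (not Samba's code and not the poster's patch), the following toy pipe-handle table models the symptom described above: server-side handles are pipe_handle_offset + slot, only the low 16 bits fit in the SMB FID field the client echoes back, and a lookup that compares the raw client value finds nothing until the offset is re-applied. The offset value 0x80000000 is taken from the post; the table size and the function names (open_pipe, lookup_raw, lookup_with_offset) are assumptions of this example, and that the 16-bit truncation is the reason the trace shows Fid = 0x0 is my reading, not something the post establishes.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not Samba's code: a toy RPC pipe handle table whose
 * handles are pipe_handle_offset + slot.  0x80000000 is the value seen in
 * the post; MAX_PIPES is arbitrary.  Handles are kept unsigned so the set
 * sign bit never turns the arithmetic negative. */
#define MAX_PIPES 8
static const uint32_t pipe_handle_offset = 0x80000000u;
static char pipe_names[MAX_PIPES][16];
static int pipes_open = 0;

/* Open a named pipe and return its 32-bit server-side handle (pnum), or 0
 * if the table is full. */
uint32_t open_pipe(const char *name) {
    if (pipes_open >= MAX_PIPES) return 0;
    strncpy(pipe_names[pipes_open], name, sizeof pipe_names[0] - 1);
    pipe_names[pipes_open][sizeof pipe_names[0] - 1] = '\0';
    return pipe_handle_offset + (uint32_t)pipes_open++;
}

/* The FID field of an SMB header is 16 bits wide, so only the low 16 bits
 * of the handle reach the client.  With an offset of 0x80000000 the first
 * handle becomes FID 0 on the wire. */
uint16_t handle_to_smb_fid(uint32_t pnum) { return (uint16_t)pnum; }

/* Lookup that compares the client's raw value against the stored 32-bit
 * handles: FID 0 matches nothing, the "INVALID PIPE HANDLE: 0" case. */
const char *lookup_raw(uint32_t pnum) {
    for (int i = 0; i < pipes_open; i++)
        if (pipe_handle_offset + (uint32_t)i == pnum) return pipe_names[i];
    return NULL;
}

/* Lookup that re-applies the offset before searching (the post's
 * pnum + 0x80000000), so the wire FID maps back to the server handle.
 * Because lookup_raw only matches open slots, an unknown FID still fails
 * closed rather than returning another client's pipe. */
const char *lookup_with_offset(uint16_t fid) {
    uint32_t pnum = pipe_handle_offset + (uint32_t)fid;
    return lookup_raw(pnum);
}
```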