advice for quick hack on _old_ code?

Ben Johnson ben at blarg.net
Tue Jul 9 13:51:02 GMT 2002


Thanks for your response, Kevin.  It came just as I was leaving for a
much needed vacation.  I hope you are still willing to take a look at
this.

I have done a packet capture.  That's how I was able to get as far as I
have.  The following is an example of one group-names request and one NT
response that my sources treat as an error.

------------------------------------------------------------------------
sent smb request.

tcp .......................... ff 53 4d 42 25 00
00 00 00 18 03 80 00 00  00 00 00 00 00 00 00 00
41 43 00 08 87 00 00 08  fb 00 10 00 00 d8 00 00
00 00 04 00 00 00 00 00  00 00 00 00 00 00 00 54
00 d8 00 54 00 02 00 26  00 00 08 e9 00 00 5c 00
50 00 49 00 50 00 45 00  5c 00 00 00 00 00 05 00
00 03 10 00 00 00 d8 00  00 00 06 00 00 00 c0 00
00 00 00 00 12 00 00 00  00 00 5a 40 71 c7 7d 85
d6 11 81 62 d2 88 9b 52  df 61 27 00 00 00 e8 03
00 00 00 00 00 00 27 00  00 00 01 02 00 00 ee 03
00 00 ed 03 00 00 fc 03  00 00 f4 03 00 00 f5 03
00 00 f6 03 00 00 f7 03  00 00 f8 03 00 00 f9 03
00 00 fa 03 00 00 fb 03  00 00 fd 03 00 00 fe 03
00 00 ff 03 00 00 00 04  00 00 01 04 00 00 02 04
00 00 03 04 00 00 04 04  00 00 05 04 00 00 24 04
00 00 23 04 00 00 11 04  00 00 12 04 00 00 13 04
00 00 14 04 00 00 15 04  00 00 16 04 00 00 17 04
00 00 18 04 00 00 1b 04  00 00 1c 04 00 00 1d 04
00 00 1e 04 00 00 1f 04  00 00 20 04 00 00 21 04
00 00 22 04 00 00


With help from ethereal and from looking at the code, this is my
interpretation of the sent packet.

sent packet as recorded by ethereal
{
  uchar  msg_type       == 0xff;
  uchar  server_comp[3] == {"SMB"};  //0x534d42
  uchar  command        == 0x25;     //smb trans
  uchar  error_class    == 0x00;     //success
  uchar  reserved       == 0x00;
  ushort error_code     == 0x0000;   //none
  uchar  flags          == 0x18;
  ushort flags2         == 0x8003;
  uchar  reserved[12]   == 0x000000000000000000004143; //AC ?
  ushort TID            == 0x0008;   //2048 (0800)
  ushort PID            == 0x8700;   //135  (0087)
  ushort UID            == 0x0008;   //2048 (0800)
  ushort MID            == 0xfb00;   //251  (00fb)
  uchar  word_count     == 0x10;     //16
  ushort total_parm_cnt == 0x0000;
  ushort total_data_cnt == 0xd800;   //216  (00d8)
  ushort max_parm_count == 0x0000;
  ushort max_data_count == 0x0004;   //1024 (0400)
  uchar  max_setup_cnt  == 0x00;
  uchar  reserved1      == 0x00;
  ushort Flags          == 0x0000;
  uint   timeout        == 0x00000000;
  ushort reserved2      == 0x0000;
  ushort parm_count     == 0x0000;
  ushort parm_offset    == 0x5400;   //84   (0054)
  ushort data_count     == 0xd800;   //216  (00d8)
  ushort data_offset    == 0x5400;   //84   (0054)
  uchar  setup_count    == 0x02;
  uchar  reserved3      == 0x00;
  ushort setup1         == 0x2600;   //38   (0026)
  ushort setup2         == 0x0008;   //2048 (0800)
  ushort byte_count     == 0xe900;   //233  (00e9)
  uchar  trans_name[14] == 0x5c0050004900500045005c000000 // {"\.P.I.P.E.\..."}
  ushort unnamed        == 0x0000;   // padding? ethereal ignores this
  data 
  {
    generic transaction header
    {
      ???       == 05 00 00 03 10 00 00 00
      uDataByte == d8 00 00 00                                          //216 (000000d8)  uDataByte == (0x3C + dwGroups * 4)
      uSequence == 06 00 00 00                                          //6   (00000006)  ???
      ???       == c0 00 00 00                                          //192 (000000c0)  ??? == (uDataByte - 0x18)
      ???       == 00 00
      byCommand == 12                                                   //18              #define GET_GROUP_NAMES 0x12
    };
    ???             == 00 00 00 00 00
    uchar UID[16]   == 5a 40 71 c7 7d 85 d6 11 81 62 d2 88 9b 52 df 61  // I don't understand this.
    dwGroups        == 27 00 00 00                                      //39  (00000027)   number of group id's
    command         == e8 03 00 00 00 00 00 00                          //"GetGroupNames" command.
    dwGroups        == 27 00 00 00                                      // why do this again?
    gids[dwGroups]  ==
    {
      01 02 00 00
      ee 03 00 00
      ed 03 00 00
      fc 03 00 00
      f4 03 00 00
      f5 03 00 00
      f6 03 00 00
      f7 03 00 00
      f8 03 00 00
      f9 03 00 00
      fa 03 00 00
      fb 03 00 00
      fd 03 00 00
      fe 03 00 00
      ff 03 00 00
      00 04 00 00
      01 04 00 00
      02 04 00 00
      03 04 00 00
      04 04 00 00
      05 04 00 00
      24 04 00 00
      23 04 00 00
      11 04 00 00
      12 04 00 00
      13 04 00 00
      14 04 00 00
      15 04 00 00
      16 04 00 00
      17 04 00 00
      18 04 00 00
      1b 04 00 00
      1c 04 00 00
      1d 04 00 00
      1e 04 00 00
      1f 04 00 00
      20 04 00 00
      21 04 00 00
      22 04 00 00
    };
  };
};



And this is the packet that is returned that the library I'm working
with can't handle.

                               ff 53 4d 42 25 05              ÿSMB%.
00 00 80 98 03 c0 00 00  00 00 00 00 00 00 00 00   .....À.. ........ 
41 43 00 08 87 00 00 08  fb 00 0a 00 00 00 04 00   AC...... û....... 
00 00 00 38 00 00 00 00  04 38 00 00 00 00 00 01   ...8.... .8...... 
04 d8 05 00 02 03 10 00  00 00 c4 08 00 00 06 00   .Ø...... ..Ä..... 
00 00 ac 08 00 00 00 00  00 00 27 00 00 00 18 48   ..¬..... ..'....H 
17 00 27 00 00 00 18 00  18 00 18 37 16 00 16 00   ..'..... ...7.... 
16 00 10 be 16 00 1e 00  1e 00 58 bc 16 00 24 00   ...¾.... ..X¼..$. 
24 00 60 ce 16 00 24 00  24 00 88 3b 17 00 24 00   $.`Î..$. $..;..$. 
24 00 b8 3b 17 00 24 00  24 00 90 bf 16 00 24 00   $.¸;..$. $..¿..$. 
24 00 d8 b4 16 00 24 00  24 00 b0 4d 17 00 24 00   $.Ø´..$. $.°M..$. 
24 00 f0 4d 17 00 24 00  24 00 30 4e 17 00 24 00   $.ðM..$. $.0N..$. 
24 00 70 36 17 00 26 00  26 00 a0 36 17 00 26 00   $.p6..&. &. 6..&. 
26 00 58 49 17 00 26 00  26 00 88 49 17 00 26 00   &.XI..&. &..I..&. 
26 00 c8 31 17 00 26 00  26 00 f8 31 17 00 26 00   &.È1..&. &.ø1..&. 
26 00 38 32 17 00 26 00  26 00 78 32 17 00 26 00   &.82..&. &.x2..&. 
26 00 b8 32 17 00 26 00  26 00 f8 32 17 00 1e 00   &.¸2..&. &.ø2.... 
1e 00 e8 c8 16 00 24 00  24 00 48 33 17 00 10 00   ..èÈ..$. $.H3.... 
10 00 e8 9d 15 00 1e 00  1e 00 08 b5 16 00 1e 00   ..è..... ...µ.... 
1e 00 18 4c 17 00 0e 00  0e 00 d0 59 15 00 1c 00   ...L.... ..ÐY.... 
1c 00 68 9a 15 00 16 00  16 00 e8 b1 16 00 10 00   ..h..... ..è±.... 
10 00 b0 82 16 00 1a 00  1a 00 90 4c 17 00 18 00   ..°..... ...L.... 
18 00 40 d0 16 00 1a 00  1a 00 80 bc 16 00 20 00   ..@Ð.... ...¼.. . 
20 00 b8 4c 17 00 26 00  26 00 78 34 17 00 16 00    .¸L..&. &.x4.... 
16 00 e8 33 17 00 18 00  18 00 38 34 17 00 28 00   ..è3.... ..84..(. 
28 00 18 35 17 00 12 00  12 00 c8 34 17 00 0c 00   (..5.... ..È4.... 
00 00 00 00 00 00 0c 00  00 00 44 00 6f 00 6d 00   ........ ..D.o.m. 
61 00 69 00 6e 00 20 00  55 00 73 00 65 00 72 00   a.i.n. . U.s.e.r. 
73 00 0b 00 00 00 00 00  00 00 0b 00 00 00 44 00   s....... ......D. 
65 00 76 00 65 00 6c 00  6f 00 70 00 6d 00 65 00   e.v.e.l. o.p.m.e. 
6e 00 74 00 00 00 0f 00  00 00 00 00 00 00 0f 00   n.t..... ........ 
00 00 49 00 6e 00 74 00  65 00 72 00 6e 00 65 00   ..I.n.t. e.r.n.e. 
74 00 5f 00 41 00 63 00  63 00 65 00 73 00 73 00   t._.A.c. c.e.s.s. 
00 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   ........ ......t. 
65 00 73 00 74 00 39 00  20 00 67 00 6c 00 6f 00   e.s.t.9.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 31 00  20 00 67 00 6c 00 6f 00   e.s.t.1.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 32 00  20 00 67 00 6c 00 6f 00   e.s.t.2.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 33 00  20 00 67 00 6c 00 6f 00   e.s.t.3.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 34 00  20 00 67 00 6c 00 6f 00   e.s.t.4.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 35 00  20 00 67 00 6c 00 6f 00   e.s.t.5.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 36 00  20 00 67 00 6c 00 6f 00   e.s.t.6.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 37 00  20 00 67 00 6c 00 6f 00   e.s.t.7.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 12 00 00 00 00 00  00 00 12 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 38 00  20 00 67 00 6c 00 6f 00   e.s.t.8.  .g.l.o. 
62 00 61 00 6c 00 20 00  67 00 72 00 6f 00 75 00   b.a.l. . g.r.o.u. 
70 00 13 00 00 00 00 00  00 00 13 00 00 00 74 00   p....... ......t. 
65 00 73 00 74 00 31 00  30 00 20 00 67 00 6c 00   e.s.t.1. 0. .g.l. 
6f 00 62 00 61 00 6c 00  20 00 67 00 72 00 6f 00   o.b.a.l.  .g.r.o. 
75 00 70 00 72 00 13 00  00 00 00 00 00 00 13 00   u.p.r... ........ 
00 00 74 00 65 00 73 00  74 00 31 00 31 00 20 00   ..t.e.s. t.1.1. . 
67 00 6c 00 6f 00 62 00  61 00 6c 00 20 00 67 00   g.l.o.b. a.l. .g. 
72 00 6f 00 75 00 70 00  70 00 13 00 00 00 00 00   r.o.u.p. p....... 
00 00 13 00 00 00 74 00  65 00 73 00 74 00 31 00   ......t. e.s.t.1. 
32 00                                              2.                





And, from what I can tell using ethereal and the code, this is my
interpretation of it.




received packet as recorded by ethereal
{
  uchar  msg_type       == 0xff;
  uchar  server_comp[3] == {"SMB"};  //0x534d42
  uchar  command        == 0x25;     //smb trans
  ulong  status         == 0x05000080; // (80000005) this means group list is incomplete
  uchar  flags          == 0x98;
  ushort flags2         == 0x03c0;   //(c003)
  uchar  reserved[12]   == 0x000000000000000000004143; //AC ?
  ushort TID            == 0x0008;   //2048 (0800)
  ushort PID            == 0x8700;   //135  (0087)
  ushort UID            == 0x0008;   //2048 (0800)
  ushort MID            == 0xfb00;   //251  (00fb)

  uchar  word_count     == 0x0a;     //16
  ushort total_parm_cnt == 0x0000;
  ushort total_data_cnt == 0x0004;   //1024 (0400)
  ushort reserved2      == 0x0000;
  ushort parm_count     == 0x0000;
  ushort parm_offset    == 0x3800;   //56   (0038)
  ushort parm_displacem == 0x0000;
  ushort data_count     == 0x0004;   //1024 (0400)
  ushort data_offset    == 0x3800;   //56   (0038)
  ushort data_displacem == 0x0000;
  uchar  setup_count    == 0x0000;
  uchar  reserved3      == 0x0000;
  ushort byte_count     == 0x0104;   //1025 (0401)
  uchar  pad1           == 0xd8;     //216

  data
  {
      //what I'm working with ignores this
      ignored    =  { 05 00 02 03 10 00 00 00 c4 08 00 00 06 00 00 00
                      ac 08 00 00 00 00 00 00 27 00 00 00 18 48 17 00 };
      group_cnt  = 0x27000000;  //39 (00000027)

      //what I'm working with ignores this
      ignored    ={                     18 00  18 00 18 37 16 00 16 00
                      16 00 10 be 16 00 1e 00  1e 00 58 bc 16 00 24 00
                      24 00 60 ce 16 00 24 00  24 00 88 3b 17 00 24 00
                      24 00 b8 3b 17 00 24 00  24 00 90 bf 16 00 24 00
                      24 00 d8 b4 16 00 24 00  24 00 b0 4d 17 00 24 00
                      24 00 f0 4d 17 00 24 00  24 00 30 4e 17 00 24 00
                      24 00 70 36 17 00 26 00  26 00 a0 36 17 00 26 00
                      26 00 58 49 17 00 26 00  26 00 88 49 17 00 26 00
                      26 00 c8 31 17 00 26 00  26 00 f8 31 17 00 26 00
                      26 00 38 32 17 00 26 00  26 00 78 32 17 00 26 00
                      26 00 b8 32 17 00 26 00  26 00 f8 32 17 00 1e 00
                      1e 00 e8 c8 16 00 24 00  24 00 48 33 17 00 10 00
                      10 00 e8 9d 15 00 1e 00  1e 00 08 b5 16 00 1e 00
                      1e 00 18 4c 17 00 0e 00  0e 00 d0 59 15 00 1c 00
                      1c 00 68 9a 15 00 16 00  16 00 e8 b1 16 00 10 00
                      10 00 b0 82 16 00 1a 00  1a 00 90 4c 17 00 18 00
                      18 00 40 d0 16 00 1a 00  1a 00 80 bc 16 00 20 00
                      20 00 b8 4c 17 00 26 00  26 00 78 34 17 00 16 00
                      16 00 e8 33 17 00 18 00  18 00 38 34 17 00 28 00
                      28 00 18 35 17 00 12 00  12 00 c8 34 17 00 
                    }

    // length of ignored == 0x20 + (group_cnt * 8 + 4)

    struct {
      char  padding[0]; // often not present
      ulong chars;
      ulong check;
      ulong ignored;
    }
    groups[] =
    {
      {     {0c000000}, {00000000}, {0c000000}, "D.o.m.a.i.n. .U.s.e.r.s." }
      {  00 {0b000000}, {00000000}, {0b000000}, "D.e.v.e.l.o.p.m.e.n.t." }
      {0000 {0f000000}, {00000000}, {0f000000}, "I.n.t.e.r.n.e.t._.A.c.c.e.s.s."}
      {0000 {12000000}, {00000000}, {12000000}, "t.e.s.t.9. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.1. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.2. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.3. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.4. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.5. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.6. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.7. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {12000000}, {00000000}, {12000000}, "t.e.s.t.8. .g.l.o.b.a.l. .g.r.o.u.p."}
      {     {13000000}, {00000000}, {13000000}, "t.e.s.t.1.0. .g.l.o.b.a.l. .g.r.o.u.p."}
      {7200 {13000000}, {00000000}, {13000000}, "t.e.s.t.1.1. .g.l.o.b.a.l. .g.r.o.u.p."}
      {7000 {13000000}, {00000000}, {13000000}, "t.e.s.t.1.2."}
    };
  };
};


See how the returned list of group names is not complete.  I think there must
be another sort of packet I should send that would result in NT sending me a
continuation of the list.  Does that sound reasonable, or should I just send a
shorter gid list?

I am now successfully sending a series of requests containing smaller
sections of the gid list and that is working.  It is not efficient
though because I don't know in advance how many group names I can ask
for without getting this error.  It means I have to ask for the largest
possible number of group names I know will never cause an error.  For
global group names that is 256/20 and for local group names I can only
ask for one at a time.

Thanks again.

- Ben





On Tue, Jun 25, 2002 at 10:05:42AM -0400, Kevin Stefanik wrote:
> Have you done a packet capture with a recent version of ethereal or something 
> similar that will break out the packets?  Some of the old API's that just 
> pass strings of user names and groups have a buffer size and an offset.  The 
> way to get the list is to pass along a buffer size that you can manage and 
> the response will tell you both the number of total users or groups, your 
> next request includes an offset count so the server knows that you've already 
> received some of the response. 
> 
> I can't immediately tell from your byte array if you're looking at one of 
> those api's though.  The only such place that I'm familiar with is the lanman 
> api's (see a recent smbd/lanman.c for details).
> 
> Kevin Stefanik
> 
> 
> On Friday 21 June 2002 03:51 pm, Ben Johnson wrote:
> > Hi.  I'm a junior engineer (who's starting to grow up) at WatchGuard
> > Tech.  We use some extremely old Samba code in our firewall to provide
> > user authentication against an NT server.  I've been working on and off
> > on a number of bugs in this type of authentication for more than a year
> > now, and I am finally making some headway.
> >
> > I have found a work around for one of our bugs earlier today, but I am
> > hoping to fix it the right way, if that's possible.
> >
> > The bug:  if the concatenated groupnames a user is in form a string of
> > greater than 255 characters long, the authentication fails.
> >
> > I found that the problem occurs when the first of presumably many
> > packets containing group names returns from the NT server with a status
> > code of 0x80000005.  Our code interpreted this as a failure.
> >
> > I found that if I ignore it I can get a truncated list of groups from
> > the single packet.  Better yet, if I send a number of packets, each
> > asking for a small number of groups, then I can get the entire list in
> > chunks with no error code at all.  This seems awfully hackish though.
> >
> > I've tried sending the same packet to the server more than once when I
> > get a 0x80000005 status.  I've tried sending a new packet that asks for
> > only the groups that weren't returned in the first reply.  None of this
> > has worked.  The result is a new error code: 0xC00000AE, which I don't
> > know how to interpret.
> >
> > I have a feeling that what I need is a transaction definition that tells
> > the NT server that I am ready to receive more of the group names.  I
> > don't know how to find that though.  And, unfortunately, all our
> > transaction command definitions are defined as raw byte arrays, which is
> > difficult to interpret.  example...
> >
> > // CreateFile("\samr")
> > const UCHAR Transaction00[] = { // DB
> > 0x05,0x00,0x0B,0x00,0x10,0x00,0x00,0x00,
> > 0x48,0x00,0x00,0x00,0x67,0x00,0x68,0x00,
> > 0x30,0x16,0x30,0x16,0x00,0x00,0x00,0x00,
> > 0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
> > 0x78,0x57,0x34,0x12,0x34,0x12,0xCD,0xAB,
> > 0xEF,0x00,0x01,0x23,0x45,0x67,0x89,0xAC,
> > 0x01,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,
> > 0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
> > 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
> >
> > Can anyone help me out, or should I just go with my
> > ask-for-many-small-lists workaround?
> >
> > Thanks a lot for any help.
> >
> > - Ben
> 
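An added worked example, not code from this thread or from Samba: a Python decoder for the 1080-byte NT reply captured above. It reads the SMB_COM_TRANSACTION response words, the DCE/RPC response header behind them, and as many of the SAMR names as the reply actually contains, stopping cleanly where the last string is cut off instead of reading past the buffer. Two checks fall straight out of the bytes on the page: the NT status 0x80000005 has severity bits 10 (a warning; STATUS_BUFFER_OVERFLOW in ntstatus.h), so only severity 11 codes such as 0xC00000AE (STATUS_PIPE_BUSY) are treated as failures; and the RPC fragment's own frag_length field (c4 08, 2244 bytes) is larger than the transaction's data_count (1024, the max_data_count the request offered), which says how many bytes of that same fragment (1220) the server still holds. The name-list layout assumed here (count, pointer, array of 8-byte string headers, then 4-byte-aligned counted UTF-16LE strings) is my reading of the dump, consistent with the interpretation above; the eight "testN global group" records that share one layout are generated by a loop rather than transcribed one by one.

```python
import struct
from dataclasses import dataclass

# Names of the two NT status codes the thread mentions (ntstatus.h); severity is the top two bits.
NT_STATUS_NAMES = {0x80000005: "STATUS_BUFFER_OVERFLOW", 0xC00000AE: "STATUS_PIPE_BUSY"}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# The 1080-byte reply, transcribed from the hex dump in the mail (bytes.fromhex ignores spaces).
_HEAD = (
    "ff534d422505 0000809803c00000 0000000000000000"
    "4143000887000008 fb000a0000000400 0000003800000000 0438000000000001"
    "04d8050002031000 0000c40800000600 0000ac0800000000 0000270000001848"
    "1700270000001800 1800183716001600 160010be16001e00 1e0058bc16002400"
    "240060ce16002400 2400883b17002400 2400b83b17002400 240090bf16002400"
    "2400d8b416002400 2400b04d17002400 2400f04d17002400 2400304e17002400"
    "2400703617002600 2600a03617002600 2600584917002600 2600884917002600"
    "2600c83117002600 2600f83117002600 2600383217002600 2600783217002600"
    "2600b83217002600 2600f83217001e00 1e00e8c816002400 2400483317001000"
    "1000e89d15001e00 1e0008b516001e00 1e00184c17000e00 0e00d05915001c00"
    "1c00689a15001600 1600e8b116001000 1000b08216001a00 1a00904c17001800"
    "180040d016001a00 1a0080bc16002000 2000b84c17002600 2600783417001600"
    "1600e83317001800 1800383417002800 2800183517001200 1200c83417000c00"
    "0000000000000c00 000044006f006d00 610069006e002000 5500730065007200"
    "73000b0000000000 00000b0000004400 6500760065006c00 6f0070006d006500"
    "6e00740000000f00 0000000000000f00 000049006e007400 650072006e006500"
    "74005f0041006300 6300650073007300 0000120000000000 0000120000007400")
# One "e.s.t.N. .g.l.o.b.a.l. .g.r.o.u.p." record plus the next 0x12-length header and its "t.";
# test9 and test1..test7 share this exact layout in the dump, so a loop expands them.
_UNIT = ("650073007400{}00 200067006c006f00 620061006c002000"
         "670072006f007500 7000120000000000 0000120000007400")
_TAIL = (
    "6500730074003800 200067006c006f00 620061006c002000 670072006f007500"
    "7000130000000000 0000130000007400 6500730074003100 3000200067006c00"
    "6f00620061006c00 2000670072006f00 7500700072001300 0000000000001300"
    "0000740065007300 7400310031002000 67006c006f006200 61006c0020006700"
    "72006f0075007000 7000130000000000 0000130000007400 6500730074003100 3200")
CAPTURED_RESPONSE = bytes.fromhex(
    _HEAD + "".join(_UNIT.format(f"{ord(d):02x}") for d in "91234567") + _TAIL)

def describe_status(status: int) -> str:
    name = NT_STATUS_NAMES.get(status, "unknown")
    return f"0x{status:08X} {name} ({SEVERITY[status >> 30]})"

def parse_name_array(stub: bytes):
    """Walk the counted-string array; stop cleanly where the bytes run out."""
    count, _ptr, max_count = struct.unpack_from("<III", stub, 0)
    if max_count != count or 12 + 8 * count > len(stub):
        raise ValueError("string header array is inconsistent or cut off")
    # One 8-byte header (length, size, pointer) per entry precedes the string bodies.
    lengths = [struct.unpack_from("<HHI", stub, 12 + 8 * i)[0] for i in range(count)]
    pos, names = 12 + 8 * count, []
    for length in lengths:
        pos = (pos + 3) & ~3                      # NDR aligns each string to 4 bytes
        if pos + 12 > len(stub):
            break
        _max_chars, _offset, actual = struct.unpack_from("<III", stub, pos)
        pos += 12
        if actual * 2 != length:                  # header and body must agree on the length
            raise ValueError(f"length mismatch for entry {len(names)}")
        if pos + actual * 2 > len(stub):          # this entry was cut off mid-string
            break
        names.append(stub[pos:pos + actual * 2].decode("utf-16-le"))
        pos += actual * 2
    return names, count

@dataclass
class TransResponse:
    status: int
    data_count: int         # RPC bytes delivered in this reply
    frag_length: int        # size of the whole RPC fragment, from its own header
    bytes_outstanding: int  # frag_length - data_count: still held by the server
    names: list
    total_names: int
    truncated: bool

def parse_trans_response(pkt: bytes) -> TransResponse:
    if pkt[:4] != b"\xffSMB" or pkt[4] != 0x25 or pkt[32] != 10:
        raise ValueError("not an SMB_COM_TRANSACTION response")
    status = struct.unpack_from("<I", pkt, 5)[0]
    if status >> 30 == 3:                         # only real errors abort; a warning still carries data
        raise ValueError("server returned " + describe_status(status))
    words = struct.unpack_from("<9HBB", pkt, 33)  # the ten response words
    data_count, data_off = words[6], words[7]
    byte_count = struct.unpack_from("<H", pkt, 53)[0]
    if 55 + byte_count != len(pkt) or data_off + data_count > len(pkt):
        raise ValueError("byte_count / data_offset disagree with packet length")
    data = pkt[data_off:data_off + data_count]
    if data[0] != 5 or data[2] != 2:              # DCE/RPC v5 response PDU
        raise ValueError("data is not a DCE/RPC response")
    frag_length = struct.unpack_from("<H", data, 8)[0]
    names, total = parse_name_array(data[24:])    # skip 16-byte common + 8-byte response header
    return TransResponse(status, data_count, frag_length, frag_length - data_count,
                         names, total, len(names) < total)

if __name__ == "__main__":
    r = parse_trans_response(CAPTURED_RESPONSE)
    print(describe_status(r.status), f"{len(r.names)}/{r.total_names} names,",
          f"{r.bytes_outstanding} bytes outstanding", r.names, sep="\n")
```

Run directly, it reports the warning status, 14 of the 39 names and the 1220 outstanding bytes; a caller would use the `truncated` and `bytes_outstanding` fields to decide that the reply is incomplete rather than failed.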



