[Samba] NT_STATUS_WRONG_PASSWORD with multiple concurrent connects from same IP Address.

Andrew Bartlett abartlet at samba.org
Tue Apr 12 22:13:34 GMT 2005

On Tue, 2005-04-12 at 12:56 -0400, David Girard wrote: 
> OK, I have applied the "use spnego=no" and it seems to have resolved the problem...
> Could you describe what this setting is doing?...I haven't been able
> to find any reference to this setting other than your previous posts
> telling people to use it...

Samba 3.0 introduced the ability to support 'extended security', where
instead of the traditional NTLM challenge/response system being based on
a challenge in the NegProt packet, we would install break out to a
generalised authentications system, based on multiple round trips.

Session setup and authentication are fairly well described in CRH's
book: http://www.ubiqx.org/cifs/SMB.html#SMB.8

When we are using extended security, there are multiple legs to the
session setup part of this problem.  As the client sends the first of
the 4 packets in this system ('negotiate'), we should enclose a vuid
'cookie' with the 'challenge'.  When the client returns with the 'auth'
packet, we can line up the challenge we sent, and correctly finish the
state machine.

If as in Samba3, we do not include a vuid (we send 0) to connect to the
correct state machine, we would logically link a 'challenge' with an
'auth' to which there is no relation.  This then results in
WRONG_PASSWORD, as the cryptography is wrong.

The RAW-CONTEXT test from Samba4 should demonstrate this nicely.

> I need to understand if there are security or performance implications
> to this setting.

In particular, it will not be possible to use kerberos in any form to
this server and NTLM2 will not be negotiated so clients will send the LM
password on the wire..  Performance and reliability with the not-
recommended security=server will also suffer.

The reason we have not fixed this in the past is that session setups are
usually a 'rare' event (compared with others), and we just have not seen
(or considered) this race in the past.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050413/6efd214f/attachment.bin

More information about the samba-technical mailing list