[Samba] NT_STATUS_WRONG_PASSWORD with multiple concurrent connects from same IP Address.

Andrew Bartlett abartlet at samba.org
Wed Apr 13 00:18:19 GMT 2005


On Tue, 2005-04-12 at 17:07 -0700, Jeremy Allison wrote:
> On Wed, Apr 13, 2005 at 08:13:34AM +1000, Andrew Bartlett wrote:

> > The reason we have not fixed this in the past is that session setups are
> > usually a 'rare' event (compared with others), and we just have not seen
> > (or considered) this race in the past.
> 
> Yes that's true. I'm thinking of adding the vuid token behaviour into
> Samba3 so we return something at the first sessionsetup reply. However
> we expect the subsequent packets to be continuous (we expect the next
> packet to be the second part of the sessionsetup sequence, not a new
> sessionsetup request). We could fix this with the out-of-order processing
> we use for deferring opens, but it's nowhere near as transparent as it
> is with Samba4.

We should not need that - the NTLMSSP and SPNEGO code does not use piles
of static variables, it's just the one context that is the problem.
All you need to do is change 'global_ntlmssp_state' into something keyed
off that VUID.  See its use in reply_spnego_negotiate() and
reply_spnego_auth().  

Just make sure you don't treat this new vuid as 'real' - I added a
'finished_sesssetup' flag on the VUID in Samba4, and use two different
lookup functions, one for the rest of samba, and one for just the
session setup.  

The next issue I need to tackle in Samba4 is that of resource
consumption - too many half-completed NTLMSSP logins.  But as we allow
guest logins anyway, it's not much worse than can already be done.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
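
The design described in the message above, as an added sketch in C that is not part of the original e-mail and not Samba's code: authentication state is held per VUID instead of in one global, and a vuid only becomes visible to the rest of the server once its session setup has finished. All names except finished_sesssetup are hypothetical, `auth_step` stands in for the NTLMSSP context, and the cap on half-completed setups is an assumed mitigation for the resource-consumption issue mentioned at the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_SESSIONS  8   /* constructed table size */
#define MAX_HALF_OPEN 2   /* assumed cap on unfinished session setups */
#define INVALID_VUID  0

struct session {
    bool in_use;
    bool finished_sesssetup;  /* set only once authentication completed */
    int  auth_step;           /* stand-in for a per-session NTLMSSP context */
};
static struct session sessions[MAX_SESSIONS];  /* vuid N lives in slot N-1 */

/* Lookup for the session setup path only: also sees half-completed entries. */
struct session *lookup_sesssetup(uint16_t vuid) {
    if (vuid == INVALID_VUID || vuid > MAX_SESSIONS) return NULL;
    return sessions[vuid - 1].in_use ? &sessions[vuid - 1] : NULL;
}

/* Lookup for the rest of the server: a vuid is not real until setup finished. */
struct session *lookup_vuid(uint16_t vuid) {
    struct session *s = lookup_sesssetup(vuid);
    return (s && s->finished_sesssetup) ? s : NULL;
}

/* First leg: hand out a vuid token unless too many setups are half-open. */
uint16_t sesssetup_begin(void) {
    size_t half_open = 0, slot = MAX_SESSIONS;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].in_use) { if (slot == MAX_SESSIONS) slot = i; }
        else if (!sessions[i].finished_sesssetup) half_open++;
    }
    if (slot == MAX_SESSIONS || half_open >= MAX_HALF_OPEN) return INVALID_VUID;
    sessions[slot] = (struct session){ .in_use = true, .auth_step = 1 };
    return (uint16_t)(slot + 1);
}

/* Second leg: advance only the context that belongs to this vuid. */
bool sesssetup_continue(uint16_t vuid, bool auth_ok) {
    struct session *s = lookup_sesssetup(vuid);
    if (!s || s->finished_sesssetup) return false;
    if (!auth_ok) { s->in_use = false; return false; }  /* drop failed attempt */
    s->auth_step = 2;
    s->finished_sesssetup = true;
    return true;
}

int main(void) {
    uint16_t a = sesssetup_begin(), b = sesssetup_begin();  /* two clients interleave */
    sesssetup_continue(b, true);
    return (lookup_vuid(a) == NULL && lookup_vuid(b) != NULL) ? 0 : 1;
}
```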


More information about the samba-technical mailing list