[Samba] NT_STATUS_WRONG_PASSWORD with multiple concurrent connects from same IP Address.

David Girard DGirard at lason.com
Fri Jun 3 17:07:32 GMT 2005 

Andrew:

RE: SPNEGO=NO to solve Multiple simultaneous connects from the same client system..

We're finally getting around to implementing this parameter...we've discovered that it breaks connectivity with some of our Windows Xp clients...for some reason certain users are unable to authenticate from some of the Xp systems (the logs report NT_STATUS_NO_SUCH_USER).  Strangely enough, other user ID's work fine from these systems..

I also see that SPNEGO = yes is noted in one of the documents as being required to join a Windows 2003 AD structure...is this true?...we're moving to Active directory within the next 30 -60 days...

I'm not sure where to go from here...and hoping that you might be able to point me in the right direction.

PS:  I still owe you a frosty beverage...;-}

Thanks
_David...



>>> Andrew Bartlett <abartlet at samba.org> 04/12/05 6:13 PM >>>
On Tue, 2005-04-12 at 12:56 -0400, David Girard wrote: 
> OK, I have applied the "use spnego=no" and it seems to have resolved the problem...
> 
> Could you describe what this setting is doing?...I haven't been able
> to find any reference to this setting other than your previous posts
> telling people to use it...

Samba 3.0 introduced the ability to support 'extended security', where
instead of the traditional NTLM challenge/response system being based on
a challenge in the NegProt packet, we would install break out to a
generalised authentications system, based on multiple round trips.

Session setup and authentication are fairly well described in CRH's
book: http://www.ubiqx.org/cifs/SMB.html#SMB.8 

When we are using extended security, there are multiple legs to the
session setup part of this problem.  As the client sends the first of
the 4 packets in this system ('negotiate'), we should enclose a vuid
'cookie' with the 'challenge'.  When the client returns with the 'auth'
packet, we can line up the challenge we sent, and correctly finish the
state machine.

If as in Samba3, we do not include a vuid (we send 0) to connect to the
correct state machine, we would logically link a 'challenge' with an
'auth' to which there is no relation.  This then results in
WRONG_PASSWORD, as the cryptography is wrong.

The RAW-CONTEXT test from Samba4 should demonstrate this nicely.

> I need to understand if there are security or performance implications
> to this setting.

In particular, it will not be possible to use kerberos in any form to
this server and NTLM2 will not be negotiated so clients will send the LM
password on the wire..  Performance and reliability with the not-
recommended security=server will also suffer.

The reason we have not fixed this in the past is that session setups are
usually a 'rare' event (compared with others), and we just have not seen
(or considered) this race in the past.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/ 
Authentication Developer, Samba Team           http://samba.org 
Student Network Administrator, Hawker College  http://hawkerc.net

More information about the samba-technical mailing list