Win2K8 Server Samba Signing Issue
Dave Daugherty
dave.daugherty at centrify.com
Thu Dec 24 13:19:15 MST 2009

Does this sound familiar?

Samba 3.3.9 - with some Centrify patches
Windows 2008 Server - exact version unknown (could be a release
candidate)

1) Join the Win2k8 Domain (okay we fixed up samba to be joined - did
not use net ads/rpc join...)
2) Start Samba
3) From Win2k8 server try net use \\<ipaddress>\\samba-test (fails)
4) Restart Samba
5) From Win2k8 server try net use \\<ipaddress>\\samba-test
(succeeds)

The IP address forces NTLM authentication.

The problem comes about because after successful authentication, the
next packet is a tree connect \\192.168.1.210\IPC$

Samba cannot calc the signature so it turns off signing. The Windows
2K8 server does not like this so it breaks the connection. After
several attempts it gives up.

The attached network trace shows the failure.

The attached smb.log shows both the failure and a subsequent success
(not in the network trace).

It seems strange that restarting samba has the appearance of "fixing"
the problem. It seems like it should have been sufficient to restart
the connection. Is there some signing state for NTLM? Interestingly
enough Kerberos authentication appears to succeed without the Samba
restart!

Note that the Win2k8 accepted the NTLM response signature (or did not
check it, or ignored failure). Does it make sense to just keep signing,
even if the Windows requests have bad signatures?

I think we can reliably repro the problem, so let me know if you need me
to go fetch some more rocks.

Regards

Dave Daugherty
Centrify

-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2k8signing.tar.gz
Type: application/x-gzip
Size: 152244 bytes
Desc: w2k8signing.tar.gz
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091224/1d5607c8/attachment-0001.bin>