cm_prepare_connection() & SMBSERVER Netbios query

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Dec 12 09:16:56 MST 2010


On Sun, Dec 12, 2010 at 03:45:29PM +0000, Dina_Fine at Dell.com wrote:
> I am testing Windows 2008 AD functionality. And I noticed
> that wbinfo -t (checking machine secret) sometimes fails.
> The reason for that failure is that the Windows 2008 AD we
> have, responses with negative answer for netbios query:
> "*SMBSERVER<20> from c19<00>" with an error: "Called name
> not present"
>
> I read in "Implementing CIFS" that it is a legal response
> for such a query and that a server MAY not support this
> query.

*SMBSERVER used to be the wildcard name every CIFS server
should listen on. This was done because on the internet
(Yes, the expansion of "CIFS" does contain that word)
usually all you have is the IP of the target host. I would
guess that the fact that W2K8 does not do this anymore is a
simple bug.

> But cm_prepare_connection() function (winbindd_cm.c)
> doesn't deal well with this failure.
> The flow is that cm_open_connection calls to
> open_any_socket_out with two ports 139 and 445. And when
> the port 139 is ready first (As far as I understand the
> code), the cm_prepare_connection() will use this port and
> will send *SMBSERVER query to initiate a session.

That's pretty much how it was supposed to work when it was
initially written.

> Taking into consideration that some AD servers will not
> support *SMBSERVER query, is not it better to use only
> socket 445 for AD authentication requests? Or perhaps to
> have some kind of fallback to 445 port after the
> *SMBSERVER query fails?

Sure, sounds perfectly reasonable. The simplest way would be
to just skip 139 if winbind knows that a domain is AD. This
might break some obscure, broken firewall settings. So for
those I think winbind should improve the fallback: If you
get exactly that error message, retry with just 445.
Alternatively, it might keep the 445 connection attempt
queued in case we get the "name not present". In any case,
that should not be more than very few hours of coding. With
tevent_req the latter alternative should be pretty easy to
do. Just make two async routines: One to just connect to
445 and one to connect to 139 and do the nb session setup.
Set up the 445 connect, wait a few milliseconds and then
fire the 139/nbsesssetup combo. Whichever of both gets
through successfully wins.

Volker


More information about the samba-technical mailing list