cm_prepare_connection() & SMBSERVER Netbios query
Christopher R. Hertel
crh at ubiqx.mn.org
Sun Dec 12 11:10:23 MST 2010
Dina_Fine at Dell.com wrote:
> Hello,
>
> I am testing Windows 2008 AD functionality. And I noticed that wbinfo -t (checking machine secret) sometimes fails.
> The reason for that failure is that the Windows 2008 AD we have, responses with negative answer for netbios query: "*SMBSERVER<20> from c19<00>" with an error: "Called name not present"
> I read in "Implementing CIFS" that it is a legal response for such a query and that a server MAY not support this query.
Called Name Not Present means that the query itself was received and
processed, but the name "*SMBSERVER<20>" was not in the local name table of
the server.
This, unfortunatly, makes sense. Microsoft added the "*SMBSERVER<20>" name
in Windows NT 4 (if I remember correctly). The name is never registered,
but it is added to the local name table as a "generic" name representing the
SMB Server Service.
They used that name in NT4, W2K, WXP, W2003... and then abandoned it.
Windows server 2008 doesn't support that name any more, and I have no idea
why not. It's a small bit of insanity on Microsoft's part.
So, what you need to do is send an NBT NODE STATUS REQUEST to the server,
get the list of names that *are* registered, figure out which of them is the
SMB Server Service, and send your request message to that name instead.
The name you want will be the Machine Name with a suffix byte of <20>.
I have some code that can help, if you're interested.
> But cm_prepare_connection() function (winbindd_cm.c) doesn't deal well with this failure.
That sounds like a bug.
> The flow is that cm_open_connection calls to open_any_socket_out with two ports 139 and 445. And when the port 139 is ready first (As far as I understand the code), the cm_prepare_connection() will use this port and will send *SMBSERVER query to initiate a session.
You said above that wbinfo -t is sending a query to "*SMBSERVER<20>". Is it
a query, or is it sending an NBT Session Service Session Request message?
If it is on port 139, then it must be the Session Request. NBT Session
Request messages can generate "Called Name Not Present" errors.
> If the call fails, the cm_prepare_connection() fails as well.
Ah.
> Taking into consideration that some AD servers will not support *SMBSERVER query, is not it better to use only socket 445 for AD authentication requests? Or perhaps to have some kind of fallback to 445 port after the *SMBSERVER query fails?
Well... I think that the logic should attempt to create a connection on
*both* ports and favor port 445 if both succeed. I also think that it would
be best if the port testing order were configurable... but because of my
contract with Microsoft I can't really "fix" anything in Samba until next May.
>
> Thanks a lot,
Most welcome! :)
> Dina Fine
> Engineering Team Leader
> Dell | IDC
> office +972 97698825, fax +972 97698889
> dina_fine at dell.com<mailto:dina_fine at dell.com>
> Dell IDC. 4 Hacharoshet St, Raanana 43657, Israel
>
Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical
mailing list