Win7 + Live sign-in assistant = samba fails auth

david.kondrad at legrand.us
Mon Jul 19 08:23:04 MDT 2010


Greetings:

Our company uses libsmbclient to implement an embedded media player.

We received a support call that media discovery on a Win7 home
premium box showed music, but the player application was unable to
access the files.

Upon investigation, it was revealed that installing the "Microsoft
Live Sign-On Assistant" modified the SPNEGO transaction to include a
mechToken, which seemingly all versions of Samba 3.x.x fail to parse
and always return permission denied.

Crawling through support forums, mailing lists, and MS TechNet, it
seems that this is an issue that is plaguing many people. Using Samba
3.5.4 source, I have tracked the issue down to

libsmb/clispnego.c:164

    *principal = NULL;
    if (asn1_tag_remaining(data) > 0) {
        asn1_start_tag(data, ASN1_CONTEXT(3)); /* fails here */
        asn1_start_tag(data, ASN1_SEQUENCE(0));
        asn1_start_tag(data, ASN1_CONTEXT(0));
        asn1_read_GeneralString(data,talloc_autofree_context(),
                                 principal);
        asn1_end_tag(data);
        asn1_end_tag(data);
        asn1_end_tag(data);
    }

Looking at a Wireshark dump, it turns out that after the two OIDs
we have a mechToken (ASN1_CONTEXT(2)) instead of a principal
(ASN1_CONTEXT(3)).


I'm not familiar enough with the internal workings of GSS-API to know
whether this is a violation of the protocol or not.

So my question is what would be the "right" way to fix this issue so
that authentication succeeds with these machines without introducing a
regression where auth will fail with other servers?

Here is the packet decode for the SMB negotiation:

SMB (Server Message Block Protocol)
    SMB Header
    Negotiate Protocol Response (0x72)
        Word Count (WCT): 17
        Dialect Index: 9: NT LM 0.12
        Security Mode: 0x03
        Max Mpx Count: 10
        Max VCs: 1
        Max Buffer Size: 4356
        Max Raw Buffer: 65536
        Session Key: 0x00000000
        Capabilities: 0x8001e3fc
        System Time: Jul 16, 2010 16:17:55.406250000
        Server Time Zone: 240 min from UTC
        Key Length: 0
        Byte Count (BCC): 336
        Server GUID: B3A217CC5F419E4D9073F8971A82E202
        Security Blob:
        6082013C06062B0601050502A08201303082012CA01A3018...
            GSS-API Generic Security Service Application Program
            Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected
                Negotiation)
                SPNEGO
                    negTokenInit
                        mechTypes: 2 items
                            MechType: 1.3.6.1.4.1.311.2.2.30 (SNMPv2-
                            SMI::enterprises.311.2.2.30)
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP
                            - Microsoft NTLM Security Support
                            Provider)
                        mechToken:
                        4E45474F45585453010000000000000060000000700000
                        00...

Hex of Security BLOB: (mechToken starts at offset 00cb)

0090  -- -- -- -- -- -- -- -- | -- -- -- 60 82 01 3c 06
00a0  06 2b 06 01 05 05 02 a0 | 82 01 30 30 82 01 2c a0
00b0  1a 30 18 06 0a 2b 06 01 | 04 01 82 37 02 02 1e 06
00c0  0a 2b 06 01 04 01 82 37 | 02 02 0a a2 82 01 0c 04
00d0  82 01 08 4e 45 47 4f 45 | 58 54 53 01 00 00 00 00
00e0  00 00 00 60 00 00 00 70 | 00 00 00 c9 9b 9a 09 7b
00f0  48 dd a2 d3 aa 67 2a c7 | 93 b5 bc 06 02 cc 9f 8f
0100  db 1a 66 b2 68 83 9a 93 | 6c f2 16 1c 31 76 a8 a3
0110  8c 1f 8c 26 80 97 ff 0e | 8e 25 18 00 00 00 00 00
0120  00 00 00 60 00 00 00 01 | 00 00 00 00 00 00 00 00
0130  00 00 00 5c 33 53 0d ea | f9 0d 4d b2 ec 4a e3 78
0140  6e c3 08 4e 45 47 4f 45 | 58 54 53 03 00 00 00 01
0150  00 00 00 40 00 00 00 98 | 00 00 00 c9 9b 9a 09 7b
0160  48 dd a2 d3 aa 67 2a c7 | 93 b5 bc 5c 33 53 0d ea
0170  f9 0d 4d b2 ec 4a e3 78 | 6e c3 08 40 00 00 00 58
0180  00 00 00 30 56 a0 54 30 | 52 30 27 80 25 30 23 31
0190  21 30 1f 06 03 55 04 03 | 13 18 54 6f 6b 65 6e 20
01a0  53 69 67 6e 69 6e 67 20 | 50 75 62 6c 69 63 20 4b
01b0  65 79 30 27 80 25 30 23 | 31 21 30 1f 06 03 55 04
01c0  03 13 18 54 6f 6b 65 6e | 20 53 69 67 6e 69 6e 67
01d0  20 50 75 62 6c 69 63 20 | 4b 65 79

Text of Security BLOB:

009b             `..<.
00a0  .+........00..,.
00b0  .0...+.....7....
00c0  .+.....7........
00d0  ...NEGOEXTS.....
00e0  ...`...p.......{
00f0  H....g*.........
0100  ..f.h...l...1v..
0110  ...&.....%......
0120  ...`............
0130  ...\3S....M..J.x
0140  n..NEGOEXTS.....
0150  ...@...........{
0160  H....g*....\3S..
0170  ..M..J.xn..@...X
0180  ...0V.T0R0'.%0#1
0190  !0...U....Token
01a0  Signing Public K
01b0  ey0'.%0#1!0...U.
01c0  ...Token Signing
01d0   Public Key


Best Regards,
David

--
David Kondrad
Software Design Engineer
Home Systems Division
Legrand, North America

717.546.5442
david.kondrad at legrand.us
www.legrand.us/onq
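
An added example, not Samba's code and not a patch from this thread: a minimal DER walk over negTokenInit that dispatches on each field's context tag, so a [2] mechToken (an optional negTokenInit field in RFC 4178) is skipped or recorded rather than failing a fixed-order read that expects [3]. The struct, the function names and the sample bytes are assumptions made for illustration; the sample keeps the header bytes from the hex dump above with the mechToken shortened to eight bytes.

```c
#include <stdint.h>
#include <string.h>
struct neg_init { int n_mechs; size_t mech_token_len; char hint[64]; };
/* Read one DER header at *p, advance *p to the value, return the tag (-1 if malformed). */
static int der_tlv(const uint8_t **p, const uint8_t *end, size_t *len)
{
    const uint8_t *q = *p;
    if (end - q < 2) return -1;
    int tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                          /* long form, e.g. 82 01 3c */
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;    /* value must fit in the bytes that remain */
    *p = q; *len = n;
    return tag;
}

/* Walk the negTokenInit fields by context tag instead of assuming their order. */
int parse_neg_token_init(const uint8_t *buf, size_t buflen, struct neg_init *out)
{
    const uint8_t *p = buf, *end = buf + buflen, *v;
    size_t len, n;
    memset(out, 0, sizeof(*out));
    if (der_tlv(&p, end, &len) != 0x60 || der_tlv(&p, end, &len) != 0x06) return -1;
    p += len;                                /* skip the SPNEGO OID */
    if (der_tlv(&p, end, &len) != 0xa0 || der_tlv(&p, end, &len) != 0x30) return -1;
    end = p + len;
    while (p < end) {
        int tag = der_tlv(&p, end, &len);
        if (tag < 0) return -1;
        v = p; p += len;                     /* fields we do not use are skipped */
        if (tag == 0xa0 && der_tlv(&v, p, &n) == 0x30) {          /* [0] mechTypes */
            while (v < p && der_tlv(&v, p, &n) == 0x06) { v += n; out->n_mechs++; }
        } else if (tag == 0xa2 && der_tlv(&v, p, &n) == 0x04) {   /* [2] mechToken */
            out->mech_token_len = n;
        } else if (tag == 0xa3 && der_tlv(&v, p, &n) == 0x30 && der_tlv(&v, p, &n) == 0xa0
                   && der_tlv(&v, p, &n) == 0x1b && n < sizeof(out->hint)) {
            memcpy(out->hint, v, n);         /* [3] hint name: the "principal" above */
        }
    }
    return 0;
}
/* Constructed sample: header bytes as in the dump above, mechToken cut to "NEGOEXTS". */
const uint8_t SAMPLE_WIN7[] = { 0x60,0x34, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
    0xa0,0x2a, 0x30,0x28, 0xa0,0x1a, 0x30,0x18,
    0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x1e,
    0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a,
    0xa2,0x0a, 0x04,0x08, 'N','E','G','O','E','X','T','S' };
```

For the sample, `parse_neg_token_init` returns 0 with two mechTypes, an 8-byte mechToken and an empty hint, which is the case the quoted `asn1_start_tag(data, ASN1_CONTEXT(3))` read cannot get past.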


