Browse list transfer between a DMB and a LMB, with plain text password

Samuel Degrande Samuel.Degrande at
Thu Sep 30 04:05:57 MDT 2010

On 09/30/2010 08:10 AM, Volker Lendecke wrote:
> On Wed, Sep 29, 2010 at 06:58:29PM +0200, Samuel Degrande wrote:
>> I have 2 samba servers, one DMB on one subnet, and one LMB on an
>> other subnet.
>> We use plain text passwords.
>> Browse list transfer was working fine with version 3.0.23. It does
>> no more work.
>> I looked at the difference between old and new versions.
>> The change is in reply_sesssetup_and_X(). Now, with plaintext password,
>> a password is mandatory, or a NT_STATUS_INVALID_PARAMETER is returned.
>> However, as far as I can understand, a client asking for a browse list
>> will connect with a guest account, and no password is sent...
>> Is it a known bug ? a feature change (and if so, how to continue to use
>> plaintext passwords) ?
> Please send a sniff and a debug level 10 log of the smbd.

I will do, but, as far as I can see in the code:

(I guess that you know all the details :-), it's just to explain how I
'traced' things, confirmed by adding some debug printf, to find where 
my issue seems to be)

(Sorry if I do not use the rights terms in my explanation)

1) on the LMB, there is an anonymous access to IPC$ to retrieve the
    browse list:

    nmbd_synclists.c:sync_child() calls
    cli_session_setup(&cli, "", "", 1, "", 0, workgroup)

    no "user" is defined, so cli_session_setup_guest() is called,
    so a 'SMBsesssetupX" msg is forged with an empty user and an
    empty passwd.

2) on the DMB, reply_sesssetup_and_X() is called.
    I'm using plaintext password, so doencrypt is FALSE
    No SPNEGO session, and protocol >= PROTOCOL_NT1

    srvstr_pull_talloc() is called to decode the password, which
    is empty. And it gets to:
     if (!pass) {
       reply_nterror(req, nt_status_squash(NT_STATUS_INVALID_PARAMETER));

    Later in this function's code, there are some checks against 'user'
    value, so that if 'user' is empty a guest session is validated.

My guess is that the "empty password test" should be done later, only on
non-guest session... Doing it fixes my issue: the session is validated,
the connection to IPC$ is done, and the LMB gets the DMB's browse list.

Samuel Degrande           LIFL - UMR8022 CNRS - INRIA LNE - Bat M3
Phone: (33)  USTL - Universite de Lille 1
        (33)  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: ]

More information about the samba-technical mailing list