Browse list transfer between a DMB and a LMB, with plain text password

Christopher R. Hertel crh at
Thu Sep 30 10:12:23 MDT 2010

Anonymous logon is different than guest logon.

For guest logon to work, the server must have a guest account and must be
configured to allow guest access.  A "real" guest logon occurs when a "real"
user logon is attempted but fails, and the server responds by granting guest
access instead.  There's a bit in a field in the SessionSetupAndX response
that indicates that guest access has been granted.

Anonymous logon is an explicit request from the client to log on without
credentials.  No username, no password.  Anonymous logon, if granted,
provides access to a very limited set of IPC$ share features.

Chris -)-----

Samuel Degrande wrote:
> On 09/30/2010 08:10 AM, Volker Lendecke wrote:
>> On Wed, Sep 29, 2010 at 06:58:29PM +0200, Samuel Degrande wrote:
>>> I have 2 samba servers, one DMB on one subnet, and one LMB on
>>> another subnet.
>>> We use plain text passwords.
>>> Browse list transfer was working fine with version 3.0.23. It no
>>> longer works.
>>> I looked at the difference between old and new versions.
>>> The change is in reply_sesssetup_and_X(). Now, with plaintext password,
>>> a password is mandatory, or a NT_STATUS_INVALID_PARAMETER is returned.
>>> However, as far as I can understand, a client asking for a browse list
>>> will connect with a guest account, and no password is sent...
>>> Is it a known bug? A feature change (and if so, how to continue to use
>>> plaintext passwords)?
>> Please send a sniff and a debug level 10 log of the smbd.
> I will do, but, as far as I can see in the code:
> (I guess that you know all the details :-), it's just to explain how I
> 'traced' things, confirmed by adding some debug printf, to find where my
> issue seems to be)
> (Sorry if I do not use the right terms in my explanation)
> 1) on the LMB, there is an anonymous access to IPC$ to retrieve the
>    browse list:
>    nmbd_synclists.c:sync_child() calls
>    cli_session_setup(&cli, "", "", 1, "", 0, workgroup)
>    no "user" is defined, so cli_session_setup_guest() is called,
>    so a 'SMBsesssetupX' msg is forged with an empty user and an
>    empty passwd.
> 2) on the DMB, reply_sesssetup_and_X() is called.
>    I'm using plaintext password, so doencrypt is FALSE
>    No SPNEGO session, and protocol >= PROTOCOL_NT1
>    srvstr_pull_talloc() is called to decode the password, which
>    is empty. And it gets to:
>     if (!pass) {
>       reply_nterror(req, nt_status_squash(NT_STATUS_INVALID_PARAMETER));
>       END_PROFILE(SMBsesssetupX);
>       return;
>     }
>    Later in this function's code, there are some checks against 'user'
>    value, so that if 'user' is empty a guest session is validated.
> My guess is that the "empty password test" should be done later, only on
> non-guest session... Doing it fixes my issue: the session is validated,
> the connection to IPC$ is done, and the LMB gets the DMB's browse list.

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
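
The distinction discussed in this thread, as an added example (not code from the post and not Samba's own code): an anonymous request carries no user and an empty password, so a server that tests the password before the user rejects it, while the guest case is read from bit 0 of the Action field in the response. The struct, enum and function names are hypothetical, SMB_SETUP_GUEST is the MS-CIFS name for that bit, and the sample request in main() is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMB_SETUP_GUEST 0x0001 /* Action bit 0, name as in MS-CIFS */

/* Hypothetical, simplified view of a plaintext SessionSetupAndX request. */
struct setup_req {
    const char *user;    /* account name, "" when none was sent */
    const uint8_t *pass; /* plaintext password bytes */
    size_t pass_len;
};

enum logon { LOGON_INVALID, LOGON_ANONYMOUS, LOGON_CREDENTIALED };

/* Empty: zero bytes, or the lone NUL sent for "" with length 1. */
static int pass_is_empty(const struct setup_req *r)
{
    return r->pass == NULL || r->pass_len == 0 ||
           (r->pass_len == 1 && r->pass[0] == 0);
}

/* Password test first: the anonymous request never reaches the user test. */
enum logon classify_password_first(const struct setup_req *r)
{
    return pass_is_empty(r) ? LOGON_INVALID : LOGON_CREDENTIALED;
}

/* User test first: an empty password is an error only for a named user. */
enum logon classify_user_first(const struct setup_req *r)
{
    if (r->user[0] == '\0' && pass_is_empty(r))
        return LOGON_ANONYMOUS;
    return pass_is_empty(r) ? LOGON_INVALID : LOGON_CREDENTIALED;
}

/* Words: AndXCommand(1) AndXReserved(1) AndXOffset(2) Action(2, LE); -1 if short. */
int response_is_guest(const uint8_t *words, uint8_t word_count)
{
    if (word_count < 3) return -1;
    return ((words[4] | (words[5] << 8)) & SMB_SETUP_GUEST) != 0;
}

int main(void)
{
    const uint8_t nul = 0; /* constructed sample: user "", password "" sent with length 1 */
    struct setup_req anon = { "", &nul, 1 };
    printf("%d %d\n", classify_password_first(&anon), classify_user_first(&anon));
    return 0;
}
```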
