Browse list transfer between a DMB and a LMB, with plain text password

Samuel Degrande Samuel.Degrande at lifl.fr
Thu Sep 30 11:54:23 MDT 2010


On 09/30/2010 06:12 PM, Christopher R. Hertel wrote:
> Anonymous logon is different than guest logon.
>
> For guest logon to work, the server must have a guest account and must be
> configured to allow guest access.  A "real" guest logon occurs when a "real"
> user logon is attempted but fails, and the server responds by granting guest
> access instead.  There's a bit in a field in the SessionSetupAndX response
> that indicates that guest access has been granted.
>
> Anonymous logon is an explicit request from the client to log on without
> credentials.  No username, no password.  Anonymous logon, if granted,
> provides access to a very limited set of $IPC share features.
>

So yes, I was using the wrong terms. Sorry.

I used the 'guest' term because of the name of the functions involved
when sync_child() is called (on each part of the connection). But
indeed, neither username nor password is set, so it's an anonymous access, as
you say.

Anyway, apart from the wrong term, the functions I listed are those
which are called (unless I missed something else), leading to
reply_nterror(req, nt_status_squash(NT_STATUS_INVALID_PARAMETER)),
due to the empty password.

Oh, I forgot to mention that in the old Samba version (3.0.23) I was
successfully using, the emptiness of the password was not checked...

> Chris -)-----
>
> Samuel Degrande wrote:
>> On 09/30/2010 08:10 AM, Volker Lendecke wrote:
>>> On Wed, Sep 29, 2010 at 06:58:29PM +0200, Samuel Degrande wrote:
>>>> I have 2 Samba servers, one DMB on one subnet, and one LMB on
>>>> another subnet.
>>>>
>>>> We use plain text passwords.
>>>>
>>>> Browse list transfer was working fine with version 3.0.23. It no
>>>> longer works.
>>>>
>>>> I looked at the difference between old and new versions.
>>>>
>>>> The change is in reply_sesssetup_and_X(). Now, with plaintext password,
>>>> a password is mandatory, or a NT_STATUS_INVALID_PARAMETER is returned.
>>>>
>>>> However, as far as I can understand, a client asking for a browse list
>>>> will connect with a guest account, and no password is sent...
>>>>
>>>> Is it a known bug? A feature change (and if so, how to continue to use
>>>> plaintext passwords)?
>>>
>>> Please send a sniff and a debug level 10 log of the smbd.
>>>
>>
>> I will do, but, as far as I can see in the code:
>>
>> (I guess that you know all the details :-), it's just to explain how I
>> 'traced' things, confirmed by adding some debug printf, to find where my
>> issue seems to be)
>>
>> (Sorry if I do not use the right terms in my explanation)
>>
>> 1) on the LMB, there is an anonymous access to IPC$ to retrieve the
>>     browse list:
>>
>>     nmbd_synclists.c:sync_child() calls
>>     cli_session_setup(&cli, "", "", 1, "", 0, workgroup)
>>
>>     no "user" is defined, so cli_session_setup_guest() is called,
>>     so a 'SMBsesssetupX' msg is forged with an empty user and an
>>     empty passwd.
>>
>> 2) on the DMB, reply_sesssetup_and_X() is called.
>>     I'm using plaintext password, so doencrypt is FALSE
>>     No SPNEGO session, and protocol >= PROTOCOL_NT1
>>
>>     srvstr_pull_talloc() is called to decode the password, which
>>     is empty. And it gets to:
>>      if (!pass) {
>>        reply_nterror(req, nt_status_squash(NT_STATUS_INVALID_PARAMETER));
>>        END_PROFILE(SMBsesssetupX);
>>        return;
>>      }
>>
>>     Later in this function's code, there are some checks against 'user'
>>     value, so that if 'user' is empty a guest session is validated.
>>
>> My guess is that the "empty password test" should be done later, only on
>> non-guest session... Doing it fixes my issue: the session is validated,
>> the connection to IPC$ is done, and the LMB gets the DMB's browse list.
>>
>


-- 
Samuel Degrande           LIFL - UMR8022 CNRS - INRIA LNE - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
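
Added example, not part of the original message and not Samba code: a simplified C model of the two check orders described in the trace above. It shows that running the empty-user check before the empty-password test lets the anonymous request through, while a named user with an empty password is still rejected. All names (setup_req, setup_password_test_first, setup_user_test_first) are hypothetical.

```c
#include <stdio.h>

/* Simplified model of the decision order discussed in this thread.
 * Not Samba source: every name here is hypothetical. */
enum setup_result {
    SETUP_ANONYMOUS,         /* session validated without credentials */
    SETUP_VERIFY_PASSWORD,   /* continue to plaintext password verification */
    SETUP_INVALID_PARAMETER  /* rejected before any verification */
};

struct setup_req {
    const char *user;  /* "" when the client sent no username */
    const char *pass;  /* "" when the client sent no password */
};

static int is_empty(const char *s) { return s == NULL || s[0] == '\0'; }

/* Order reported on the DMB: the empty-password test runs first, so the
 * request with empty user and empty password never reaches the user check. */
enum setup_result setup_password_test_first(const struct setup_req *r)
{
    if (is_empty(r->pass)) return SETUP_INVALID_PARAMETER;
    if (is_empty(r->user)) return SETUP_ANONYMOUS;
    return SETUP_VERIFY_PASSWORD;
}

/* Order proposed in the message: the empty-password test applies only
 * once the request is known to name a user. */
enum setup_result setup_user_test_first(const struct setup_req *r)
{
    if (is_empty(r->user)) return SETUP_ANONYMOUS;
    if (is_empty(r->pass)) return SETUP_INVALID_PARAMETER;
    return SETUP_VERIFY_PASSWORD;
}

int main(void)
{
    /* Constructed sample requests; "alice" and "pw" are made-up values. */
    const struct setup_req reqs[] = {
        { "", "" }, { "alice", "" }, { "alice", "pw" }, { "", "pw" }
    };
    static const char *names[] = { "ANONYMOUS", "VERIFY_PASSWORD", "INVALID_PARAMETER" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("user=\"%s\" pass=\"%s\": password-first=%s user-first=%s\n",
               reqs[i].user, reqs[i].pass,
               names[setup_password_test_first(&reqs[i])],
               names[setup_user_test_first(&reqs[i])]);
    return 0;
}
```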


More information about the samba-technical mailing list