[Samba] CIFS proxy

Andrew Bartlett abartlet at samba.org
Tue Jul 26 16:46:28 MDT 2011


On Tue, 2011-07-26 at 19:34 -0300, Maximiliano Bertacchini wrote:
> On 22/07/11 20:40, Andrew Bartlett wrote:
> > On Fri, 2011-07-22 at 12:30 -0300, Maximiliano Bertacchini wrote:
> >> Hi. We managed to get samba 4 cifs proxy working with s4u2proxy auth in
> >> an AD environment. The problem is it won't let clients neither write
> >> files larger than 16441 bytes nor read files larger than 65536 bytes.
> >> For example, writing a 16641 byte file works ok, but writing a 16642
> >> byte (or larger) file fails:
> > My guess is that we are failing to clamp the maximum packet size when
> > doing SMB signing.  It seems Microsoft only signs the first 16641 (or
> > so) bytes of the packet, and not the 'extra large' packets that Samba
> > can support.
> >
> > If SMB signing is disabled (or perhaps enabled on both ends?) then this
> > should work, and confirm my theory.
> >
> > Andrew Bartlett
> >
> You're right. Turning off signing at the windows 2003 server did the 
> trick. It looks like it is now possible to write "large" files 
> correctly. Though I'm still not sure whether turning off smb signing is 
> secure enough. But we are still unable to read files larger than 64k 
> with smbclient.
> 
> We're also getting a "cli_list_new: unable to parse name from info level 
> 260" when connecting with smbclient to the samba4 cifs proxy and doing 
> ls on a directory with hundreds of files. ls is ok in smaller directories.

Thank-you very much for the feedback on this.  These are *really*
important data points.  

I think the next step is to either find a way to break up the packets,
or a way to ensure we don't allow the larger packets when we potentially
can use the CIFS proxy.  This may be a challenge, but I'm sure we can
sort it out one way or the other. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



More information about the samba-technical mailing list