NTLM packet signing gone bad - fixed by Samba restart
Dave Daugherty
dave.daugherty at centrify.com
Fri Jun 24 17:08:10 MDT 2011
I am hoping to have some time to work on this over the weekend but thought I would throw this out there to see if anyone knows what is happening.
1) Samba 3.5.5 with Centrify patches (no patches to packet signing that I am aware of and don't see any obvious 3.5.9 fixes for this problem).
2) NTLM Packet signing works fine between Samba and Windows XP/7/2003 clients
3) Flurry of connections
4) NTLM packet signing starts failing for all new NTLM authenticated connections - continues working for existing connections
5) New Kerberos authenticated connections continue to sign packets okay
6) Restart Samba
7) NTLM packet signing starts working again.
For 4) - Optional packet signing is negotiated and the Windows client does not complain about the signature generated by Samba in the SessionSetupAndX NTLM auth response, but Samba cannot verify the signature of the next client request (treeConnectAndX to IPC$) so it tries to disable packet signing. The Windows client does not like this, drops the connection and retries a number of times - all which fail in exactly the same way as the first failure.
I have a 300 meg log file (level 10) from a customer where the problem first starts occurring but have not examined it in detail yet. Also not sure how much of it I can post since I do not have permission yet.
Dave Daugherty
Centrify
More information about the samba-technical
mailing list