Windows Search Protocol for samba share

Jean-Daniel FISCHER jeandaniel.fischer at gmail.com
Sat Mar 23 08:54:17 MDT 2013


I forgot: if you want to reproduce the trace on your network, here is how I am
testing so far:

Use the Windows Explorer to browse a samba share. Then type a word in the
search box.
You should see your Windows client trying to open the pipe and then start
searching by browsing your entire share.

Jean-Daniel FISCHER

2013/3/23 Jean-Daniel FISCHER <jeandaniel.fischer at gmail.com>

> Hi,
>
> @Alexander: Thanks for sharing your experience. I hope I can manage to
> find some workaround with the help out here :)
>
> I joined the wireshark capture, the smbd full log and my smb.conf.
>
> For reference: HYPERION is the Windows 8 client and GAIA is the standalone
> server that hosts samba.
>
> Best regards,
>
> Jean-Daniel FISCHER
>
> 2013/3/23 Alexander Lüders <alexander.lueders at gmx.de>
>
>> On 20.03.2013 21:43, Jean-Daniel FISCHER wrote:
>>
>>> Hi Gregor and Jeremy,
>>>
>>> First of all, thanks for helping me :)
>>>
>>> @Gregor: It seems promising and I will definitely use it and give you
>>> feedback as soon as I start to code the server. For now, I will focus on
>>> declaring the named pipe in samba and forward it to external daemon.
>>>
>>> @Jeremy: I am looking into the samba code. So far, I found the
>>> nt_open_pipe which is the function called when a client tries to open a
>>> named pipe. It calls open_np_file, that calls np_open. At the end, this
>>> function calls make_external_rpc_pipe_p if the pipe_mode is set
>>> to RPC_SERVICE_MODE_EXTERNAL.
>>>
>>> Correct me if I am wrong but that means I need to add
>>> rpc_server:msftewds = external into smb.conf.
>>>
>>> In the function code, I have spotted:
>>> socket_dir = lp_parm_const_string(
>>> GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir",
>>> lp_ncalrpc_dir());
>>> So socket_dir = /var/run/samba/socket_dir in smb.conf should set this
>>> value.
>>>
>>> Which should lead to a /var/run/samba/socket_dir/np/msftewds file to
>>> appear, am I right ? Because the directory is not created ?
>>> Is it my external daemon that has to create the unix domain socket
>>> exchange file ?
>>>
>>> I have done some fast wireshark capture. It seems that the pipe is not
>>> opened with NT Create And X. It is accessed with a SMB_COM_TRANSACTION
>>> (0x25) containing the sub command TRANS_WAIT_NMPIPE (0x0053). Smbd
>>> responds with STATUS_NOT_SUPPORTED that is not indicated as a correct
>>> STATUS return code for this command in MS-CIFS specification. Do you have
>>> any idea where such smb message is handled in samba code ? If it is
>>> implemented ?
>>>
>>> Best regards,
>>>
>>> Jean-Daniel FISCHER
>>>
>>> 2013/3/20 Gregor Beck <gb at sernet.de>
>>>
>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Gregor Beck <gbeck at sernet.de>
>>>> To: samba-technical at lists.samba.org
>>>> Cc: Jean-Daniel FISCHER <jeandaniel.fischer at gmail.com>
>>>> Date: Wed, 20 Mar 2013 15:32:58 +0100
>>>> Subject: Re: Windows Search Protocol for samba share
>>>> Hi Jean-Daniel,
>>>>
>>>> I've started hacking a wireshark dissector for MS-WSP. It is far from
>>>> complete
>>>> but might be of some help.
>>>>
>>>> Check out:
>>>>
>>>> http://repo.or.cz/w/wireshark-wip.git/shortlog/refs/heads/ms-wsp
>>>>
>>>> Any feedback is welcome ;-)
>>>>
>>>> Gregor
>>>>
>>>> On Tuesday, 19 March 2013, 20:14:30, Jean-Daniel FISCHER wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I wish to develop Windows Search Protocol (MS-WSP) support for samba
>>>>> share.
>>>>> I have gone through the specification and I am confident it can be
>>>>> done.
>>>>>
>>>>> The protocol works on top of SMB using the named pipe MSFTEWDS
>>>>> according to the specification MS provides.
>>>>>
>>>>> I am looking for a way to declare this named pipe into samba and make
>>>>> all requests made on that named pipe forward to an external program.
>>>>>
>>>>> I have looked over samba source code, wiki and mailing list archives
>>>>> during the last month, I can't find a way to do it. Is there any way to
>>>>> do this ?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Jean-Daniel FISCHER
>>>>>
>>>>
>>>>
>>>>
>>>
>> Hi Jean-Daniel,
>>
>>
>>> I have done some fast wireshark capture. It seems that the pipe is not
>>> opened with NT Create And X. It is accessed with a SMB_COM_TRANSACTION
>>> (0x25) containing the sub command TRANS_WAIT_NMPIPE (0x0053).
>>>
>> I stumbled across the same problem a year ago while I was doing some
>> prototype implementation for my master thesis. The problem is that the
>> Windows Search Service relies on the pipe being opened with the
>> SMB_COM_NT_CREATE_ANDX command rather than the SMB_COM_OPEN command. The
>> former one allows the parameter 'ImpersonationLevel' to be set. This is a
>> mandatory parameter as stated in the MS-WSP section 2.1.
>>
>> At that time I did not find a suitable (rather quick) approach to handle
>> the problem, as it seemed to require serious changes to the Samba Project
>> implementation itself. Eventually I had to switch to jCIFS for further
>> process.
>>
>> Hope this helps...
>>
>> Greets
>> Alexander Lüders
>>
>>
>>
>
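An added example, not part of the thread and not Samba or Wireshark code: a minimal Python check that recognizes the request described in the capture above, an SMB_COM_TRANSACTION (0x25) whose first setup word is TRANS_WAIT_NMPIPE (0x0053), and returns the pipe name the client is waiting on. Field offsets follow the MS-CIFS request layout; `wait_nmpipe_name`, `build_sample` and the sample message are names and data constructed for this illustration.

```python
import struct

SMB_COM_TRANSACTION = 0x25
TRANS_WAIT_NMPIPE = 0x0053
SMB_FLAGS_REPLY = 0x80
SMB_FLAGS2_UNICODE = 0x8000
HDR = 32  # fixed SMB1 header length


def wait_nmpipe_name(msg: bytes):
    """Pipe name if msg (starting at 0xFF 'SMB') is a TRANS_WAIT_NMPIPE request, else None."""
    if len(msg) < HDR + 1 or msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_TRANSACTION:
        return None
    flags, flags2 = struct.unpack_from("<BH", msg, 9)
    if flags & SMB_FLAGS_REPLY:  # server response, not a client request
        return None
    word_count, words = msg[HDR], HDR + 1
    # A request has 14 fixed parameter words followed by SetupCount setup words.
    if word_count < 15 or len(msg) < words + 2 * word_count + 2:
        return None
    setup_count = msg[words + 26]
    if setup_count < 1 or word_count != 14 + setup_count:
        return None
    (subcommand,) = struct.unpack_from("<H", msg, words + 28)  # Setup[0]
    if subcommand != TRANS_WAIT_NMPIPE:
        return None
    bc_off = words + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", msg, bc_off)
    data = msg[bc_off + 2 : bc_off + 2 + byte_count]
    if flags2 & SMB_FLAGS2_UNICODE:
        # Unicode strings are 2-byte aligned from the start of the SMB header.
        pad = (bc_off + 2) % 2
        return data[pad:].decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return data.decode("latin-1").split("\0", 1)[0]


def build_sample(name: str, subcommand: int, unicode: bool = False) -> bytes:
    """Constructed request for the demo: no parameters or data, priority 0."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + bytes(5)
              + struct.pack("<H", flags2) + bytes(20))
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0)
    setup = struct.pack("<HH", subcommand, 0)  # Setup[0]=subcommand, Setup[1]=priority
    payload = (b"\0" + name.encode("utf-16-le") + b"\0\0") if unicode \
        else name.encode("ascii") + b"\0"
    return header + bytes([16]) + words + setup + struct.pack("<H", len(payload)) + payload


if __name__ == "__main__":
    print(wait_nmpipe_name(build_sample("\\PIPE\\MSFTEWDS", TRANS_WAIT_NMPIPE, True)))
```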