Windows Search Protocol for samba share

Jean-Daniel FISCHER jeandaniel.fischer at gmail.com
Sat Mar 23 09:03:39 MDT 2013


Hi,

@Alexander: Thanks for sharing your experience. I hope I can manage to
find some workaround with the help out here :)

I joined the wireshark capture, the smbd full log and my smb.conf.

For reference: HYPERION is the Windows 8 client and GAIA is the standalone
server that hosts Samba.

Best regards,

Jean-Daniel FISCHER

PS: this time with reasonable size for log file ;)

2013/3/23 Jean-Daniel FISCHER <jeandaniel.fischer at gmail.com>

> I forgot: if you want to reproduce the trace on your network, here is how I
> am testing so far:
>
> Use the Windows Explorer to browse a samba share. Then type a word in the
> search box.
> You should see your windows client trying to open the pipe and then start
> searching by browsing your entire share.
>
> Jean-Daniel FISCHER
>
>
> 2013/3/23 Jean-Daniel FISCHER <jeandaniel.fischer at gmail.com>
>
>> Hi,
>>
>> @Alexander: Thanks for sharing your experience. I hope I can manage to
>> find some workaround with the help out here :)
>>
>> I joined the wireshark capture, the smbd full log and my smb.conf.
>>
>> For reference: HYPERION is the Windows 8 client and GAIA is the
>> standalone server that hosts Samba.
>>
>> Best regards,
>>
>> Jean-Daniel FISCHER
>>
>> 2013/3/23 Alexander Lüders <alexander.lueders at gmx.de>
>>
>>> On 20.03.2013 21:43, Jean-Daniel FISCHER wrote:
>>>
>>>> Hi Gregor and Jeremy,
>>>>
>>>> First of all, thanks for helping me :)
>>>>
>>>> @Gregor: It seems promising and I will definitely use it and give you
>>>> feedback as soon as I start to code the server. For now, I will focus on
>>>> declaring the named pipe in samba and forward it to external daemon.
>>>>
>>>> @Jeremy: I am looking into the samba code. So far, I found
>>>> nt_open_pipe, which is the function called when a client tries to open a
>>>> named pipe. It calls open_np_file, that calls np_open. At the end, this
>>>> function calls make_external_rpc_pipe_p if the pipe_mode is set
>>>> to RPC_SERVICE_MODE_EXTERNAL.
>>>>
>>>> Correct me if I am wrong, but that means I need to add
>>>> rpc_server:msftewds = external into smb.conf.
>>>>
>>>> In the function code, I have spotted:
>>>> socket_dir = lp_parm_const_string(
>>>> GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir",
>>>> lp_ncalrpc_dir());
>>>> So socket_dir = /var/run/samba/socket_dir in smb.conf should set this
>>>> value.
>>>>
>>>> Which should lead to a /var/run/samba/socket_dir/np/msftewds file to
>>>> appear, am I right? Because the directory is not created?
>>>> Is it my external daemon that has to create the unix domain socket
>>>> exchange file?
>>>>
>>>> I have done some fast wireshark capture. It seems that the pipe is not
>>>> opened with NT Create And X. It is accessed with a SMB_COM_TRANSACTION
>>>> (0x25) containing the sub command TRANS_WAIT_NMPIPE (0x0053). Smbd
>>>> responds with STATUS_NOT_SUPPORTED that is not indicated as a correct
>>>> STATUS return code for this command in MS-CIFS specification. Do you have
>>>> any idea where such smb message is handled in samba code? If it is
>>>> implemented?
>>>>
>>>> Best regards,
>>>>
>>>> Jean-Daniel FISCHER
>>>>
>>>> 2013/3/20 Gregor Beck <gb at sernet.de>
>>>>
>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Gregor Beck <gbeck at sernet.de>
>>>>> To: samba-technical at lists.samba.org
>>>>> Cc: Jean-Daniel FISCHER <jeandaniel.fischer at gmail.com>
>>>>> Date: Wed, 20 Mar 2013 15:32:58 +0100
>>>>> Subject: Re: Windows Search Protocol for samba share
>>>>> Hi Jean-Daniel,
>>>>>
>>>>> I've started hacking a wireshark dissector for MS-WSP. It is far from
>>>>> complete but might be of some help.
>>>>>
>>>>> Check out:
>>>>>
>>>>> http://repo.or.cz/w/wireshark-wip.git/shortlog/refs/heads/ms-wsp
>>>>>
>>>>> Any feedback is welcome ;-)
>>>>>
>>>>> Gregor
>>>>>
>>>>> On Tuesday, 19 March 2013, 20:14:30, Jean-Daniel FISCHER wrote:
>>>>>
>>>>>> Hi everyone,
>>>>>>
>>>>>> I wish to develop Windows Search Protocol (MS-WSP) support for samba
>>>>>> share.
>>>>>> I have gone through the specification and I am confident it can be
>>>>>> done.
>>>>>>
>>>>>> The protocol works on top of SMB using the named pipe MSFTEWDS
>>>>>> according to the specification MS provides.
>>>>>>
>>>>>> I am looking for a way to declare this named pipe into samba and make
>>>>>> all requests made on that named pipe forward to an external program.
>>>>>>
>>>>>> I have looked over samba source code, wiki and mailing list archives
>>>>>> during the last month, I can’t find a way to do it. Is there any way
>>>>>> to do this?
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Jean-Daniel FISCHER
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>> Hi Jean-Daniel,
>>>
>>>> I have done some fast wireshark capture. It seems that the pipe is not
>>>> opened with NT Create And X. It is accessed with a SMB_COM_TRANSACTION
>>>> (0x25) containing the sub command TRANS_WAIT_NMPIPE (0x0053).
>>>
>>> I stumbled across the same problem a year ago while I was doing some
>>> prototype implementation for my master thesis. The problem is that the
>>> Windows Search Service relies on the pipe being opened with the
>>> SMB_COM_NT_CREATE_ANDX command rather than the SMB_COM_OPEN command. The
>>> former one allows the parameter 'ImpersonationLevel' being set. This is a
>>> mandatory parameter as stated in the MS-WSP section 2.1.
>>>
>>> At that time I did not find a suitable (rather quick) approach to handle
>>> the problem, as it seemed to require serious changes to the Samba Project
>>> implementation itself. Eventually I had to switch to jCIFS for further
>>> process.
>>>
>>> Hope this helps...
>>>
>>> Greets
>>> Alexander Lüders
>>>
>>>
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WSP.pcap
Type: application/octet-stream
Size: 8433 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130323/6365d21e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.hyperion
Type: application/octet-stream
Size: 10107 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130323/6365d21e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 963 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130323/6365d21e/attachment-0002.obj>
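
Added example, not part of the original message and not Samba or Wireshark code: a small SMB1 request parser for checking, in a capture like the one described in this thread, whether a client reaches a pipe through SMB_COM_TRANSACTION / TRANS_WAIT_NMPIPE or through SMB_COM_NT_CREATE_ANDX (where ImpersonationLevel is carried). The names `describe_smb1` and `sample_wait_nmpipe` are hypothetical, the sample bytes are constructed rather than taken from WSP.pcap, and the field offsets follow the MS-CIFS request layouts.

```python
import struct

# SMB1 codes named in the thread (values per MS-CIFS).
SMB_COM_TRANSACTION = 0x25
SMB_COM_NT_CREATE_ANDX = 0xA2
TRANS_WAIT_NMPIPE = 0x0053
FLAGS2_UNICODE = 0x8000
HEADER_LEN = 32  # fixed SMB1 header size


def describe_smb1(msg: bytes) -> dict:
    """Summarise how one SMB1 request touches a named pipe."""
    if len(msg) < HEADER_LEN + 1 or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, word_count = msg[4], msg[HEADER_LEN]
    flags2 = struct.unpack_from("<H", msg, 10)[0]
    words = msg[HEADER_LEN + 1:HEADER_LEN + 1 + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("truncated parameter block")
    out = {"command": command}
    if command == SMB_COM_NT_CREATE_ANDX and word_count == 24:
        # ImpersonationLevel: ULONG at byte 43 of the parameter words.
        out["impersonation_level"] = struct.unpack_from("<I", words, 43)[0]
    elif command == SMB_COM_TRANSACTION and word_count >= 14:
        setup_count = words[26]
        if setup_count == 0 or word_count < 14 + setup_count:
            raise ValueError("transaction has no usable setup words")
        out["subcommand"] = struct.unpack_from("<H", words, 28)[0]
        # Name follows the 2-byte ByteCount; Unicode names are 2-byte aligned.
        at = HEADER_LEN + 1 + 2 * word_count + 2
        if flags2 & FLAGS2_UNICODE:
            at += at & 1
            text = msg[at:].decode("utf-16-le", "replace")
        else:
            text = msg[at:].decode("ascii", "replace")
        out["name"] = text.split("\x00", 1)[0]
        out["is_wait_nmpipe"] = out["subcommand"] == TRANS_WAIT_NMPIPE
    return out


def sample_wait_nmpipe() -> bytes:
    """Constructed request (not from WSP.pcap): TRANS_WAIT_NMPIPE on MSFTEWDS."""
    header = b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + bytes(27)
    # 14 fixed words (all zero here except SetupCount=2), then Setup[0..1].
    words = struct.pack("<4H2BHIH4H2B2H", *([0] * 13), 2, 0, TRANS_WAIT_NMPIPE, 0)
    name = b"\\PIPE\\MSFTEWDS\x00"
    return header + bytes([len(words) // 2]) + words + struct.pack("<H", len(name)) + name


print(describe_smb1(sample_wait_nmpipe()))
```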

