[Samba] Problem with smbclient to Windows 2003 Server.
Back Daniel
di0bada at chl.chalmers.se
Fri May 2 14:35:18 GMT 2003
Hello!
I'm writing to you all on behalf of my working party, a group of students at
Chalmers Lindholmen University. We have been working on a problem for 6 weeks
but we have come to a dead stop. If you could help us in any way we would
remember it with gratitude and make sure it's not forgotten!
We are wondering if someone can assist us with a dilemma we have regarding
Samba 3.0 alpha23 on Red Hat 8.0 and Windows 2003 Server when using smbclient.
The problem started when we tried to use Kerberos with smbclient to log on to a
Windows 2003 Server. We got Access Denied as you can see below:
[root at alpha23 root]# kinit
Password for administrator at XJSIMPLE.FOO:
[root at alpha23 root]# smbclient //192.168.0.1/public -k
added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Doing spnego session setup (blob length=112)
Doing kerberos session setup
OS=[Windows .NET 3663] Server=[Windows .NET 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
So we tried to log on with a username and password instead of Kerberos and this
happened:
[root at alpha23 root]# smbclient //192.168.0.1/public -U administrator
added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Password:
Doing spnego session setup (blob length=112)
NTLMSSP packet check failed due to invalid signiture!
OS=[Windows .NET 3663] Server=[Windows .NET 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root at alpha23 root]# smbclient //192.168.0.1/public -U administrator -d 10
---------8<----------------
crc32_calc_buffer: 3a4aa1f8
NTLMSSP packet check failed due to invalid signiture!
NTLMSSP signing failed with NT_STATUS_ACCESS_DENIED
got SMB signature of
[000] 22 80 CF FD 58 14 2C C9 "...X.,.
Server did not sign reply correctly
---------8<----------------
We captured the packets with Ethereal and found this:
---------8<----------------
Negotiate Protocol Response (0x72)
Word Count (WCT): 17
Dialect Index: 8, greater than LANMAN2.1
Security Mode: 0x0f
.... ...1 = Mode: USER security mode
.... ..1. = Password: ENCRYPTED password. Use challenge/response
.... .1.. = Signatures: Security signatures ENABLED
.... 1... = Sig Req: Security signatures REQUIRED
---------8<----------------
Windows 2003 Server requires every SMB-packet to have a security signature.
After this we did the same thing but instead of a Windows 2003 server we used a
Windows 2000 Server and we had no problem with smbclient and the server gave us
this:
---------8<----------------
Negotiate Protocol Response (0x72)
Word Count (WCT): 17
Dialect Index: 8, greater than LANMAN2.1
Security Mode: 0x07
.... ...1 = Mode: USER security mode
.... ..1. = Password: ENCRYPTED password. Use challenge/response
.... .1.. = Signatures: Security signatures ENABLED
.... 0... = Sig Req: Security signatures NOT required
---------8<----------------
So, W2K doesn't need SMB packet signatures and we have no problems, but we
want it to work with Windows 2003. What's the difference between Windows 2000
and Windows 2003 when it comes to security signatures of SMB packets? Can we
disable signatures in Windows 2003 Server or do we have to make some changes in
Red Hat/Samba? Is there another way to get around this problem?
Is the problem with Microsoft (we believe so) or is there something we can do
with Samba or Red Hat?
If you need more information just ask for it and we will give it ASAP.
//Daniel
-----------------------------8<----------------------------------
smb.conf
--------8<----------------
[global]
workgroup = XJSIMPLE
realm = XJSIMPLE.FOO
ads server = 192.168.0.1
security = ads
encrypt passwords = yes
domain master = no
preferred master = yes
wins support = no
dns proxy = yes
---------8<----------------
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = XJSIMPLE.FOO
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[realms]
XJSIMPLE.FOO = {
kdc = 192.168.0.1:88
admin_server = 192.168.0.1:749
default_domain = xjsimple.foo
}
[domain_realm]
.xjsimple.foo = XJSIMPLE.FOO
xjsimple.foo = XJSIMPLE.FOO
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
-----------------------------8<------------------------------
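
Added example, not part of the original post: a decoder for the Security Mode byte that differs between the two Ethereal captures above (0x0f from Windows 2003, 0x07 from Windows 2000), plus the SMB1 signing negotiation result for a given client policy. The client policy labels and the sample packets are constructed for illustration.

```python
import struct

# SecurityMode bits of the SMB1 Negotiate Protocol Response (NT LM 0.12).
USER_LEVEL, ENCRYPTED_PW, SIGN_ENABLED, SIGN_REQUIRED = 0x01, 0x02, 0x04, 0x08

def parse_negotiate_response(pkt: bytes) -> dict:
    """Decode dialect index and security mode from a raw SMB1 message
    (starting at the 0xFF 'SMB' marker, NetBIOS session header stripped)."""
    if len(pkt) < 36 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if pkt[4] != 0x72 or not pkt[9] & 0x80:
        raise ValueError("not a Negotiate Protocol response")
    if pkt[32] != 17:  # word count of the NT LM 0.12 response
        raise ValueError("word count is not 17")
    dialect_index, mode = struct.unpack_from("<HB", pkt, 33)
    return {
        "dialect_index": dialect_index,
        "security_mode": mode,
        "user_level": bool(mode & USER_LEVEL),
        "encrypted_passwords": bool(mode & ENCRYPTED_PW),
        "signing_enabled": bool(mode & SIGN_ENABLED),
        "signing_required": bool(mode & SIGN_REQUIRED),
    }

def signing_outcome(mode: int, client: str) -> str:
    """Result of SMB1 signing negotiation for a client policy of
    'disabled', 'enabled' or 'required' (hypothetical labels)."""
    if client not in ("disabled", "enabled", "required"):
        raise ValueError("unknown client policy")
    server_on = bool(mode & (SIGN_ENABLED | SIGN_REQUIRED))
    if mode & SIGN_REQUIRED and client == "disabled":
        return "refused"      # server insists, client cannot sign
    if client == "required" and not server_on:
        return "refused"      # client insists, server cannot sign
    return "signed" if server_on and client != "disabled" else "unsigned"

def sample_response(mode: int) -> bytes:
    """Constructed packet: 32-byte header, WCT=17, dialect index 8."""
    header = b"\xffSMB\x72" + bytes(4) + b"\x88" + bytes(22)
    return header + bytes([17]) + struct.pack("<HB", 8, mode) + bytes(31 + 2)

if __name__ == "__main__":
    for name, mode in (("Windows 2003", 0x0F), ("Windows 2000", 0x07)):
        info = parse_negotiate_response(sample_response(mode))
        for policy in ("disabled", "enabled", "required"):
            print(name, hex(info["security_mode"]), policy,
                  signing_outcome(mode, policy))
```

With mode 0x0f every session must be signed, so a client that cannot produce a signature the server accepts has no unsigned fallback; with 0x07 an unsigned session is still permitted.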