[Samba] NET_SAMLOGON issue
Fabien Chevalier
fabien.chevalier at supelec.fr
Thu Oct 16 17:08:48 GMT 2003
Hi all,
I'm having a little trouble with my Samba setup. :-(
I hope some SMB protocol guru will be able to say to me what's going wrong!
I must apologize as it's a bit long and heavy in your mailbox, but this is not a trivial issue
and i think it requires some explanations to be fully understood.
So let's go!
Here is my setup:
- I use Samba 3.0.1-pre1 as PDC. Domain is called DC-SORRAL.
- Domain members are Win2K server and WinXP.
- SAM backend is ldapsam_compat.
- I can log on as a domain user in both Win2K and WinXP==->Roaming users work Ok.
Note: smb.conf is given as attachment
So i would say a 'common LDAP Samba 3 setup' is up and running.
But now i need to go a bit further.
I'm trying to have a third party Windows software (called HummingBird DM - that's
a proprietary electronic document management System) to authenticate it's users using the Samba PDC.
It's supposed to run with Windows NT4 SP4 or later as domain controller, so... I suppose it should run with Samba 3.
(Tell me if i'm wrong :-)).
HummmingBird DM uses a domain account which is in our case 'zzAdmin' with
password '55nm08dk55nm08dk'.
I can log on zzAdmin without issue, but when i tell HummingBird's wizard to use the account 'zzAdmin'
the wizard fails and sends back to me a wrong user name / wrong password error.
So i turn debugging level to 255, defined DEBUG_PASSWORD in auth_sam.c and recompile the whole, and
restart Samba.
Then i begin to analyse the log file:
(note: full log file is gziped as attachment - chosen parts are given below, as the whole is ~6000 lines long)
--SNIP--
[2003/10/14 16:40:37, 5] rpc_server/srv_pipe.c:api_pipe_request(1454)
Requested \PIPE\NETLOGON
[2003/10/14 16:40:37, 4] rpc_server/srv_pipe.c:api_rpcTNP(1488)
api_rpcTNP: NETLOGON op 0x2 - created /tmp/in_NETLOGON_2.10.prs
[2003/10/14 16:40:37, 3] rpc_server/srv_pipe.c:api_rpcTNP(1495)
api_rpcTNP: rpc command: NET_SAMLOGON
--SNIP--
It seems Hummingbird wants to authenticate itself...good news!!
--SNIP--
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
00e4 uni_str_len: 00000007
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
00e8 buffer : z.z.A.d.m.i.n.
[2003/10/14 16:40:37, 9] rpc_parse/parse_prs.c:prs_debug(81)
0000f6 smb_io_unistr2 uni_wksta_name
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
00f8 uni_max_len: 0000000c
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
00fc undoc : 00000000
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
0100 uni_str_len: 0000000c
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
0104 buffer : D.C.-.S.O.R.R.A.L.-.0.6.
[2003/10/14 16:40:37, 9] rpc_parse/parse_prs.c:prs_debug(81)
00011c smb_io_string2 nt_chal_resp
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
011c str_max_len: 00000020
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
0120 undoc : 00000000
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
0124 str_str_len: 00000020
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_string2(960)
0128 buffer : 5.5.n.m.0.8.d.k.5.5.n.m.0.8.d.k.
[2003/10/14 16:40:37, 9] rpc_parse/parse_prs.c:prs_debug(81)
000148 smb_io_string2 lm_chal_resp
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
0148 str_max_len: 0000000e
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
014c undoc : 00000000
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
0150 str_str_len: 0000000e
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_string2(960)
0154 buffer : 55NM08DK55NM08
[2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_uint16(605)
0162 validation_level: 0003
--SNIP--
HummingBird sends us zzAdmin...seems clever :-)
HummingBird sends us a clear text password...quite strange....as the debugging string 'nt_chal_resp'
would make us think it is rather a NTLM challenge response.
--SNIP--
sam_password_ok: Checking NTLMv2 password with domain [DC-SORRAL]
[2003/10/14 16:40:37, 100] auth/auth_sam.c:smb_pwd_check_ntlmv2(131)
Part password (P16) was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 83 0D 28 64 3B F5 66 10 23 F9 14 15 80 08 95 40 ..(d;.f. #......@
Password from client was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 35 00 35 00 6E 00 6D 00 30 00 38 00 64 00 6B 00 5.5.n.m. 0.8.d.k.
[010] 35 00 35 00 6E 00 6D 00 30 00 38 00 64 00 6B 00 5.5.n.m. 0.8.d.k.
Variable data from client was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 35 00 35 00 6E 00 6D 00 30 00 38 00 64 00 6B 00 5.5.n.m. 0.8.d.k.
Given challenge was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 00 00 00 00 00 00 00 00 ........
Value from encryption was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 29 B5 0F 96 7B 27 70 12 A4 11 76 7C 22 0B 9E 50 )...{'p. ..v|"..P
[2003/10/14 16:40:37, 4] auth/auth_sam.c:sam_password_ok(200)
sam_password_ok: Checking NTLMv2 password without a domain
[2003/10/14 16:40:37, 100] auth/auth_sam.c:smb_pwd_check_ntlmv2(131)
Part password (P16) was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 83 0D 28 64 3B F5 66 10 23 F9 14 15 80 08 95 40 ..(d;.f. #......@
Password from client was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 35 00 35 00 6E 00 6D 00 30 00 38 00 64 00 6B 00 5.5.n.m. 0.8.d.k.
[010] 35 00 35 00 6E 00 6D 00 30 00 38 00 64 00 6B 00 5.5.n.m. 0.8.d.k.
Variable data from client was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 35 00 35 00 6E 00 6D 00 30 00 38 00 64 00 6B 00 5.5.n.m. 0.8.d.k.
Given challenge was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] 00 00 00 00 00 00 00 00 ........
Value from encryption was |
[2003/10/14 16:40:37, 100] lib/util.c:dump_data(1825)
[000] E3 2F 84 BF D8 C3 34 49 AE B0 17 89 84 5F EF BD ./....4I ....._..
[2003/10/14 16:40:37, 3] auth/auth_sam.c:sam_password_ok(210)
sam_password_ok: NTLMv2 password check failed
--SNIP--
So this is what i thought of.
Samba treats the cleartext string an NTLMv2 challenge response...which makes
HummingBird fail to authenticate.
It took me a few days to find the issue, and to review the 6000+ lines of log,
as i was a complete newbie with the SMB protocol.
So i would like now if possible the opinion of more knowledged people about NT internals...
as i cannot pursue my analysis any further without external help (I did not find any usefull information
on NT RPCS).
What i would like to know is:
- if my analysis is right
- if it is a bug in HummingBird DM auth mechanism
- if it is a bad assumption in Samba (Is SAM_NETLOGON RPC always using NTLMv2?)
- if it is an unimplemented dark NT feature in Samba ;-)
...and of course if it is fixable.
I hope somebody out there can help.
Best regards,
Fabien Chevalier
Computer Science Student - www.supelec.fr
-------------- next part --------------
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not many any basic syntactic
# errors.
#
#======================= Global Settings =======================
[global]
unix charset = ISO8859-1
nt acl support = yes
client ntlmv2 auth = yes
client lanman auth = no
## Browsing/Identification ###
workgroup = DC-SORRAL
netbios name = STR-DON-01
domain master = yes
domain logons = yes
# server string is the equivalent of the NT Description field
server string = Serveur de Fichiers micro-informatique Sorral
# LDAP support
ldap admin dn = cn=admin,dc=sorral,dc=duferco-coating,dc=com
ldap ssl = off
# start_tls should run on 389, but samba defaults incorrectly to 636
ldap suffix = dc=sorral,dc=duferco-coating,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap passwd sync = true
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# wins server = 172.16.0.3
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast
# Needed by NT PDC support
add machine script = /usr/sbin/useradd -d /dev/null -g nogroup -c 'Machine account' -s /bin/false %u
#Logon settings
logon home = \\%L\%U
logon drive = P:
logon path = \\%L\Profiles\%U
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
log level = 200
# Put a capping on the size of the log files (in Kb).
max log size = 5000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
security = user
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam ldapsam_compat:ldap://localhost
;passdb backend = tdbsam
obey pam restrictions = no
; guest account = nobody
; invalid users = root
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton <aluton at hybrigenics.fr> for
# sending the correct chat script for the passwd program in Debian Potato).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no
########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap
# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
printing = cups
printcap name = cups
# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
; printer admin = @ntadmin
######## File sharing ########
# Name mangling options
; preserve case = yes
; short preserve case = yes
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
domain master = auto
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
#créons le répertoire perso au cas ou il n'existe pas
root preexec = mkdir /home/%u; chown %u /home/%u; chmod 700 /home/%u;
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
#[printers]
# comment = All Printers
# browseable = no
# path = /tmp
# printable = yes
# public = no
# writable = no
# create mode = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
; write list = root, @ntadmin
# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; writable = no
; locking = no
; path = /cdrom
; public = yes
# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accesed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom
[Profiles]
path = /users/profiles
nt acl support = yes
profile acls = Yes
browsable = no
writable = yes
directory mask = 700
create mask = 700
# This script can be enabled to create profile directories on the fly
# You may want to turn off guest access if you enable this, as it
# hasn't been thoroughly tested.
# root preexec = PROFILEDIR=/users/profiles; if [ ! -e $PROFILEDIR/%u ]; \
# then cp -R $PROFILEDIR/default $PROFILEDIR/%u; \
# chmod -R 700 $PROFILEDIR/%u; chown -R %u:%g $PROFILEDIR/%u; fi
#########################Partie Spécifique Sorral#############################
#Faux virus - Pour test des antivirus
[Test Antivirus]
path = /var/eicar
read only = yes
user = @utilisateurs
#Section des groupes
#Le public
[public]
path = /users/groups/public
browseable = yes
writable = yes
#L'option suivante assure que les acls par défaut seront bien héritées
#Les acls de la doivent sont positionnées ainsi
## file: public
## owner: root
## group: root
#user::rwx
#group::---
#group:users:rwx
#mask::rwx
#other::---
#default:user::rwx
#default:group::---
#default:group:users:rwx
#default:mask::rwx
#default:other::---
#grace aux deux commandes suivantes
# setfacl -s u::rwx,g::---,o::---,g:users:rwx public
# setfacl -d -s u::rwx,g::---,o::---,g:users:rwx public
inherit acls = yes
#Seuls les membres du groupe "users" ont le droit d'accéder au public
#Donc tous les utilisateurs humains doivent etre dans le groupe users
valid users = @utilisateurs
#Voici un exemple de groupe
[informatique]
path = /users/groups/informatique
browseable = yes
writable = yes
#L'option suivante assure que les acls par défaut seront bien héritées
#Les acls de la doivent sont positionnées ainsi
## file: informatique
## owner: root
## group: root
#user::rwx
#group::---
#group:info:rwx
#mask::rwx
#other::---
#default:user::rwx
#default:group::---
#default:group:info:rwx
#default:mask::rwx
#default:other::---
#grace aux deux commandes suivantes
# setfacl -s u::rwx,g::---,o::---,g:info:rwx informatique
# setfacl -d -s u::rwx,g::---,o::---,g:info:rwx informatique
inherit acls = yes
#Seuls les membres du groupe "info" ont le droit d'accéder à ce répertoire
valid users = @info
#partages spécifiques
[ghost]
comment = Images disques des PC clients
path = /users/ghost
valid users = root
public = no
writable = yes
printable = no
browseable = yes
More information about the samba
mailing list