[Samba] ethereal dump analysis (was: smbspool to Windows 2000
Server: "ERRgeneral opening remote file")
Marc Haber
mh+samba at zugschlus.de
Fri Jun 18 15:53:42 GMT 2004
OK, I have now done a little more in-depth analysis with Ethereal. A
full log is available in private on request.
On Fri, Jun 18, 2004 at 03:22:20PM +0200, Marc Haber wrote:
> Trying to print with smbclient gives the same error message, and
> smbclient's queue command gives no output while there are jobs in the
> queue that should be displayed.
>
> An strace of smbclient suggests that the error message is indeed
> generated from and error code returned by the server (but the error
> message is not in the server's answer in clear text, so I suspect some
> error number that is translated to the clear text on the client).
Disclaimer: As a mainly Unix guy, I don't have too much clue about the
SMB protocol.
The trace was built by:
$ smbclient //server/printer <password> -U domain/account --debug=10
Domain=[domain] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> print Makefile
ERRHRD - ERRgeneral (General failure.) opening remote file Makefile
smb: \> quit
I am condensing the trace, omitting what I find irrelevant.
Frame 7: UDP Client => DNS.53, DNS Query for the server: type A, class inet
Frame 8: UDP DNS.53 => Client, DNS Response, Host address a.b.c.d
Frame 9: TCP Client.33513 => Server.445, SYN
Frame 10: TCP Server.445 => Client. 33513, SYN/ACK
Frame 11: TCP Client.33513 => Server.445, ACK
Frame 12: TCP Client.33513 => Server.445, SMB Command Negotiate
Protocol, STATUS_SUCCESS Negotiate Protocol Request,
Requested Dialects: PC NETWORK PROGRAM 1.0, MICROSOFT
NETWORKS 1.03, MICROSOFT NETWORKS 3.0, LANMAN1.0, LM1.2X002,
DOS LANMAN2.1 Samba, NT LANMAN 1.0, NT LM 0.12
Frame 13: TCP Server.445 => Client.33513,
SMB Command Negotiate Protocol, STATUS_SUCCESS
Negotiate Protocol Response, Dialect Index: 8, greater than
LANMAN2.1, Security Mode: 0x07, Capabilities: 0x8000f3fd
Frame 14: TCP Client.33513 => Server.445, ACK
Frame 15: TCP Client.33513 => Server.445
SMB Command: Session Setup AndX (0x73)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08 Flags2: 0xc805
Session Setup AndX Request (0x73)
AndXCommand: No further commands (0xff)
Capabilities: 0x8000005c
GSS-API OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
OID: 1.3.6.1.4.1.311.2.2.10
NTLM Message Type: NTLMSSP_NEGOTIATE
Flags: 0x60080215
Calling workstation domain: ZG2
Calling workstation name: VASH
Native OS: Unix
Native LAN Manager: Samba
Frame 16: TCP Server.445 => Client.33513
SMB Command: Session Setup AndX (0x73)
NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Flags: 0x88 Flags2: 0xc805
Session Setup AndX Response (0x73)
AndXCommand: No further commands (0xff)
Action: 0x0000
GSS-API SPNEGO negTokenTarg negResult: Accept Incomplete (0x0001)
supportedMech: 1.3.6.1.4.1.311.2.2.10
responseToken NTLMSSPNTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_CHALLENGE
Domain: <domain>
Flags: 0x62890215
Address List
Domain NetBIOS Name: <snip>
Server NetBIOS Name: <snip>
Domain DNS Name: <snip>
Server DNS Name: <snip>
List Terminator
mechListMIC NTLMSSP NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_CHALLENGE
Domain: <domain>
Flags: 0x62890215
Address List
Domain NetBIOS Name: <snip>
Server NetBIOS Name: <snip>
Domain DNS Name: <snip>
Server DNS Name: <snip>
List Terminator
Native OS: Windows 5.0
Native LAN Manager: Windows 2000 LAN Manager
Frame 17: TCP Client.33513 => Server.445
SMB Command: Session Setup AndX (0x73)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08 Flags2: 0xc805
Session Setup AndX Request (0x73)
AndXCommand: No further commands (0xff)
Capabilities: 0x8000005c
GSS-API SPNEGO negTokenTarg responseToken NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: <snip>
NTLM Response:
Domain name:
User name:
Host name:
Session Key:
Flags: 0x60080215
Native OS: Unix
Native LAN Manager: Samba
Frame 18: TCP Server.445 => Client.33513
SMB Command: Session Setup AndX (0x73)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88 Flags2: 0xc805
Session Setup AndX Response (0x73)
Action: 0x0000
GSS-API SPNEGO negTokenTarg negResult: Accept Completed (0x0000)
Native OS: Windows 5.0
Native LAN Manager: Windows 2000 LAN Manager
Frame 19: TCP Client.33513 => Server.445
SMB Command: Tree Connect AndX (0x75)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08 Flags2: 0xc805
Tree Connect AndX Request (0x75)
AndXCommand: No further commands (0xff)
Flags: 0x0000
Password Length: 1
Password: 00
Path: \\server\printer
Service: ?????
Frame 20: TCP Server.445 => Client.33513
SMB Command: Tree Connect AndX (0x75)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88 Flags2: 0xc805
Tree Connect AndX Response (0x75)
AndXCommand: No further commands (0xff)
Optional Support: 0x0001
Service: LPT1:
Native File System:
Frame 21: TCP Client.33513 => Server.445
SMB Command: Check Directory (0x10)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08 Flags2: 0xc805
Directory: \
Frame 22: TCP Server.445 => Client.33513
SMB Command: Check Directory (0x10)
NT Status: STATUS_ACCESS_DENIED (0xc0000022)
Flags: 0x88 Flags2: 0xc805
Frame 25: TCP Client.33513 => Server.445, ACK
Frame 32: TCP Client.33513 => Server.445
SMB Command: Open AndX (0x2d)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08 Flags2: 0xc805
Open AndX Request (0x2d)
AndXCommand: No further commands (0xff)
Flags: 0x0000 Desired Access: 0x0042
Search Attributes: 0x0006 File Attributes: 0x00000000
Created: Jan 1, 1970 00:00:00.000000000
Open Function: 0x0012
File Name: Makefile
Frame 33: TCP Server.445 => Client.33513
SMB Command: Open AndX (0x2d)
Error Class: Hardware Error (0x03)
Error Code: General failure
Flags: 0x88 Flags2: 0x8805
Frame 34: TCP Client.33513 => Server.445, ACK
As far as I recon, authentication succeeds fine. What I find odd is
that the client, in Frame 19, Sends a password of "00", and a Service
that ethereal cannot parse. In Frame 20, the server sends back "LPT1"
as a service, but the printer in question is not connected to any
parallel port. In Frame 21, the client requests access to directory
"\" which seems to be missing the drive letter, which the server in
Frame 22 promptly rejects (that fact isn't logged. Can I tell NT to
log access violations more verbosely?). smbclient seems to ignore the
error message and tries to open a file on the share that is not
successfully opened and gets back the general failure error message
that is relayed to the user.
Again: I am not by any means an SMB expert, so my analysis may be
wrong. The full ethereal analysis is available on request as is the
raw dump file. But I surely hope that I delievered enough information
for better analysis. Any hints will be greatly appreciated.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Karlsruhe, Germany | lose things." Winona Ryder | Fon: *49 721 966 32 15
Nordisch by Nature | How to make an American Quilt | Fax: *49 721 966 31 29
More information about the samba
mailing list