[Samba] BAD SIG[nature] errors from XP client

Dale Sedivec dale-keyword-samba.c7b741 at codefu.org
Sat Aug 5 18:07:00 GMT 2006


	I've set up a Samba 3.0.23a PDC on Fedora Core 5 and joined a
couple XP clients to the domain successfully.  However, when I start
using the Samba PDC's "homes" share from the XP client, I eventually
get errors such as the following:

[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:srv_check_incoming_message(657)
  srv_check_incoming_message: BAD SIG: seq 798 wanted SMB signature of
[2006/08/05 03:28:07, 5] lib/util.c:dump_data(2237)
  [000] 38 72 55 75 A5 07 5E C3                           8rUu..^.
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:srv_check_incoming_message(661)
  srv_check_incoming_message: BAD SIG: seq 798 got SMB signature of
[2006/08/05 03:28:07, 5] lib/util.c:dump_data(2237)
  [000] FA B5 F7 8E 38 76 3C EA                           ....8v<.
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 793
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 794
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 795
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 796
[2006/08/05 03:28:07, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 797
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:srv_check_incoming_message(673)
  srv_check_incoming_message: out of seq. seq num 797 matches. We were expecting seq 798
[2006/08/05 03:28:07, 0] libsmb/smb_signing.c:signing_good(232)
  signing_good: BAD SIG: seq 798
[2006/08/05 03:28:07, 0] lib/util_sock.c:receive_smb(741)
  receive_smb: SMB Signature verification failed on incoming packet!
[2006/08/05 03:28:07, 3] smbd/process.c:timeout_processing(1370)
  timeout_processing: receive_smb error bad smb signature. Exiting

Steps to reproduce:

1. Log in as a domain user with XP.
2. Go to Z: in an Explorer window, which is mapped to my home
   directory on the Samba server.
3. Browse around in Explorer: enter a few directories, hover over some
   files (brings up tool tip with information about the file), etc.

	That's all it takes.  I've always gotten the above error
within one minute of when I start browsing around the mapped drive.
After I get this error on the Samba server, XP closes the explorer
window and tells me the Samba PDC is on offline files mode.  If I
"Synchronize" my files with the PDC (My Documents is in my home
directory), it comes back online, and I can repeat the above procedure
again to trigger the error again.

	I've set "server signing = auto" in my configuration.  When I
comment it out (i.e., go back to default "server signing = no")
everything seems to work fine:  I browsed files for a little while,
opened some files to see that their contents appeared correct, etc.

Further notes:
- I successfully rsync'ed about 420GiB data to the server running
  Samba, so I don't think the network is a problem.
- I've been using this XP client with an old Samba 2.2 PDC on
  different hardware without any issues for at least a couple of
  months.  Of course, AFAIK, Samba 2.2 didn't do signing.
- I've never been able to recreate these bad signature errors with
- Samba is as distributed by the Fedora Project; rpm verifies that
  files are unchanged from the distributed versions (except for
- Nothing meaningful in dmesg to indicate a larger system problem.
- Tested with SELinux on and off (I usually run with it in enforcing
  mode with the "targeted" policy in FC5).

A couple of things that might make my situation "unique" (i.e.,

1. I'm migrating from an old server running a Samba 2.2 PDC to a new
   server running a Samba 3 PDC.  To accomplish this migration I did
   manually copy the PDC/domain SID from the old LDAP server to the
   new LDAP server.  I also copied my old user SID to the new server,
   so that my local profile on the XP client wouldn't (shouldn't?  It
   seems to work) require any changes.  When I move the XP client to
   the new PDC, I just re-join the (new) domain and my user account
   continues to work.

2. My XP client is running in VMware Workstation on a Fedora Core 5
   host (not the same FC5 server that's running Samba, but a different
   machine).  This is the XP client that's been successfully talking
   to the Samba 2.2 PDC for quite some time, though, and the XP client
   that talks to Samba 3 just fine when server signing is turned off.

	I did test from different hardware with a different XP
install, one that had never been on the domain, and got the same
error; note that this second XP install was also XP running inside
VMware Workstation on a FC5 host.  Also, on the second XP/VMware
client, I was going through an OpenVPN (TAP-Win32 Ethertap) tunnel;
since I got the same error, I feel like this rules out something like
VMware's network driver corrupting the packets, since they were
encapsulated by OpenVPN when VMware got them.

	Can anyone provide insight as to what I'm doing wrong, or is
this a bug?  I'm leaning towards bug, as unlikely as it seems that I
should run into a signing bug with such a relatively simple
configuration.  One thing that makes me believe this is a bug: it
always seems to happen (on both XP clients) on an identical looking
packet/request, as judged by reading the SMB fields both in the Samba
logs and the tcpdump output; i.e., size=71, SMB command=0xa0 (but
don't depend on that information too much as I wasn't particularly
rigorous about confirming it).

	The only thing I can think of is that you're not supposed to
use server signing without Kerberos set up (or perhaps without Active
Directory), based on a few messages I've seen mentioning problems with
MIT krb5 < 1.3.0 and signing.  If that's the case, though, why am I
allowed to turn on server signing?  And why does it seem to work until
a certain point in the conversation?


Relevant versions:

Fedora Core 5
kernel-smp-2.6.17-1.2157_FC5 (dual core Intel system, e1000 NIC)
Fedora Directory Server 1.0.2

Windows XP SP2, up-to-date with Windows Update
Running on VMware Workstation 5.5.1 19175, bridged networking
VMware host is FC5, kernel-2.6.17-1.2157_FC5, forcedeth NIC

Complete log: http://www.codefu.org/people/darkness/samba/ordeith.log
Packet dumps: look at *.dump.gz in
Output of testparm -v:
(verin is the server, ordeith is the client, PAD is the domain)

smb.conf (from testparm):

[global]
	workgroup = PAD
	server string = verin.caliginous.net
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldap://ldap.caliginous.net
	lanman auth = No
	log level = 10
	log file = /var/log/samba/%m.log
	max log size = 50
	time server = Yes
	server signing = auto
	add machine script = /usr/sbin/luseradd -n -g samba-machines -c Machine -M -d /dev/null -s /sbin/nologin %u
	logon path = 
	logon drive = Z:
	domain logons = Yes
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=samba, ou=Special Users, dc=caliginous, dc=net
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Computers
	ldap passwd sync = Yes
	ldap suffix = dc=caliginous, dc=net
	ldap ssl = start tls
	ldap user suffix = ou=People
	hosts allow = 127., 10.
	use sendfile = Yes
	cups options = raw

[homes]
	comment = Home Directories
	path = /srv/storage/storage1/home/%u
	valid users = %S
	read only = No
	create mask = 0660
	directory mask = 0770
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /srv/smb/netlogon
	guest ok = Yes
	share modes = No
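
Added example (not part of the original post and not Samba's code): in the log above, signatures for sequence numbers 793 to 797 are computed before the "out of seq. seq num 797 matches" line. This sketch reproduces that triage with the SMB1 signing scheme, which is MD5 over the MAC key and the message with the sequence number written into the signature field, truncated to 8 bytes. The MAC key, the message bytes and the search window of 5 are constructed assumptions.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 14, 8  # SecuritySignature field within the 32-byte SMB1 header

def smb1_signature(mac_key: bytes, smb: bytes, seq: int) -> bytes:
    """MD5(mac_key || message) truncated to 8 bytes, computed with the
    signature field holding the 32-bit LE sequence number plus four zero bytes."""
    stamped = smb[:SIG_OFF] + struct.pack("<II", seq, 0) + smb[SIG_OFF + SIG_LEN:]
    return hashlib.md5(mac_key + stamped).digest()[:SIG_LEN]

def sign(mac_key: bytes, smb: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in for `seq`."""
    return smb[:SIG_OFF] + smb1_signature(mac_key, smb, seq) + smb[SIG_OFF + SIG_LEN:]

def classify(mac_key: bytes, smb: bytes, expected_seq: int, window: int = 5):
    """Triage a received message. Anything but 'ok' must still be rejected."""
    got = smb[SIG_OFF:SIG_OFF + SIG_LEN]
    if hmac.compare_digest(got, smb1_signature(mac_key, smb, expected_seq)):
        return ("ok", expected_seq)
    # Same bytes, different counter: a desynchronised or replayed message.
    for seq in range(max(0, expected_seq - window), expected_seq + window + 1):
        if hmac.compare_digest(got, smb1_signature(mac_key, smb, seq)):
            return ("out-of-sequence", seq)
    # No nearby counter fits: wrong key, or the content changed in transit.
    return ("bad-signature", None)

# Constructed sample: an SMB1 header for command 0xa0 plus a dummy body.
HEADER = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0xA0, 0, 0x18, 0xC807,
                     0, bytes(8), 0, 1, 2, 3, 4)
MESSAGE = HEADER + bytes(range(39))  # 71 bytes in total
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key

if __name__ == "__main__":
    late = sign(MAC_KEY, MESSAGE, 797)             # peer's counter is one behind
    print(classify(MAC_KEY, late, 798))
    tampered = late[:-1] + bytes([late[-1] ^ 0x01])  # one body bit flipped
    print(classify(MAC_KEY, tampered, 798))
```

An "out-of-sequence" result points at the two ends disagreeing about the counter, while "bad-signature" means no nearby counter explains the bytes received.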
