[Samba] OS/2 client crash on "Find Close2"
Andreas Taegener
atsamba11 at eideltown.de
Mon Aug 7 17:44:12 GMT 2006
Hello,
I have just migrated an old OS/2 file server to a Linux box with Samba
3.0.23a. Now the OS/2 clients crash from time to time. I found a way to
reproduce/force the crash using PMMail and did some experiments.
The popuplog.os2 on the clients (Warp4 and eComStation) always names a
sys3175 in pmshell.exe / doscall1.dll.
Using Ethereal and comparing the network traffic between a) a client
and the Samba server and b) the same client and an OS/2 server (in this
setup the client doesn't crash) I found at least one difference in the
SMB protocol. It is the "Find Close2 Response" SMB message.
Here is the packet from the Samba server logged by Ethereal:
---START-----------------------------------------------------
No. Time Source Destination
Protocol Info
153 02:09:53.405713 192.168.1.223 192.168.1.1 SMB
Find Close2 Response
Frame 153 (97 bytes on wire, 97 bytes captured)
Arrival Time: Aug 7, 2006 02:09:53.405713000
Time delta from previous packet: 0.000384000 seconds
Time since reference or first frame: 58.338749000 seconds
Frame Number: 153
Packet Length: 97 bytes
Capture Length: 97 bytes
Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: srv3.taegi.eideltown.de (00:01:af:01:a0:a2), Dst:
Intel_3a:01:e1 (00:02:b3:3a:01:e1)
Destination: Intel_3a:01:e1 (00:02:b3:3a:01:e1)
Source: srv3.taegi.eideltown.de (00:01:af:01:a0:a2)
Type: IP (0x0800)
Frame check sequence: 0x94bcdc1f [correct]
Internet Protocol, Src: 192.168.1.223 (192.168.1.223), Dst: 192.168.1.1
(192.168.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 79
Identification: 0xcd9b (52635)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xe8dc [correct]
Good: True
Bad : False
Source: 192.168.1.223 (192.168.1.223)
Destination: 192.168.1.1 (192.168.1.1)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port:
1024 (1024), Seq: 45598, Ack: 1364, Len: 39
Source port: netbios-ssn (139)
Destination port: 1024 (1024)
Sequence number: 45598 (relative sequence number)
Next sequence number: 45637 (relative sequence number)
Acknowledgement number: 1364 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5360
Checksum: 0x60fa [correct]
SEQ/ACK analysis
This is an ACK to the segment in frame: 152
The RTT to ACK the segment was: 0.000384000 seconds
NetBIOS Session Service
Message Type: Session message
Flags: 0x00
.... ...0 = Add 0 to length
Length: 35
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 152
Time from request: 0.000384000 seconds
SMB Command: Find Close2 (0x34)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0x0001
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS
error codes
..0. .... .... .... = Execute-only Reads: Don't permit
reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation:
Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in
request are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 7
Process ID: 84
User ID: 100
Multiplex ID: 53506
Find Close2 Response (0x34)
Word Count (WCT): 0
Byte Count (BCC): 0
0000 00 02 b3 3a 01 e1 00 01 af 01 a0 a2 08 00 45 00 ...:..........E.
0010 00 4f cd 9b 40 00 40 06 e8 dc c0 a8 01 df c0 a8 .O..@.@.........
0020 01 01 00 8b 04 00 64 d8 11 35 00 ce f6 10 50 18 ......d..5....P.
0030 14 f0 60 fa 00 00 00 00 00 23 ff 53 4d 42 34 00 ..`......#.SMB4.
0040 00 00 00 88 01 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 07 00 54 00 64 00 02 d1 00 00 00 94 bc dc ....T.d.........
0060 1f .
---END-------------------------------------------------------
And here is the packet from the OS/2 server:
---START-----------------------------------------------------
No. Time Source Destination
Protocol Info
10956 04:39:42.694870 192.168.1.18 192.168.1.1 SMB
Find Close2 Response[Malformed Packet]
Frame 10956 (96 bytes on wire, 96 bytes captured)
Arrival Time: Aug 7, 2006 04:39:42.694870000
Time delta from previous packet: 0.000232000 seconds
Time since reference or first frame: 244.901074000 seconds
Frame Number: 10956
Packet Length: 96 bytes
Capture Length: 96 bytes
Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: Ibm_96:23:94 (00:04:ac:96:23:94), Dst: Intel_3a:01:e1
(00:02:b3:3a:01:e1)
Destination: Intel_3a:01:e1 (00:02:b3:3a:01:e1)
Source: Ibm_96:23:94 (00:04:ac:96:23:94)
Type: IP (0x0800)
Frame check sequence: 0xd830e64f [correct]
Internet Protocol, Src: 192.168.1.18 (192.168.1.18), Dst: 192.168.1.1
(192.168.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 78
Identification: 0x5d37 (23863)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x5a0f [correct]
Good: True
Bad : False
Source: 192.168.1.18 (192.168.1.18)
Destination: 192.168.1.1 (192.168.1.1)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port:
1028 (1028), Seq: 2515935, Ack: 1007042, Len: 38
Source port: netbios-ssn (139)
Destination port: 1028 (1028)
Sequence number: 2515935 (relative sequence number)
Next sequence number: 2515973 (relative sequence number)
Acknowledgement number: 1007042 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 33580
Checksum: 0xd8a6 [correct]
NetBIOS Session Service
Message Type: Session message
Flags: 0x00
.... ...0 = Add 0 to length
Length: 34
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 10954
Time from request: 0.000762000 seconds
SMB Command: Find Close2 (0x34)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0x0003
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS
error codes
..0. .... .... .... = Execute-only Reads: Don't permit
reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation:
Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in
request are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 53250
Process ID: 137
User ID: 1
Multiplex ID: 53006
Find Close2 Response (0x34)
Word Count (WCT): 0
[Malformed Packet: SMB]
0000 00 02 b3 3a 01 e1 00 04 ac 96 23 94 08 00 45 00 ...:......#...E.
0010 00 4e 5d 37 40 00 40 06 5a 0f c0 a8 01 12 c0 a8 .N]7@.@.Z.......
0020 01 01 00 8b 04 04 7e 2d 73 51 00 f0 b9 91 50 18 ......~-sQ....P.
0030 83 2c d8 a6 00 00 00 00 00 22 ff 53 4d 42 34 00 .,.......".SMB4.
0040 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 02 d0 89 00 01 00 0e cf 00 00 d8 30 e6 4f .............0.O
---END-------------------------------------------------------
The differences are in the last few lines:
---Samba----------------------------------------
Find Close2 Response (0x34)
Word Count (WCT): 0
Byte Count (BCC): 0
------------------------------------------------
---OS/2-----------------------------------------
Find Close2 Response (0x34)
Word Count (WCT): 0
[Malformed Packet: SMB]
------------------------------------------------
Has anybody else seen this problem, or does anybody know a solution for it? Or is it
possible to add a workaround to Samba?
Please let me know if more info is required.
Many thanks in advance and kind regards
Andreas Taegener
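
The difference shown in the two dissections can be read directly from the hex dumps: the Samba reply carries a full 2-byte Byte Count after the Word Count (NBSS length 35), while the OS/2 server's reply has only one byte after it (NBSS length 34), which is what Ethereal reports as malformed. The parser below is an added example, not part of the original post; the name `parse_smb_response` and the result keys are this example's own, and the message bytes are copied from the dumps above starting at frame offset 0x36.

```python
import struct

# NBSS header + SMB message bytes copied from the two hex dumps in the post
# (frame offset 0x36 onward, trailing 4-byte Ethernet FCS dropped).
SAMBA = bytes.fromhex(
    "00 00 00 23 ff 53 4d 42 34 00"
    "00 00 00 88 01 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 07 00 54 00 64 00 02 d1 00 00 00")
OS2 = bytes.fromhex(
    "00 00 00 22 ff 53 4d 42 34 00"
    "00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 02 d0 89 00 01 00 0e cf 00 00")

SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")  # fixed 32-byte SMB1 header


def parse_smb_response(msg):
    """Parse one NBSS-framed SMB1 message, bounds-checking each field."""
    if len(msg) < 4:
        raise ValueError("short NBSS header")
    # NBSS length is 17 bits: low bit of the flags byte plus a big-endian u16.
    nbss_len = ((msg[1] & 1) << 16) | struct.unpack(">H", msg[2:4])[0]
    smb = msg[4:4 + nbss_len]
    if len(smb) < nbss_len or nbss_len < SMB_HDR.size + 1:
        raise ValueError("truncated SMB message")
    (magic, cmd, _status, _flags, flags2, _pid_hi, _sig, _rsv,
     tid, pid, uid, mid) = SMB_HDR.unpack_from(smb)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    wct = smb[SMB_HDR.size]
    rest = smb[SMB_HDR.size + 1 + 2 * wct:]  # bytes after the parameter words
    # Read the Byte Count only if both of its bytes are really present.
    bcc = struct.unpack("<H", rest[:2])[0] if len(rest) >= 2 else None
    return {
        "nbss_len": nbss_len, "command": cmd, "flags2": flags2,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid, "wct": wct,
        "bcc": bcc, "bytes_after_words": len(rest),
        "well_formed": bcc is not None and len(rest) == 2 + bcc,
    }


if __name__ == "__main__":
    for name, raw in (("Samba", SAMBA), ("OS/2", OS2)):
        print(name, parse_smb_response(raw))
```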