[Samba] server signing broken for non-kerberos auth
Paul B. Henson
henson at acm.org
Wed Jan 12 13:26:55 MST 2011
I'm working with the Solaris bundled version of Samba 3.5.5 and having a
problem with server signing. Samba is configured into an Active Directory
domain with security = ads.
With signing enabled, connections from clients in the domain work fine.
However, connections from clients not in the domain fail:
-----
>net use /user:WIN\henson \\ike.unx.csupomona.edu\henson
Enter the password for 'WIN\henson' to connect to 'ike.unx.csupomona.edu':
System error 64 has occurred.
The specified network name is no longer available.
-----
Similarly, with smbclient, signed Kerberos authentication works, but
signed non-Kerberos authentication fails:
-----
$ smbclient --signing=required -U 'WIN\henson' '\\ike.unx.csupomona.edu\henson'
Enter WIN\henson's password:
signing_good: BAD SIG: seq 1
session setup failed: NT_STATUS_OK
-----
If I enable debugging for smbclient it spits out:
-----
Mandatory SMB signing enabled!
SMB signing enabled!
cli_simple_set_signing: user_session_key
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[0000] 1E F5 1B 99 6C D0 80 5A ....l..Z
store_sequence_for_reply: stored seq = 1 mid = 3
get_sequence_for_reply: found seq = 1 mid = 3
simple_packet_signature: sequence number 1
client_check_incoming_message: BAD SIG: wanted SMB signature of
[0000] DF 9D 91 B0 77 C5 E5 CD ....w...
client_check_incoming_message: BAD SIG: got SMB signature of
[0000] 4E 74 FD EE B2 55 62 54 Nt...UbT
simple_packet_signature: sequence number 4294967292
simple_packet_signature: sequence number 4294967293
simple_packet_signature: sequence number 4294967294
simple_packet_signature: sequence number 4294967295
simple_packet_signature: sequence number 0
simple_packet_signature: sequence number 1
simple_packet_signature: sequence number 2
simple_packet_signature: sequence number 3
simple_packet_signature: sequence number 4
simple_packet_signature: sequence number 5
signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
-----
It seems the server is sending bad signatures.
Any thoughts on this?
Thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
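Added example, not part of the original post and not Samba's code: a sketch of the SMB1 signing check that the debug output above traces (MD5 over the MAC key and the packet, with the sequence number written into the signature field), separating a reply signed under a nearby sequence number from one signed with a different key. The packet, the keys and the function names are constructed for illustration; the post does not establish which case applies to the reported failure.

```python
import hashlib
import struct

SIG_OFF, SIG_LEN = 14, 8   # SecuritySignature field in the 32-byte SMB1 header

def signature(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(mac_key || packet), with the signature field
    replaced by the 32-bit little-endian sequence number plus 4 zero bytes."""
    buf = bytearray(packet)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = struct.pack("<II", seq & 0xFFFFFFFF, 0)
    return hashlib.md5(mac_key + bytes(buf)).digest()[:SIG_LEN]

def sign(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """Return the packet with its signature field filled in for this seq."""
    buf = bytearray(packet)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = signature(mac_key, packet, seq)
    return bytes(buf)

def diagnose(mac_key: bytes, packet: bytes, expected_seq: int) -> str:
    """Classify a received packet: good, signed under a nearby sequence
    number, or not verifiable with this key at all."""
    got = packet[SIG_OFF:SIG_OFF + SIG_LEN]
    if got == signature(mac_key, packet, expected_seq):
        return "ok"
    # Same window as the debug output above: expected_seq-5 .. expected_seq+4,
    # wrapping at 32 bits (so expected seq 1 yields 4294967292 .. 5).
    for seq in range(expected_seq - 5, expected_seq + 5):
        if got == signature(mac_key, packet, seq):
            return "sequence mismatch: signed with seq %d" % (seq & 0xFFFFFFFF)
    return "key mismatch or corrupted packet"

# Constructed sample data: a fake SMB1 header plus body, and made-up keys.
REPLY = b"\xffSMB\x73" + bytes(27) + b"constructed session setup reply"
CLIENT_KEY = bytes(range(16))           # session key with no response data appended
OTHER_KEY = CLIENT_KEY + b"\x01" * 24   # hypothetical peer that appended 24 more bytes

if __name__ == "__main__":
    print(diagnose(CLIENT_KEY, sign(CLIENT_KEY, REPLY, 1), 1))   # same key, same seq
    print(diagnose(CLIENT_KEY, sign(CLIENT_KEY, REPLY, 3), 1))   # same key, seq drift
    print(diagnose(CLIENT_KEY, sign(OTHER_KEY, REPLY, 1), 1))    # different MAC key
```

When no sequence number in the window reproduces the received signature, the two sides are not hashing with the same MAC key (or the packet was altered in transit), so sequence drift can be ruled out.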