[Samba] smbclient fails to connect wuth krb + signing

Michael Wilke m at 1982.cc
Thu Feb 7 22:53:37 MST 2013 

Dear all,

I hope you could assist me in finding a problem with samba and krb
connects when packet signing is activated in a domain.

I have a samba server as a AD 2k3 domain member and the connects are
working well, but when I try to use krb auth to connect to another
Windows server in the network I get an error.


Thanks a lot 
---
smbclient -d5 -U micha -k -L //gunter/software 
...
 session request ok
Doing spnego session setup (blob length=110)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=gunter$@CITY.DOMAIN.ORG
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0]
expiration Fri, 08 Feb 2013 15:16:52 EAT
ads_krb5_mk_req: server marked as OK to delegate to, building
forwardable TGT
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] 04 4D 28 7D 47 20 46 41                            .M(}G FA 
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 42 53 52 53 50 59 4C 20                            BSRSPYL  
smb_signing_good: signing negotiated but not required and peer
isn't sending correct signatures. Turning off.
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server
2003 R2 5.2]
 session setup ok
 tconx ok

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

---


If I use standard smbclient connection it works fine:
---
smbclient -d 3 -U micha //gunter/software
...

Client started (version 3.6.3).
Enter micha's password: 
Connecting to 10.10.10.8 at port 445
Doing spnego session setup (blob length=110)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=gunter$@CITY.DOMAIN.ORG
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[DOMAIN] OS=[Windows Server 2003 R2 3790 Service Pack 2]
Server=[Windows Server 2003 R2 5.2]
smb: \> 

---



samba version:
smbd --version
Version 3.6.3

smb.conf:
[global]
        security = ads
        realm = CITY.DOMAIN.ORG
        netbios name = RESEARCH-SERVER
        password server = 10.10.10.17 # PDC
        client use spnego = yes
        client use spnego principal = true
        client signing = auto

More information about the samba mailing list