On Fri, 2003-10-17 at 03:08, Fabien Chevalier wrote:
> Hi all,
>
> I'm having a little trouble with my Samba setup. :-(
> I hope some SMB protocol guru will be able to tell me what's going wrong!
> I must apologize as it's a bit long and heavy in your mailbox, but this is not a
> trivial issue, and I think it requires some explanations to be fully understood.

We like e-mails like this. To everybody else on the list: try to do as good a
job as this when preparing your questions!

> So let's go!
>
> Here is my setup:
> - I use Samba 3.0.1-pre1 as PDC. Domain is called DC-SORRAL.
> - Domain members are Win2K server and WinXP.
> - SAM backend is ldapsam_compat.
> - I can log on as a domain user in both Win2K and WinXP ==> roaming users work OK.
> Note: smb.conf is given as attachment
>
> So I would say a 'common LDAP Samba 3 setup' is up and running.
> But now I need to go a bit further.
> I'm trying to have a third-party Windows software (called HummingBird DM - that's
> a proprietary electronic document management system) authenticate its users
> using the Samba PDC.
> It's supposed to run with Windows NT4 SP4 or later as domain controller, so... I
> suppose it should run with Samba 3.
> (Tell me if I'm wrong :-)).

It very much depends on what parts of Samba 3.0 it's using. In this case, you
hit something that doesn't work, but can easily be made to work.

> HummingBird DM uses a domain account which is in our case 'zzAdmin' with
> password '55nm08dk55nm08dk'.
>
> I can log on as zzAdmin without issue, but when I tell HummingBird's wizard to use
> the account 'zzAdmin', the wizard fails and sends back to me a wrong user name /
> wrong password error.
> So I turned the debugging level to 255, defined DEBUG_PASSWORD in auth_sam.c,
> recompiled the whole thing, and restarted Samba.
>
> Then I began to analyse the log file:
> (note: the full log file is gzipped as attachment - chosen parts are given below,
> as the whole is ~6000 lines long)

The full log didn't make it. Can you send it to me personally?

> --SNIP--
> [2003/10/14 16:40:37, 5] rpc_server/srv_pipe.c:api_pipe_request(1454)
> Requested \PIPE\NETLOGON
> [2003/10/14 16:40:37, 4] rpc_server/srv_pipe.c:api_rpcTNP(1488)
> api_rpcTNP: NETLOGON op 0x2 - created /tmp/in_NETLOGON_2.10.prs
> [2003/10/14 16:40:37, 3] rpc_server/srv_pipe.c:api_rpcTNP(1495)
> api_rpcTNP: rpc command: NET_SAMLOGON
> --SNIP--
>
> It seems HummingBird wants to authenticate itself... good news!!
>
> --SNIP--
> [2003/10/14 16:40:37, 5] rpc_parse/parse_prs.c:prs_string2(960)
> 0128 buffer : 5.5.n.m.0.8.d.k.5.5.n.m.0.8.d.k.

And here is your password.

> --SNIP--
>
> HummingBird sends us zzAdmin... seems clever :-)
> HummingBird sends us a clear text password... quite strange... as the debugging
> string 'nt_chal_resp' would make us think it is rather an NTLM challenge response.

Yes, we would normally expect a challenge-response in that field.

> --SNIP--
>
> So this is what I thought of.
> Samba treats the cleartext string as an NTLMv2 challenge response... which makes
> HummingBird fail to authenticate.
>
> It took me a few days to find the issue, and to review the 6000+ lines of log,
> as I was a complete newbie with the SMB protocol.

Given that, you have done very well.

> So I would like now, if possible, the opinion of more knowledgeable people about
> NT internals... as I cannot pursue my analysis any further without external help
> (I did not find any useful information on NT RPCs).
>
> What I would like to know is:
> - if my analysis is right

It seems so.

> - if it is a bug in HummingBird DM's auth mechanism

No, they just call standard MS functions. IMAP on Exchange is rumoured to do the
same.

> - if it is a bad assumption in Samba (Is SAM_NETLOGON RPC always using NTLMv2?)

Samba has never seen this before.

> - if it is an unimplemented dark NT feature in Samba ;-)
>
> ...and of course if it is fixable.

Given we have the plain-text password, it's quite easy to fix. Can I have that
full log, and an ethereal trace if possible, by private mail?

An idea for a patch is attached. I have not tested it - it's just so you know
what I'm looking at. Bonus points if it actually works :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba