On Tue, Mar 15, 2005 at 03:00:17PM +0000, Tim wrote:
> Hi all.
>
> I originally suspected this problem was with netbios (which I have
> disabled by default) and Jerry has helped me out a bit with but I've
> been doing some more digging and I think the problem lies back further
> than I expected.
>
> I was trying to upgrade from 3.0.7 to 3.0.11 so I've recompiled all
> versions back from 3.0.11 and the problem first occured in 3.0.8. The
> issue is with winbind, and the error I'm getting is
> "failed tcon_X with NT_STATUS_ACCESS_DENIED":
>
> === 3.0.8: /usr/bin/winbind -i -d10 ===
> ...
> Got KRB5 session key of length 8
> SMB signing enabled!
> cli_simple_set_signing: user_session_key
> [000] C8 5E D6 1A A1 46 10 BA .^...F..
> cli_simple_set_signing: NULL response_data
> simple_packet_signature: sequence number 0
> client_sign_outgoing_message: sent SMB signature of
> [000] 84 84 78 B3 60 4A 05 5B ..x.`J.[
> store_sequence_for_reply: stored seq = 1 mid = 2
> ...
> client_check_incoming_message: BAD SIG: wanted SMB signature of
> [000] D7 08 07 13 97 AC E9 8B ........
> client_check_incoming_message: BAD SIG: got SMB signature of
> [000] EF 85 1C D4 6A 1D AC 9D ....j...
>
>
>
> So... and please correct me if I'm wrong, but something changed
> between 3.0.7 and 3.0.8 to do with SMB signing. The signature
> size seems to have changed, but I don't know enough about the
> SMB protocol to work out what this would mean.
>
> I also notice this in the Changelog:
>
> o Fixes for kerberos interoperability with Windows 200x
> domains when using DES keys.
Can you try this patch. It reverts that change.
Jeremy.
Index: libsmb/smb_signing.c
===================================================================
--- libsmb/smb_signing.c (revision 5789)
+++ libsmb/smb_signing.c (working copy)
@@ -277,14 +277,17 @@
MD5Init(&md5_ctx);
/* intialise with the key */
+ MD5Update(&md5_ctx, data->mac_key.data, data->mac_key.length);
+#if 0
+ /* JRA - apparently this is incorrect. */
/* NB. When making and verifying SMB signatures, Windows apparently
zero-pads the key to 128 bits if it isn't long enough.
From Nalin Dahyabhai <[EMAIL PROTECTED]> */
- MD5Update(&md5_ctx, data->mac_key.data, data->mac_key.length);
if (data->mac_key.length < sizeof(key_buf)) {
memset(key_buf, 0, sizeof(key_buf));
MD5Update(&md5_ctx, key_buf, sizeof(key_buf) -
data->mac_key.length);
}
+#endif
/* copy in the first bit of the SMB header */
MD5Update(&md5_ctx, buf + 4, smb_ss_field - 4);
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
