[Samba] Leopard Macs using Kerberos: Failed to parse negTokenTarg
I think I've found out why MacOS 10.5.x (Leopard) clients are unable to connect to Samba shares when authenticating with Kerberos. Basically, the Leopard Macs insert a few extra bytes (Padding and reqFlags, according to wireshark) into the security blob within the Session Setup AndX Request packet, bytes whose start tag is 0xa1, in a spot where Samba's parser expects 0xa2. The critical error is Failed to parse negTokenTarg at offset 54, which looks like it's being caused by the call asn1_start_tag(data, ASN1_CONTEXT(2)); in parse_negTokenTarg(). Here's an excerpt from the smbd log with debug=10: [2008/08/01 16:07:07, 3] smbd/process.c:switch_message(886) switch message SMBsesssetupX (pid 5281) conn 0x0 [2008/08/01 16:07:07, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/08/01 16:07:07, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2008/08/01 16:07:07, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/08/01 16:07:07, 5] smbd/uid.c:change_to_root_user(296) change_to_root_user: now uid=(0,0) gid=(0,0) [2008/08/01 16:07:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655) wct=12 flg2=0xc801 [2008/08/01 16:07:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego (535) Doing spnego session setup [2008/08/01 16:07:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego (566) NativeOS=[Mac OS X 10.5] NativeLanMan=[SMBFS 1.4.2] PrimaryDomain=[] [2008/08/01 16:07:07, 1] libsmb/clispnego.c:parse_negTokenTarg(251) Failed to parse negTokenTarg at offset 54 [2008/08/01 16:07:07, 3] smbd/error.c:error_packet(129) error packet at smbd/sesssetup.c(425) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE For comparison, here's the corresponding excerpt from the log of a successful connection from a MacOS 10.4.11 client: [2008/08/01 10:40:05, 3] smbd/process.c:switch_message(886) switch message SMBsesssetupX (pid 4681) conn 0x0 [2008/08/01 10:40:05, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/08/01 10:40:05, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2008/08/01 10:40:05, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/08/01 10:40:05, 5] smbd/uid.c:change_to_root_user(296) change_to_root_user: now uid=(0,0) gid=(0,0) [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655) wct=12 flg2=0xc801 [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego (535) Doing spnego session setup [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego (566) NativeOS=[MacOSX] NativeLanMan=[NETSMB] PrimaryDomain=[] [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 2 840 48018 1 2 2 [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(447) Got secblob of size 1438 [2008/08/01 10:40:05, 10] passdb/secrets.c:secrets_named_mutex(702) secrets_named_mutex: got mutex for replay cache mutex [2008/08/01 10:40:05, 10] lib/util.c:name_to_fqdn(2626) name_to_fqdn: lookup for LAGOS - LAGOS.Stanford.EDU. Here's an excerpt from the packet containing the data block Samba can't parse (captured by wireshark); I think the problem is the section labeled Padding and reqFlags inside the security blob: SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response in: 78] SMB Command: Session Setup AndX (0x73) NT Status: STATUS_SUCCESS (0x) Flags: 0x08 Flags2: 0xc801 Session Setup AndX Request (0x73) Word Count (WCT): 12 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 0 Max Buffer: 16644 Max Mpx Count: 50 VC Number: 111 Session Key: 0x13d3 Security Blob Length: 2414 Reserved: Capabilities: 0x8080c05c Byte Count (BCC): 2467 Security Blob: 6082096A06062B0601050502A082095E3082095AA0... GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) SPNEGO negTokenInit mechTypes: 3 items Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) Item: 1.3.5.1.5.2 (SNMPv2-SMI::org.5.1.5.2) Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft K5) Padding: 1 reqFlags: 04 (confFlag) 0... = delegFlag: False .0.. = mutualFlag: False ..0. = replayFlag: False ...0 = sequenceFlag: False 0... =
Re: [Samba] Leopard Macs using Kerberos: Failed to parse negTokenTarg
On Tue, Aug 05, 2008 at 01:02:49PM -0700, Kai Lanz wrote: I think I've found out why MacOS 10.5.x (Leopard) clients are unable to connect to Samba shares when authenticating with Kerberos. Basically, the Leopard Macs insert a few extra bytes (Padding and reqFlags, according to wireshark) into the security blob within the Session Setup AndX Request packet, bytes whose start tag is 0xa1, in a spot where Samba's parser expects 0xa2. The critical error is Failed to parse negTokenTarg at offset 54, which looks like it's being caused by the call asn1_start_tag(data, ASN1_CONTEXT(2)); in parse_negTokenTarg(). In Samba 3.2.0 and 3.2.1 this is fixed by the following code in parse_negTokenTarg(). /* Skip any optional req_flags that are sent per RFC 4178 */ if (asn1_check_tag(data, ASN1_CONTEXT(1))) { uint8 flags; asn1_start_tag(data, ASN1_CONTEXT(1)); asn1_start_tag(data, ASN1_BITFIELD); while (asn1_tag_remaining(data) 0) asn1_read_uint8(data, flags); asn1_end_tag(data); asn1_end_tag(data); } I'd try an upgrade :-). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Leopard Macs using Kerberos: Failed to parse negTokenTarg
2008/8/5 Kai Lanz [EMAIL PROTECTED]: I think I've found out why MacOS 10.5.x (Leopard) clients are unable to connect to Samba shares when authenticating with Kerberos. Basically, the Leopard Macs insert a few extra bytes (Padding and reqFlags, according to wireshark) into the security blob within the Session Setup AndX Request packet, bytes whose start tag is 0xa1, in a spot where Samba's parser expects 0xa2. The critical error is Failed to parse negTokenTarg at offset 54, which looks like it's being caused by the call asn1_start_tag(data, ASN1_CONTEXT(2)); in parse_negTokenTarg(). Here's an excerpt from the smbd log with debug=10: [2008/08/01 16:07:07, 3] smbd/process.c:switch_message(886) switch message SMBsesssetupX (pid 5281) conn 0x0 [2008/08/01 16:07:07, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/08/01 16:07:07, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2008/08/01 16:07:07, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/08/01 16:07:07, 5] smbd/uid.c:change_to_root_user(296) change_to_root_user: now uid=(0,0) gid=(0,0) [2008/08/01 16:07:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655) wct=12 flg2=0xc801 [2008/08/01 16:07:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535) Doing spnego session setup [2008/08/01 16:07:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566) NativeOS=[Mac OS X 10.5] NativeLanMan=[SMBFS 1.4.2] PrimaryDomain=[] [2008/08/01 16:07:07, 1] libsmb/clispnego.c:parse_negTokenTarg(251) Failed to parse negTokenTarg at offset 54 [2008/08/01 16:07:07, 3] smbd/error.c:error_packet(129) error packet at smbd/sesssetup.c(425) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE For comparison, here's the corresponding excerpt from the log of a successful connection from a MacOS 10.4.11 client: [2008/08/01 10:40:05, 3] smbd/process.c:switch_message(886) switch message SMBsesssetupX (pid 4681) conn 0x0 [2008/08/01 10:40:05, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/08/01 10:40:05, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2008/08/01 10:40:05, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2008/08/01 10:40:05, 5] smbd/uid.c:change_to_root_user(296) change_to_root_user: now uid=(0,0) gid=(0,0) [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655) wct=12 flg2=0xc801 [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535) Doing spnego session setup [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566) NativeOS=[MacOSX] NativeLanMan=[NETSMB] PrimaryDomain=[] [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 2 840 48018 1 2 2 [2008/08/01 10:40:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(447) Got secblob of size 1438 [2008/08/01 10:40:05, 10] passdb/secrets.c:secrets_named_mutex(702) secrets_named_mutex: got mutex for replay cache mutex [2008/08/01 10:40:05, 10] lib/util.c:name_to_fqdn(2626) name_to_fqdn: lookup for LAGOS - LAGOS.Stanford.EDU. Here's an excerpt from the packet containing the data block Samba can't parse (captured by wireshark); I think the problem is the section labeled Padding and reqFlags inside the security blob: SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response in: 78] SMB Command: Session Setup AndX (0x73) NT Status: STATUS_SUCCESS (0x) Flags: 0x08 Flags2: 0xc801 Session Setup AndX Request (0x73) Word Count (WCT): 12 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 0 Max Buffer: 16644 Max Mpx Count: 50 VC Number: 111 Session Key: 0x13d3 Security Blob Length: 2414 Reserved: Capabilities: 0x8080c05c Byte Count (BCC): 2467 Security Blob: 6082096A06062B0601050502A082095E3082095AA0... GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) SPNEGO negTokenInit mechTypes: 3 items Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) Item: 1.3.5.1.5.2 (SNMPv2-SMI::org.5.1.5.2) Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft K5) Padding: 1 reqFlags: 04 (confFlag) 0... = delegFlag: False .0.. = mutualFlag: False ..0. = replayFlag: False ...0 = sequenceFlag: False