Re: [Samba] SMB signing broken? 3.0.7 - 3.0.8

2005-03-16 Thread Andrew Bartlett
On Wed, 2005-03-16 at 11:46 +, Tim wrote:
> Hi Jeremy,
>
> Yep, that reversion patch you did fixed it.  I'm a little surprised
> nobody else has mentioned this before me though.  I assume it would
> affect everybody whose DCs require smb signing?
>
> Thanks for your help, I'll be rolling out 3.0.11 today.

It did bite others - I was dealing with one vendor on IRC.  What will be
interesting to find out is what RedHat was seeing in the first place...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] SMB signing broken? 3.0.7 - 3.0.8

2005-03-15 Thread Tim
Hi all.

I originally suspected this problem was with netbios (which I have
disabled by default) and Jerry has helped me out a bit with but I've
been doing some more digging and I think the problem lies back further
than I expected.

I was trying to upgrade from 3.0.7 to 3.0.11 so I've recompiled all
versions back from 3.0.11 and the problem first occurred in 3.0.8.  The
issue is with winbind, and the error I'm getting is
failed tcon_X with NT_STATUS_ACCESS_DENIED:

=== 3.0.7:  /usr/bin/winbind -i -d3 ===
...
Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 16 Mar 2005 00:41:08 GMT
ads: trusted_domains
Connected to LDAP server 10.140.72.17
got ldap server name [EMAIL PROTECTED], using bind path:
dc=DBG,dc=ADS,dc=DB,dc=COM
IPC$ connections done anonymously
Connecting to host=LONESWDBP4
Connecting to 10.140.72.17 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 16 Mar 2005 00:41:18 GMT
add_trusted_domain: TRAN is an NT4  domain
Added domain TRAN tran.stt S-1-5-21-343818398-606747145-725345543
add_trusted_domain: ADS is an NT4  domain
Added domain ADS ADS.DB.COM S-1-5-21-1960408961-1935655697-1801674531
etc

=== 3.0.8:  /usr/bin/winbind -i -d3 ===
...
Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 16 Mar 2005 00:43:41 GMT
ads: trusted_domains
Connected to LDAP server 10.140.72.17
got ldap server name [EMAIL PROTECTED], using bind path:
dc=DBG,dc=ADS,dc=DB,dc=COM
IPC$ connections done anonymously
Connecting to host=LONESWDBP4
Connecting to 10.140.72.17 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 16 Mar 2005 00:43:51 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
...


Now, if I turn on more debugging, you see this:

=== 3.0.7:  /usr/bin/winbind -i -d10 ===
...
Got KRB5 session key of length 16
SMB signing enabled!
cli_simple_set_signing: user_session_key
[000] C1 6D 83 5F 6A 94 6B 73  57 46 0B CB 16 03 CB B1  .m._j.ks WF..
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[000] CD 85 93 7F A1 A8 34 22   ..4
store_sequence_for_reply: stored seq = 1 mid = 2
...
client_check_incoming_message: seq 1: got good SMB signature of
[000] 9D E9 1B CC 6F 48 42 92   oHB.
...

=== 3.0.8:  /usr/bin/winbind -i -d10 ===
...
Got KRB5 session key of length 8
SMB signing enabled!
cli_simple_set_signing: user_session_key
[000] C8 5E D6 1A A1 46 10 BA   .^...F..
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[000] 84 84 78 B3 60 4A 05 5B   ..x.`J.[
store_sequence_for_reply: stored seq = 1 mid = 2
...
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] D7 08 07 13 97 AC E9 8B   
client_check_incoming_message: BAD SIG: got SMB signature of
[000] EF 85 1C D4 6A 1D AC 9D   j...



So... and please correct me if I'm wrong, but something changed
between 3.0.7 and 3.0.8 to do with SMB signing.  The signature
size seems to have changed, but I don't know enough about the
SMB protocol to work out what this would mean.

I also notice this in the Changelog:

  o Fixes for kerberos interoperability with Windows 200x
domains when using DES keys.

...and a few other people have encountered this issue:

http://marc.theaimsgroup.com/?l=samba&m=110217288924619&w=2
http://marc.theaimsgroup.com/?l=samba&m=110128503324928&w=2
http://marc.theaimsgroup.com/?l=samba&m=109171118423701&w=2

but I don't see any resolutions in the mailing list.  Any
help would be appreciated, I'd really like to upgrade because of
the security vulnerabilities.

Thanks,

Tim.
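
[Added example, not part of the original post and not Samba's code.] A Python sketch of the SMB1 signature check behind the "BAD SIG" lines above: both ends agree only when they hash identical key bytes. The packet is constructed, and pad_key_to is a hypothetical parameter standing in for the key zero-padding that the patch elsewhere in this thread disables.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # SecuritySignature field inside the 32-byte SMB1 header
SIG_LEN = 8

# Session keys as printed in the -d10 logs above (16 bytes on 3.0.7, 8 on 3.0.8).
KEY_16 = bytes.fromhex("C16D835F6A946B7357460BCB1603CBB1")
KEY_8 = bytes.fromhex("C85ED61AA14610BA")

def build_packet():
    """Constructed SMB1 tree-connect header (mid = 2) plus an empty body."""
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x75, 0, 0x18,
                         0xC807, 0, b"\x00" * SIG_LEN, 0, 0, 0, 0, 2)
    return header + b"\x00\x00\x00"

def smb1_signature(mac_key, packet, seq, pad_key_to=0):
    """First 8 bytes of MD5(key [+ zero pad] + packet with seq in the signature field)."""
    md5 = hashlib.md5()
    md5.update(mac_key)
    if pad_key_to > len(mac_key):  # hypothetical switch: zero-pad a short key
        md5.update(b"\x00" * (pad_key_to - len(mac_key)))
    md5.update(packet[:SIG_OFFSET])
    md5.update(struct.pack("<II", seq, 0))  # sequence number replaces the field
    md5.update(packet[SIG_OFFSET + SIG_LEN:])
    return md5.digest()[:SIG_LEN]

def sign(mac_key, packet, seq, pad_key_to=0):
    """Return the packet with its signature field filled in."""
    sig = smb1_signature(mac_key, packet, seq, pad_key_to)
    return packet[:SIG_OFFSET] + sig + packet[SIG_OFFSET + SIG_LEN:]

def verify(mac_key, packet, seq, pad_key_to=0):
    """Recompute the signature and compare it with the one carried in the packet."""
    got = packet[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    want = smb1_signature(mac_key, packet, seq, pad_key_to)
    return hmac.compare_digest(got, want)

if __name__ == "__main__":
    signed = sign(KEY_8, build_packet(), seq=0)
    print("same key handling:  ", verify(KEY_8, signed, 0))
    print("peer pads key to 16:", verify(KEY_8, signed, 0, pad_key_to=16))
    print("wrong sequence no.: ", verify(KEY_8, signed, 1))
```

With the 16-byte key from the 3.0.7 log the padding branch never runs, so only short keys such as the 8-byte one in the 3.0.8 log can be affected by a padding disagreement.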


Re: [Samba] SMB signing broken? 3.0.7 - 3.0.8

2005-03-15 Thread Jeremy Allison
On Tue, Mar 15, 2005 at 03:00:17PM +, Tim wrote:
> Hi all.
>
> I originally suspected this problem was with netbios (which I have
> disabled by default) and Jerry has helped me out a bit with but I've
> been doing some more digging and I think the problem lies back further
> than I expected.
>
> I was trying to upgrade from 3.0.7 to 3.0.11 so I've recompiled all
> versions back from 3.0.11 and the problem first occurred in 3.0.8.  The
> issue is with winbind, and the error I'm getting is
> failed tcon_X with NT_STATUS_ACCESS_DENIED:
>
> === 3.0.8:  /usr/bin/winbind -i -d10 ===
> ...
> Got KRB5 session key of length 8
> SMB signing enabled!
> cli_simple_set_signing: user_session_key
> [000] C8 5E D6 1A A1 46 10 BA   .^...F..
> cli_simple_set_signing: NULL response_data
> simple_packet_signature: sequence number 0
> client_sign_outgoing_message: sent SMB signature of
> [000] 84 84 78 B3 60 4A 05 5B   ..x.`J.[
> store_sequence_for_reply: stored seq = 1 mid = 2
> ...
> client_check_incoming_message: BAD SIG: wanted SMB signature of
> [000] D7 08 07 13 97 AC E9 8B
> client_check_incoming_message: BAD SIG: got SMB signature of
> [000] EF 85 1C D4 6A 1D AC 9D   j...
>
>
>
> So... and please correct me if I'm wrong, but something changed
> between 3.0.7 and 3.0.8 to do with SMB signing.  The signature
> size seems to have changed, but I don't know enough about the
> SMB protocol to work out what this would mean.
>
> I also notice this in the Changelog:
>
>   o Fixes for kerberos interoperability with Windows 200x
> domains when using DES keys.

Can you try this patch. It reverts that change.

Jeremy.
Index: libsmb/smb_signing.c
===
--- libsmb/smb_signing.c(revision 5789)
+++ libsmb/smb_signing.c(working copy)
@@ -277,14 +277,17 @@
MD5Init(md5_ctx);
 
/* intialise with the key */
+   MD5Update(md5_ctx, data-mac_key.data, data-mac_key.length); 
+#if 0
+   /* JRA - apparently this is incorrect. */
/* NB. When making and verifying SMB signatures, Windows apparently
zero-pads the key to 128 bits if it isn't long enough.
From Nalin Dahyabhai [EMAIL PROTECTED] */
-   MD5Update(md5_ctx, data-mac_key.data, data-mac_key.length); 
if (data-mac_key.length  sizeof(key_buf)) {
memset(key_buf, 0, sizeof(key_buf));
MD5Update(md5_ctx, key_buf, sizeof(key_buf) - 
data-mac_key.length);
}
+#endif
 
/* copy in the first bit of the SMB header */
MD5Update(md5_ctx, buf + 4, smb_ss_field - 4);
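
Review bot: the "#if 0" around the zero-padding block leaves dead code behind a comment that says only "apparently this is incorrect", so a later reader cannot tell which key lengths or servers the padding broke. Either delete the padding block and the Nalin Dahyabhai note outright, or extend the JRA comment to record the failing case; the debug output quoted in this thread shows an 8-byte KRB5 session key, which is the short-key case the padding branch was written for. Also check whether key_buf is still referenced anywhere once this block is compiled out, since it is now used only inside the disabled region of this hunk and may trigger an unused-variable warning. While here, "intialise" in the context comment could be corrected to "initialise".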