RE: FW: encrypt passwords = no, security=user, samba 3.0a22
Here you go. Enjoy :) N. -- Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org Father, why are all the children weeping? / They are merely crying son O, are they merely crying, father? / Yes, true weeping is yet to come -- Nick Cave and the Bad Seeds, The Weeping Song -Original Message- From: Richard Sharpe [mailto:[EMAIL PROTECTED] Sent: Saturday, March 15, 2003 2:30 AM To: Nir Soffer Cc: Christopher R. Hertel; [EMAIL PROTECTED] Subject: RE: FW: encrypt passwords = no, security=user, samba 3.0a22 On Tue, 11 Mar 2003, Nir Soffer wrote: FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: Hmmm, I fixed a problem in Ethereal around Unicode handling last week at Connectathon. I would be very interested in a trace that shows the problem. Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com badpass.cap Description: badpass.cap aftersp.cap Description: aftersp.cap nounicode.cap Description: nounicode.cap
RE: FW: encrypt passwords = no, security=user, samba 3.0a22
On Tue, 11 Mar 2003, Nir Soffer wrote: FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: Hmmm, I fixed a problem in Ethereal around Unicode handling last week at Connectathon. I would be very interested in a trace that shows the problem. Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
Re: FW: encrypt passwords = no, security=user, samba 3.0a22
Richard Sharpe wrote: On Tue, 11 Mar 2003, Nir Soffer wrote: FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: Hmmm, I fixed a problem in Ethereal around Unicode handling last week at Connectathon. I would be very interested in a trace that shows the problem. Run Samba 3.0 with plaintext passwords. Then log on from both a W2K and a W/XP system. Make sure the Windows clients have been registry-hacked to allow plaintext. Piece of cake. I'm pretty sure I've sent you a capture on this before. I also sent one that showed that WindowsNT4SP3 adds extra nul bytes following some Unicode strings, and that Window2000 will sometime drop one nul byte at the end of the PrimaryDomain field (such that the PrimaryDomain Unicode string isn't properly terminated). See also the !Alert box in section 2.7.2 of my book. ;l file:///home/crh/work/docs/cifsdocs/SMB.html#SMB.7.2 Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
FW: encrypt passwords = no, security=user, samba 3.0a22
Hi again! After quite a lot of help from Christopher Hertel (Thanks, Chris!), I managed W2K to play nicey-nicey with UNICODE and plaintext passwords. It seems everything he said was pure golden truth, as detailed in the following MS KB article: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B257292 After installing the latest Service Packs on my test machine, apparently the problem went away (at least judging by ethereal and the Samba logs). I still haven't managed to log in properly using non-encrypted passwords, so if I find anything else I'll keep you posted. This one's probably on my side of configuration. :) Nir. -- Nir Soffer -=- Software Engineer, Exanet Inc. -=- The poor little kittens; They lost their mittens; And now you all must die. Mew, Mew, Mew, Mew, And now you all must die. www.sluggy.com, 24/10/02 -Original Message- From: Nir Soffer Sent: Tuesday, March 11, 2003 4:30 PM To: '[EMAIL PROTECTED]' Subject: FW: encrypt passwords = no, security=user, samba 3.0a22 Something our QA department stumbled on: I try to log on to my Samba 3.0a22 installation (make, make install, the usual shebang). The client name is CACOMISTLE (not the NativeOS), the user name is nirs, (not the domain). Any ideas or thoughts, or are we doing something incredibly stupid? (I've been reading some stuff about not having a guest user in the passdb causing such errors, but I do have a nobody user in the password files. Shouldn't this work properly out of the box? There's a log snippet that shows this may be related..) Thanks, Nir. Log snippets: [2003/03/11 16:21:40, 5] auth/auth_util.c:debug_unix_user_token(530) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2003/03/11 16:21:40, 5] smbd/uid.c:change_to_root_user(217) change_to_root_user: now uid=(0,0) gid=(0,0) [2003/03/11 16:21:40, 4] smbd/reply.c:reply_tcon_and_X(255) Got device type ? [2003/03/11 16:21:40, 5] smbd/service.c:make_connection(843) making a connection to 'normal' service ipc$ [2003/03/11 16:21:40, 5] lib/username.c:Get_Pwnam(288) Finding user nobody [2003/03/11 16:21:40, 5] lib/username.c:Get_Pwnam_internals(223) Trying _Get_Pwnam(), username as lowercase is nobody [2003/03/11 16:21:40, 5] lib/username.c:Get_Pwnam_internals(251) Get_Pwnam_internals did find user [nobody]! [2003/03/11 16:21:40, 3] smbd/service.c:make_connection_snum(525) Connect path is '/tmp' for service [IPC$] [2003/03/11 16:21:38, 3] smbd/sec_ctx.c:set_sec_ctx(287) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/03/11 16:21:38, 5] auth/auth_util.c:debug_nt_user_token(511) NT user token: (NULL) [2003/03/11 16:21:38, 5] auth/auth_util.c:debug_unix_user_token(530) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2003/03/11 16:21:38, 5] smbd/uid.c:change_to_root_user(217) change_to_root_user: now uid=(0,0) gid=(0,0) [2003/03/11 16:21:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X(482) wct=13 flg2=0xc807 [2003/03/11 16:21:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X(582) Domain=[nirs] NativeOS=[CACOMISTLE] NativeLanMan=[Windows 2000 2195] ^^^ [2003/03/11 16:21:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X(601) sesssetupX:[EMAIL PROTECTED] [2003/03/11 16:21:38, 6] param/loadparm.c:lp_file_list_changed(2347) lp_file_list_changed() file /usr/local/samba/lib/smb.conf - /usr/local/samba/lib/smb.conf last mod_ time: Tue Mar 11 16:16:23 2003 smb.conf: [global] blocking locks = no dns proxy = no encrypt passwords = no keepalive = 120 level2 oplocks = no lock directory = /usr/local/samba/var/locks locking = no log file = /tmp/log.smbd.%m log level = 10 machine password timeout = 9 mangled names = no map to guest = bad user name resolve order = lmhosts wins bcast host netbios name = windlg1 oplocks = no security = user socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash workgroup = exanet-qa winbind enum groups = yes winbind enum users = yes winbind gid = 1-2 winbind separator = + winbind uid = 1-2 [CIFS] comment = cifs exported dir path = /mnt/fs read only = no -- Nir Soffer -=- Software Engineer, Exanet Inc. -=- The poor little kittens; They lost their mittens; And now you all must die. Mew, Mew, Mew, Mew, And now you all must die. www.sluggy.com, 24/10/02
FW: encrypt passwords = no, security=user, samba 3.0a22
Something our QA department stumbled on: I try to log on to my Samba 3.0a22 installation (make, make install, the usual shebang). The client name is CACOMISTLE (not the NativeOS), the user name is nirs, (not the domain). Any ideas or thoughts, or are we doing something incredibly stupid? (I've been reading some stuff about not having a guest user in the passdb causing such errors, but I do have a nobody user in the password files. Shouldn't this work properly out of the box? There's a log snippet that shows this may be related..) Thanks, Nir. Log snippets: [2003/03/11 16:21:40, 5] auth/auth_util.c:debug_unix_user_token(530) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2003/03/11 16:21:40, 5] smbd/uid.c:change_to_root_user(217) change_to_root_user: now uid=(0,0) gid=(0,0) [2003/03/11 16:21:40, 4] smbd/reply.c:reply_tcon_and_X(255) Got device type ? [2003/03/11 16:21:40, 5] smbd/service.c:make_connection(843) making a connection to 'normal' service ipc$ [2003/03/11 16:21:40, 5] lib/username.c:Get_Pwnam(288) Finding user nobody [2003/03/11 16:21:40, 5] lib/username.c:Get_Pwnam_internals(223) Trying _Get_Pwnam(), username as lowercase is nobody [2003/03/11 16:21:40, 5] lib/username.c:Get_Pwnam_internals(251) Get_Pwnam_internals did find user [nobody]! [2003/03/11 16:21:40, 3] smbd/service.c:make_connection_snum(525) Connect path is '/tmp' for service [IPC$] [2003/03/11 16:21:38, 3] smbd/sec_ctx.c:set_sec_ctx(287) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/03/11 16:21:38, 5] auth/auth_util.c:debug_nt_user_token(511) NT user token: (NULL) [2003/03/11 16:21:38, 5] auth/auth_util.c:debug_unix_user_token(530) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2003/03/11 16:21:38, 5] smbd/uid.c:change_to_root_user(217) change_to_root_user: now uid=(0,0) gid=(0,0) [2003/03/11 16:21:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X(482) wct=13 flg2=0xc807 [2003/03/11 16:21:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X(582) Domain=[nirs] NativeOS=[CACOMISTLE] NativeLanMan=[Windows 2000 2195] ^^^ [2003/03/11 16:21:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X(601) sesssetupX:[EMAIL PROTECTED] [2003/03/11 16:21:38, 6] param/loadparm.c:lp_file_list_changed(2347) lp_file_list_changed() file /usr/local/samba/lib/smb.conf - /usr/local/samba/lib/smb.conf last mod_ time: Tue Mar 11 16:16:23 2003 smb.conf: [global] blocking locks = no dns proxy = no encrypt passwords = no keepalive = 120 level2 oplocks = no lock directory = /usr/local/samba/var/locks locking = no log file = /tmp/log.smbd.%m log level = 10 machine password timeout = 9 mangled names = no map to guest = bad user name resolve order = lmhosts wins bcast host netbios name = windlg1 oplocks = no security = user socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash workgroup = exanet-qa winbind enum groups = yes winbind enum users = yes winbind gid = 1-2 winbind separator = + winbind uid = 1-2 [CIFS] comment = cifs exported dir path = /mnt/fs read only = no -- Nir Soffer -=- Software Engineer, Exanet Inc. -=- The poor little kittens; They lost their mittens; And now you all must die. Mew, Mew, Mew, Mew, And now you all must die. www.sluggy.com, 24/10/02
RE: FW: encrypt passwords = no, security=user, samba 3.0a22
Nir Soffer wrote: Something our QA department stumbled on: I try to log on to my Samba 3.0a22 installation (make, make install, the usual shebang). The client name is CACOMISTLE (not the NativeOS), the user name is nirs, (not the domain). Any ideas or thoughts, or are we doing something incredibly stupid? At a guess, you are using plaintext passwords with Unicode. If my guess is correct (a simple capture of the SMB SESSION SETUP ANDX exchange would prove it) then read on... I do not know how to convince a Windows *server* to request plaintext passwords. As you are probably aware, it is easy to get Samba to request plaintext if that's really what you want to do. What that means is that the combination of Unicode and plaintext passwords is unusual. I have seen that W2K and W/XP clients will send Unicode plaintext passwords if Samba requests it. Unfortunately, they get the field values wrong--in different ways--and it breaks the existing parsing in Samba. [ snip wonderful explanation ] The Windows systems that I've been able to check do not send Plaintext Unicode passwords correctly. My *guess* is that Microsoft never tested this because their servers don't set up the situation that would require testing. I believe that Samba can compensate, but I have not had time to look at the code (let alone fix it). It should be an easy fix. Eg.: if( Unicode Password begins with 0x00 ) skip a byte if( Unicode Password does not end in 0x ) Add two to the password length before processing Someone care to look into providing a patch? It seems to me that a more correct fix would be, in the case of encrypt passwords = no, to request a normal password and not a UNICODE one. Is this even possible in the protocol? (e.g - request non-unicode passwords, but still support non-unicode filenames?) This is definitely broken now if this the case, regardless where the bug is... Nir. -- Nir Soffer -=- Software Engineer, Exanet Inc. -=- The poor little kittens; They lost their mittens; And now you all must die. Mew, Mew, Mew, Mew, And now you all must die. www.sluggy.com, 24/10/02
Re: FW: encrypt passwords = no, security=user, samba 3.0a22
Nir Soffer wrote: : : It seems to me that a more correct fix would be, in the case of encrypt passwords = no, to request a normal password and not a UNICODE one. Is this even possible in the protocol? (e.g - request non-unicode passwords, but still support non-unicode filenames?) Unicode is either ON or OFF. If Unicode is negotiated, then the Windows clients will try to send a Unicode password. This is definitely broken now if this the case, regardless where the bug is... There are bugs in the Windows clients, clearly, but I think that we can work around them. I also think that smbclient needs to be tested in this regard. Chris -)- PS. It would also be nice (hint to others on this list) if Ethereal were patched to read these messed-up packets correctly. :) -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
RE: FW: encrypt passwords = no, security=user, samba 3.0a22
Nir Soffer wrote: : : It seems to me that a more correct fix would be, in the case of encrypt passwords = no, to request a normal password and not a UNICODE one. Is this even possible in the protocol? (e.g - request non-unicode passwords, but still support non-unicode filenames?) Unicode is either ON or OFF. If Unicode is negotiated, then the Windows clients will try to send a Unicode password. This is definitely broken now if this the case, regardless where the bug is... There are bugs in the Windows clients, clearly, but I think that we can work around them. I also think that smbclient needs to be tested in this regard. FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: [2003/03/11 20:11:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(732) Domain=[CACOMISTLE] NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5 .0] [2003/03/11 20:11:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(742) sesssetupX:[EMAIL PROTECTED] So it seems you hit the mark. Now it's time to figure out how to fix it :) Thanks again! Nir. -- Nir Soffer -=- Software Engineer, Exanet Inc. -=- The poor little kittens; They lost their mittens; And now you all must die. Mew, Mew, Mew, Mew, And now you all must die. www.sluggy.com, 24/10/02
Re: FW: encrypt passwords = no, security=user, samba 3.0a22
Nir Soffer wrote: : FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: [2003/03/11 20:11:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(732) Domain=[CACOMISTLE] NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5 .0] [2003/03/11 20:11:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(742) sesssetupX:[EMAIL PROTECTED] So it seems you hit the mark. Now it's time to figure out how to fix it :) It's something I would do if I had time right now, but I am trying to finish up several projects all at once. Thanks again! We aims to please. :) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]