[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Win2003 server/SMB -- 2003 changed the handshake (in violation



On Fri, 2004-12-31 at 08:15, Robert Citek wrote:
> On a related note.  We just upgrade one of our servers from Windows 
> 2000 server to Windows 2003 server.  With Win2k, I was able to connect 
> from Linux using smbclient and smbmount.  With Win2003, I am not.

Various legacy support has been removed from Windows Server 2003's SMB
stack.  Again, this is _not_ the ADS/RPC and legacy CIFS/RPC
functionality, but the SMB stack that actually provides the "server
message block" (SMB) which is used for actual data/file transfer
services.

> From what I hear, all the Windows machines can connect to the Win2003 server 
> just fine.

Of course, with the default options.  All NT4+ clients are fairly good. 

It's the DOS7 (95/98/ME) and extended NT4 and NT5.0 (2000) options that
are problematic.  In a nutshell, Microsoft stopped bothering trying to
deal with all the "quirks" in each implementation.

> And the Windows machine can connect just fine to our Linux machines
> that run Samba.

Of course, because Samba dynamically loads different support for
different SMB variants in the various Windows clients.

> The Linux machines are running Red Hat 9 with
> samba-client-2.2.7a-7.9.0.

That's different.  There is a well documented change in how Windows
Server 2003 handles the SMB handshake in violation of its own, published
state diagram on the handshake.  In a nutshell, they now "skip a step." 
Windows clients silently error but continue.  Samba marks it as an
improper negotiation and a possible protocol/security issue.

I believe (?) Samba 2.2.8 or 2.2.9 fixed the problem.

If you upgrade to newer Samba versions, it now recognizes that Windows
Server 2003 does not do this step.  Here are the latest updates of Samba
2.2.12 for Red Hat Linux 9:  
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-2.2.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-client-2.2.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-common-2.2.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-swat-2.2.12-0.90.2.legacy.i386.rpm

If you are interested in automated updates with YUM, see this page:  
http://www.fedoralegacy.org/docs/yum-rh9.php  

Also note that the RHN tool "up2date" also has APT/YUM repository
support, but I recommend using either APT/YUM directly -- especially now
that there is a new slew of features.

> BTW, the same problem happens under Mac OS/X using sbmclient v2.2.3a
> (build 26).

Same issue, as detailed above.

> Here's a sample of samba connecting from Linux to Windows 2000:
> $ smbclient -L maul -W foo -U rwcitek
> added interface ip=10.4.0.40 bcast=10.4.0.255 nmask=255.255.255.0
> Password:
> Domain=[FOO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> 
>          Sharename      Type      Comment
>          ---------      ----      -------
>   ...
> Here's a sample of samba connecting to Windows 2003:
> $ smbclient -L vader -W foo -U rwcitek
> added interface ip=10.4.0.40 bcast=10.4.0.255 nmask=255.255.255.0
> Password:
> Domain=[FOO] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 
> 5.2]
> tree connect failed: NT_STATUS_ACCESS_DENIED
> I've been googling using the error message but links I've found haven't 
> dealt mostly with Windows machines connecting to Linux Samba servers.  
> I'm going the other way.

Yes, that's because the Samba Service is used far more than the client.

> So, a few questions:
>   - any ideas where I should be looking?  Is this a Samba issue, a 
> Windows issue, other?

As detailed above.

>  - any recommend readings for getting up-to-speed quickly on Win2003, 
> especially debugging/log files?   - other ideas/suggestions?

The Samba documentation is _always_ the _best_authority_ on how the SMB
protocol works.  I constantly berate fellow MCSA/MCSEs who fail to
understand the basics when they have issues with even native Windows
Servers (no Linux/Samba anywhere).

> Still googling.

Make sure you target the Samba archives in your search.  They will be
the foremost authority.

Try prefixing with "smbclient" in your search.  Even "smbfs" uses
"smbclient" -- the "smbfs" portion is just the interface into the Linux
kernel VFS hack that makes it appear as a filesystem.

-- 
Bryan J. Smith                                    b.j.smith@ieee.org 
-------------------------------------------------------------------- 
Subtotal Cost of Ownership (SCO) for Windows being less than Linux
Total Cost of Ownership (TCO) assumes experts for the former, costly
retraining for the latter, omitted "software assurance" costs in 
compatible desktop OS/apps for the former, no free/legacy reuse for
latter, and no basic security, patch or downtime comparison at all.




-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.