9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-22  1:26 UTC
  To: Fans of the OS Plan 9 from Bell Labs

I'm quite sure I'm not doing anything right here, but:

cpu% aquarela -p -d allcmds
Aquarela 0.5 running
SMB_COM_NEGOTIATE request: tid 0xffff pid 0x125f uid 0xffff mid 0x8f07
received:
0x0000   ff53 4d42 7200 0000 0018 4520 0000 4253        .SMBr.....E ..BS
0x0010   5253 5059 4c20 0000 ffff 5f12 ffff 078f        RSPYL ...._.....
0x0020   000c 0002 4e54 204c 4d20 302e 3132 00          ....NT LM 0.12.
smbnegotiate: 'NT LM 0.12'
smbnegotiate: couldn't get mschap challenge
reply: error 2/1
sending:
0x0000   ff53 4d42 7202 0001 0088 0080 0000 0000        .SMBr...........
0x0010   0000 0000 0000 0000 ffff 5f12 ffff 078f        .........._.....
0x0020   1100 0003 0100 0100 ffff 0100 0000 0100        ................
0x0030   0300 0000 1400 0000 df38 1b5c 3c29 cb01        .........8.\<)..
0x0040   a401 0800 0000 0000                            ........

happens when trying to connect with:

cpu% aux/cifs oxen.appnano dump
aux/cifs: oxen.appnano - cannot negioate common protocol, network, non
specific error

cpu%

I have a bunch of keys I've tried:

cpu% cat /mnt/factotum/ctl
key proto=p9sk1 user=bootes dom=appnano !hex? !password?
key proto=mschap server=oxen.appnano user=akumar !password?
key proto=mschap server=oxen.appnano user=bootes !password?
key proto=mschap role=server user=bootes !password?
key proto=pass dom=appnano service=cifs user=akumar !password?
cpu%

same sort of thing (with a lot more output from aquarela)
happens when trying to connect from Windows 7 or
XP. Any clues?



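The two frames in that dump decoded field by field, as an added example (it is not aquarela's or aux/cifs's code; the hex dumps are copied from the post, the layout follows the SMB1 header and the NT LM 0.12 NEGOTIATE request/response as documented in [MS-CIFS], and nothing is sent on the wire):

```python
"""Decode the SMB_COM_NEGOTIATE request and reply from the aquarela dump."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Hex dumps copied from the post: the request aux/cifs sent, the reply aquarela returned.
REQUEST_DUMP = r"""
0x0000   ff53 4d42 7200 0000 0018 4520 0000 4253        .SMBr.....E ..BS
0x0010   5253 5059 4c20 0000 ffff 5f12 ffff 078f        RSPYL ...._.....
0x0020   000c 0002 4e54 204c 4d20 302e 3132 00          ....NT LM 0.12.
"""
REPLY_DUMP = r"""
0x0000   ff53 4d42 7202 0001 0088 0080 0000 0000        .SMBr...........
0x0010   0000 0000 0000 0000 ffff 5f12 ffff 078f        .........._.....
0x0020   1100 0003 0100 0100 ffff 0100 0000 0100        ................
0x0030   0300 0000 1400 0000 df38 1b5c 3c29 cb01        .........8.\<)..
0x0040   a401 0800 0000 0000                            ........
"""

SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS2_NT_STATUS = 0x4000     # status is a 32-bit NTSTATUS; otherwise DOS class/code
SMB_FLAGS2_UNICODE = 0x8000
HEADER = struct.Struct("<4sB4sBHH8sHHHHH")   # the fixed 32-byte SMB1 header


def from_dump(text):
    """Rebuild raw bytes from aquarela-style dump lines: offset, hex groups, ASCII gutter."""
    out = bytearray()
    for line in text.strip().splitlines():
        hexgroups = re.split(r"\s{2,}", line.strip())[1]   # the middle column only
        out += bytes.fromhex(hexgroups.replace(" ", ""))
    return bytes(out)


def parse_header(frame):
    """Header fields; the status is decoded the way Flags2 says it is encoded."""
    (proto, cmd, status, flags, flags2, pid_hi, sig, _rsvd,
     tid, pid_lo, uid, mid) = HEADER.unpack_from(frame)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 frame")
    h = {"command": cmd, "flags": flags, "flags2": flags2, "signature": sig,
         "tid": tid, "pid": (pid_hi << 16) | pid_lo, "uid": uid, "mid": mid}
    if flags2 & SMB_FLAGS2_NT_STATUS:
        h["nt_status"] = struct.unpack("<I", status)[0]
    else:
        # DOS format: ErrorClass, reserved byte, 16-bit ErrorCode.  Aquarela's
        # "error 2/1" is class 2 (ERRSRV), code 1 (ERRerror: non-specific error).
        h["error_class"] = status[0]
        h["error_code"] = struct.unpack_from("<H", status, 2)[0]
    return h


def _body(frame):
    """Split what follows the header into (WordCount, parameter words, ByteCount, data)."""
    wct = frame[32]
    words = frame[33:33 + 2 * wct]
    bcc = struct.unpack_from("<H", frame, 33 + 2 * wct)[0]
    return wct, words, bcc, frame[35 + 2 * wct:35 + 2 * wct + bcc]


def parse_negotiate_request(frame):
    """Dialects offered by the client: each is a 0x02 byte plus a NUL-terminated name."""
    _, _, _, data = _body(frame)
    return [d.rstrip(b"\0").decode() for d in data.split(b"\x02") if d]


def parse_negotiate_response(frame):
    """Decode the NT LM 0.12 negotiate reply (WordCount 17) and look for its challenge."""
    wct, words, bcc, data = _body(frame)
    if wct != 17:
        raise ValueError(f"unexpected WordCount {wct}")
    names = ("dialect_index", "security_mode", "max_mpx", "max_vcs", "max_buffer",
             "max_raw", "session_key", "capabilities", "system_time", "tz_minutes",
             "challenge_len")
    r = dict(zip(names, struct.unpack("<HBHHIIIIQhB", words)))
    r["byte_count"] = bcc
    r["challenge"] = data[:r["challenge_len"]]
    # A server that announces an 8-byte challenge but sends none cannot run
    # challenge/response authentication: the client has nothing to encrypt.
    r["challenge_missing"] = len(r["challenge"]) < r["challenge_len"]
    return r


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def explain(request_dump=REQUEST_DUMP, reply_dump=DUMMY if False else REPLY_DUMP):
    """Pair the request with its reply and summarise why the negotiation failed."""
    req_frame, rep_frame = from_dump(request_dump), from_dump(reply_dump)
    req, rep = parse_header(req_frame), parse_header(rep_frame)
    ids = ("tid", "pid", "uid", "mid")
    if [req[k] for k in ids] != [rep[k] for k in ids]:
        raise ValueError("reply does not belong to this request")
    resp = parse_negotiate_response(rep_frame)
    return {"dialects": parse_negotiate_request(req_frame),
            "error": (rep.get("error_class"), rep.get("error_code")),
            "server_time": filetime_to_datetime(resp["system_time"]),
            "challenge_len": resp["challenge_len"], "byte_count": resp["byte_count"],
            "challenge_missing": resp["challenge_missing"]}


if __name__ == "__main__":
    for key, value in explain().items():
        print(f"{key:18} {value}")
```

The header fields come out exactly as aquarela logged them (tid 0xffff, pid 0x125f, uid 0xffff, mid 0x8f07). The reply's Flags2 has no NT_STATUS bit, so its status is the DOS pair class 2 / code 1, ERRSRV/ERRerror, which is the "non specific error" that aux/cifs printed. More telling is that the reply's ChallengeLength says 8 while ByteCount is 0: the server could not obtain an mschap challenge, as its own log line says, so the client was offered challenge/response authentication with no challenge to respond to. The SystemTime decodes to 2010-07-22 UTC, a quick way to confirm the field offsets are right.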

* Re: [9fans] aquarela woes
From: Steve Simon @ 2010-07-22  8:50 UTC
  To: 9fans

> smbnegotiate: 'NT LM 0.12'
> smbnegotiate: couldn't get mschap challenge
> reply: error 2/1

Re: aquarela

I don't use aquarela these days, but I think the problem is
to do with aquarela being unable to contact keyfs.

aquarela must be started on your server after keyfs, I run it
on my work terminal/fs/auth/cpu all-in-one server and it is
invoked in /cfg/$sysname/termrc after keyfs (starting keyfs
and aquarela in termrc is very unusual but as I said I have
an all in one box).

check how it is started.

RE cifs

BTW, I am interested if you have problems with cifs.

I know there is a bug in the default ntlmv2 auth when working with Vista
(and probably windows 7 too), but if you fall back to less secure
auth on the wire (e.g. by adding -a ntlm to the cifs command line)
then it works.

Windows auth is a mess, and kerberos with asn.1 is ugly.

-Steve




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-22 15:41 UTC
  To: Fans of the OS Plan 9 from Bell Labs

RE: aquarela

I think the problem is in my setup of interfaces and
stacks on the CPU/Auth server; I've been unable to
yet properly set up the two interfaces - local and
external - of the CPU/Auth server to play in conjunction
with each other. So it's possible that it's trying to
connect to the auth server on the internal IP, which is
unreachable once I bind the external stack over the
internal stack in /net. I'm not sure what the fix is...

On Thu, Jul 22, 2010 at 1:50 AM, Steve Simon <steve@quintile.net> wrote:
>> smbnegotiate: 'NT LM 0.12'
>> smbnegotiate: couldn't get mschap challenge
>> reply: error 2/1
>
> Re: aquarela
>
> I don't use aquarela these days, but I think the problem is
> to do with aquarela being unable to contact keyfs.
>
> aquarela must be started on your server after keyfs, I run it
> on my work terminal/fs/auth/cpu all-in-one server and it is
> invoked in /cfg/$sysname/termrc after keyfs (starting keyfs
> and aquarela in termrc is very unusual but as I said I have
> an all in one box).
>
> check how it is started.
>
> RE cifs
>
> BTW, I am interested if you have problems with cifs.
>
> I know there is a bug in the default ntlmv2 auth when working with Vista
> (and probably windows 7 too), but if you fall back to less secure
> auth on the wire (e.g. by adding -a ntlm to the cifs command line)
> then it works.
>
> Windows auth is a mess, and kerberos with asn.1 is ugly.
>
> -Steve
>
>




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-22 21:30 UTC
  To: Fans of the OS Plan 9 from Bell Labs

what does this mean:


smbcomsessionsetupandx: case sensitive/insensitive password length not 24
reply: error 2/2

surely not that every password must be 24 chars?




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-22 21:37 UTC
  To: Fans of the OS Plan 9 from Bell Labs

On Thu, Jul 22, 2010 at 1:50 AM, Steve Simon <steve@quintile.net> wrote:
> I know there is a bug in the default ntlmv2 auth when working with Vista
> (and probably windows 7 too), but if you fall back to less secure
> auth on the wire (e.g. by adding -a ntlm to the cifs command line)
> then it works.

actually, -a ntlm and -a ntlmv2 both give:

aux/cifs: session authentication failed, network, bad password

but -a lm+ntlm succeeds; ideas?




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-22 21:38 UTC
  To: Fans of the OS Plan 9 from Bell Labs

I should add that this relates to my previous post -
with auth methods ntlm and ntlmv2, I get the

"smbcomsessionsetupandx: case sensitive/insensitive password length not 24"

error.

On Thu, Jul 22, 2010 at 2:37 PM, Akshat Kumar
<akumar@mail.nanosouffle.net> wrote:
> On Thu, Jul 22, 2010 at 1:50 AM, Steve Simon <steve@quintile.net> wrote:
>> I know there is a bug in the default ntlmv2 auth when working with Vista
>> (and probably windows 7 too), but if you fall back to less secure
>> auth on the wire (e.g. by adding -a ntlm to the cifs command line)
>> then it works.
>
> actually, -a ntlm and -a ntlmv2 both give:
>
> aux/cifs: session authentication failed, network, bad password
>
> but -a lm+ntlm succeeds; ideas?
>




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-22 23:50 UTC
  To: Fans of the OS Plan 9 from Bell Labs

So, currently, I can only use aquarela with Windows XP it seems...
can't establish connection, really, with Windows 7.

But beyond that, I have a rather serious problem with aquarela's
setup: since it must run as bootes so that any user can log in,
it seems that *all* privileges (read/write, etc.) are those only of
bootes! Is there any way so that each user that has logged in
has his/her own read/write privileges, as if they logged into their
own Plan 9 account (in fact, they *are* logging into their Plan 9
account, so each user inheriting only the privileges of bootes,
makes NO sense!)?




* Re: [9fans] aquarela woes
From: Steve Simon @ 2010-07-23  0:03 UTC
  To: 9fans

> I have a rather serious problem with aquarela's
> setup: since it must run as bootes so that any user can log in,
> it seems that *all* privileges (read/write, etc.) are those only of
> bootes! Is there any way so that each user that has logged in
> has his/her own read/write privileges, as if they logged into their
> own Plan 9 account (in fact, they *are* logging into their Plan 9
> account, so each user inheriting only the privileges of bootes,
> makes NO sense!)?

You misunderstand.

When the user successfully authenticates aquarela changes the owner
of the process to the authenticated user so it can read and write only
those files that that plan9 user can read and write.

Aquarela must be invoked as bootes as only bootes has the rights to
become any user.

see /sys/src/cmd/aquarela/smbcomsessionsetupandx.c:137

-Steve




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-23  0:07 UTC
  To: Fans of the OS Plan 9 from Bell Labs

On Thu, Jul 22, 2010 at 5:03 PM, Steve Simon <steve@quintile.net> wrote:
>> I have a rather serious problem with aquarela's
>> setup: since it must run as bootes so that any user can log in,
>> it seems that *all* privileges (read/write, etc.) are those only of
>> bootes! Is there any way so that each user that has logged in
>> has his/her own read/write privileges, as if they logged into their
>> own Plan 9 account (in fact, they *are* logging into their Plan 9
>> account, so each user inheriting only the privileges of bootes,
>> makes NO sense!)?
>
> You misunderstand.
>
> When the user successfully authenticates aquarela changes the owner
> of the process to the authenticated user so it can read and write only
> those files that that plan9 user can read and write.
>
> Aquarela must be invoked as bootes as only bootes has the rights to
> become any user.
>
> see /sys/src/cmd/aquarela/smbcomsessionsetupandx.c:137

I see that, but for some reason, the results in practice are different...
also, what is the supposed case when client does not specify a password?




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-23  0:11 UTC
  To: Fans of the OS Plan 9 from Bell Labs

> also, what is the supposed case when client does not specify a password?

I ask this because from what I see, the client simply logs in as bootes...

that shouldn't be the case, should it?




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-23  0:24 UTC
  To: Fans of the OS Plan 9 from Bell Labs

Ah, never mind that last one - the process is started as the
last user I logged in as (I forgot I'd used that computer to
login to the CIFS share already).

But the main problem is still there: my share is called
"example", which is basically just:

srvfs example /usr

where /usr contains:

/usr/akumar
/usr/bootes

and when I access \\192.168.2.141\example\akumar,
I can't do anything in the directory except move around
and read files - trying to create a file or directory, or
trying to move files around, etc., yields a "Network access
denied" error. However, I can do all of that stuff in
\\192.168.2.141\example\bootes - why is that?
This is all despite the fact that I see the aquarela
process being started by the user that I logged in as
(akumar). I tried running with -d allcmds to get clues,
but I can't really figure this out... ideas?




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-23  0:27 UTC
  To: Fans of the OS Plan 9 from Bell Labs

ahh, I see... I ran the srvfs command
as bootes, then did chmod 666 /srv/example.
So, even if I mount it in Plan 9, I see the
same effects; I'm sorry, this isn't aquarela's
fault. It's just my crappy namespace
creation - what's the proper way to do
this?

again, my apologies...




* Re: [9fans] aquarela woes
From: Akshat Kumar @ 2010-07-23  0:44 UTC
  To: Fans of the OS Plan 9 from Bell Labs

just for future reference, this works fine in
/rc/bin/9fs (I use a special 9fs just for the cifs
share, so that the rest of the system is
not available):

case example
    bind -c /usr /n/example

sorry for the noise :)


Best,
ak


On Thu, Jul 22, 2010 at 5:27 PM, Akshat Kumar
<akumar@mail.nanosouffle.net> wrote:
> ahh, I see... I ran the srvfs command
> as bootes, then did chmod 666 /srv/example.
> So, even if I mount it in Plan 9, I see the
> same effects; I'm sorry, this isn't aquarela's
> fault. It's just my crappy namespace
> creation - what's the proper way to do
> this?
>
> again, my apologies...
>


