#77 winexe failure with any samba newer than v4.1

[bill hudacek]

You can find a thread that discusses the problem here - http://forums.fedoraforum.org/showthread.php?p=1749571&posted=1#post1749571

After commenting on that thread, I completed field-hackery of the winexe source, and after stripping every reference to anything relating to libsamba-debug-samba4, winexe compiled & linked. Now I won't get any output as those DEBUG macros (and 'DEBUGLVL' in one place) are not included in the binary, but as long as the thing works I don't care much.

Now the question is - is 'winexe' dead? Is anyone reading this?

[Daniel B.]

Same problem here. winexe was OK up to EL 7.1, but with EL 7.2 (coming with samba 4.2.3), we can't compile it. Not only some libs were renamed (cli-ldap -> cli-ldap-samba4, errors -> errors-samba4, dcerpc-samba -> dcerpc-samba4) but also every DEBUG macros are now unusable

[Michael Stowe]

For anybody who compiles from source, I forked it and hacked together a fix. Source Your mileage may vary, and it's a little hackish, but it works.

[Francis Lessard]

Using Micheal Stowe's fork, I was able to get winexe working on a Ubuntu 14.04.4 using samba-dev 4.3.8. Winexe was no longer working after my last apt-get dist-upgrade. Here's my magic one-liner :

Being root, and starting in /root

git clone git://git.code.sf.net/u/mstowe/winexe u-mstowe-winexe && cd u-mstowe-winexe/source && apt-get -y install python2.7 gcc-mingw-w64 libtevent-dev samba-dev && ln -s /usr/lib/x86_64-linux-gnu/samba/libcli-ldap.so.0 /usr/lib/x86_64-linux-gnu/samba/libcli-ldap-samba4.so.0 ; ln -s /usr/lib/x86_64-linux-gnu/samba/libdcerpc-samba.so.0 /usr/lib/x86_64-linux-gnu/samba/libdcerpc-samba-samba4.so.0 ; ln -s /usr/lib/x86_64-linux-gnu/samba/liberrors.so.0 /usr/lib/x86_64-linux-gnu/samba/liberrors-samba4.so.0 ; ./waf configure build && build/winexe --help

If it all goes well, you should see the result of build/winexe --help

Next just :

cp build/winexe /usr/bin/

This build might not have all the debug options though. Like Michael said, your mileage may vary...

EDIT 03-05-2016

Succesfully tested on Ubuntu Server 16.04 LTS today.

[srikar]

Hi Francis,
Being a noob I ran the command you posted for winexe bug '77' on "Ubuntu 16.04 server" .I got the below error.
Build of shared winexe : disabled
Cannot continue! Please either install Samba shared libraries and re-run waf, or download the Samba source code and re-run waf with the "--samba-dir" option.
(complete log in /root/u-mstowe-winexe/source/build/config.log)

Since you have successfully installed winexe on ubuntu 16.04, can you please give me the details
regarding that.Thanks in advance.

[Francis Lessard]

Hello Srikar

I tried this morning with a fresh Ubuntu 16.04.2 fully patched server. I do obtain the same error as you did have. Something was changed June 01-2017 by Michael Stowe on his Winexe fork to get it to compile against samba 4.5. Our distro is still at version 4.3.11 so I beleive something was broken there.

I will investigate if something could be done to adapt to the new corrected fork. In the meantime you could download the previous v0.1 at https://sourceforge.net/u/mstowe/winexe/ci/v0.1/tarball

Micheal, do you have insights on this ?

[Michael Stowe]

You're exactly correct, I tagged the version that compiles against Samba 4.0-4.4 as v0.1, which is the one that you've provided the tarball link to already. v0.2 compiles against Samba 4.5, which was changed enough so that the previous version had no hope of compiling as it was.

[srikar]

Thank you Francis and Micheal for the inputs. I was able to build winexe on Ubuntu 16.04.2 LTS after doing a git to the above link of v0.1 and doing git of old-v4-0-stable branch.

[Jesse]

Been trying to get this to compile in Fedora 23 all day, Using Michael Stowe's fork and Francis's advice (thanks for the tips, guys) got me part way there, but I was still getting errors about missing libraries (even though the reported library is right where it should be):

Checking for library cli-ldap-samba4     : not found 
Checking for library :libcli-ldap-samba4.so.0 : not found 
Build of shared winexe                        : disabled 
Cannot continue! Please either install Samba shared libraries and re-run waf, or download the Samba source code and re-run waf with the "--samba-dir" option.
(complete log in /home/garrettj/builds/u-mstowe-winexe/source/build/config.log)

After digging through the logs, the link that finally did it for me was:

sudo ln -s /usr/lib64/samba/libgenrand-samba4.so /usr/lib64/libgenrand-samba4.so

I did quite a few other things trying to get this to work, so it's possible there was something else undocumented that got me here, but hopefully this helps the next Fedora user who's trying this.

Edit: in case someone else is having trouble with installing the dependencies in Fedora, I've found that for most Debian apt-get packages ending with "-dev", there's a Fedora dnf/yum equivalent ending in "-devel". This may be common knowledge, but it took me a while to figure out. :)

[Duane Voth]

Also used Michael Stowe's fork: git clone git://git.code.sf.net/u/mstowe/winexe u-mstowe-winexe to get it working on Arch Linux. Had to go back to samba 4.3.6 which can be found here (https://archive.archlinux.org/packages/s/samba) but still had to change the wscript file thusly:

diff --git a/source/wscript b/source/wscript
index 4210c2d..7dd75ee 100644
--- a/source/wscript
+++ b/source/wscript
@@ -78,7 +78,7 @@ def configure(ctx):
                 ''' % (h in 'smb_cli.h smb_cliraw.h smb_composite.h util/debug.h'.split(), h))

             libs = []
-            for l in 'cli-ldap-samba4 dcerpc-samba4 dcerpc-samba-samba4 errors-samba4 popt talloc ndr-standard samba-hostconfig samba-credentials smbclient-raw'.split():
+            for l in 'cli-ldap-samba4 dcerpc-samba4 dcerpc-samba-samba4 samba-errors popt talloc ndr-standard samba-hostconfig samba-credentials smbclient-raw-samba4'.split():
                 if ctx.check(lib=l, libpath=ctx.env.SAMBA_LIBS, mandatory=False):
                     libs.append(l)
                 else:

Also needed to: # pacman -S mingw-w64-gcc

[dentar]

Thanks for the workarounds so far, all is ok up to samba 4.3.12
Anyone got winexe compiling for samba >4.5.x?

[Mark Ridley]

Please could I get a copy of your 4.3.12 winexe-static?

Really appreciated. Thanks, Mark

[dentar]

My approach is to use a docker container. In my case, i used a fedora23 base image (which was using samba 4.3.x) and added winexe + dynamically loaded samba.
At this time, i had a 'full' fedora23 system to properly compile the winexe executable, so all left over was to include it into the container.
Runs smoothly as a containerized shell command, if you accept the container-loading time overhead ;-)

[Mark Ridley]

Sounds good.

Why do you need to run it in a docker container?

I would really like to give it a go.

What version of samba? was it 4.3.12? Could you let us have some build instructions please.

thanks.

The reason for needing at least 4.3.8 is the source4 version of samba does not work correctly with SMB2. source3 got fixed somewhere around 4.3.8 to talk correctly to SMB2.
After the latest ransomware most windows servers are having SMB1 disabled to winexe-static built on before 4.3.8 will no longer work so would be good to get this working.

thanks for you help

[dentar]

Why docker? 'cause it's cool :-)
And it solves the dll-hell equivalent in linux...
I chose docker because i already had winexe running in fedora23, and by lazyness all went into the container.
Since then, all is fine with fedora24, fedora25, ... Winexe still uses samba 4.3.x of course, but no problems at all (and i am using winexe a lot to access different windows installations)

[dentar]

btw, i just checked: docker + winexe v.1.1 + samba v.4.3.12

[dentar]

Mark,
looking at your other posts, your problem seems to be the communication protocol used by winexe. As you already mentioned, smbclient can be configured to use smb2/smb3 protocol (in case NT1 was disabled on the windows machines).
Winexe, in contrast, seems to uses NT1 exclusively, at least this was my finding when disabling NT1.
Do you know about how to parameterize winexe to change protocols? Or is this hardcoded somewhere in the sources? You said, since 4.3.12 of samba we could use smb2/smb3. How?
I am happy to help if you want to :-)

[Mark Ridley]

Hi Dentar,

I have made Iots of progress and have now got winexe (Michael Stowes version) to compile and link dynamically against samba-4-4

There were lots of header files to copy to the /usr/include areas and a hack into winexe to get it to understand the -mPROTOCOL. The problem with that is the -m option is ignored by samba/source4 and only takes what is in the smb.conf file. BUT winexe does not load the smb.conf file so the samba libraries would not connect to SMB2.
1. I changed winexe.c in main: ldprm_ctx = loadparm_init_global(true); it was false before.
it still ignores the -m option but can read min client protocol and max client protocol from the smb.conf file. Not great but a workaround

so winexe now runs and does not get the NT_STATUS_CONNECTION_RESET error.

basically what was happening (i think) is windows sees you are trying to connect as SMB1 (NT1) and does not what to talk to you anymore and disconnects without any more messages.

with the new winexe it gets further, SMB2 messages are now sent and rpc calls at the start are working.

however,when winexe trys to open ADMIN$ (to load the service) or IPC$ it just closes with:
ERROR: Failed to open connection - NT_STATUS_INVALID_PARAMETER_MIX

mounting ADMIN$ from the command line you have to add vers=2.0 to the -o
i.e
mount -t cifs //a.b.c.d/ADMIN$ /root/test -o username=abc%def,vers=2.0

the call failing is:
smbcli_full_connection and I am wondering if it needs to somehow pass vers=2.0 to the kernel mount function.

I have tested this to make sure it is not just winexe by building samba 4-4-4 or even samba-4.6.4 (the latest) and smbclient4 (in source4) still fails with the same NT_STATUS_INVALID_PARAMETER_MIX message with you try to connect to a share, not list shares.

smbclient in source3 works fine but is in source3 and winexe is built against source4.

Sorry for the long post.

I think that may be a bug in the source4 libraries of samba that do not like to mount shares with SMB2.

What do you think? is there someone at samba I can log a problem with?

[ubentobox]

I believe this has to do with Badlock CVE.. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118 It seems compatibility broke after this point when it was patched.

[ahajda]

Regarding the question if winexe is dead, I can say so, maybe better word would be hibernated :( Unfortunatelly my current job is not connected at all with Windows/Linux interaction. And I have not enough spare time to work on it. I still hope to find some time to detach it from samba sources and compile against samba libs but it is hard to say when it happens.

[Mark Ridley]

I really need winexe-static to build against 4.3.12? as source4 before this is broken with SMB2/3
After the ransomware most windows systems are getting patched to block SMB1

Can anyone look at this? I am willing to pay!

[Michael Stowe]

I have to admit I'm not clear on the precise definition of "winexe-static" (I can certainly figure out the broad outlines, of course.) Is it simply a static build? Which distro/architecture/packaging system? (Perhaps some of that does not matter?)

[Mark Ridley]

HI michael,
thanks for getting back to me.

i am using centos 7. winexe-static is the name he build gives to the static linked version of winexe. i just followed the instructions about downloading samba and using your fork.

so i type waf build configure --samba-dir=../samba

no joy though and after 3 days and many attempts i am no closer.

i need to get it working on samba minimum 4-3-12 as that seems to have source4 connecting correctly to SMBv2 and v3

what do you think? thanks

mark

[Mark Ridley]

Does anyone know if it is possible to re-write winexe to use the source3 version of samba code?

source4 is broken with SMB2/3. I have emailed bugzilla at samba to let them know but do not expect a reply anytime soon.

using the samba binary: cifsdd which also uses source4 it can be seen to fail to connect to windows on SMBv2:
cifsdd: connecting to //192.168.1.67/C$: NT_STATUS_INVALID_PARAMETER_MIX

[Michael Stowe]

The short version is that yes, it's possible.

The longer answer is that as Samba development progresses, it's becoming increasingly difficult to maintain in its current form, anyway, and that a better approach (as already suggested) is to extricate it from Samba itself and use Samba libraries, which is a larger task, but I can't guess offhand whether that's larger or smaller than reverting to Samba3 -- but I can suggest that it's likely to garner more support as CIFS continues to evolve and Winexe needs to continue to be maintained.

On a vaguely related note, my distro appears to have leapt from Samba 4.2 to Samba 4.5, which prompted me to update my fork enough to get Winexe compiling with Samba 4.5, and local testing shows that this works as well as 4.2 and 4.3 did, at least. I've tagged the respective updates, although the 4.5 version will probably work fine with earlier Sambas, I haven't tested it.

[Mark Ridley]

The problem with the samba4 branch is the share or tree opening code, smbcli_full_connection does not call the smb2 code if SMB2 is required to it crashes.

so for example in the cifsdd or winexe or even smbclient4 when smb1 is disabled it still calls the SMB1 code which then gets cut off. I have logged a ticket with samba but no one has picked it up yet.
the smbcli_full_connection calls smb_composite_connect which is only smb1.
i do not have enough knowledge to call the smb2 code.

any ideas?

i starting on moving it to samba3, but I am missing the async read/write calls that winexe uses.