[Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a
Jason Haar
Jason.Haar at trimble.co.nz
Wed Dec 12 00:49:43 GMT 2007
We've got nicely ADS integrated Samba-3.0.27a servers that are working
fine with Win2000 through to standard Vista.
However, we are starting to test RC1 of Vista SP1 and discovered that
once applied, that workstation cannot connect to Samba server shares -
unless the share is open - i.e. no "valid user" style settings. The
moment one is defined, Vista fails to connect and pops up an
authentication dialog - which still doesn't work.

    workgroup = AD
    realm = AD.DOMAIN.NAME
    security = ADS
    auth methods = winbind
    encrypt passwords = Yes
    update encrypted = No
    client schannel = Auto
    server schannel = Auto
    allow trusted domains = Yes
    lanman auth = Yes
    ntlm auth = Yes
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    server signing = auto

I have tried altering "server signing = no" to "auto", and "client
NTLMv2 auth = No" to "yes" - no difference. I saw MS07-063 refers to
Vista having been patched for something to do with a signing bug - so I
took a punt it was related - no such luck.
If a share is configured as

    [test]
    path = /tmp

...then Vista-SP1rc1 works fine, but if it's...

    [test]
    path = /tmp
    valid users = @"AD\Some Group"

...then it doesn't. WinXP and Win2K3 server both work against both share
options of course.
Setting "log level = 10" shows Win2K3 working with

    [2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
      looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
    [2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
      lookup_name: ad\some group => ad (domain), some group (name)
    [2007/12/12 00:25:16, 10] smbd/share_access.c:user_ok_token(232)
      user_ok_token: share test is ok for unix user AD\myaccount

..whereas Vista-SP1rc1 shows

    [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
      Got KRB5 session key of length 16
    [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292)
      authorization data is not a Windows PAC (type: 141)
    ....
    [2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
      looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
    [2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
      lookup_name: ad\some group => ad (domain), some group (name)
    [2007/12/12 00:21:14, 10] smbd/share_access.c:user_ok_token(211)
      User AD\myaccount not in 'valid users'
    [2007/12/12 00:21:14, 2] smbd/service.c:make_connection_snum(616)
      user 'AD\myaccount' (from session setup) not permitted to access this share (test)

Any ideas? I can send the entire log (even a packet trace) to someone if
they need it.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
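
Added example (not part of the original post, and not Samba project code): a small Python parser for the level-10 smbd log format quoted above, which flags a share denial logged after authorization data failed to unwrap as a PAC, the two entries that set the failing Vista-SP1rc1 log apart from the working one. The sample log is constructed from the excerpts in the post, the function names are hypothetical, and the correlation is a triage aid rather than a statement of root cause.

```python
import re

# smbd debug header: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)\s*(.*)$")
DENIED = re.compile(r"user '([^']+)'.*share \(([^)]+)\)")

# Constructed sample: lines taken from the excerpts in the post, mail wrapping kept.
SAMPLE_LOG = r"""
[2007/12/12 00:20:42, 10]
libsmb/clikrb5.c:get_krb5_smb_session_key(735) Got KRB5 session
key of length 16
[2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292) authorization
data is not a Windows PAC (type: 141)
[2007/12/12 00:21:14, 10] smbd/share_access.c:user_ok_token(211)
User AD\myaccount not in 'valid users'
[2007/12/12 00:21:14, 2] smbd/service.c:make_connection_snum(616)
user 'AD\myaccount' (from session setup) not permitted to access this
share (test)
"""

def parse_entries(text):
    """Join each header with its (possibly mail-wrapped) message lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:  # skip blanks and "...." elisions
            continue
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m[1], "level": int(m[2]), "body": m[3]})
        elif entries:
            entries[-1]["body"] = (entries[-1]["body"] + " " + line).strip()
    for e in entries:
        loc = LOCATION.match(e["body"])
        e["func"], e["msg"] = (loc[2], loc[4]) if loc else (None, e["body"])
    return entries

def find_denials_after_non_pac(entries):
    """Flag share denials seen after a non-PAC ticket (assumes a single client's log)."""
    findings, non_pac_ts = [], None
    for e in entries:
        if e["func"] == "unwrap_pac" and "not a Windows PAC" in e["msg"]:
            non_pac_ts = e["ts"]
        elif e["func"] == "make_connection_snum" and non_pac_ts:
            m = DENIED.search(e["msg"])
            if m and "not permitted to access" in e["msg"]:
                findings.append({"user": m[1], "share": m[2], "denied_at": e["ts"], "non_pac_at": non_pac_ts})
    return findings
```

Calling find_denials_after_non_pac(parse_entries(SAMPLE_LOG)) returns one finding for AD\myaccount on share "test".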