[cifs-protocol] Inability to use Win2k8 as a member server in Samba4 domain (was Clarify reserved bytes that are in fact used in LogonSamLogonEx response)

Andrew Bartlett abartlet at samba.org
Mon Jul 27 21:41:36 MDT 2009


On Fri, 2009-07-24 at 16:37 +1000, Andrew Bartlett wrote:
> On Mon, 2009-07-20 at 22:00 +1000, Andrew Bartlett wrote:
> > G'day,
> > 
> > My friend in Samba development Matthieu has been chasing down small but
> > possibly significant differences between Samba4 and Windows.  He is
> > puzzled by the following, and we wondered if you might be able to shed
> > some light on the matter.
> 
> I've reproduced the problem locally, and attach the sniffs of the
> network behaviour.

Has there been any progress in reproducing this problem, or at the very
least advising us of the answer to our initial inquiry?

We can handle the Kerberos issue (a partial fix for that is in already
in the tree), but the STATUS_REQUEST_NOT_ACCEPTED issue has us
stumped.  

> This is being tracked in Samba bug:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=6273
> 
> 
> The traces include:
> 
> samba4-to-win2008-failure:
>  an NTLM login attempt, an attempt to use Samba's own SPNEGO libraries
> (which are faulty)
> 
> samba4-to-win2008-failure-gensec_spnego:
>  a Kerberos login attempt using Heimdal's SPENGO code
> 
> This shows that the problem is not just in NTLM logins, but perhaps in
> the PAC/info3 reply.  Is some kind of per-user licensing thing tied up
> here?  I've tried to up the number of users permitted to access the
> share, without success.
> 
> If you need any assistance setting up Samba4 to reproduce this, I am
> more than willing to assist.
> 
> The commands I used were:
> bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kno
> bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes
> bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes
> --option=gensec:spnego=no --option=gensec:gssapi_spnego=yes
> 
> Also see the attached patch to Samba4 rev
> d005e4dabb396607d959ece8da3c649797d59d44 to make the last command work. 
> 
> Andrew Bartlett
> 
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20090728/e55f832e/attachment.pgp>


More information about the cifs-protocol mailing list