[cifs-protocol] Inability to use Win2k8 as a member server in Samba4 domain (was Clarify reserved bytes that are in fact used in LogonSamLogonEx response)

Sebastian Canevari Sebastian.Canevari at microsoft.com
Tue Jul 28 18:07:59 MDT 2009


Hi Andrew,

I'm working with the product group in confirming my findings.

I am pretty sure that the first two longs in array ExpansionRoom in NETLOGON_VALIDATION_SAM_INFO4 (2.2.1.4.13 MS-NRPC) are used for the LanmanSessionKey, but like I said, I need to confirm it with the product group before giving you a definitive answer.

I'll keep you updated as soon as I have the definitive response.

Thanks and regards,



Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, July 27, 2009 10:42 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Inability to use Win2k8 as a member server in Samba4 domain (was Clarify reserved bytes that are in fact used in LogonSamLogonEx response)

On Fri, 2009-07-24 at 16:37 +1000, Andrew Bartlett wrote:
> On Mon, 2009-07-20 at 22:00 +1000, Andrew Bartlett wrote:
> > G'day,
> > 
> > My friend in Samba development Matthieu has been chasing down small 
> > but possibly significant differences between Samba4 and Windows.  He 
> > is puzzled by the following, and we wondered if you might be able to 
> > shed some light on the matter.
> 
> I've reproduced the problem locally, and attach the sniffs of the 
> network behaviour.

Has there been any progress in reproducing this problem, or at the very least advising us of the answer to our initial inquiry?

We can handle the Kerberos issue (a partial fix for that is already in the tree), but the STATUS_REQUEST_NOT_ACCEPTED issue has us stumped.

> This is being tracked in Samba bug:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=6273
> 
> 
> The traces include:
> 
> samba4-to-win2008-failure:
>  an NTLM login attempt, an attempt to use Samba's own SPNEGO libraries 
> (which are faulty)
> 
> samba4-to-win2008-failure-gensec_spnego:
>  a Kerberos login attempt using Heimdal's SPNEGO code
> 
> This shows that the problem is not just in NTLM logins, but perhaps in 
> the PAC/info3 reply.  Is some kind of per-user licensing thing tied up 
> here?  I've tried to up the number of users permitted to access the 
> share, without success.
> 
> If you need any assistance setting up Samba4 to reproduce this, I am 
> more than willing to assist.
> 
> The commands I used were:
> bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kno 
> bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes 
> bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes --option=gensec:spnego=no --option=gensec:gssapi_spnego=yes
> 
> Also see the attached patch to Samba4 rev
> d005e4dabb396607d959ece8da3c649797d59d44 to make the last command work. 
> 
> Andrew Bartlett
> 
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

