[cifs-protocol] Clarify reserved bytes that are in fact used in LogonSamLogonEx response

Hongwei Sun hongweis at microsoft.com
Thu Jul 30 18:30:09 MDT 2009


  We are able to set up environment with a W2k8 server joined to Samba domain.  I ran the three commands you mentioned in your e-mail.

bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kno
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes --option=gensec:spnego=no --option=gensec:gssapi_spnego=yes

   I get the same error as you in the first command that is basically using NTLM.  But I have problem with the next two commands that use Kerberos.  Please see the errors returned on screen shots.   It complains when running Kinit command that KDC cannot be reached, but from the Samba output screen on the back , it shows that KDC is processing TGS-REQ from the W2k8 server; obviously KDC is working.  Could you take a look at it and give us some advice ?  Have we missed configuring anything ?

   Also listing the expected failure from each test will also be helpful.  It will ensure that we have the correct repros.



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, July 24, 2009 1:37 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Clarify reserved bytes that are in fact used in LogonSamLogonEx response

On Mon, 2009-07-20 at 22:00 +1000, Andrew Bartlett wrote:
> G'day,
> My friend in Samba development Matthieu has been chasing down small
> but possibly significant differences between Samba4 and Windows.  He
> is puzzled by the following, and we wondered if you might be able to
> shed some light on the matter.

I've reproduced the problem locally, and attach the sniffs of the network behaviour.

This is being tracked in Samba bug:


The traces include:

 an NTLM login attempt, an attempt to use Samba's own SPNEGO libraries (which are faulty)

 a Kerberos login attempt using Heimdal's SPENGO code

This shows that the problem is not just in NTLM logins, but perhaps in the PAC/info3 reply.  Is some kind of per-user licensing thing tied up here?  I've tried to up the number of users permitted to access the share, without success.

If you need any assistance setting up Samba4 to reproduce this, I am more than willing to assist.

The commands I used were:
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kno bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes --option=gensec:spnego=no --option=gensec:gssapi_spnego=yes

Also see the attached patch to Samba4 rev
d005e4dabb396607d959ece8da3c649797d59d44 to make the last command work.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen-shot-command-1&2.jpg
Type: image/jpeg
Size: 309090 bytes
Desc: Screen-shot-command-1&2.jpg
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20090731/738c40c9/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen-shot-command-3.jpg
Type: image/jpeg
Size: 306508 bytes
Desc: Screen-shot-command-3.jpg
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20090731/738c40c9/attachment-0003.jpg>

More information about the cifs-protocol mailing list