[cifs-protocol] [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Obaid Farooqi obaidf at microsoft.com
Fri Apr 3 17:45:44 MDT 2015


Hi Andrew:
The error that should be returned is KDC_ERR_S_PRINCIPAL_UNKNOWN. This happens when an account does not have an SPN set on it and requests a ticket as a service in S4U2Self. This is stated here: https://technet.microsoft.com/fr-fr/library/cc772815(WS.10).aspx

"
Additionally, in Windows Server 2003, KDCs will not issue a service ticket for an account that does not have an SPN. If a service account were simply a user account with a human-generated password, then that account would be more vulnerable to an offline dictionary attack. For an account without an SPN, the KDC will return KDC_ERR_S_PRINCIPAL_UNKNOWN. However, the context of the error will be KRB_ERR_MUST_USE_USER2USER, which has the description of "Server principal valid for user-to-user only."
"

So your DC definitely does the right thing by returning an error, albeit the policy error is not correct. Interestingly, Windows client does not use administrator at domain as sname in TGS when Windows is acting as DC. It uses the computer account sam name that has SPN set on it, and therefore I do not see an error when Windows DC is used.

I'll keep looking as to why there is a difference in Windows client behavior when DC is Samba.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
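A small model of the KDC decision described above, added here as an illustration; it is not code from Samba, Windows or the thread. The account names, SPNs and the `samba_4_1_behaviour` switch are constructed, and the error "context" is modelled as a plain second return value rather than the real e-data encoding.

```python
"""Added example (not code from Samba, Windows or the thread): a model of the
S4U2Self decision discussed above, run against constructed accounts."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Kerberos error codes from RFC 4120 section 7.5.9
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7   # server principal not found in the database
KDC_ERR_POLICY = 12               # what the Samba 4.1.6 DC in the thread returned
KDC_ERR_MUST_USE_USER2USER = 27   # the "context" Windows attaches per the TechNet quote


@dataclass(frozen=True)
class Account:
    """Constructed stand-in for a directory object; only the attributes needed here."""
    sam_account_name: str
    spns: Tuple[str, ...] = ()


def s4u2self_decision(directory: Dict[str, Account], sname: str,
                      samba_4_1_behaviour: bool = False) -> Tuple[Optional[int], Optional[int]]:
    """Decide a TGS-REQ carrying PA-FOR-USER whose sname is `sname`.

    Returns (error_code, error_context); (None, None) means a ticket is issued.
    `samba_4_1_behaviour` reproduces the KDC_ERR_POLICY reply seen in the thread.
    """
    acct = directory.get(sname.lower())
    if acct is None:
        return KDC_ERR_S_PRINCIPAL_UNKNOWN, None
    if not acct.spns:
        # No SPN: per the quoted TechNet text the KDC must not issue a service
        # ticket, because a human-chosen password would face an offline dictionary attack.
        if samba_4_1_behaviour:
            return KDC_ERR_POLICY, None
        return KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_MUST_USE_USER2USER
    return None, None


# Constructed directory: a user account with no SPN and a workstation account with SPNs
DIRECTORY = {
    "administrator": Account("Administrator"),
    "ws1$": Account("WS1$", ("HOST/ws1", "HOST/ws1.example.test")),
}


def compare_behaviours(directory: Dict[str, Account]) -> Dict[str, Tuple]:
    """The two snames from the thread against the two KDC behaviours."""
    return {
        "windows_client_on_windows_dc": s4u2self_decision(directory, "WS1$"),
        "windows_client_on_samba_dc": s4u2self_decision(directory, "Administrator", True),
        "expected_reply_for_administrator": s4u2self_decision(directory, "Administrator"),
    }
```

The computer-account sname succeeds because it carries SPNs, while the user sname yields KDC_ERR_S_PRINCIPAL_UNKNOWN with the MUST_USE_USER2USER context (or KDC_ERR_POLICY under the Samba 4.1 behaviour).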

-----Original Message-----
From: "Obaid Farooqi" <obaidf at microsoft.com> 
Sent: Friday, March 13, 2015 5:31 PM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Hi Andrew: 
So at least I know why the Windows client, when using a Windows DC, does not use S4U2Self.
Windows client tries to use MS-RAA (Remote Authorization API Protocol) to get the authorization data when you try to calculate the effective access. In the case of a Windows DC, the service is available and the call succeeds. No need to use S4U2Self.

In the case of a Samba domain, the Samba DC responds with 0x16c9a0d6 to the endpoint mapper request, which means there is no MS-RAA implemented on the Samba DC. This causes the client to create a local resource manager instead of a remote resource manager (MS-RAA section "1.3 Overview"). This causes the client to use S4U2Self to get the authorization data.

I am looking into your question as to why sname is the user's name in TGS for S4U2Self.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft 

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, March 11, 2015 9:01 PM
To: Obaid Farooqi
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

On Wed, 2015-03-11 at 20:48 +0000, Obaid Farooqi wrote: 
> Hi Andrew:
> Using Samba DC (version 4.1.6-Ubuntu) and Windows 8.1 client I was
> able to reproduce the situation where windows client sends a S4U2Self
> TGS request to Samba and Samba responds with KRB5KDC_ERR_POLICY.
> It happens when I check the effective access for a user, same as
> logged in or another does not matter. But the error in the windows
> explorer is "You don't have permission to evaluate effective access
> rights for the remote resource. Contact the administrator of the
> target server"
> I also see the S4U2Self TGS request for that user, as mentioned above.
>
> If I logged in as Administrator and query the effective access for
> "Administrators" group, then I get the error in the explorer that you
> reported, i.e.
> "Code 0x80070057 The parameter is incorrect"
>
> When using a windows domain I do not see the S4U2Self message go out
> from client although I see other network traffic that could be due to
> the policy since I used a corpnet share to test this. I'll do it on my
> internal Windows domain to see if I get the same error and/or S4U2Self
> goes out.

Thanks.  I wasn't able to spot that in my tests either. 

> Looking at the code, the use of S4U2Self is expected. I need to dig 
> more on Windows-to-Windows scenario.
> So, it boils down to what we want to get out of this, protocol-wise.
> The bug about "Code 0x80070057 The parameter is incorrect" is already 
> in place and platform people are working on it.
> As I understand, you want to know if Samba should be returning an 
> error or should it return the authorization info in response to 
> S4U2Self TGS request. Right?

Yes.  My tests indicate we should return ERR_S_PRINCIPAL_UNKNOWN, but I don't know 'why' (see other threads on mappings).

Andrew Bartlett 

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba