[cifs-protocol] [REG:115041312628206] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Obaid Farooqi obaidf at microsoft.com
Wed Apr 29 16:35:28 MDT 2015


Hi Andrew:
What I thought was a difference between the behaviors of the Windows client when Samba is DC and when Windows is DC seems to be wrong. I can no longer reproduce the scenario. If I try to calculate the effective access of a different user (than the logged-in user) in my private Windows DC environment, the Windows client does not send an S4U2Self request. It instead uses MS-RAA. If I try to repro in my work domain, I get an unauthorized error when I try to calculate the effective access (for a different user) on a directory under sysvol.

As for why the Windows client sends administrator at domain.com, the request in your scenario is sent by File Explorer, and File Explorer runs under the logged-in user's security token. The lsass just gets the asking process's token (impersonate) and uses the UPN of that security descriptor in the S4U2Self TGS request.

In cases where I saw that the computer account UPN is used for sname, the request was sent by a service, and since services in Windows run under the computer account, the security token had the computer account name, and the behavior is consistent with what I described above.

If you can repro this scenario in a private environment and Windows does not use the logged-in user's UPN, please let me know.
I have already answered the reason for an error response and have also filed a TDI to include that in MS-SFU. I consider this issue resolved. If you can repro the situation where the Windows client, in the case of a Windows DC, uses the computer account instead of the logged-in user's UPN, please let me know and I'll be happy to investigate.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Monday, April 13, 2015 12:27 PM
To: 'Andrew Bartlett'
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: RE: [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Hi Andrew,
I have filed a TDI to document the SPN requirement.
I'll continue to explore the difference between behaviors when DC is Samba and will update you.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Sunday, April 12, 2015 5:31 PM
To: Obaid Farooqi
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

On Wed, 2015-04-08 at 22:32 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> Does my answer resolve your issue?
> I am asking since I answered your basic question. 

Thanks, it is great to see the SPN requirement in writing.  Can we get that added to the WSPP docs?

> I am working on figuring out why the Windows client sends a different sname based on the type of DC, but this is a side issue, not the question you asked. Can I mark the case as solution provided?

Thanks.  That would be interesting to understand. 

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
