[cifs-protocol] [REG:115041312628206] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Andrew Bartlett abartlet at samba.org
Wed Apr 29 17:06:41 MDT 2015

On Wed, 2015-04-29 at 22:35 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> What I thought was a difference between the behaviors of the Windows
> client when Samba is DC and when Windows is DC seems to be wrong. I
> can no longer reproduce the scenario. If I try to calculate the
> effective access of a different user (than the logged-in user) in my
> private, Windows DC environment, the Windows client does not send an s4u2self
> request. It instead uses MS-RAA. If I try to repro in my work domain,
> I get an unauthorized error when I try to calculate the effective
> access (for a different user) on a directory under sysvol.
> As for why the Windows client sends administrator at domain.com, the
> request in your scenario is sent by File Explorer, and File
> Explorer runs under the logged-in user's security token. The lsass just
> gets the asking process's token (impersonate) and uses the UPN of that
> security descriptor in the s4u2self TGS request.
> In cases where I saw that the computer account UPN is used for sname, the
> request was sent by a service, and since services in Windows run under
> the computer account, the security token had the computer account name and the
> behavior is consistent with what I described above.
> If you can repro this scenario in a private environment and Windows does
> not use the logged-in user's UPN, please let me know.
> I have already answered the reason for an error response and have also
> filed a TDI to include that in MS-SFU. I consider this issue resolved.
> If you can repro the situation where the Windows client, in the case of a
> Windows DC, uses the computer account instead of the logged-in user's UPN, please
> let me know and I'll be happy to investigate.

That all sounds fine.  Thanks for looking into it.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
