[cifs-protocol] [REG:115030312463847] [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Bryan Burgin bburgin at microsoft.com
Mon Mar 2 23:19:37 MST 2015 

[dochelp on bcc]
[+casemail]

Starting new thread for SR 115030312463847: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)
An engineer from the protocols team will contact you soon.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Monday, March 2, 2015 10:15 PM
To: 'Andrew Bartlett'
Cc: cifs-protocol at lists.samba.org
Subject: RE: View effective Access - Parameter is incorrect

[Dochelp to bcc]

Hi Andrew,

Thank you for raising this issue.  We're creating two cases to track this: one to chase down the error (which I'll own, potentially a QFE hotfix request) and the second as a [MS-KILE] doc issue (someone from the team will pick up).  Please note that as for the error message itself, we are investigating this and published KB 3041857 to acknowledge it: https://support.microsoft.com/kb/3041857.

SR 115030312463820: Windows behavior re  '0x80070057 the parameter is incorrect'.
SR 115030312463847: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Don't reply to this mail; I'll start a separate thread for each to keep the discussions separate.

[Note: in your mail below, I appended your add-on observation re Windows 8.1 to Windows 2012R2 "in-line"]

Bryan

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, March 2, 2015 6:12 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at lists.samba.org
Subject: View effective Access - Parameter is incorrect

Using a Windows 8, and a Windows 8.1 Pro machine, joined to a Samba domain.

I open up \\$SERVER\sysvol and right-click on one of the files.  I then select properties, security, advanced, effective access.

I select one of the other users in my domain (I logged in as administrator), and then 'view effective access'.  The error I get is
'0x80070057 the parameter is incorrect'.

I can't see anything odd, except that in frame 91-93 the client asks for a TGS-REQ (S4U2Self) for a server of Administrator at REALM as an enterprise principal, perhaps being denied because Administrator is not a server account. 

Samba master gives 'KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (see trace) Samba 4.2 give 'KRB5KDC_ERR_POLICY' (not attached)

Is this the issue, if so, cue my discussion about MS-KILE clarifications :-)

Oddly, when looking at a comparitive trace of Windows 8.1 to Windows 2012R2, I can't even see a S4U2Self request.  

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list