[cifs-protocol] [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Obaid Farooqi obaidf at microsoft.com
Wed Mar 11 14:48:49 MDT 2015

Hi Andrew:
Using a Samba DC (version 4.1.6-Ubuntu) and a Windows 8.1 client, I was able to reproduce the situation where the Windows client sends an S4U2Self TGS request to Samba and Samba responds with KRB5KDC_ERR_POLICY.
It happens when I check the effective access for a user; whether it is the same as the logged-in user or another does not matter. But the error in Windows Explorer is
"You don't have permission to evaluate effective access rights for the remote resource. Contact the administrator of the target server"
I also see the S4U2Self TGS request for that user, as mentioned above. 

If I log in as Administrator and query the effective access for the "Administrators" group, then I get the error in Explorer that you reported, i.e.
"Code 0x80070057 The parameter is incorrect"

When using a Windows domain I do not see the S4U2Self message go out from the client, although I see other network traffic that could be due to the policy, since I used a corpnet share to test this. I'll do it on my internal Windows domain to see if I get the same error and/or S4U2Self goes out.

Looking at the code, the use of S4U2Self is expected. I need to dig more into the Windows-to-Windows scenario.
So, it boils down to what we want to get out of this protocol-wise. The bug about "Code 0x80070057 The parameter is incorrect" is already in place and platform people are working on it.
As I understand, you want to know if Samba should be returning an error or should it return the authorization info in response to the S4U2Self TGS request. Right?

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: "Andrew Bartlett" <abartlet at samba.org> 
Sent: Tuesday, March 3, 2015 3:59 PM
To: "Obaid Farooqi" <obaidf at microsoft.com>
Cc: "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

On Tue, 2015-03-03 at 21:44 +0000, Obaid Farooqi wrote: 
> Hi Andrew:
> I'll help you with this issue and will be in touch as soon as I have an answer.
> From your question, it appears that you were asked to perform this test and are really not blocked by this. Does this mean it is a low priority issue for you?
> I am asking so that I prioritize my work on it.

It can be bundled up with the overall work describing what principals are valid in what circumstances.  Partial answers here are not nearly as helpful as the full pattern, so I would prefer to wait for that. 

I do have some patches that, now that I was made aware of the issue, I'm not pushing to 4.2 because I want to sort this out once and for all.
In the meantime I'll be implementing the 'obvious' answer that you can always do S4U2Self to yourself, even if you are not otherwise a service.

In short, while this started because of an outside suggestion, it showed up issues in other work I had previously considered finished, so it is 'live' in that sense. 

Andrew Bartlett 

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba
