[cifs-protocol] [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Andrew Bartlett abartlet at samba.org
Wed Mar 11 20:01:22 MDT 2015


On Wed, 2015-03-11 at 20:48 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> Using Samba DC (version 4.1.6-Ubuntu) and Windows 8.1 client I was
> able to reproduce the situation where the Windows client sends a S4U2Self
> TGS request to Samba and Samba responds with KRB5KDC_ERR_POLICY.
> It happens when I check the effective access for a user, same as
> logged in or another does not matter. But the error in the Windows
> Explorer is
> "You don't have permission to evaluate effective access rights for the
> remote resource. Contact the administrator of the target server"
> I also see the S4U2Self TGS request for that user, as mentioned
> above. 
> 
> If I log in as Administrator and query the effective access for
> "Administrators" group, then I get the error in the explorer that you
> reported, i.e.
> "Code 0x80070057 The parameter is incorrect"
> 
> When using a Windows domain I do not see the S4U2Self message go out
> from client although I see other network traffic that could be due to
> the policy since I used a corpnet share to test this. I'll do it on my
> internal Windows domain to see if I get the same error and/or S4U2Self
> goes out.

Thanks.  I wasn't able to spot that in my tests either. 

> Looking at the code, the use of S4U2Self is expected. I need to dig
> more on Windows-to-Windows scenario.
> So, it boils down to what we want to get out of this protocol-wise.
> The bug about "Code 0x80070057 The parameter is incorrect" is already
> in place and platform people are working on it. 
> As I understand, you want to know if Samba should be returning an
> error or should it return the authorization info in response to
> S4U2Self TGS request. Right?

Yes.  My tests indicate we should return ERR_S_PRINCIPAL_UNKNOWN, but I
don't know 'why' (see other threads on mappings). 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





