[cifs-protocol] [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Obaid Farooqi obaidf at microsoft.com
Fri Mar 13 16:31:27 MDT 2015

Hi Andrew:
So at least I know why the Windows client, when using a Windows DC, does not use S4U2Self.
The Windows client tries to use MS-RAA (Remote Authorization API Protocol) to get the authorization data when you try to calculate the effective access. In the case of a Windows DC, the service is available and the call succeeds. There is no need to use S4U2Self.

In the case of a Samba domain, the Samba DC responds with 0x16c9a0d6 to the endpoint mapper request, which means there is no MS-RAA implemented on the Samba DC. This causes the client to create a local resource manager instead of a remote resource manager (MS-RAA section "1.3 Overview"). This causes the client to use S4U2Self to get the authorization data.

I am looking into your question as to why sname is user's name in TGS for S4U2Self.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, March 11, 2015 9:01 PM
To: Obaid Farooqi
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: [REG:115030312463847] Re: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

On Wed, 2015-03-11 at 20:48 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> Using a Samba DC (version 4.1.6-Ubuntu) and a Windows 8.1 client I was 
> able to reproduce the situation where the Windows client sends an S4U2Self 
> TGS request to Samba and Samba responds with KRB5KDC_ERR_POLICY.
> It happens when I check the effective access for a user; whether it is the same as 
> the logged-in user or another does not matter. But the error in Windows 
> Explorer is "You don't have permission to evaluate effective access 
> rights for the remote resource. Contact the administrator of the 
> target server".
> I also see the S4U2Self TGS request for that user, as mentioned above.
> If I log in as Administrator and query the effective access for the 
> "Administrators" group, then I get the error in Explorer that you 
> reported, i.e.
> "Code 0x80070057 The parameter is incorrect"
> When using a Windows domain I do not see the S4U2Self message go out 
> from the client, although I see other network traffic that could be due to 
> the policy, since I used a corpnet share to test this. I'll do it on my 
> internal Windows domain to see if I get the same error and/or S4U2Self 
> goes out.

Thanks.  I wasn't able to spot that in my tests either. 

> Looking at the code, the use of S4U2Self is expected. I need to dig 
> more into the Windows-to-Windows scenario.
> So, it boils down to what we want to get out of this, protocol-wise.
> The bug about "Code 0x80070057 The parameter is incorrect" is already 
> filed and the platform people are working on it.
> As I understand it, you want to know whether Samba should be returning an 
> error or should return the authorization info in response to the 
> S4U2Self TGS request. Right?

Yes.  My tests indicate we should return ERR_S_PRINCIPAL_UNKNOWN, but I don't know 'why' (see other threads on mappings). 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
