svn commit: samba r8164 - in branches/SAMBA_4_0/source: auth auth/kerberos include

Andrew Bartlett abartlet at samba.org
Wed Jul 6 10:21:29 GMT 2005


On Wed, 2005-07-06 at 06:36 +0200, Stefan (metze) Metzmacher wrote:
> Andrew Bartlett wrote:
> > On Tue, 2005-07-05 at 10:57 +0000, metze at samba.org wrote:
> > 
> >>Author: metze
> >>Date: 2005-07-05 10:57:39 +0000 (Tue, 05 Jul 2005)
> >>New Revision: 8164
> >>
> >>WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8164
> >>
> >>Log:
> >>- match the ordering w2k3 uses for the PAC_BUFFER:
> >>   LOGON_INFO
> >>   LOGON_NAME
> >>   SRV_CHECKSUM
> >>   KDC_CHECKSUM
> >>
> >>- w2k3 also doesn't use the groupmembership array with rids
> >>  it uses the othersids array
> > 
> > 
> > Can you check how this behaves in the netlogon reply?  It seems odd to
> > me that the same structure would be encoded in different ways between
> > the two.
> 
> I saw it using the groupmembership array with rids in a later try in the PAC too,
> 
> but I have also tested sending invalid signatures and a complete ZERO PAC blob,
> and all gave the same error on the logon prompt:
> 
> name or SID doesn't match the trusted domain info
> 
> and I think this means the pac validation fails,

My error (with WinXP) is actually the normal 'logon failure' response.

> btw: I used w2k3 server to join samba4
> and I have tried to join this w2k3 server as a member to my w2k3 domain,
> and compare the results. And I saw some differences but had no time to look closer.
> 
> Can you try to handle ldap/sernox4.sernoxdom4.mx.base/sernox4.sernoxdom4.mx.base style TGS-REQs?
> And also try to send the PAC in the AS-REP.

Handling extra principals is easy, I'll look at that tonight.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
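
The buffer ordering named in the commit log can be checked against a raw PAC blob with a short header walk. This is an added example, not Samba's code and not part of the original message: the function and constant names are hypothetical, the header layout and ulType values are taken from MS-PAC, and the bounds checks go beyond the ordering question so that a zeroed or truncated blob like the ones tested in the thread is classified rather than read out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, hypothetical names. ulType values are from MS-PAC. */
enum { LOGON_INFO = 1, SRV_CHECKSUM = 6, KDC_CHECKSUM = 7, LOGON_NAME = 10 };
enum { PAC_MALFORMED = -1, PAC_ORDER_MATCH = 0, PAC_ORDER_DIFFERS = 1 };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the PACTYPE header (cBuffers, Version, then 16-byte PAC_INFO_BUFFER
 * entries), bounds-check every entry, and compare the type sequence. */
int pac_check_order(const uint8_t *pac, size_t len)
{
    static const uint32_t want[4] = { LOGON_INFO, LOGON_NAME, SRV_CHECKSUM, KDC_CHECKSUM };
    if (len < 8 || le32(pac + 4) != 0)          /* Version must be 0 */
        return PAC_MALFORMED;
    uint32_t count = le32(pac);
    if (count > (len - 8) / 16)                 /* header array must fit */
        return PAC_MALFORMED;
    int rc = (count == 4) ? PAC_ORDER_MATCH : PAC_ORDER_DIFFERS;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pac + 8 + 16 * (size_t)i;
        uint64_t off = le32(e + 8) | (uint64_t)le32(e + 12) << 32;
        uint32_t size = le32(e + 4);
        if (off % 8 || off < 8 + 16 * (uint64_t)count || off > len || size > len - off)
            return PAC_MALFORMED;               /* payload outside the blob */
        if (i >= 4 || le32(e) != want[i])
            rc = PAC_ORDER_DIFFERS;
    }
    return rc;
}

/* Constructed sample: n buffers of 8 zero bytes each, in the given type order. */
size_t pac_build(uint8_t *out, const uint32_t *types, uint32_t n)
{
    size_t len = 8 + 24 * (size_t)n;
    memset(out, 0, len);
    out[0] = (uint8_t)n;                                     /* cBuffers */
    for (uint32_t i = 0; i < n; i++) {
        out[8 + 16 * i] = (uint8_t)types[i];                 /* ulType */
        out[8 + 16 * i + 4] = 8;                             /* cbBufferSize */
        out[8 + 16 * i + 8] = (uint8_t)(8 + 16 * n + 8 * i); /* Offset */
    }
    return len;
}
```

An all-zero blob parses as a valid header with zero buffers, so it is reported as an ordering mismatch rather than as malformed.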