Kerberos/ADS and many groups

Dave Daugherty dave.daugherty at centrify.com
Fri Dec 15 19:34:43 GMT 2006



Volker Lendecke Sent: Friday, December 15, 2006 10:58 AM

>Ok, got it reproduced. Just had to put a user in a couple of
>hundred groups, and even smbd3 would not accept the session
>setup anymore. Funny. Maybe some krb5 gurus can also try
>this? gd?

>Volker

Volker;

Now that smbd is in the mix, did you try the max_xmit=655536 to see if
this had any effect?  When I was looking at this bug originally (3.0.23b
code base), it seemed like there must have been a problem with the
reassembly of the Kerberos ticket fragments.  If the sesssetup request
all came in one big packet (from a Win XP client) everything was fine.

From the customer...

After detecting the client arch st_remote_arch: Client is 'WinXP',
normally smbd.sesssetup continues with

reply_spnego_negotiate(486), ...

But in this case I always get

libsmbd/clispnego.c: parse_negTokenTarg(251) Failed to parse negTokenTarg at offset 66.

That error occurs when asn1_tag_remaining(&data) is less than 3.

From my notes...

libsmbd/clispnego.c: parse_negTokenTarg(251) Failed to parse negTokenTarg at offset 66.

to fail (because the ASN.1 size fields don't match the size of the
incomplete security blob passed into this routine).

Sorry if this is a different problem - just trying to help.


Dave Daugherty
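
The size mismatch described in the message above, as an added example that is not part of the original post or of Samba's code: a check that compares the outer ASN.1 DER length of a security blob with the bytes received so far, so that a fragment is buffered until complete instead of being handed to the parser. The function name, the enum and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum blob_state { BLOB_COMPLETE = 0, BLOB_NEED_MORE = 1, BLOB_MALFORMED = -1 };

/* Hypothetical helper, not a Samba function: compare the outer ASN.1 DER
 * length of a security blob with the bytes received so far. *total gets the
 * full encoded size (header + content) that the sender declared. */
enum blob_state check_blob_complete(const uint8_t *buf, size_t have, size_t *total)
{
    size_t len = 0, hdr = 2, n, i;

    *total = 0;
    if (have < 2)
        return BLOB_NEED_MORE;        /* no tag + first length byte yet */
    if ((buf[0] & 0x1f) == 0x1f)
        return BLOB_MALFORMED;        /* multi-byte tag: not expected here */
    if (buf[1] < 0x80) {
        len = buf[1];                 /* short form: one length byte */
    } else {
        n = buf[1] & 0x7f;            /* long form: n length bytes follow */
        if (n == 0 || n > 3)
            return BLOB_MALFORMED;    /* indefinite length, or over 16 MiB */
        if (have < 2 + n)
            return BLOB_NEED_MORE;
        for (i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    *total = hdr + len;
    if (have < *total)
        return BLOB_NEED_MORE;        /* a fragment: buffer until complete */
    if (have > *total)
        return BLOB_MALFORMED;        /* trailing bytes after the blob */
    return BLOB_COMPLETE;
}

int main(void)
{
    /* Constructed sample: first 70 bytes of a blob whose outer tag (0xa1,
     * context tag 1) declares 0x1000 content bytes. */
    uint8_t frag[70] = { 0xa1, 0x82, 0x10, 0x00 };
    size_t total;
    enum blob_state st = check_blob_complete(frag, sizeof frag, &total);

    printf("state=%d have=%zu declared=%zu\n", (int)st, sizeof frag, total);
    return st == BLOB_NEED_MORE ? 0 : 1;
}
```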


