R: winbindd UPN problem

fules fules at balabit.hu
Tue Jan 27 14:49:24 GMT 2009

Diego Zuccato wrote:
> Seems UPN logins are the "trouble of the day" :-)
> I'm having a problem that could be related, but I'm only trying to login.
> Does your system accept upn logins?
Over RDP it does. However, I must use a fully qualified name like 
'user@TEST1DOMAIN.COMPANY'; the short one ('user@TEST1DOMAIN') indeed doesn't 
work. (As far as I remember, the short one worked last week too, so either an 
automatic update has changed some code or one of my colleagues changed some 
setting on the server :)...)

Besides, while trying this approach I found another phenomenon: although I pass 
an empty domain name to wbcAuthenticateUserEx(), as this is what I got from the 
client, for some reason winbind tries to fix it anyway and replaces it with the 
short domain name:

netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
     in: struct netr_LogonSamLogonEx
         server_name              : *
            server_name              : '\\test1.test1domain.balabit'
         computer_name            : *
            computer_name            : 'CHAOS'
         logon_level              : NET_LOGON_TYPE (2)
         logon                    : *
             logon                    : union netr_LogonInfo(case 2)
             network                  : *
                network: struct netr_NetworkInfo
                    identity_info: struct netr_IdentityInfo
                         domain_name: struct lsa_String
                            length                   : 0x0016 (22)
                            size                     : 0x0016 (22)
                            string                   : *
                                string                   : 'TEST1DOMAIN'
Here the domain name should be empty

                         parameter_control        : 0x00000820 (2080)
                                0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
                                0: MSV1_0_UPDATE_LOGON_STATISTICS
                                0: MSV1_0_RETURN_USER_PARAMETERS
                                1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
                                0: MSV1_0_RETURN_PROFILE_PATH
                                1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
                         logon_id_low             : 0x0000dead (57005)
                         logon_id_high            : 0x0000beef (48879)
                         account_name: struct lsa_String
                             length                   : 0x0032 (50)
                             size                     : 0x0032 (50)
                             string                   : *
                                 string                   : 'fules@test1domain.balabit'
                         workstation: struct lsa_String
                             length                   : 0x000e (14)
                             size                     : 0x000e (14)
                             string                   : *
                                 string                   : '\\CHAOS'
                     challenge                : 8a1018542a7c6c64
                     nt: struct netr_ChallengeResponse
                         length                   : 0x0132 (306)
                         size                     : 0x0132 (306)
                         data                     : *
                             data                     : 
                     lm: struct netr_ChallengeResponse
                         length                   : 0x0000 (0)
                         size                     : 0x0000 (0)
                         data                     : NULL
         validation_level         : 0x0003 (3)
         flags                    : *
             flags                    : 0x00000000 (0)

Since this way the domain name is not the one the client used, it's no wonder 
that the calculated NT hashes don't match and so the authentication fails.

I think I'm going to try to locate where the domain name gets this value 
assigned, comment it out and try it that way. I don't have too much faith in 
this kind of hacking, but it's better than just staring at the log anyway :).

