accessing XP from Windows 2008 (Bug 6272)

Matthieu Patou mat+Informatique.Samba at matws.net
Wed Jul 15 08:21:03 MDT 2009


Hello Andrew,

After a couple of tests and packet dissection I noticed this:

* Samba4 always adds an AD-IF-RELEVANT of type 142 
(KRB5-AUTHDATA-SIGNTICKET), whereas Windows 2003 (as an AD) does not
* Windows 2008 asks to add an authorization-data of type 141 to a ticket; 
Windows 2003 and Samba4 (both acting as a DC) add it in the replied ticket.
* Windows XP and Samba4 do not ask for this authorization-data in the ticket

So with the PAC ad-if-relevant (128), we have the following combinations 
in the ticket that is presented to an XP workstation:

With a S4 DC
   S4 (as a client), relevant 128, 142
   XP (as a client), relevant 128, 142
   W2K8, relevant 141,128,142

With a W2K3 DC
   S3 (as client), relevant 128
   XP (as client), relevant 128
   W2K8, relevant 128,141

From all these combinations it appears that only relevant 128, 141 and 
142 do not work well together (at least when S4 is a DC).


From this I modified the S4 Kerberos code so that it won't add the requested 
authentication-data to the ticket; the resulting ticket only contains 
relevant 128 and 142.
With this modification I am now able to browse an XP Windows share from a 
Windows 2008 server.

I also tried to make Samba4 not add the KRB5-AUTHDATA-SIGNTICKET 
so that S4 behaves like W2K3, but it fails saying that some stuff is 
missing ...

I have no doubt that removing this entry is just a hack and that we 
should figure out why it didn't work (maybe it's just a problem of order 
...).

Matthieu.
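To make the "packet dissection" in the mail reproducible, here is an added example (not code from the mail or from Samba) that DER-parses a Kerberos AuthorizationData (RFC 4120, section 5.2.6), descends into AD-IF-RELEVANT containers and lists the ad-types found, then flags the 128/141/142 combination the mail reports as not working together on a Samba4 DC. The names AD_TYPE_141/AD_TYPE_142, encode_authdata, authdata_types and the sample ticket bytes are constructed for the example; the sample payloads are placeholders, not a real PAC.

```python
AD_IF_RELEVANT = 1     # RFC 4120: its ad-data is itself an AuthorizationData
AD_WIN2K_PAC = 128     # the PAC element named in the mail
AD_TYPE_141 = 141      # the element Windows 2008 asks for, per the mail
AD_TYPE_142 = 142      # KRB5-AUTHDATA-SIGNTICKET as Samba4 added it, per the mail
PROBLEM_COMBINATION = {AD_WIN2K_PAC, AD_TYPE_141, AD_TYPE_142}  # reported as not working together

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):  # minimal two's-complement INTEGER; ad-types here are non-negative
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_authdata(entries):  # [(ad_type, ad_data bytes)] -> DER AuthorizationData (test data)
    elems = [_tlv(0x30, _tlv(0xA0, _der_int(t)) + _tlv(0xA1, _tlv(0x04, d))) for t, d in entries]
    return _tlv(0x30, b"".join(elems))

def _read_tlv(buf, pos):  # (tag, value, next_pos) for the DER TLV at buf[pos]; long-form lengths too
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def authdata_types(buf):  # in-order ad-types; an AD-IF-RELEVANT (1) is followed by what it wraps
    tag, seq, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    types, pos = [], 0
    while pos < len(seq):
        _, elem, pos = _read_tlv(seq, pos)
        _, adtype_tlv, p = _read_tlv(elem, 0)          # [0] ad-type
        ad_type = int.from_bytes(_read_tlv(adtype_tlv, 0)[1], "big", signed=True)
        _, addata_tlv, _ = _read_tlv(elem, p)          # [1] ad-data
        ad_data = _read_tlv(addata_tlv, 0)[1]
        types.append(ad_type)
        if ad_type == AD_IF_RELEVANT:
            types.extend(authdata_types(ad_data))
    return types

def has_problem_combination(types):
    return PROBLEM_COMBINATION <= set(types)

# Constructed sample: the "W2K8 on a Samba4 DC" ticket from the mail (relevant 141,128,142).
SAMPLE_W2K8_ON_S4 = encode_authdata([(AD_IF_RELEVANT, encode_authdata(  # placeholder payloads
    [(AD_TYPE_141, b"\x00"), (AD_WIN2K_PAC, b"PAC"), (AD_TYPE_142, b"\x00")]))])
```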

