accessing XP from Windows 2008 (Bug 6272)
mat at matws.net
Wed Jul 15 08:18:47 MDT 2009
After a couple of tests and packet dissection I noticed this:
* Samba4 always adds an AD-IF-RELEVANT of type 142
(KRB5-AUTHDATA-SIGNTICKET), whereas Windows 2003 (as an AD) does not
* Windows 2008 asks for an authorization-data of type 141 to be added to the ticket;
Windows 2003 and Samba4 (both acting as a DC) add it to the returned ticket.
* Windows XP and Samba4 do not ask for this authorization-data in the ticket
So with the PAC ad-if-relevant (128), we have the following combinations
in the ticket that is presented to an XP workstation:
With an S4 DC:
  S4 (as a client):  relevant 128, 142
  XP (as a client):  relevant 128, 142
  W2K8:              relevant 141, 128, 142
With a W2K3 DC:
  S3 (as client):    relevant 128
  XP (as client):    relevant 128
  W2K8:              relevant 128, 141
From all these combinations it appears that only relevant 128, 141 and
142 together do not work well (at least when S4 is a DC).
Based on this I modified the S4 Kerberos code so that it won't add the requested
authorization-data to the ticket; the resulting ticket then only contains
relevant 128 and 142.
With this modification I am now able to browse an XP Windows share from a
Windows 2008 server.
I also tried to make Samba4 not add the KRB5-AUTHDATA-SIGNTICKET
so that S4 behaves like W2K3, but it fails saying that some stuff are
I have no doubt that removing this entry is just a hack and that we
should figure out why it didn't work (maybe it's just a problem of order
More information about the samba-technical
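Added example, not code from the post or from Samba: a small Python encoder/decoder for the Kerberos AuthorizationData structure (RFC 4120 section 5.2.6). It lists which ad-types sit inside the AD-IF-RELEVANT wrapper (the "relevant 128, 142" notation used above), flags the 128+141+142 combination the post found failing, and re-encodes the W2K8 case without type 141, which is the effect of the workaround described in the post. The sample ticket authorization-data is constructed, not captured, and its placeholder ad-data stands in for the real PAC and signature blobs. One caveat the post does not state: MS-KILE assigns ad-type 141 to KERB-AUTH-DATA-TOKEN-RESTRICTIONS and ad-type 142 to KERB-LOCAL, so the 142 that Samba4's Heimdal emits as KRB5-AUTHDATA-SIGNTICKET shares its number with a Windows-defined type. That is consistent with 141 and 142 only clashing when a Windows 2008 client is involved, but the post leaves the actual cause open.

```python
"""Kerberos AuthorizationData encoder/decoder (RFC 4120 section 5.2.6):

  AuthorizationData ::= SEQUENCE OF SEQUENCE {
      ad-type  [0] Int32,
      ad-data  [1] OCTET STRING
  }

Added example; the type names follow the samba-technical post, with the
MS-KILE names for 141 and 142 noted as a caveat.
"""

AD_IF_RELEVANT = 1           # ad-data is itself an encoded AuthorizationData
AD_WIN2K_PAC = 128
AD_TYPE_141 = 141            # requested by Windows 2008 (MS-KILE: KERB-AUTH-DATA-TOKEN-RESTRICTIONS)
AD_SIGNTICKET_HEIMDAL = 142  # KRB5-AUTHDATA-SIGNTICKET in Samba4/Heimdal (MS-KILE: KERB-LOCAL)

SEQUENCE, INTEGER, OCTET_STRING, CTX0, CTX1 = 0x30, 0x02, 0x04, 0xA0, 0xA1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def _int32(v):
    # Minimal two's-complement DER INTEGER; only non-negative ad-types are encoded here.
    if not 0 <= v <= 0x7FFFFFFF:
        raise ValueError("only non-negative Int32 values are encoded here")
    return _tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]; rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return value, nxt


def encode_authorization_data(elements):
    """elements: iterable of (ad_type, ad_data bytes) -> DER AuthorizationData."""
    body = b"".join(_tlv(SEQUENCE, _tlv(CTX0, _int32(t)) + _tlv(CTX1, _tlv(OCTET_STRING, d)))
                    for t, d in elements)
    return _tlv(SEQUENCE, body)


def decode_authorization_data(der):
    """DER AuthorizationData -> list of (ad_type, ad_data bytes); trailing bytes are rejected."""
    body, end = _expect(der, 0, SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(body):
        elem, pos = _expect(body, pos, SEQUENCE)
        ctx0, p = _expect(elem, 0, CTX0)
        ctx1, p = _expect(elem, p, CTX1)
        if p != len(elem):
            raise ValueError("trailing bytes in AuthorizationData element")
        ad_type_raw, _ = _expect(ctx0, 0, INTEGER)
        ad_data, _ = _expect(ctx1, 0, OCTET_STRING)
        out.append((int.from_bytes(ad_type_raw, "big", signed=True), bytes(ad_data)))
    return out


def walk(der, depth=0, max_depth=4):
    """Yield (depth, ad_type, ad_data) for every element, descending into AD-IF-RELEVANT."""
    if depth > max_depth:
        raise ValueError("AD-IF-RELEVANT nested too deeply")
    for ad_type, ad_data in decode_authorization_data(der):
        yield depth, ad_type, ad_data
        if ad_type == AD_IF_RELEVANT:
            yield from walk(ad_data, depth + 1, max_depth)


def relevant_types(der):
    """ad-types carried inside AD-IF-RELEVANT wrappers, in wire order ("relevant 128, 142")."""
    return [t for depth, t, _ in walk(der) if depth > 0]


def drop_ad_types(der, unwanted):
    """Re-encode with the given ad-types removed at every nesting level, order preserved."""
    kept = []
    for ad_type, ad_data in decode_authorization_data(der):
        if ad_type in unwanted:
            continue
        if ad_type == AD_IF_RELEVANT:
            ad_data = drop_ad_types(ad_data, unwanted)
        kept.append((ad_type, ad_data))
    return encode_authorization_data(kept)


def sample_ticket_authdata(types):
    """Constructed sample, not a capture: one AD-IF-RELEVANT wrapping the given ad-types,
    with placeholder ad-data in place of the real PAC and signature blobs."""
    inner = encode_authorization_data([(t, b"placeholder-%d" % t) for t in types])
    return encode_authorization_data([(AD_IF_RELEVANT, inner)])


# The combinations from the post's table with an S4 DC, as constructed samples.
OBSERVED = {
    "S4 client": sample_ticket_authdata([128, 142]),
    "XP client": sample_ticket_authdata([128, 142]),
    "W2K8 client": sample_ticket_authdata([141, 128, 142]),
}
FAILING_COMBINATION = {AD_WIN2K_PAC, AD_TYPE_141, AD_SIGNTICKET_HEIMDAL}


def has_failing_combination(der):
    """True when 128, 141 and 142 are all present, the combination the post found failing."""
    return FAILING_COMBINATION <= set(relevant_types(der))


if __name__ == "__main__":
    for client, der in OBSERVED.items():
        print("%-12s relevant %s  failing=%s" % (
            client, ", ".join(map(str, relevant_types(der))), has_failing_combination(der)))
    fixed = drop_ad_types(OBSERVED["W2K8 client"], {AD_TYPE_141})
    print("W2K8 after dropping 141: relevant", relevant_types(fixed))
```

Running the module prints the three S4-DC rows from the table above and then the W2K8 ticket as it looks after the workaround. The decoder is strict (no indefinite lengths, no trailing bytes, bounded AD-IF-RELEVANT nesting), which is what you want before feeding ticket authorization-data to anything that trusts it.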