Win7 + Live sign-in assistant = samba fails auth

Jeremy Allison jra at
Mon Jul 19 15:53:37 MDT 2010

On Mon, Jul 19, 2010 at 10:23:04AM -0400, david.kondrad at wrote:
> Greetings:
> Our company uses libsmbclient to implement an embedded media player.
> We received a support call that media discovery on a Win7 home
> premium box showed music, but the player application was unable to
> access the files.
> Upon investigation, it was revealed that installing the "Microsoft
> Live Sign-On Assistant" modified the spnego transaction to include a
> mechToken, which seemingly all versions of samba 3.x.x fail to parse
> and always return permission denied.
> Crawling through support forums, mailing lists, and MS technet, it
> seems that this is an issue that is plaguing many people. Using samba
> 3.5.4 source, I have tracked the issue down to
> libsmb/clispnego.c:164
>     *principal = NULL;
>     if (asn1_tag_remaining(data) > 0) {
>         asn1_start_tag(data, ASN1_CONTEXT(3)); /* fails here */
>         asn1_start_tag(data, ASN1_SEQUENCE(0));
>         asn1_start_tag(data, ASN1_CONTEXT(0));
>         asn1_read_GeneralString(data,talloc_autofree_context(),
>                                  principal);
>         asn1_end_tag(data);
>         asn1_end_tag(data);
>         asn1_end_tag(data);
>     }
> Looking at a wireshark dump, it turns out that after the two OIDs
> we have a mechToken (ASN1_CONTEXT(2)) instead of a principal
> (ASN1_CONTEXT(3)).

FYI for the list. Thanks to David's wonderful help and good
code, I've fixed this in the master tree, and once the fix
is confirmed it'll be in the next 3.5.x and 3.4.x releases
(as well as being in 3.6.0 and beyond of course).

Thanks David!

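Added example, not part of the original thread and not Samba's code: a bounds-checked walk over the context-tagged fields of a NegTokenInit that accepts [2] mechToken with or without the [3] element the quoted snippet expects. The names `parse_negtokeninit`, `der_header`, `sample_mask` and the `SAMPLE` bytes are assumptions made for illustration; the [1] reqFlags tag follows RFC 4178.

```c
#include <stddef.h>
#include <stdint.h>
/* One context-tagged field: [0] mechTypes, [1] reqFlags, [2] mechToken,
 * [3] the element the quoted code reads the principal from. */
struct field { int present; const uint8_t *data; size_t len; };

/* Read one DER tag/length header at *p, bounded by end. On success, advance
 * *p to the value and return 0; reject truncated or oversized encodings. */
static int der_header(const uint8_t **p, const uint8_t *end,
                      uint8_t *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {                        /* long form: n length bytes follow */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1; /* value must fit in the buffer */
    *len = l;
    return 0;
}

/* Record whichever of [0]..[3] appear instead of assuming [3] follows [0].
 * Tags must be in ascending order, each at most once; [0] must be present. */
int parse_negtokeninit(const uint8_t *buf, size_t buflen, struct field out[4])
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint8_t tag; size_t len; int last = -1;
    for (int i = 0; i < 4; i++) out[i].present = 0;
    if (der_header(&p, end, &tag, &len) || tag != 0x30) return -1;
    end = p + len;                         /* stay inside the outer SEQUENCE */
    while (p < end) {
        if (der_header(&p, end, &tag, &len)) return -1;
        int idx = tag - 0xa0;              /* 0xa0..0xa3 = context [0]..[3] */
        if (idx < 0 || idx > 3 || idx <= last) return -1;
        out[idx].present = 1; out[idx].data = p; out[idx].len = len;
        last = idx; p += len;
    }
    return out[0].present ? 0 : -1;
}
/* Constructed sample: mechTypes with one OID, then [2] mechToken, no [3]. */
static const uint8_t SAMPLE[] = { 0x30,0x18, 0xa0,0x0e,0x30,0x0c,0x06,0x0a,
    0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a,
    0xa2,0x06,0x04,0x04,'N','T','L','M' };
/* Bitmask of the fields found in the first n bytes of SAMPLE, or -1. */
int sample_mask(size_t n)
{
    struct field f[4];
    if (parse_negtokeninit(SAMPLE, n, f)) return -1;
    return f[0].present | f[1].present << 1 | f[2].present << 2 | f[3].present << 3;
}
```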
