Win7 + Live sign-in assistant = samba fails auth
Andrew Bartlett
abartlet at samba.org
Mon Jul 19 16:29:44 MDT 2010
On Mon, 2010-07-19 at 14:53 -0700, Jeremy Allison wrote:
> On Mon, Jul 19, 2010 at 10:23:04AM -0400, david.kondrad at legrand.us wrote:
> >
> > Greetings:
> >
> > Our company uses libsmbclient to implement an embedded media player.
> >
> > We received a support call that media discovery on a Win7 home
> > premium box showed music, but the player application was unable to
> > access the files.
> >
> > Upon investigation, it was revealed that installing the "Microsoft
> > Live Sign-On Assistant" modified the spnego transaction to include a
> > mechToken, which seemingly all versions of samba 3.x.x fail to parse
> > and always return permission denied.
> >
> > Crawling through support forums, mailing lists, and MS technet, it
> > seems that this is an issue that is plaguing many people. Using samba
> > 3.5.4 source, I have tracked the issue down to
> >
> > libsmb/clispnego.c:164
> >
> >     *principal = NULL;
> >     if (asn1_tag_remaining(data) > 0) {
> >         asn1_start_tag(data, ASN1_CONTEXT(3)); /* fails here */
> >         asn1_start_tag(data, ASN1_SEQUENCE(0));
> >         asn1_start_tag(data, ASN1_CONTEXT(0));
> >         asn1_read_GeneralString(data, talloc_autofree_context(),
> >                                 principal);
> >         asn1_end_tag(data);
> >         asn1_end_tag(data);
> >         asn1_end_tag(data);
> >     }
> >
> > Looking at a wireshark dump, it turns out that after the two OIDs
> > we have a mechToken (ASN1_CONTEXT(2)) instead of a principal
> > (ASN1_CONTEXT(3)).
>
> FYI for the list. Thanks to David for his wonderful help and good
> code, I've fixed this in the master tree, and once the fix
> is confirmed it'll be in the next 3.5.x and 3.4.x releases
> (as well as being in 3.6.0 and beyond of course).
Jeremy,
We also need to fix this in the common code. The code in
libcli/auth/spnego_parse.c is not yet used for CIFS in source3/ but is
used for ntlm_auth and for all the source4/ code.
Can I work with you to fix it there too?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
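To make the failure discussed above concrete, here is an added example (not Samba's code, and not the fix Jeremy committed) of the two parsing strategies side by side. RFC 4178 defines NegTokenInit as mechTypes [0], then three OPTIONAL context-tagged fields: reqFlags [1], mechToken [2], mechListMIC [3]. The quoted Samba 3.x fragment assumes that whatever follows mechTypes is [3]; the parser below instead reads each element's actual tag and dispatches on it, so a client that sends a mechToken [2] and no mechListMIC (the behaviour David observed in Wireshark) parses cleanly. The DER byte strings are constructed for this example: the mechTypes list carries only the NTLMSSP OID, the mechToken payload is the stand-in bytes "NTLMSSP\0", and the mechListMIC payload is the stand-in bytes "mic". Treating [3] as a plain OCTET STRING is also a simplification; the quoted Samba code reads a GeneralString principal out of it instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal DER cursor: a pointer and the bytes remaining. */
typedef struct { const uint8_t *p; size_t len; } der_t;

/* Read one TLV at the cursor. Handles short and 1-2 byte long-form lengths,
 * rejects anything that runs past the buffer, and advances the cursor. */
static int der_read_tlv(der_t *d, uint8_t *tag, der_t *val)
{
    if (d->len < 2) return 0;
    uint8_t t = d->p[0];
    size_t lenlen = 1, l = d->p[1];
    if (l & 0x80) {                      /* long form: low bits = number of length bytes */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || d->len < 2 + n) return 0;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | d->p[2 + i];
        lenlen += n;
    }
    if (d->len < 1 + lenlen + l) return 0;
    *tag = t;
    val->p = d->p + 1 + lenlen;
    val->len = l;
    d->p += 1 + lenlen + l;
    d->len -= 1 + lenlen + l;
    return 1;
}

#define ASN1_SEQUENCE   0x30
#define ASN1_OCTET_STR  0x04
#define ASN1_CONTEXT(n) (0xa0 | (n))     /* constructed, context-specific [n] */

typedef struct {
    der_t mech_types;                    /* contents of the [0] SEQUENCE OF OID */
    int have_token; der_t mech_token;    /* [2] mechToken, if present */
    int have_mic;   der_t mech_list_mic; /* [3] mechListMIC, if present */
} neg_token_init_t;

/* Tag-driven parse of NegTokenInit: [0] is mandatory, [1]..[3] are OPTIONAL
 * and must appear in ascending order. Returns 1 on success, 0 if malformed. */
static int parse_neg_token_init(const uint8_t *buf, size_t len, neg_token_init_t *out)
{
    der_t d = { buf, len }, seq, inner, s;
    uint8_t tag, t2;
    int last = 0;
    memset(out, 0, sizeof *out);
    if (!der_read_tlv(&d, &tag, &seq) || tag != ASN1_SEQUENCE || d.len != 0) return 0;
    if (!der_read_tlv(&seq, &tag, &inner) || tag != ASN1_CONTEXT(0)) return 0;
    if (!der_read_tlv(&inner, &tag, &out->mech_types) || tag != ASN1_SEQUENCE || inner.len) return 0;
    while (seq.len > 0) {
        if (!der_read_tlv(&seq, &tag, &inner)) return 0;
        int n = tag & 0x1f;
        if ((tag & 0xe0) != 0xa0 || n <= last || n > 3) return 0;  /* wrong class, order or range */
        last = n;
        if (n == 1) continue;                                       /* reqFlags: not needed here */
        if (!der_read_tlv(&inner, &t2, &s) || t2 != ASN1_OCTET_STR || inner.len) return 0;
        if (n == 2) { out->have_token = 1; out->mech_token = s; }
        else        { out->have_mic = 1;   out->mech_list_mic = s; }
    }
    return 1;
}

/* Mirrors the quoted 3.x logic: after mechTypes, insist the next element is [3].
 * Returns 1 if that assumption held, 0 if it did not (the "permission denied" path). */
static int old_parse_expects_context3(const uint8_t *buf, size_t len)
{
    der_t d = { buf, len }, seq, inner;
    uint8_t tag;
    if (!der_read_tlv(&d, &tag, &seq) || tag != ASN1_SEQUENCE) return 0;
    if (!der_read_tlv(&seq, &tag, &inner) || tag != ASN1_CONTEXT(0)) return 0;
    if (seq.len == 0) return 1;
    if (!der_read_tlv(&seq, &tag, &inner)) return 0;
    return tag == ASN1_CONTEXT(3);
}

/* -1 on parse failure, else bit 0 = mechToken present, bit 1 = mechListMIC present. */
static int neg_token_init_fields(const uint8_t *buf, size_t len)
{
    neg_token_init_t t;
    if (!parse_neg_token_init(buf, len, &t)) return -1;
    return t.have_token | (t.have_mic << 1);
}

/* Constructed sample: mechTypes = { NTLMSSP OID }, then mechToken [2] only. */
static const uint8_t live_signin_init[] = {
    0x30, 0x1c, 0xa0, 0x0e, 0x30, 0x0c,
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a,
    0xa2, 0x0a, 0x04, 0x08, 'N', 'T', 'L', 'M', 'S', 'S', 'P', 0x00 };

/* Constructed sample: same mechTypes, then mechListMIC [3] only. */
static const uint8_t mic_init[] = {
    0x30, 0x17, 0xa0, 0x0e, 0x30, 0x0c,
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a,
    0xa3, 0x05, 0x04, 0x03, 'm', 'i', 'c' };

int main(void)
{
    printf("mechToken client:   old=%d new=%d\n",
           old_parse_expects_context3(live_signin_init, sizeof live_signin_init),
           neg_token_init_fields(live_signin_init, sizeof live_signin_init));
    printf("mechListMIC client: old=%d new=%d\n",
           old_parse_expects_context3(mic_init, sizeof mic_init),
           neg_token_init_fields(mic_init, sizeof mic_init));
    return 0;
}
```

On the [2]-only token the old strategy returns 0 (the tag check fails exactly where the quoted fragment says "fails here") while the tag-driven parser returns 1; on the [3]-only token both succeed. The ordering check (n <= last) also rejects a repeated or out-of-order optional field, which is the kind of strictness that keeps a lenient parser from becoming a permissive one.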