Win7 + Live sign-in assistant = samba fails auth

Andrew Bartlett abartlet at samba.org
Mon Jul 19 16:29:44 MDT 2010


On Mon, 2010-07-19 at 14:53 -0700, Jeremy Allison wrote:
> On Mon, Jul 19, 2010 at 10:23:04AM -0400, david.kondrad at legrand.us wrote:
> > 
> > Greetings:
> > 
> > Our company uses libsmbclient to implement an embedded media player.
> > 
> > We received a support call that media discovery on a Win7 home
> > premium box showed music, but the player application was unable to
> > access the files.
> > 
> > Upon investigation, it was revealed that installing the "Microsoft
> > Live Sign-On Assistant" modified the spnego transaction to include a
> > mechToken, which seemingly all versions of samba 3.x.x fail to parse
> > and always return permission denied.
> > 
> > Crawling through support forums, mailing lists, and MS technet, it
> > seems that this is an issue that is plaguing many people. Using samba
> > 3.5.4 source, I have tracked the issue down to
> > 
> > libsmb/clispnego.c:164
> > 
> >     *principal = NULL;
> >     if (asn1_tag_remaining(data) > 0) {
> >         asn1_start_tag(data, ASN1_CONTEXT(3)); /* fails here */
> >         asn1_start_tag(data, ASN1_SEQUENCE(0));
> >         asn1_start_tag(data, ASN1_CONTEXT(0));
> >         asn1_read_GeneralString(data,talloc_autofree_context(),
> >                                  principal);
> >         asn1_end_tag(data);
> >         asn1_end_tag(data);
> >         asn1_end_tag(data);
> >     }
> > 
> > Looking at a wireshark dump, it turns out that after the two OIDs
> > we have a mechToken (ASN1_CONTEXT(2)) instead of a principal
> > (ASN1_CONTEXT(3)).
> 
> FYI for the list. Thanks for David's wonderful help and good
> code, I've fixed this in the master tree, and once the fix
> is confirmed it'll be in the next 3.5.x and 3.4.x releases
> (as well as being in 3.6.0 and beyond of course).

Jeremy,

We also need to fix this in the common code.  The code in
libcli/auth/spnego_parse.c is not yet used for CIFS in source3/ but is
used for ntlm_auth and for all the source4/ code.  

Can I work with you to fix it there too?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
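
The failure discussed in this thread comes from expecting ASN1_CONTEXT(3) directly after the mechanism OIDs. As an added example (not part of the thread and not Samba's code), this C parser walks the fields by context tag instead, so a mechToken in [2] is accepted. Assumptions: the input is the content of the NegTokenInit SEQUENCE with the outer wrappers already removed; `der_hdr`, `scan_neg_init`, `struct neg_init` and the sample bytes, including the placeholder OIDs, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one DER header at buf[*pos]; on success *pos is at the value. */
static int der_hdr(const uint8_t *buf, size_t len, size_t *pos,
                   uint8_t *tag, size_t *vlen)
{
    if (*pos > len || len - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    size_t l = buf[(*pos)++];
    if (l & 0x80) {                      /* long form: 1 or 2 length bytes */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || len - *pos < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | buf[(*pos)++];
    }
    if (l > len - *pos) return -1;       /* value must fit in the buffer */
    *vlen = l;
    return 0;
}

/* seen has bit n set when context tag [n] was present. */
struct neg_init { int mechs; unsigned seen; size_t token_len; };

/* Walk NegTokenInit fields by context tag; no fixed order is assumed. */
int scan_neg_init(const uint8_t *body, size_t len, struct neg_init *out)
{
    size_t pos = 0, vlen;
    uint8_t tag, t;
    *out = (struct neg_init){0, 0, 0};
    while (pos < len) {
        if (der_hdr(body, len, &pos, &tag, &vlen) || (tag & 0xe0) != 0xa0) return -1;
        const uint8_t *v = body + pos;
        size_t p = 0, l;
        out->seen |= 1u << (tag & 0x1f);
        if (tag == 0xa0) {               /* [0] mechTypes: SEQUENCE OF OID */
            if (der_hdr(v, vlen, &p, &t, &l) || t != 0x30) return -1;
            for (size_t end = p + l; p < end; p += l, out->mechs++)
                if (der_hdr(v, end, &p, &t, &l) || t != 0x06) return -1;
        } else if (tag == 0xa2) {        /* [2] mechToken: OCTET STRING */
            if (der_hdr(v, vlen, &p, &t, &l) || t != 0x04) return -1;
            out->token_len = l;
        }                                /* [1] and [3]: noted in seen, skipped */
        pos += vlen;
    }
    return 0;
}

/* Constructed samples: two placeholder OIDs (1.2.3.4, 1.2.3.5), then [2] or [3]. */
#define MECHS 0xa0,0x0c,0x30,0x0a,0x06,0x03,0x2a,0x03,0x04,0x06,0x03,0x2a,0x03,0x05
static const uint8_t with_token[] = { MECHS, 0xa2,0x06,0x04,0x04,0xde,0xad,0xbe,0xef };
static const uint8_t with_hints[] = { MECHS, 0xa3,0x09,0x30,0x07,0xa0,0x05,0x1b,0x03,0x61,0x40,0x42 };
```

A caller would test `seen & (1u << 3)` before trying to read a principal, and treat its absence as "no hint" rather than as an authentication failure.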


More information about the samba-technical mailing list