Win7 + Live sign-in assistant = samba fails auth

david.kondrad at
Tue Jul 20 08:47:43 MDT 2010

Jeremy Allison <jra at> wrote on 07/19/2010 05:53:37 PM:

> On Mon, Jul 19, 2010 at 10:23:04AM -0400, david.kondrad at wrote:
> >
> > Greetings:
> >
> > Our company uses libsmbclient to implement an embedded media player.
> >
> > We received a support call that media discovery on a Win7 home
> > premium box showed music, but the player application was unable to
> > access the files.
> >
> > Upon investigation, it was revealed that installing the "Microsoft
> > Live Sign-On Assistant" modified the spnego transaction to include a
> > mechToken, which seemingly all versions of samba 3.x.x fail to parse
> > and always return permission denied.
> >
> > Crawling through support forums, mailing lists, and MS technet, it
> > seems that this is an issue that is plaguing many people. Using samba
> > 3.5.4 source, I have tracked the issue down to
> >
> > libsmb/clispnego.c:164
> >
> >     *principal = NULL;
> >     if (asn1_tag_remaining(data) > 0) {
> >         asn1_start_tag(data, ASN1_CONTEXT(3)); /* fails here */
> >         asn1_start_tag(data, ASN1_SEQUENCE(0));
> >         asn1_start_tag(data, ASN1_CONTEXT(0));
> >         asn1_read_GeneralString(data,talloc_autofree_context(),
> >                                  principal);
> >         asn1_end_tag(data);
> >         asn1_end_tag(data);
> >         asn1_end_tag(data);
> >     }
> >
> > Looking at a wireshark dump, it turns out that after the two OIDs
> > we have a mechToken (ASN1_CONTEXT(2)) instead of a principal
> > (ASN1_CONTEXT(3)).

> FYI for the list. Thanks for David's wonderful help and good
> code, I've fixed this in the master tree, and once the fix
> is confirmed it'll be in the next 3.5.x and 3.4.x releases
> (as well as being in 3.6.0 and beyond of course).

The patch fixes the issues we were seeing with Win7 auth failures.
Excellent work!

I wonder how many NAS drives and distros out there are having the same

Might be worth making a less technical post somewhere that normal
users can hit on a google search...

Worst case (not being able to update samba) is that they at least know
to uninstall live sign-in assistant and not spend days pulling their
hair out and merging totally unnecessary registry hacks that they
found on some forum somewhere.

> Thanks David !

Thank you for your updated patch - that should cover us in case MS decides to
make use of other optional features for their own purposes.


David Kondrad
Software Design Engineer
Home Systems Division
Legrand, North America

david.kondrad at

More information about the samba-technical mailing list
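
The parsing failure described in this message, as an added example that is not part of the original post and is not the Samba patch: a bounds-checked walk of the context-tagged fields that skips an unexpected [2] mechToken instead of assuming [3] comes next. The function names are hypothetical, and the input is assumed to be the field list starting at the [0] mechTypes element.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER header at buf[*pos]; set *tag and *vlen, advance *pos to the value. */
static int der_hdr(const uint8_t *buf, size_t len, size_t *pos, uint8_t *tag, size_t *vlen)
{
    size_t p = *pos, n, k;
    if (p > len || len - p < 2) return -1;
    *tag = buf[p++]; n = buf[p++];
    if (n & 0x80) {                  /* long form: low 7 bits count the length octets */
        k = n & 0x7f;
        if (k == 0 || k > 2 || len - p < k) return -1;   /* reject indefinite/oversized */
        for (n = 0; k > 0; k--) n = (n << 8) | buf[p++];
    }
    if (len - p < n) return -1;      /* value must lie inside the buffer */
    *vlen = n; *pos = p;
    return 0;
}

/* Walk consecutive context-tagged fields; returns 1 = found, 0 = absent, -1 = malformed. */
int spnego_find_field(const uint8_t *body, size_t len, unsigned want, const uint8_t **val, size_t *vlen)
{
    size_t pos = 0; uint8_t tag;
    while (pos < len) {
        if (der_hdr(body, len, &pos, &tag, vlen) != 0) return -1;
        if ((tag & 0xe0) != 0xa0) return -1;     /* context-specific, constructed */
        if ((tag & 0x1fu) == want) { *val = body + pos; return 1; }
        pos += *vlen;                            /* skip, e.g. the [2] mechToken */
    }
    return 0;
}

static int enter(const uint8_t **v, size_t *n, uint8_t want)
{
    size_t pos = 0, vl; uint8_t tag;
    if (der_hdr(*v, *n, &pos, &tag, &vl) != 0 || tag != want) return -1;
    *v += pos; *n = vl;              /* step into the nested element */
    return 0;
}

/* Principal sits at [3] -> SEQUENCE -> [0] -> GeneralString, as in the quoted code. */
int spnego_principal(const uint8_t *body, size_t len, char *out, size_t outsz)
{
    const uint8_t *v; size_t n;
    int r = spnego_find_field(body, len, 3, &v, &n);
    if (r != 1) return r;            /* absent principal is not an error */
    if (enter(&v, &n, 0x30) || enter(&v, &n, 0xa0) || enter(&v, &n, 0x1b)) return -1;
    if (n >= outsz) return -1;
    memcpy(out, v, n); out[n] = '\0';
    return 1;
}
```

A return of 0 lets the caller continue without a principal, while -1 marks a truncated or mis-tagged token that should be rejected.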