[SCM] Samba Shared Repository - branch master updated

Jim McDonough jmcd at samba.org
Thu May 26 20:36:12 MDT 2011

On Thu, May 26, 2011 at 9:13 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2011-05-27 at 02:58 +0200, Jeremy Allison wrote:
>> The branch, master has been updated
>>        via  e05c9cd Fix bug #6911 - Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB
>>       from  875e29b s3: Document "async smb echo handler"
>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>> - Log -----------------------------------------------------------------
>> commit e05c9cdcb6bf710ddb7d683916ca26857a3bce18
>> Author: Jeremy Allison <jra at samba.org>
>> Date:   Thu May 26 16:48:42 2011 -0700
>>     Fix bug #6911 - Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB
>>     We were not correctly checking the output of asn1_start_tag().
>>     asn1_start_tag() returns -1 and sets data->has_error if the
>>     remaining blob size is too short to contain the tag length.
>>     We were checking data->has_error and returning NT_STATUS_OK
>>     (to allow the second asn.1 parse to fail in that case). We
>>     should not be checking data->has_error in this case, but
>>     falling through to the code that already checks the length.
>>     Thanks to Jim for reproducing this for me. We don't get bitten
>>     by this as we announce a max buffer size of 16k, greater than
>>     Windows's 4k, which means that most krb5 spnego packets already
>>     fit.
>>     Jeremy.
>>     Autobuild-User: Jeremy Allison <jra at samba.org>
>>     Autobuild-Date: Fri May 27 02:57:27 CEST 2011 on sn-devel-104
> How many groups did it take to make this fail?
Well, I added 2000 groups, but it depends on the group.  I have a user
that hit it with 770 groups, but 1000 was not enough for me, because I
had only global groups.

>From http://support.microsoft.com/kb/327825

Therefore, a MaxTokenSize value for more than 1015 effective SIDs is
not useful. In the following formula:
MaxTokenSize = 1200 + 40d + 8s
40d means that you must have 40 bytes for a Domain Local Group SID. 8s
means 8 bytes for a Domain Global/Universal Group SID. Therefore, if
you have a MaxTokenSize value of 0x0000FFFF (64K), you may be able to
buffer approximately 1600 Domain Local Group SIDs or approximately
8000 Domain Global/Universal Group SIDs. If you use "trusted for
delegation" accounts, the buffer requirement for each SID may be
doubled. In these scenarios, you can only store approximately 800
Domain Local Group SIDs when a MaxTokenSize value of 64K is used.
However, having only Domain Local Group SIDs is not a realistic
scenario. A value of 64K should be sufficient even for delegation
scenarios. Additionally, applications may have trouble if a token size
buffer contains more than 64K.

> I've already promised to write a test for this (I can add more groups to
> the ktest environment I made the blobs for ktest with), but some details
> will make that process easier.
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org

More information about the samba-technical mailing list