[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).
Andrew Bartlett
abartlet at samba.org
Thu Mar 14 21:40:28 MDT 2013
On Fri, 2013-03-08 at 17:20 +0000, Tris Mabbs wrote:
> Hello again everyone,
>
> On 08 March 2013 13:10, Michael Wood wrote:
> >> ...
> >> <-------Cut here.
> >
> > Sorry, I forgot a step. You would have needed a "git fetch gd" in there
> > before the checkout.
>
> Ah ha! That would explain it then.
> Well, forgotten command or not, the help was much appreciated and I now have
> a version built and running from Günther's branch.
> So many thanks for the assistance, and I now know slightly more about "git"
> than I did before :-)
>
> So, back to the original problem ...
>
> Compiled up against Günther's branch, installed, tested.
> The results are interesting:
>
> 1) User access:
> From my perspective, it's cured the issue. My problematic user can
> once again access resources.
> This is very good news; many, many thanks to everyone who has
> assisted getting to this stage.
> 2) Core dumps:
> The code has now been running for a few hours, with some reasonably
> intensive access requests going on (lots of sessions being established and
> closed).
> By now, I'd normally have expected an "smbd" core-dump, but haven't
> had a single one.
> So this might have been the cause of that as well. However I'll
> leave things for a few days before considering that to be fixed.
> 3) PAC dumps.
> I put my patch code back into "kerberos_pac.c"
> ("kerberos_decode_pac()") to see whether I now got PAC dumps named by
> Kerberos principal name.
> Previously, all other users were causing PAC dumps named by their
> Kerberos principal name, but there were none for the problematic user. As
> Andrew had indicated he considered that unusual, I thought I'd see what
> happened with Günther's changes.
> On the plus side, all the PAC dumps are now consistently named, all
> (currently) ~110 of them; on the minus side, not a single one is named with
> the Kerberos principal name.
> So it seems that with these changes, "kerberos_decode_pac()" is
> never entered with "client_principal" anything other than a NULL pointer.
>
> So I'm (very) happy that these changes fix my problem. However it does seem
> a little curious that "client_principal" now never appears to be set - I
> don't know whether that's expected behaviour?

It isn't, we need to look into that some more.

> I'll leave my patch in for a few more days and see whether that changes
> (with sessions being established after Kerberos tickets have been renewed or
> re-acquired, for example), but previously I'd have had quite a few PAC dumps
> named by Kerberos principal by now, and I have nary a one (and while I've
> typed this, I'm up to ~160 PAC dumps and they're still all named by PID
> rather than by Kerberos principal).
> For both this, in case it's significant, and the core-dumps, I'll send an
> update in a few days.
>
> Very much appreciated everyone - thank you!

Does the ndrdump run you did before now pass fine?

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org