[Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a

Jason Haar Jason.Haar at trimble.co.nz
Wed Dec 12 00:49:43 GMT 2007


We've got nicely ADS integrated Samba-3.0.27a servers that are working
fine with Win2000 through to standard Vista.

However, we are starting to test RC1 of Vista SP1 and discovered that
once applied, that workstation cannot connect to Samba server shares -
unless the share is open - i.e. no "valid user" style settings. The
moment one is defined, Vista fails to connect and pops up an
authentication dialog - which still doesn't work.

    workgroup = AD
    realm = AD.DOMAIN.NAME
    security = ADS
    auth methods = winbind
    encrypt passwords = Yes
    update encrypted = No
    client schannel = Auto
    server schannel = Auto
    allow trusted domains = Yes
    lanman auth = Yes
    ntlm auth = Yes
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    server signing = auto


I have tried altering "server signing = no" to "auto", and "client
NTLMv2 auth = No" to "yes" - no difference. I saw MS07-063 refers to
Vista having been patched to do with a signing bug - so I took a punt
it was related - no such luck.

If a share is configured as

[test]
 path = /tmp

...then Vista-SP1rc1 works fine, but if it's...

[test]
 path = /tmp
 valid users = @"AD\Some Group"

...then it doesn't. WinXP and Win2K3 server both work against both share
options of course.


Setting "log level = 10" shows Win2K3 working with

[2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
  looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
[2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: ad\some group => ad (domain), some group (name)
[2007/12/12 00:25:16, 10] smbd/share_access.c:user_ok_token(232)
  user_ok_token: share test is ok for unix user AD\myaccount


..whereas Vista-SP1rc1 shows

[2007/12/12 00:20:42, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
  Got KRB5 session key of length 16
[2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292)
  authorization data is not a Windows PAC (type: 141)
....
[2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
  looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
[2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: ad\some group => ad (domain), some group (name)
[2007/12/12 00:21:14, 10] smbd/share_access.c:user_ok_token(211)
  User AD\myaccount not in 'valid users'
[2007/12/12 00:21:14, 2] smbd/service.c:make_connection_snum(616)
  user 'AD\myaccount' (from session setup) not permitted to access this share (test)

Any ideas? I can send the entire log (even a packet trace) to someone if
they need it.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
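
As an added example (not part of the original post and not Samba's own code): a small Python parser for the `log level = 10` record layout shown in the excerpts above, which reports each `valid users` denial that follows an `unwrap_pac` failure in the same log. It only pairs the two messages and does not establish that one causes the other; the sample lines are reconstructed from the excerpts in the post.

```python
import re

# Header of a Samba debug record as it appears in the post, e.g.
# [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<rest>.*)$"
)
PAC_FAIL = re.compile(r"not a Windows PAC \(type: (\d+)\)")
DENIED = re.compile(r"User (\S+) not in 'valid users'")

def parse_records(text):
    """Group each header line with its message lines into one record."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["msg"] = rec.pop("rest").strip()
            records.append(rec)
        elif records and raw.strip():
            # Message line, or the tail of a line the mail client wrapped.
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def correlate(records):
    """Return (user, pac_type) for every 'valid users' denial that was
    preceded by a PAC unwrap failure earlier in the same log."""
    findings, pac_type = [], None
    for rec in records:
        if rec["func"] == "unwrap_pac":
            m = PAC_FAIL.search(rec["msg"])
            if m:
                pac_type = int(m.group(1))
        elif rec["func"] == "user_ok_token":
            m = DENIED.search(rec["msg"])
            if m and pac_type is not None:
                findings.append((m.group(1), pac_type))
    return findings

# Constructed samples, reconstructed from the log excerpts in the post.
SAMPLE_VISTA = r"""[2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292) authorization
data is not a Windows PAC (type: 141)
[2007/12/12 00:21:14, 10] smbd/share_access.c:user_ok_token(211)
  User AD\myaccount not in 'valid users'
"""
SAMPLE_W2K3 = r"""[2007/12/12 00:25:16, 10] smbd/share_access.c:user_ok_token(232)
  user_ok_token: share test is ok for unix user AD\myaccount
"""
```
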




