[Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a
Jeremy Allison
jra at samba.org
Wed Dec 12 02:26:42 GMT 2007
On Wed, Dec 12, 2007 at 01:49:43PM +1300, Jason Haar wrote:
> We've got nicely ADS integrated Samba-3.0.27a servers that are working
> fine with Win2000 through to standard Vista.
>
> However, we are starting to test RC1 of Vista SP1 and discovered that
> once applied, that workstation cannot connect to Samba server shares -
> unless the share is open - i.e. no "valid user" style settings. The
> moment one is defined, Vista fails to connect and pops up an
> authentication dialog - which still doesn't work.
>
> workgroup = AD
> realm = AD.DOMAIN.NAME
> security = ADS
> auth methods = winbind
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> server signing = auto
>
>
> I have tried altering "server signing = no" to "auto", and "client
> NTLMv2 auth = No " to "yes" - no difference. I saw MS07-063 refers to
> Vista having being patched to do with a signing bug - so I took a punt
> it was related - no such luck.
>
> If a share is configured as
>
> [test]
> path = /tmp
>
> ...then Vista-SP1rc1 works fine, but if it's...
>
> [test]
> path = /tmp
> valid users = @"AD\Some Group"
>
> ...then it doesn't. WinXP and Win2K3 server both work against both share
> options of course.
Can you get a debug level 10 plus a wireshark trace please.
If they're both using kerberos it might be that Samba is
not parsing out the group info from the krb5 token passed
on sessionsetup. A debug level 10 should help. I can give
you patches with extra debug info if needed.
Looks like Microsoft aren't doing interop testing again :-).
Jeremy.
More information about the samba
mailing list