[Samba] Leopard Macs using Kerberos: Failed to parse negTokenTarg

Jeremy Allison jra at samba.org
Tue Aug 5 20:36:27 GMT 2008

On Tue, Aug 05, 2008 at 01:02:49PM -0700, Kai Lanz wrote:
> I think I've found out why MacOS 10.5.x (Leopard) clients are unable to
> connect to Samba shares when authenticating with Kerberos. Basically,  
> the
> Leopard Macs insert a few extra bytes (Padding and reqFlags, according to
> wireshark) into the security blob within the Session Setup AndX Request
> packet, bytes whose start tag is 0xa1, in a spot where Samba's parser
> expects 0xa2. The critical error is "Failed to parse negTokenTarg at  
> offset
> 54", which looks like it's being caused by the call
>     asn1_start_tag(&data, ASN1_CONTEXT(2));
> in parse_negTokenTarg().

In Samba 3.2.0 and 3.2.1 this is fixed by the following
code in parse_negTokenTarg().

        /* Skip any optional req_flags that are sent per RFC 4178 */
        if (asn1_check_tag(&data, ASN1_CONTEXT(1))) {
                uint8 flags;

                asn1_start_tag(&data, ASN1_CONTEXT(1));
                asn1_start_tag(&data, ASN1_BITFIELD);
                while (asn1_tag_remaining(&data) > 0)
                        asn1_read_uint8(&data, &flags);

I'd try an upgrade :-).


More information about the samba mailing list