[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).
Andrew Bartlett
abartlet at samba.org
Tue Feb 26 04:05:16 MST 2013
On Mon, 2013-02-25 at 11:51 +0000, Tris Mabbs wrote:
> Hello,
>
>
>
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
> (at "Server 2008" functional level across the forest).
>
> The interesting thing is that this only affects a single user - all other
> accounts work without problems.
>
>
>
> When accessing our main server using that account, "smbd" always reports
> "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL". This has come from
> "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
> NDR to pull a blob from the Kerberos ticket (that's reported as
> "ndr_pull_error(11): Pull bytes 34 (../librpc/ndr/ndr_string.c:591)").
>
>
> So can anyone suggest any way forward to resolve this please? It would
> appear that something is incorrectly being decoded somewhere, so it's
> probably to everyone's advantage to get this sorted out - I know it would
> certainly be to mine :-)
'Clearly' (as in, clear as mud, but the general direction to look at) either the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal in unpacking this particular user's PAC incorrectly.
It is interesting that this user causes the issue regardless of being
re-created. Is this triggered on their full or user name?
Does this happen if you set up a new testing domain? If so, what would
be really, really helpful would be a network capture including the
server keytab. (Or if you don't mind, and change the server password
after, on your live domain to me personally).
The procedure you or I will need to follow is to extract the decrypted
'PAC'. You could do this either from wireshark (export selected packet
bytes, after running wireshark -k /tmp/server.keytab, or by patching the
code to call:
_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t
length)
somewhere near auth3_generate_session_info_pac()
Then, using that file, run
bin/ndrdump krb5pac decode_pac in /tmp/pac
Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and
the C helpers in librpc/ndr/ndr_krb5pac.c until this works.
See also http://msdn.microsoft.com/en-us/library/cc237917.aspx
Good luck!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list