[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

Andrew Bartlett abartlet at samba.org
Tue Feb 26 04:05:16 MST 2013

On Mon, 2013-02-25 at 11:51 +0000, Tris Mabbs wrote:
> Hello,
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
> (at "Server 2008" functional level across the forest).
> The interesting thing is that this only affects a single user - all other
> accounts work without problems.
> When accessing our main server using that account, "smbd" always reports
> "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
> "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
> NDR to pull a blob from the Kerberos ticket (that's reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
> So can anyone suggest any way forward to resolve this please?  It would
> appear that something is incorrectly being decoded somewhere, so it's
> probably to everyone's advantage to get this sorted out - I know it would
> certainly be to mine :-)

'Clearly' (as in, clear as mud, but the general direction to look at) either the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal is unpacking this particular user's PAC incorrectly.

It is interesting that this user causes the issue regardless of being
re-created.  Is this triggered on their full or user name?

Does this happen if you set up a new testing domain?  If so, what would
be really, really helpful would be a network capture including the
server keytab.  (Or if you don't mind, and change the server password
after, on your live domain to me personally).

The procedure you or I will need to follow is to extract the decrypted
'PAC'.  You could do this either from wireshark (export selected packet
bytes, after running wireshark -K /tmp/server.keytab), or by patching the
code to call:

_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t

somewhere near auth3_generate_session_info_pac()

Then, using that file, run 

bin/ndrdump krb5pac decode_pac in /tmp/pac

Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and
the C helpers in librpc/ndr/ndr_krb5pac.c until this works.

See also http://msdn.microsoft.com/en-us/library/cc237917.aspx

Good luck!

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
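
A check that can be run on the saved /tmp/pac file before iterating on the IDL, as an added example that is not part of the original message and is not Samba code: it walks the outer PACTYPE buffer directory as laid out in MS-PAC and reports any buffer whose offset and size run past the end of the file. The function names and the sample blob are constructed for illustration; the check covers only the outer directory, so ndrdump is still needed for errors inside a buffer's NDR payload.

```python
import struct
import sys

# PAC_INFO_BUFFER.ulType values from MS-PAC.
PAC_TYPES = {1: "LOGON_INFO", 2: "CREDENTIALS_INFO", 6: "SERVER_CHECKSUM",
             7: "KDC_CHECKSUM", 0xA: "CLIENT_INFO", 0xB: "S4U_DELEGATION_INFO",
             0xC: "UPN_DNS_INFO"}

def list_pac_buffers(pac: bytes):
    """Walk the PACTYPE directory; return (entries, problems)."""
    problems = []
    if len(pac) < 8:
        return [], ["blob shorter than the 8-byte PACTYPE header"]
    count, version = struct.unpack_from("<II", pac, 0)  # cBuffers, Version
    if version != 0:
        problems.append(f"unexpected Version {version}")
    entries = []
    for i in range(count):
        pos = 8 + 16 * i  # each PAC_INFO_BUFFER is 16 bytes
        if pos + 16 > len(pac):
            problems.append(f"directory entry {i} runs past end of blob")
            break
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, pos)
        name = PAC_TYPES.get(ul_type, f"type {ul_type:#x}")
        entries.append((name, offset, size))
        if offset % 8:
            problems.append(f"{name}: offset {offset} not 8-byte aligned")
        if offset + size > len(pac):
            problems.append(
                f"{name}: needs bytes {offset}..{offset + size}, blob has {len(pac)}")
    return entries, problems

def build_sample(truncate=0):
    """Constructed two-buffer PAC; payload bytes are filler, not real NDR."""
    header = struct.pack("<II", 2, 0)
    directory = struct.pack("<IIQ", 1, 16, 40) + struct.pack("<IIQ", 0xC, 24, 56)
    blob = header + directory + b"\x00" * 16 + b"\x00" * 24
    return blob[:len(blob) - truncate]

if __name__ == "__main__":
    # Pass the saved PAC file as the first argument, else use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(10)
    entries, problems = list_pac_buffers(data)
    for name, offset, size in entries:
        print(f"{name:20} offset={offset:<6} size={size}")
    for p in problems:
        print("PROBLEM:", p)
```

If the directory is clean, the file is a complete PAC and the decode failure lies inside one buffer's NDR payload, which is where the IDL work described above applies.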
