[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

Andrew Bartlett abartlet at samba.org
Tue Feb 26 04:43:37 MST 2013

On Tue, 2013-02-26 at 11:22 +0000, Tris Mabbs wrote:
> Wow.
> Hiya Andrew,
> OK, this sounds like a very promising approach, and potentially saves me working through a large number of "git bisect"s (as also most helpfully suggested by Michael Wood) - so far, I'm right back into the beta code and there have been a lot of commits since then...
> I'm not easily in a position to set up a test domain for this, but I have no problem with your suggestion of capturing on the live domain and sending to you (especially since changing the password doesn't affect the issue).  Or of dumping the information and decoding the PAC using "ndrdump" (wasn't aware of that).
> I'll work through your suggestions and see if I can get anywhere; when I reach a stage where I can't figure it out any further I'll send you what I've got.  Any useful conclusions that don't contain sensitive information, I'll put back onto this thread in case they're of use to anyone else as well.
> It will probably take me a few days to get anywhere useful, as I can only really poke this out of normal working hours.  So if there's no update for a few days, please don't think that means I've stopped.
> BTW, to answer your question, access is based on the username not the full name (haven't tried that, which in itself is an interesting point - not sure whether that would affect it as presumably that just forms an alternative mapping back to the underlying internal AD entity, but ...).
> Many thanks, I'll update as soon as I can.

What I was getting at about the full name is that if this was an odd
character encoding issue, knowing that this was a user with a non-ASCII
full name would be an important data point.

See, the PAC is much more than just SIDs, it is a lot of different bits
of information that a user needs to log in to a desktop, or (less so) to
operate against a file server.

The key password in this case isn't the user's password (it isn't
involved), but the machine account password of the server.  

Once you get this PAC isolated, you won't have to work on your
production server BTW, just on a development box. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
