[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

Tris Mabbs TM-Samba201302 at Firstgrade.Co.UK
Tue Feb 26 06:34:54 MST 2013

> What I was getting at about the full name is that if this was an odd character encoding issue, knowing that this was a user with non-ASCII full name would be an important data point.

Yes, I see what you mean.
No, neither the full username, nor the login name, contains anything other than Good 'Ole ASCII.

> See, the PAC is much more than just SIDs, it is a lot of different bits of information that a user needs to log in to a desktop, or (less so) to operate against a file server.

I can see I'm going to have to look into the contents of the PAC in a bit more detail.  Although I have some familiarity with Kerberos, I've not had to dig into a PAC before; so far as I was aware it was mainly supplemental group membership, and similar information - obviously there's more in there than I was aware of.
Still, a day where something is learned is never a day wasted - it will be interesting to have a dig!

> The key password in this case isn't the user's password (it isn't involved), but the machine account password of the server.  

Sorry, yes - I meant that I had no problem sending you any data which might be contained in any Wireshark capture; as you pointed out, any password can easily be changed (including the Samba machine account password on the AD server).  Apologies for not being clearer.

> Andrew Bartlett

Once again, many thanks - I'll update you when I have anything useful.

Tris Mabbs.
