[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

Tris Mabbs TM-Samba201302 at Firstgrade.Co.UK
Fri Mar 8 10:20:50 MST 2013


Hello again everyone,

On 08 March 2013 13:10, Michael Wood wrote:
>> ...
>> <-------Cut here.
>
> Sorry, I forgot a step.  You would have needed a "git fetch gd" in there
before the checkout.

Ah ha!  That would explain it then.
Well, forgotten command or not, the help was much appreciated and I now have
a version built and running from Günther's branch.
So many thanks for the assistance, and I now know slightly more about "git"
than I did before :-)

So, back to the original problem ...

Compiled up against Günther's branch, installed, tested.
The results are interesting:

1) User access:
	From my perspective, it's cured the issue.  My problematic user can
once again access resources.
	This is very good news; many, many thanks to everyone who has
assisted getting to this stage.
2) Core dumps:
	The code has now been running for a few hours, with some reasonably
intensive access requests going on (lots of sessions being established and
closed).
	By now, I'd normally have expected an "smbd" core-dump, but haven't
had a single one.
	So this might have been the cause of that as well.  However I'll
leave things for a few days before considering that to be fixed.
3) PAC dumps.
	I put my patch code back into "kerberos_pac.c"
("kerberos_decode_pac()") to see whether I now got PAC dumps named by
Kerberos principal name.
	Previously, all other users were causing PAC dumps named by their
Kerberos principal name, but there were none for the problematic user.  As
Andrew had indicated he considered that unusual, I thought I see what
happened with Günther's changes.
	On the plus side, all the PAC dumps are now consistently named, all
(currently) ~110 of them; on the minus side, not a single one is named with
the Kerberos principal name.
	So it seems that with these changes, "kerberos_decode_pac()" is
never entered with "client_principal" anything other than a NULL pointer.

So I'm (very) happy that these changes fix my problem.  However it does seem
a little curious that "client_principal" now never appears to be set - I
don't know whether that's expected behaviour?
I'll leave my patch in for a few more days and see whether that changes
(with sessions being established after Kerberos tickets have been renewed or
re-acquired, for example), but previously I'd have had quite a few PAC dumps
named by Kerberos principal by now, and I have nary a one (and while I've
typed this, I'm up to ~160 PAC dumps and they're still all named by PID
rather than by Kerberos principal).
For both this, in case it's significant, and the core-dumps, I'll send an
update in a few days.

Very much appreciated everyone - thank you!

Cheers,

Tris.



More information about the samba mailing list