[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

Andrew Bartlett abartlet at samba.org
Thu Mar 14 21:40:28 MDT 2013

On Fri, 2013-03-08 at 17:20 +0000, Tris Mabbs wrote:
> Hello again everyone,
> On 08 March 2013 13:10, Michael Wood wrote:
> >> ...
> >> <-------Cut here.
> >
> > Sorry, I forgot a step.  You would have needed a "git fetch gd" in there
> before the checkout.
> Ah ha!  That would explain it then.
> Well, forgotten command or not, the help was much appreciated and I now have
> a version built and running from Günther's branch.
> So many thanks for the assistance, and I now know slightly more about "git"
> than I did before :-)
> So, back to the original problem ...
> Compiled up against Günther's branch, installed, tested.
> The results are interesting:
> 1) User access:
> 	From my perspective, it's cured the issue.  My problematic user can
> once again access resources.
> 	This is very good news; many, many thanks to everyone who has
> assisted getting to this stage.
> 2) Core dumps:
> 	The code has now been running for a few hours, with some reasonably
> intensive access requests going on (lots of sessions being established and
> closed).
> 	By now, I'd normally have expected an "smbd" core-dump, but haven't
> had a single one.
> 	So this might have been the cause of that as well.  However I'll
> leave things for a few days before considering that to be fixed.
> 3) PAC dumps.
> 	I put my patch code back into "kerberos_pac.c"
> ("kerberos_decode_pac()") to see whether I now got PAC dumps named by
> Kerberos principal name.
> 	Previously, all other users were causing PAC dumps named by their
> Kerberos principal name, but there were none for the problematic user.  As
> Andrew had indicated he considered that unusual, I thought I see what
> happened with Günther's changes.
> 	On the plus side, all the PAC dumps are now consistently named, all
> (currently) ~110 of them; on the minus side, not a single one is named with
> the Kerberos principal name.
> 	So it seems that with these changes, "kerberos_decode_pac()" is
> never entered with "client_principal" anything other than a NULL pointer.
> So I'm (very) happy that these changes fix my problem.  However it does seem
> a little curious that "client_principal" now never appears to be set - I
> don't know whether that's expected behaviour?

It isn't, we need to look into that some more. 

> I'll leave my patch in for a few more days and see whether that changes
> (with sessions being established after Kerberos tickets have been renewed or
> re-acquired, for example), but previously I'd have had quite a few PAC dumps
> named by Kerberos principal by now, and I have nary a one (and while I've
> typed this, I'm up to ~160 PAC dumps and they're still all named by PID
> rather than by Kerberos principal).
> For both this, in case it's significant, and the core-dumps, I'll send an
> update in a few days.
> Very much appreciated everyone - thank you!

Does the ndrdump run you did before now pass fine?

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list