On Mon, 2009-07-20 at 22:00 +1000, Andrew Bartlett wrote:
> G'day,
>
> My friend in Samba development Matthieu has been chasing down small but
> possibly significant differences between Samba4 and Windows. He is
> puzzled by the following, and we wondered if you might be able to shed
> some light on the matter.

I've reproduced the problem locally, and attach the sniffs of the network behaviour.

This is being tracked in Samba bug: https://bugzilla.samba.org/show_bug.cgi?id=6273

The traces include:

samba4-to-win2008-failure: an NTLM login attempt, an attempt to use Samba's own SPNEGO libraries (which are faulty)
samba4-to-win2008-failure-gensec_spnego: a Kerberos login attempt using Heimdal's SPNEGO code

This shows that the problem is not just in NTLM logins, but perhaps in the PAC/info3 reply.

Is some kind of per-user licensing thing tied up here? I've tried to up the number of users permitted to access the share, without success.

If you need any assistance setting up Samba4 to reproduce this, I am more than willing to assist.

The commands I used were:

bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kno
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes --option=gensec:spnego=no --option=gensec:gssapi_spnego=yes

Also see the attached patch to Samba4 rev d005e4dabb396607d959ece8da3c649797d59d44 to make the last command work.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

samba4-to-win2008-failure.cap
Description: Binary data
samba4-to-win2008-failure-gssapi_spengo.cap
Description: Binary data
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 7129db7..bef0ae2 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -460,7 +460,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, gensec_gssapi_state->want_flags, 0, gensec_gssapi_state->input_chan_bindings, - &input_token, + gensec_gssapi_state->gss_exchange_count == 0 ? NULL : &input_token, &gss_oid_p, &output_token, &gensec_gssapi_state->got_flags, /* ret flags */
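
Review bot: the new conditional argument `gensec_gssapi_state->gss_exchange_count == 0 ? NULL : &input_token` in gensec_gssapi_update() has no comment explaining why the first round must pass NULL rather than the address of input_token, and it decides on the exchange counter instead of on the token itself. If a caller can ever supply a non-empty token on the first round, this change discards it silently. Consider hoisting the choice into a local pointer set just before the call, with a one-line comment naming the peer behaviour that requires NULL, and state in the commit message whether the counter or an empty-token check is the intended condition.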
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol