On Mon, 2009-07-20 at 22:00 +1000, Andrew Bartlett wrote:
> G'day,
> 
> My friend in Samba development Matthieu has been chasing down small but
> possibly significant differences between Samba4 and Windows.  He is
> puzzled by the following, and we wondered if you might be able to shed
> some light on the matter.

I've reproduced the problem locally, and attach the sniffs of the
network behaviour.

This is being tracked in Samba bug:

https://bugzilla.samba.org/show_bug.cgi?id=6273


The traces include:

samba4-to-win2008-failure:
 an NTLM login attempt, an attempt to use Samba's own SPNEGO libraries
(which are faulty)

samba4-to-win2008-failure-gensec_spnego:
 a Kerberos login attempt using Heimdal's SPNEGO code

This shows that the problem is not just in NTLM logins, but perhaps in
the PAC/info3 reply.  Is some kind of per-user licensing thing tied up
here?  I've tried to up the number of users permitted to access the
share, without success.

If you need any assistance setting up Samba4 to reproduce this, I am
more than willing to assist.

The commands I used were:
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kno
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes
bin/smbclient //win2008-2/test -Uadministrator%samba2 -d1 -kyes --option=gensec:spnego=no --option=gensec:gssapi_spnego=yes

Also see the attached patch to Samba4 rev
d005e4dabb396607d959ece8da3c649797d59d44 to make the last command work. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

Attachment: samba4-to-win2008-failure.cap
Description: Binary data

Attachment: samba4-to-win2008-failure-gssapi_spengo.cap
Description: Binary data

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 7129db7..bef0ae2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -460,7 +460,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 							gensec_gssapi_state->want_flags, 
 							0, 
 							gensec_gssapi_state->input_chan_bindings,
-							&input_token, 
+							gensec_gssapi_state->gss_exchange_count == 0 ? NULL : &input_token, 
 							&gss_oid_p,
 							&output_token, 
 							&gensec_gssapi_state->got_flags, /* ret flags */
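
Review bot: The ternary on the `+` line passes NULL as the input token whenever gss_exchange_count is 0, but nothing in the hunk documents why the first call must ignore input_token, and any non-empty token the caller supplied on that first call is now silently dropped. A one-line comment giving the reason, and GSS_C_NO_BUFFER in place of the bare NULL, would make the intent explicit. The hunk also does not show where gss_exchange_count is incremented; please confirm it advances after this call on every path, otherwise later tokens would be discarded as well.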

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
