Jason Haar
2007-Dec-12 00:50 UTC
[Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a
We've got nicely ADS integrated Samba-3.0.27a servers that are working fine with Win2000 through to standard Vista.

However, we are starting to test RC1 of Vista SP1 and discovered that once applied, that workstation cannot connect to Samba server shares - unless the share is open - i.e. no "valid user" style settings. The moment one is defined, Vista fails to connect and pops up an authentication dialog - which still doesn't work.

    workgroup = AD
    realm = AD.DOMAIN.NAME
    security = ADS
    auth methods = winbind
    encrypt passwords = Yes
    update encrypted = No
    client schannel = Auto
    server schannel = Auto
    allow trusted domains = Yes
    lanman auth = Yes
    ntlm auth = Yes
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    server signing = auto

I have tried altering "server signing = no" to "auto", and "client NTLMv2 auth = No" to "yes" - no difference. I saw MS07-063 refers to Vista having been patched to do with a signing bug - so I took a punt it was related - no such luck.

If a share is configured as

    [test]
    path = /tmp

...then Vista-SP1rc1 works fine, but if it's...

    [test]
    path = /tmp
    valid users = @"AD\Some Group"

...then it doesn't. WinXP and Win2K3 server both work against both share options of course.

Setting "log level = 10" shows Win2K3 working with

    [2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
      looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
    [2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
      lookup_name: ad\some group => ad (domain), some group (name)
    [2007/12/12 00:25:16, 10] smbd/share_access.c:user_ok_token(232)
      user_ok_token: share test is ok for unix user AD\myaccount

..whereas Vista-SP1rc1 shows

    [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
      Got KRB5 session key of length 16
    [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292)
      authorization data is not a Windows PAC (type: 141)
    ....
    [2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
      looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
    [2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
      lookup_name: ad\some group => ad (domain), some group (name)
    [2007/12/12 00:21:14, 10] smbd/share_access.c:user_ok_token(211)
      User AD\myaccount not in 'valid users'
    [2007/12/12 00:21:14, 2] smbd/service.c:make_connection_snum(616)
      user 'AD\myaccount' (from session setup) not permitted to access this share (test)

Any ideas? I can send the entire log (even a packet trace) to someone if they need it.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Jeremy Allison
2007-Dec-12 02:37 UTC
[Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a
On Wed, Dec 12, 2007 at 01:49:43PM +1300, Jason Haar wrote:
> We've got nicely ADS integrated Samba-3.0.27a servers that are working
> fine with Win2000 through to standard Vista.
>
> However, we are starting to test RC1 of Vista SP1 and discovered that
> once applied, that workstation cannot connect to Samba server shares -
> unless the share is open - i.e. no "valid user" style settings. The
> moment one is defined, Vista fails to connect and pops up an
> authentication dialog - which still doesn't work.
>
> workgroup = AD
> realm = AD.DOMAIN.NAME
> security = ADS
> auth methods = winbind
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> server signing = auto
>
> I have tried altering "server signing = no" to "auto", and "client
> NTLMv2 auth = No" to "yes" - no difference. I saw MS07-063 refers to
> Vista having been patched to do with a signing bug - so I took a punt
> it was related - no such luck.
>
> If a share is configured as
>
> [test]
> path = /tmp
>
> ...then Vista-SP1rc1 works fine, but if it's...
>
> [test]
> path = /tmp
> valid users = @"AD\Some Group"
>
> ...then it doesn't. WinXP and Win2K3 server both work against both share
> options of course.

Can you get a debug level 10 plus a wireshark trace please. If they're both using kerberos it might be that Samba is not parsing out the group info from the krb5 token passed on sessionsetup. A debug level 10 should help. I can give you patches with extra debug info if needed.

Looks like Microsoft aren't doing interop testing again :-).

Jeremy.
Jeremy Allison
2007-Dec-12 02:39 UTC
[Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a
On Wed, Dec 12, 2007 at 01:49:43PM +1300, Jason Haar wrote:
> ..whereas Vista-SP1rc1 shows
>
> [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
>   Got KRB5 session key of length 16
> [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292)
>   authorization data is not a Windows PAC (type: 141)
> ....

Ah yes. That's the key. Samba isn't getting the pac info correctly so no group info. We need to see the data blob "auth_data" being passed to this function in libsmb/clikrb5.c:

    bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)

Jeremy.
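The log line "authorization data is not a Windows PAC (type: 141)" is the whole story of this thread: the server looks at the ticket's authorization data, sees an ad-type it does not recognise, and gives up before reaching the PAC that carries the group SIDs, so "valid users = @group" can never match. The following is an added example written for this archive page, not Samba's unwrap_pac() and not code from either poster. It walks a Kerberos AuthorizationData list (RFC 4120: SEQUENCE OF SEQUENCE { ad-type [0] INTEGER, ad-data [1] OCTET STRING }) in DER form and contrasts two behaviours: stopping at the first element, and skipping unknown elements until AD-WIN2K-PAC (ad-type 128, from RFC 4120) is found, descending into AD-IF-RELEVANT (ad-type 1) containers on the way. The sample bytes are constructed by hand; the assumption that ad-type 141 is MS-KILE's KERB-AUTH-DATA-TOKEN-RESTRICTIONS is mine and not stated on the page, and the 8-byte "PAC" payload is a placeholder, not a real PAC structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_IF_RELEVANT        1    /* RFC 4120: container of more AuthorizationData */
#define AD_WIN2K_PAC          128  /* RFC 4120: the Windows PAC */
#define AD_TOKEN_RESTRICTIONS 141  /* assumed: MS-KILE KERB-AUTH-DATA-TOKEN-RESTRICTIONS */

struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

/* Read one DER TLV at p. Handles short-form and 1- or 2-byte long-form lengths.
 * Returns the number of bytes the element occupies, or 0 if it does not fit. */
static size_t der_read(const uint8_t *p, size_t avail, struct tlv *out) {
    if (avail < 2) return 0;
    size_t len = p[1], hdr = 2;
    if (len & 0x80) {
        size_t n = len & 0x7F;
        if (n == 0 || n > 2 || avail < 2 + n) return 0;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr = 2 + n;
    }
    if (avail - hdr < len) return 0;          /* value would run past the buffer */
    out->tag = p[0]; out->val = p + hdr; out->len = len;
    return hdr + len;
}

/* Decode a small non-negative DER INTEGER (ad-type is an Int32). */
static int der_int(const struct tlv *t, long *v) {
    if (t->tag != 0x02 || t->len == 0 || t->len > 4) return 0;
    unsigned long acc = 0;
    for (size_t i = 0; i < t->len; i++) acc = (acc << 8) | t->val[i];
    *v = (long)acc;
    return 1;
}

/* Parse one element: SEQUENCE { [0] ad-type INTEGER, [1] ad-data OCTET STRING }.
 * Returns bytes consumed, or 0 on malformed input. */
static size_t parse_entry(const uint8_t *p, size_t avail, long *ad_type,
                          const uint8_t **data, size_t *dlen) {
    struct tlv entry, ctx, inner;
    size_t used = der_read(p, avail, &entry);
    if (used == 0 || entry.tag != 0x30) return 0;
    const uint8_t *q = entry.val; size_t left = entry.len;
    size_t u = der_read(q, left, &ctx);                       /* [0] */
    if (u == 0 || ctx.tag != 0xA0) return 0;
    if (der_read(ctx.val, ctx.len, &inner) == 0 || !der_int(&inner, ad_type)) return 0;
    q += u; left -= u;
    u = der_read(q, left, &ctx);                              /* [1] */
    if (u == 0 || ctx.tag != 0xA1) return 0;
    if (der_read(ctx.val, ctx.len, &inner) == 0 || inner.tag != 0x04) return 0;
    *data = inner.val; *dlen = inner.len;
    return used;
}

/* Robust walk: skip elements we do not care about, recurse into AD-IF-RELEVANT,
 * and return 1 with *data/*dlen pointing at the first element of type `want`. */
static int find_ad_type(const uint8_t *buf, size_t buflen, long want,
                        const uint8_t **data, size_t *dlen) {
    struct tlv outer;
    if (der_read(buf, buflen, &outer) == 0 || outer.tag != 0x30) return 0;
    const uint8_t *p = outer.val; size_t left = outer.len;
    while (left > 0) {
        long ad_type; const uint8_t *d; size_t dl;
        size_t used = parse_entry(p, left, &ad_type, &d, &dl);
        if (used == 0) return 0;                              /* malformed: refuse, don't guess */
        if (ad_type == want) { *data = d; *dlen = dl; return 1; }
        if (ad_type == AD_IF_RELEVANT && find_ad_type(d, dl, want, data, dlen)) return 1;
        p += used; left -= used;                              /* e.g. type 141: skip, not fatal */
    }
    return 0;
}

/* Brittle approach that matches the log message: only the first element is
 * examined. Returns its ad-type, or -1 if the list is empty or malformed. */
static long first_entry_type(const uint8_t *buf, size_t buflen) {
    struct tlv outer; long ad_type; const uint8_t *d; size_t dl;
    if (der_read(buf, buflen, &outer) == 0 || outer.tag != 0x30) return -1;
    if (parse_entry(outer.val, outer.len, &ad_type, &d, &dl) == 0) return -1;
    return ad_type;
}

/* Constructed sample: a type-141 element followed by a type-128 element. */
static const uint8_t sample_authz[] = {
    0x30, 0x24,
      0x30, 0x0E, 0xA0, 0x04, 0x02, 0x02, 0x00, 0x8D,         /* ad-type 141 */
                  0xA1, 0x06, 0x04, 0x04, 'x', 'x', 'x', 'x',
      0x30, 0x12, 0xA0, 0x04, 0x02, 0x02, 0x00, 0x80,         /* ad-type 128 */
                  0xA1, 0x0A, 0x04, 0x08, 'P','A','C','D','A','T','A','!'
};

/* Length of the ad-data found for `want` in the sample, or 0 if absent. */
static size_t sample_ad_len(long want) {
    const uint8_t *d; size_t n;
    return find_ad_type(sample_authz, sizeof sample_authz, want, &d, &n) ? n : 0;
}

int main(void) {
    const uint8_t *pac; size_t paclen;
    printf("first element ad-type: %ld (not a PAC)\n",
           first_entry_type(sample_authz, sizeof sample_authz));
    if (find_ad_type(sample_authz, sizeof sample_authz, AD_WIN2K_PAC, &pac, &paclen))
        printf("found AD-WIN2K-PAC after skipping, %zu bytes: %.*s\n",
               paclen, (int)paclen, pac);
    return 0;
}
```

Run against the sample, the first-element check reports type 141 and nothing else, which is exactly the dead end the debug log shows; the walker skips that element and reaches the PAC. Rejecting a malformed list outright rather than trusting partial results is deliberate: group membership decided from a half-parsed ticket is worse than a failed session setup.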