samba - Dec 2007 - Vista SP1-rc1 appears to break against Samba-3.0.27a

We've got nicely ADS integrated Samba-3.0.27a servers that are working
fine with Win2000 through to standard Vista.

However, we are starting to test RC1 of Vista SP1 and discovered that
once applied, that workstation cannot connect to Samba server shares -
unless the share is open - i.e. no "valid user" style settings. The
moment one is defined, Vista fails to connect and pops up an
authentication dialog - which still doesn't work.

    workgroup = AD
        realm = AD.DOMAIN.NAME
        security = ADS
        auth methods = winbind
        encrypt passwords = Yes
        update encrypted = No
        client schannel = Auto
        server schannel = Auto
        allow trusted domains = Yes
        lanman auth = Yes
        ntlm auth = Yes
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        server signing = auto


I have tried altering "server signing = no" to "auto", and
"client
NTLMv2 auth = No " to "yes" - no difference. I saw MS07-063
refers to
Vista having being patched to do with a signing bug - so I took a punt
it was related - no such luck.

If a share is configured as

[test]
 path = /tmp

...then Vista-SP1rc1 works fine, but if it's...

[test]
 path = /tmp
 valid users = @"AD\Some Group"

...then it doesn't. WinXP and Win2K3 server both work against both share
options of course.


Setting "log level = 10" shows Win2K3 working with

[2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
  looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
[2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: ad\some group => ad (domain), some group (name)
[2007/12/12 00:25:16, 10] smbd/share_access.c:user_ok_token(232)
  user_ok_token: share test is ok for unix user AD\myaccount


..whereas Vista-SP1rc1 shows

[2007/12/12 00:20:42, 10]
libsmb/clikrb5.c:get_krb5_smb_session_key(735)          Got KRB5 session
key of length 16
[2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292) authorization
data is not a Windows PAC (type: 141)
....
[2007/12/12 00:25:16, 5] smbd/password.c:user_in_netgroup(466)
  looking for user ad\myaccount of domain (ANY) in netgroup ad\some group
[2007/12/12 00:25:16, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: ad\some group => ad (domain), some group (name)
[2007/12/12 00:21:14, 10] smbd/share_access.c:user_ok_token(211)
  User AD\myaccount not in 'valid users'
[2007/12/12 00:21:14, 2] smbd/service.c:make_connection_snum(616)
  user 'AD\myaccount' (from session setup) not permitted to access this
share (test)

Any ideas? I can send the entire log (even a packet trace) to someone if
they need it.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

On Wed, Dec 12, 2007 at 01:49:43PM +1300, Jason Haar
wrote:
> We've got nicely ADS integrated Samba-3.0.27a servers that are working
> fine with Win2000 through to standard Vista.
> 
> However, we are starting to test RC1 of Vista SP1 and discovered that
> once applied, that workstation cannot connect to Samba server shares -
> unless the share is open - i.e. no "valid user" style settings.
The
> moment one is defined, Vista fails to connect and pops up an
> authentication dialog - which still doesn't work.
> 
>     workgroup = AD
>         realm = AD.DOMAIN.NAME
>         security = ADS
>         auth methods = winbind
>         encrypt passwords = Yes
>         update encrypted = No
>         client schannel = Auto
>         server schannel = Auto
>         allow trusted domains = Yes
>         lanman auth = Yes
>         ntlm auth = Yes
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         server signing = auto
> 
> 
> I have tried altering "server signing = no" to "auto",
and "client
> NTLMv2 auth = No " to "yes" - no difference. I saw MS07-063
refers to
> Vista having being patched to do with a signing bug - so I took a punt
> it was related - no such luck.
> 
> If a share is configured as
> 
> [test]
>  path = /tmp
> 
> ...then Vista-SP1rc1 works fine, but if it's...
> 
> [test]
>  path = /tmp
>  valid users = @"AD\Some Group"
> 
> ...then it doesn't. WinXP and Win2K3 server both work against both
share
> options of course.
Can you get a debug level 10 plus a wireshark trace please.

If they're both using kerberos it might be that Samba is
not parsing out the group info from the krb5 token passed
on sessionsetup. A debug level 10 should help. I can give
you patches with extra debug info if needed.

Looks like Microsoft aren't doing interop testing again :-).

Jeremy.

On Wed, Dec 12, 2007 at 01:49:43PM +1300, Jason Haar
wrote:
> ..whereas Vista-SP1rc1 shows
> 
> [2007/12/12 00:20:42, 10]
> libsmb/clikrb5.c:get_krb5_smb_session_key(735)          Got KRB5 session
> key of length 16
> [2007/12/12 00:20:42, 10] libsmb/clikrb5.c:unwrap_pac(292) authorization
> data is not a Windows PAC (type: 141)
> ....
Ah yes. That's the key. Samba isn't getting the pac info
correctly so no group info. We need to see a the data
blob "auth_data" being passed to this function in libsmb/clikrb5.c :

bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB
*unwrapped_pac_data)

Jeremy.