Authentication against AD domain controllers fails for non-ascii usernames if security = ads and unix charset = iso8859-1.

Relevant options in smb.conf:
security = ads
unix charset = iso8859-1
display charset = iso8859-1

Error message from log:
[2006/01/30 10:21:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(286) Username DOMAIN\åöä is invalid on this system

Please note the incorrectly encoded username (UTF-8 encoding on iso8859-1 setup).

wbinfo -u lists the usernames correctly.

Changing "security = ads" to "security = domain" makes it work correctly. Also removing the "unix charset" and "display charset" settings from smb.conf makes the authentication work. (Usernames are then output as UTF-8 encoded e.g. with wbinfo.)

Additional information:
DC OS: Windows 2000 Server SP4
Client OS: Windows 2000 Pro SP4
krb5 1.3.6

Reproduced with samba 3.0.20b and samba 3.0.21a.
Log with higher debug level:
[2006/03/22 09:04:37, 2] libads/authdata.c:decode_pac_data(906) decode_pac_data: Name in PAC [åöä] does not match principal name in ticket
^^^ NOTE: Here the username is correctly (and differently) encoded!
[2006/03/22 09:04:37, 3] libads/kerberos_verify.c:ads_verify_ticket(416) ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
[2006/03/22 09:04:37, 3] smbd/sesssetup.c:reply_spnego_kerberos(185) Ticket name is [åöä@DOMAIN.LOCAL]
[2006/03/22 09:04:37, 10] smbd/sesssetup.c:reply_spnego_kerberos(244) Mapping [DOMAIN.LOCAL] to short name
[2006/03/22 09:04:37, 10] smbd/sesssetup.c:reply_spnego_kerberos(257) Mapped to [DOMAIN] (using Winbind)
[2006/03/22 09:04:37, 5] lib/username.c:Get_Pwnam_alloc(313) Finding user DOMAIN\åöä
[2006/03/22 09:04:37, 5] lib/username.c:Get_Pwnam_internals(262) Trying _Get_Pwnam(), username as lowercase is tuss\ã¥ã¶ã¤
[2006/03/22 09:04:37, 5] lib/username.c:Get_Pwnam_internals(269) Trying _Get_Pwnam(), username as given is DOMAIN\åöä
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(286) Checking combinations of 0 uppercase letters in tuss\ã¥ã¶ã¤
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(290) Get_Pwnam_internals didn't find user [DOMAIN\åöä]!
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_alloc(313) Finding user åöä
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(262) Trying _Get_Pwnam(), username as lowercase is ã¥ã¶ã¤
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(269) Trying _Get_Pwnam(), username as given is åöä
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(286) Checking combinations of 0 uppercase letters in ã¥ã¶ã¤
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(290) Get_Pwnam_internals didn't find user [åöä]!
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_alloc(313) Finding user åöä
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(262) Trying _Get_Pwnam(), username as lowercase is ã¥ã¶ã¤
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(269) Trying _Get_Pwnam(), username as given is åöä
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(286) Checking combinations of 0 uppercase letters in ã¥ã¶ã¤
[2006/03/22 09:04:38, 5] lib/username.c:Get_Pwnam_internals(290) Get_Pwnam_internals didn't find user [åöä]!
[2006/03/22 09:04:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(286) Username DOMAIN\åöä is invalid on this system
[2006/03/22 09:04:38, 3] smbd/error.c:error_packet(146) error packet at smbd/sesssetup.c(291) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2006/03/22 09:04:38, 0] smbd/process.c:smb_dump(947) created /tmp/SMBsesssetupX.8.resp len 39
[2006/03/22 09:04:38, 5] lib/util.c:show_msg(476)
[2006/03/22 09:04:38, 5] lib/util.c:show_msg(486) size=35 smb_com=0x73 smb_rcls=109 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=65279 smb_uid=101 smb_mid=128 smt_wct=0 smb_bcc=0
[2006/03/22 09:04:38, 10] smbd/process.c:setup_select_timeout(1372) change_notify_timeout: -1
[2006/03/22 09:04:38, 10] smbd/process.c:run_events(299) run_events: No events
[2006/03/22 09:04:38, 10] lib/util_sock.c:read_data(517) read_data: read of 4 returned 0. Error = Success
[2006/03/22 09:04:38, 10] lib/util_sock.c:receive_smb_raw(666) receive_smb_raw: length < 0!
[2006/03/22 09:04:38, 3] smbd/process.c:timeout_processing(1447) timeout_processing: End of file from client (client has disconnected).
[2006/03/22 09:04:38, 5] lib/gencache.c:gencache_shutdown(88) Closing cache file
[2006/03/22 09:04:38, 5] libsmb/namecache.c:namecache_shutdown(79) namecache_shutdown: netbios namecache closed successfully.
[2006/03/22 09:04:38, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/22 09:04:38, 5] auth/auth_util.c:debug_nt_user_token(433) NT user token: (NULL)
[2006/03/22 09:04:38, 5] auth/auth_util.c:debug_unix_user_token(454) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2006/03/22 09:04:38, 5] smbd/uid.c:change_to_root_user(319) change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/22 09:04:38, 2] smbd/server.c:exit_server(614) Closing connections
[2006/03/22 09:04:38, 3] smbd/connection.c:yield_connection(69) Yielding connection to
[2006/03/22 09:04:38, 3] smbd/server.c:exit_server(655) Server exit (normal exit)
Created attachment 1818
This ad hoc patch makes the authentication work on my setup.
Ah, I see. There's a missing conversion to unix charset on pulling the utf8 data from the kerberos tickets. I'll look into this.

Jeremy.
Created attachment 1823
also convert from ucs2 to utf8 when validating the PAC

Jeremy, we also need to fix the PAC validation: The logon-name in the PAC is ucs2, the client principal in the ticket will (according to Love) always be utf8 from a Windows KDC. As we first compose a principal with the name from the PAC to do a principal compare then with the principal from the ticket afterwards, we need an additional ucs2->utf8 conversion.
Do we know what the KDCs expect as principal names in krb5 packets? Do they expect any encoding, or assume always utf8? If so we need to push/pull on every principal name sent/received from the krb5 code. We need to go through and add this layer to all the krb5 code as we do in the LDAP code (or as I *think* we do without having looked at the code yet :-)

As for the patch I'd prefer to leave pull_ucs2 alone and just add another conversion from unix charset -> utf8 afterwards rather than adding another flag to pull_ucs2.

Jeremy.
Samba has converted krb5 principals to unix strings since b68b05854ff5a7e75953462eba74f97753428ef1 in Samba 3.4.
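
The two conversions discussed in this thread, written out as an added example: the ticket name goes from UTF-8 to the unix charset before the account lookup, and the PAC logon name goes from UCS-2 to UTF-8 before the principal comparison. This is not Samba's code or either attached patch; the function names and the sample name are constructed, and ISO-8859-1 stands in for unix charset as in the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the account name "åöä" in the three encodings involved. */
static const unsigned char PAC_NAME[] = { 0xE5, 0, 0xF6, 0, 0xE4, 0 }; /* UCS-2LE */
static const char TICKET_NAME[] = "\xC3\xA5\xC3\xB6\xC3\xA4";          /* UTF-8 */
static const char UNIX_NAME[] = "\xE5\xF6\xE4";                        /* ISO-8859-1 */

/* UCS-2LE -> UTF-8; returns the output length, or -1 on bad input or overflow. */
static int ucs2le_to_utf8(const unsigned char *in, size_t n, char *out, size_t cap) {
    size_t o = 0;
    if (n % 2 || cap == 0) return -1;
    for (size_t i = 0; i < n; i += 2) {
        unsigned cp = in[i] | ((unsigned)in[i + 1] << 8);
        /* reject NUL and surrogates; require room for 3 bytes plus the terminator */
        if (cp == 0 || (cp >= 0xD800 && cp <= 0xDFFF) || o + 4 > cap) return -1;
        if (cp >= 0x800) {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
        } else if (cp >= 0x80) {
            out[o++] = (char)(0xC0 | (cp >> 6));
        }
        out[o++] = (char)(cp < 0x80 ? cp : (0x80 | (cp & 0x3F))); /* last or only byte */
    }
    out[o] = '\0';
    return (int)o;
}

/* UTF-8 -> ISO-8859-1; returns the length, or -1 if malformed or not representable. */
static int utf8_to_latin1(const char *in, char *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)in;
    size_t o = 0;
    if (cap == 0) return -1;
    while (*p) {
        unsigned c = *p++;
        if (c >= 0x80) {                  /* only U+0080..U+00FF fit in Latin-1 */
            if ((c != 0xC2 && c != 0xC3) || (*p & 0xC0) != 0x80) return -1;
            c = ((c & 0x03) << 6) | (*p++ & 0x3F);
        }
        if (o + 1 >= cap) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* PAC check: convert the UCS-2 logon name to UTF-8, then compare with the ticket name. */
static int pac_name_matches_ticket(const unsigned char *pac, size_t n, const char *ticket) {
    char utf8[256];
    return ucs2le_to_utf8(pac, n, utf8, sizeof utf8) >= 0 && strcmp(utf8, ticket) == 0;
}

/* Account lookup: convert the UTF-8 ticket name to unix charset before comparing. */
static int lookup_matches(const char *ticket, const char *unix_name) {
    char local[256];
    return utf8_to_latin1(ticket, local, sizeof local) >= 0 && strcmp(local, unix_name) == 0;
}

int main(void) {
    printf("raw bytes equal:  %d\n", strcmp(TICKET_NAME, UNIX_NAME) == 0);
    printf("PAC vs ticket:    %d\n", pac_name_matches_ticket(PAC_NAME, sizeof PAC_NAME, TICKET_NAME));
    printf("after conversion: %d\n", lookup_matches(TICKET_NAME, UNIX_NAME));
    return 0;
}
```

A name that the unix charset cannot represent makes `utf8_to_latin1` return -1, so the lookup fails closed instead of matching a truncated or substituted name.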