I tried to open the c$ share of a workstation from a Windows 2k8 server; both are members of the same samba4 domain. I keep getting the dialog box as if the password or the user supplied is invalid. I tried several forms for the username: SAMBA4\administrator, administrator, administrator@smb4.tst, but all fail. Nevertheless I'm able to browse the samba server share from the w2k8 server.
I think that feature has been deactivated on SAMBA 4 due to security concerns. But for sure we can try to change that.
Ah moment, I misunderstood. You mean to open the "c$" share from a workstation and not SAMBA 4 itself.
I did further tests. When the target is specified in the form of an IP address I have the following message in the log:
[Sat May 23 00:48:27 2009 MSD, 3 auth/ntlm/auth.c:264:auth_check_password_send()] auth_check_password_send: Checking password for unmapped user [SAMBA4]\[user_adm]@[SMBTSTVZ01]
[Sat May 23 00:48:27 2009 MSD, 5 auth/ntlm/auth_util.c:55:map_user_info()] map_user_info: Mapping user [SAMBA4]\[user_adm] from workstation [SMBTSTVZ01]
auth_check_password_send: mapped user is: [SAMBA4]\[user_adm]@[SMBTSTVZ01]
And I am able to open the share (i.e. \\10.6.1.62\c$). But trying \\smb400001.smb4.tst\c$ fails; I attach a capture of the dialog between samba4, w2k8 (the requester) and xp (the target).
Created attachment 4187: Tcpdump capture of the exchange. Capture of the exchange between the w2K8 server (192.168.99.3), the target (10.6.1.62) and the server (192.168.99.2)
I retested lately on a clean installation; it's OK with changeset 46167c1d1b2ee4d77338214494decd9326b7ab93. I'll keep this bug open and will update soon to a new version. If it keeps working then I'll close the bug.
It turns out that when using Kerberos authentication it's still broken between XP and Windows 2008 server in a Samba4 domain.
After quite a lot of tests (cf. http://lists.samba.org/archive/samba-technical/2009-July/065789.html) I came to the conclusion that the problem is related to the relevant option 141 and maybe its interaction with relevant 142.
Created attachment 4425: Patch proposal in order to fix the pb
According to me the problem just comes from the fact that XP (and others?) expects the PAC ad-if-relevant to be the first in the AuthorizationData. The attached patch proposes a fairly clean way to do it: first attach the PAC, then attach every element of authorization-data, then add the signature.
This is *great* work. This will also fix up interop issues with older Samba3 releases, which also hard-code the first IF-RELEVANT position. My hearty apologies for discouraging you in this line of inquiry!
Comment on attachment 4425 (Patch proposal in order to fix the pb): Has been applied
Should be fixed! On problems (you know) please reopen!
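The ordering rule from the comment on attachment 4425 (PAC container first, then every other authorization-data element), sketched as an added example that is not taken from the attached patch or from Samba/Heimdal. It works on a simplified, already-decoded model of the AuthorizationData list; `struct ad_elem`, `find_pac`, `pac_first` and the sample list are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>

/* ad-type values: AD-IF-RELEVANT (RFC 4120) and AD-WIN2K-PAC. */
#define AD_IF_RELEVANT 1
#define AD_WIN2K_PAC   128

/* Simplified, already-decoded element: a model for this example, not a
 * Heimdal or Samba structure. inner_type is the ad-type wrapped by an
 * AD-IF-RELEVANT container and is ignored for other ad-types. */
struct ad_elem { int ad_type; int inner_type; };

/* Constructed sample: containers for types 141 and 142 precede the PAC. */
static const struct ad_elem sample[] = {
    { AD_IF_RELEVANT, 141 },
    { AD_IF_RELEVANT, 142 },
    { AD_IF_RELEVANT, AD_WIN2K_PAC },
};
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))

/* Index of the AD-IF-RELEVANT element wrapping the PAC, or -1 if none. */
int find_pac(const struct ad_elem *ad, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ad[i].ad_type == AD_IF_RELEVANT && ad[i].inner_type == AD_WIN2K_PAC)
            return (int)i;
    return -1;
}

/* Copy ad[] into out[] (room for n elements) with the PAC container first
 * and all other elements after it in their original relative order.
 * Without a PAC the list is copied unchanged. Returns the count written. */
size_t pac_first(const struct ad_elem *ad, size_t n, struct ad_elem *out)
{
    int pac = find_pac(ad, n);
    size_t k = 0;
    if (pac >= 0)
        out[k++] = ad[pac];
    for (size_t i = 0; i < n; i++)
        if ((int)i != pac)
            out[k++] = ad[i];
    return k;
}

int main(void)
{
    struct ad_elem out[SAMPLE_LEN];
    size_t n = pac_first(sample, SAMPLE_LEN, out);
    printf("PAC index before: %d, after: %d\n",
           find_pac(sample, SAMPLE_LEN), find_pac(out, n));
    return 0;
}
```

A client that hard-codes the first position, as described in the thread, would find the PAC at index 0 only in the reordered list.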