Bug 6272 - Unable to browse a windows XP share from a Windows2k8 server in a samba4 domain
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Andrew Bartlett
URL:
Keywords:
Depends on:
Blocks: 6600
Reported: 2009-04-18 07:33 UTC by Matthieu Patou
Modified: 2009-08-06 02:31 UTC

See Also:
mat: review? (abartlet)


Attachments
Tcpdump capture of the exchange (12.91 KB, application/octet-stream)
2009-05-22 17:00 UTC, Matthieu Patou
Patch proposal in order to fix the pb (1.52 KB, patch)
2009-07-15 11:01 UTC, Matthieu Patou

Description Matthieu Patou 2009-04-18 07:33:42 UTC
I tried to open the c$ share of a workstation from a Windows 2k8 server; both are members of the same samba4 domain.
I keep getting the dialog box as if the password or the user supplied is invalid.
I tried several forms for the username:

SAMBA4\administrator
administrator
administrator@smb4.tst 

but all fail.
Nevertheless I'm able to browse the Samba server share from the w2k8 server.
Comment 1 Matthias Dieter Wallnöfer 2009-05-12 04:03:45 UTC
I think that feature has been deactivated on SAMBA 4 due to security concerns. But for sure we can try to change that.
Comment 2 Matthias Dieter Wallnöfer 2009-05-12 04:05:08 UTC
Ah, one moment, I misunderstood. You mean to open the "c$" share from a workstation and not SAMBA 4 itself.
Comment 3 Matthieu Patou 2009-05-22 16:57:15 UTC
I did further tests.
When the target is specified in the form of an IP address I have the following message in the log:

[Sat May 23 00:48:27 2009 MSD, 3 auth/ntlm/auth.c:264:auth_check_password_send()]
auth_check_password_send:  Checking password for unmapped user [SAMBA4]\[user_adm]@[SMBTSTVZ01]
[Sat May 23 00:48:27 2009 MSD, 5 auth/ntlm/auth_util.c:55:map_user_info()]
map_user_info: Mapping user [SAMBA4]\[user_adm] from workstation [SMBTSTVZ01]
auth_check_password_send:  mapped user is: [SAMBA4]\[user_adm]@[SMBTSTVZ01]

And I am able to open the share (i.e. \\10.6.1.62\c$).
But trying \\smb400001.smb4.tst\c$ fails; I attach a capture of the dialog between samba4, w2k8 (the requester) and XP (the target).
Comment 5 Matthieu Patou 2009-05-22 17:00:37 UTC
Created attachment 4187
Tcpdump capture of the exchange

Capture of the exchange between the w2K8 server (192.168.99.3) the target (10.6.1.62) and the server (192.168.99.2)
Comment 6 Matthieu Patou 2009-07-09 09:57:11 UTC
I retested lately on a clean installation; it's OK with changeset 46167c1d1b2ee4d77338214494decd9326b7ab93.

I'll keep this bug open and will update soon to a new version. If it keeps working then I'll close the bug.
Comment 7 Matthieu Patou 2009-07-14 09:15:44 UTC
It turns out that when using Kerberos authentication it's still broken between XP and Windows 2008 server in a Samba4 domain.
Comment 8 Matthieu Patou 2009-07-15 09:22:47 UTC
After quite a lot of tests (cf. http://lists.samba.org/archive/samba-technical/2009-July/065789.html)
I came to the conclusion that the problem is related to the relevant option 141 and maybe its interaction with relevant 142.


Comment 9 Matthieu Patou 2009-07-15 11:01:48 UTC
Created attachment 4425
Patch proposal in order to fix the pb
Comment 10 Matthieu Patou 2009-07-15 11:04:58 UTC
According to me the problem just comes from the fact that XP (and others?) are expecting the PAC AD-IF-RELEVANT to be the first in the AuthorizationData.

The attached patch proposes a fairly clean way to do it: first attach the PAC and then attach every element of authorization-data, then add the signature.
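
An added illustration of the ordering described in Comment 10, not code from the attached patch or from Samba: a small DER reader that reports where the AD-IF-RELEVANT entry carrying the PAC sits in a ticket's AuthorizationData. The ad-type values 1 (AD-IF-RELEVANT) and 128 (AD-WIN2K-PAC) are the standard ones; the helper names, the second entry's ad-type 141 and the sample blobs are constructed for this example.

```python
AD_IF_RELEVANT, AD_WIN2K_PAC = 1, 128   # ad-type values: container, PAC

def tlv(tag, body):  # DER-encode one element, short or long length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + n], pos + n

def ad_entry(ad_type, data):
    """SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    num = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big")
    return tlv(0x30, tlv(0xA0, tlv(0x02, num)) + tlv(0xA1, tlv(0x04, data)))

def ad_list(*entries):  # AuthorizationData ::= SEQUENCE OF entry
    return tlv(0x30, b"".join(entries))

def parse_ad(buf):
    """Decode AuthorizationData into [(ad_type, ad_data), ...] in wire order."""
    seq = read_tlv(buf)[1]
    out, pos = [], 0
    while pos < len(seq):
        _, entry, pos = read_tlv(seq, pos)
        _, typ, nxt = read_tlv(entry)       # [0] wraps the INTEGER
        _, dat, _ = read_tlv(entry, nxt)    # [1] wraps the OCTET STRING
        out.append((int.from_bytes(read_tlv(typ)[1], "big", signed=True), read_tlv(dat)[1]))
    return out

def pac_position(buf):
    """Index of the top-level AD-IF-RELEVANT entry holding the PAC, or None."""
    for i, (ad_type, data) in enumerate(parse_ad(buf)):
        if ad_type == AD_IF_RELEVANT and AD_WIN2K_PAC in dict(parse_ad(data)):
            return i
    return None

# Constructed sample data: placeholder bytes, not a real PAC.
PAC = ad_entry(AD_IF_RELEVANT, ad_list(ad_entry(AD_WIN2K_PAC, b"\x00" * 200)))
OTHER = ad_entry(AD_IF_RELEVANT, ad_list(ad_entry(141, b"constructed")))
PAC_FIRST, PAC_LAST = ad_list(PAC, OTHER), ad_list(OTHER, PAC)
```

`pac_position` returns 0 for `PAC_FIRST`, the order the patch aims for, and 1 for `PAC_LAST`, the order that a client hard-coding the first IF-RELEVANT position would not accept.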
Comment 11 Andrew Bartlett 2009-07-15 17:48:51 UTC
This is *great* work.  This will also fix up interop issues with older Samba3 releases, which also hard-code the first IF-RELEVANT position.

My hearty apologies for discouraging you in this line of inquiry!
Comment 12 Matthias Dieter Wallnöfer 2009-08-06 02:30:53 UTC
Comment on attachment 4425
Patch proposal in order to fix the pb

Has been applied
Comment 13 Matthias Dieter Wallnöfer 2009-08-06 02:31:31 UTC
Should be fixed! On problems (you know) please reopen!