Bug 6272 - Unable to browse a windows XP share from a Windows2k8 server in a samba4 domain
Unable to browse a windows XP share from a Windows2k8 server in a samba4 domain
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
Other Linux
: P3 normal
: ---
Assigned To: Andrew Bartlett
Andrew Bartlett
:
Depends on:
Blocks: 6600
  Show dependency treegraph
 
Reported: 2009-04-18 07:33 UTC by Matthieu Patou
Modified: 2009-08-06 02:31 UTC (History)
1 user (show)

See Also:
mat: review? (abartlet)


Attachments
Tcpdump capture of the exhange (12.91 KB, application/octet-stream)
2009-05-22 17:00 UTC, Matthieu Patou
no flags Details
Patch proposal in order to fix the pb (1.52 KB, patch)
2009-07-15 11:01 UTC, Matthieu Patou
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-04-18 07:33:42 UTC
I tried to open the c$ share of workstation from a windows 2k8 server both are member of the same samba4 domain.
I keep having the dialog both as if the password or the user supplied is invalid.
I tried several form for the username:

SAMBA4\administrator
administrator
administrator@smb4.tst 

but all fails.
Nevertheless I'm able to browse samba server share from the w2k8 server
Comment 1 Matthias Dieter Wallnöfer 2009-05-12 04:03:45 UTC
I think that feature has been deactivated on SAMBA 4 due to security concerns. But for sure we can try to change that.
Comment 2 Matthias Dieter Wallnöfer 2009-05-12 04:05:08 UTC
Ah moment, I disunderstood. You mean to open the "c$" share from a workstation and not SAMBA 4 itself.
Comment 3 Matthieu Patou 2009-05-22 16:57:15 UTC
I did further tests.
When the target is specified in form of an ip address I have the following message in the log: 

[Sat May 23 00:48:27 2009 MSD, 3 auth/ntlm/auth.c:264:auth_check_password_send()]
auth_check_password_send:  Checking password for unmapped user [SAMBA4]\[user_adm]@[SMBTSTVZ01]
[Sat May 23 00:48:27 2009 MSD, 5 auth/ntlm/auth_util.c:55:map_user_info()]
map_user_info: Mapping user [SAMBA4]\[user_adm] from workstation [SMBTSTVZ01]
auth_check_password_send:  mapped user is: [SAMBA4]\[user_adm]@[SMBTSTVZ01]

And I am able to open the share (ie. \\10.6.1.62\c$).
But trying \\smb400001.smb4.tst\c$ fails, I attach a capture of the dialog  between samba4, w2k8 (the requester) and xp (the target).
Comment 4 Matthieu Patou 2009-05-22 16:58:08 UTC
I did further tests.
When the target is specified in form of an ip address I have the following message in the log: 

[Sat May 23 00:48:27 2009 MSD, 3 auth/ntlm/auth.c:264:auth_check_password_send()]
auth_check_password_send:  Checking password for unmapped user [SAMBA4]\[user_adm]@[SMBTSTVZ01]
[Sat May 23 00:48:27 2009 MSD, 5 auth/ntlm/auth_util.c:55:map_user_info()]
map_user_info: Mapping user [SAMBA4]\[user_adm] from workstation [SMBTSTVZ01]
auth_check_password_send:  mapped user is: [SAMBA4]\[user_adm]@[SMBTSTVZ01]

And I am able to open the share (ie. \\10.6.1.62\c$).
But trying \\smb400001.smb4.tst\c$ fails, I attach a capture of the dialog  between samba4, w2k8 (the requester) and xp (the target).
Comment 5 Matthieu Patou 2009-05-22 17:00:37 UTC
Created attachment 4187 [details]
Tcpdump capture of the exhange

Capture of the exchange between the w2K8 server (192.168.99.3) the target (10.6.1.62) and the server (192.168.99.2)
Comment 6 Matthieu Patou 2009-07-09 09:57:11 UTC
I retested lately on a clean installation it's OK with changeset 46167c1d1b2ee4d77338214494decd9326b7ab93.

I'll keep this bug open and will update soon to a new version. If it keeps working then I'll close the bug.
Comment 7 Matthieu Patou 2009-07-14 09:15:44 UTC
It turns out that when using kerberos authentification it's still broken between xp and windows 2008 server in a Samba4 domain
Comment 8 Matthieu Patou 2009-07-15 09:22:47 UTC
After quite a lot of tests (cf. http://lists.samba.org/archive/samba-technical/2009-July/065789.html)
I came to the conclusion that the problem is related to the relevant option 141 and maybe its interaction with relevant 142.


Comment 9 Matthieu Patou 2009-07-15 11:01:48 UTC
Created attachment 4425 [details]
Patch proposal in order to fix the pb
Comment 10 Matthieu Patou 2009-07-15 11:04:58 UTC
According to me the problem in just comes from that XP (and others ?) are expecting the PAC ad-if-revelant to be the first is the AuthorizationData.

The attached patch propose a fairly clean way to do it: first attach the PAC and then attach every element of authorization-data then add signature.
Comment 11 Andrew Bartlett 2009-07-15 17:48:51 UTC
This is *great* work.  This will also fix up interop issues with older Samba3 releases, which also hard-code the first IF-RELEVANT position.

My hearty apologies for discouraging you in this line of inquiry!
Comment 12 Matthias Dieter Wallnöfer 2009-08-06 02:30:53 UTC
Comment on attachment 4425 [details]
Patch proposal in order to fix the pb

Has been applied
Comment 13 Matthias Dieter Wallnöfer 2009-08-06 02:31:31 UTC
Should be fixed! On problems (you know) please reopen!