I have a w2k8 server that is a member of a Samba domain; when I try to access a share on the server from a Windows XP workstation, I get the message that Windows could not find the server ...

On Linux a simple kinit user + smbclient gives this result:

    smbclient -k \\\\192.168.99.3\\c\$
    session setup failed: NT_STATUS_LOGON_FAILURE

    klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: user_adm@SMB4.TST

    Valid starting     Expires            Service principal
    04/18/09 16:42:55  04/18/09 23:22:51  krbtgt/SMB4.TST@SMB4.TST

    [Sat Apr 18 16:45:07 2009 MSD, 2 auth/ntlm/auth.c:371:auth_check_password_recv()]
      auth_check_password_recv: sam_ignoredomain authentication for user [WORKGROUP\mat] FAILED with error NT_STATUS_NO_SUCH_USER

After noticing that accessing another share from an XP workstation adds a ticket of the following form:

    workstation$@SMB4.TST

I did the following test:

    kinit -S smbw2k8\$@SMB4.TST Administrator
    Password for Administrator@SMB4.TST:

    mat@ares:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: Administrator@SMB4.TST

    Valid starting     Expires            Service principal
    04/18/09 17:08:13  04/18/09 23:48:07  smbw2k8$@SMB4.TST

    smbclient -k \\\\smbw2k8\\c\$
    cli_session_setup_blob: receive failed (NT_STATUS_REQUEST_NOT_ACCEPTED)
    session setup failed: NT_STATUS_REQUEST_NOT_ACCEPTED

And at the same moment I got the following entry in the samba.log:

    Kerberos: TGS-REQ sambaw2k8$@SMB4.TST from 192.168.99.3 for sambaw2k8$\@SMB4.TST@SMB4.TST [canonicalize, renewable, forwardable]
    [Sat Apr 18 17:10:03 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
      Kerberos: Server not found in database: sambaw2k8$\@SMB4.TST@SMB4.TST: No such entry in the database

I tried to add sambaw2k8$\@SMB4.TST and sambaw2k8$@SMB4.TST as userPrincipal and as servicePrincipal, but I still have the error messages.
It might be related to https://bugzilla.samba.org/show_bug.cgi?id=6272
Any news on this? I have the impression that the form computeraccount\@REALM@REALM should be canonicalized into computeraccount@REALM.
Created attachment 4368: Patch to allow NT enterprise names in all requests

Let me know if this patch fixes it.
With your patch I have the same situation as I had with my small hack: it now complains about the delegation.

    Kerberos: TGS-REQ smbtstvz01$@SMB4.TST from 192.168.99.3 for smbtstvz01$\@SMB4.TST@SMB4.TST [canonicalize, renewable, forwardable]
    [Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
      Kerberos: TGS-REQ authtime: 2009-06-30T11:07:35 starttime: 2009-06-30T11:07:38 endtime: 2037-09-13T06:48:05 renew till: unset
    [Tue Jun 30 11:07:38 2009 MSD, 2 smbd/process_single.c:100:single_terminate()]
      single_terminate: reason[NT_STATUS_END_OF_FILE]
    [Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
      Kerberos: TGS-REQ smbtstvz01$@SMB4.TST from 192.168.99.3 for smbtstvz01$\@SMB4.TST@SMB4.TST [canonicalize, request-anonymous, renewable, forwardable]
    [Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
      Kerberos: Bad request for constrained delegation
    [Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
      Kerberos: constrained delegation from smbtstvz01$\@SMB4.TST@SMB4.TST to smbtstvz01$@SMB4.TST not allowed
    [Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
      Kerberos: Failed building TGS-REP to 192.168.99.3
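The canonicalization question raised in the comments above and the `name$\@REALM@REALM` form that appears in the TGS-REQ log lines, as an added example that is not Samba or Heimdal code: it parses a Heimdal-quoted principal string, recognizes the NT enterprise form (a single component that itself contains an `@`), and canonicalizes it so that a lookup in a constructed toy KDC table succeeds where the uncanonicalized form would report "Server not found in database". `KDC_DB` and `lookup` are constructed for illustration.

```python
# Added example (not Samba/Heimdal code): parse Heimdal-quoted principal
# strings and canonicalize the NT enterprise form name\@REALM@REALM.

def parse_principal(text):
    """Return (components, realm) for a quoted principal string.

    A backslash escapes the next character, so 'a\\@B@R' is one
    component 'a@B' in realm 'R'.  '/' separates components.
    """
    comps, cur, realm = [], [], None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])      # escaped '@', '/' or '\'
            i += 2
            continue
        if ch == "/":
            comps.append("".join(cur))
            cur = []
        elif ch == "@":
            comps.append("".join(cur))
            realm = text[i + 1:]         # realm part carries no escapes here
            return comps, realm
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    return comps, realm


def canonicalize(text):
    """Map an NT enterprise name to the ordinary principal form.

    Enterprise names carry the whole UPN ('host$@SMB4.TST') as a single
    component; splitting that component at its last '@' gives the
    canonical name.  Ordinary principals are returned unchanged.
    """
    comps, _realm = parse_principal(text)
    if len(comps) == 1 and "@" in comps[0]:
        name, _, upn_realm = comps[0].rpartition("@")
        return f"{name}@{upn_realm}"
    return text


# Constructed toy KDC database keyed by canonical principal name.
KDC_DB = {"sambaw2k8$@SMB4.TST": "host-key",
          "krbtgt/SMB4.TST@SMB4.TST": "tgt-key"}

def lookup(text):
    """Return (found, canonical_name) for a requested server principal."""
    canon = canonicalize(text)
    return canon in KDC_DB, canon
```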
To hack around this (and to create a large security hole), edit heimdal/kdc/krb5tgs.c:check_constrained_delegation() to always return 0. Let me know if this helps (it will help me know if that is the right place to fix it).
Well, it helps a little bit, because doing \\smbtstvz01\c$ on the Windows 2008 server (which has the name smbtstvz01) works now (before, it didn't ...). But I'm still not able to from S4 and XP.
The problem seems to be located in the LogonSamLogonEx call, where Windows 2008 does not seem to appreciate the answer provided by Samba4. Comparing the Samba4 and Windows 2003 (as a DC) answers, we can see the following differences:

- The array of groups also contains the primary group RID for Windows 2003.
- User flags have the value 0x520 for Windows 2003. One flag is strange: "extra SID populated", as the Extra SID structure is in fact empty (so it seems that Windows 2003 always sets this flag); one flag is undocumented (3rd bit of 3rd byte); and the flag "domain controller understands NTLMv2" is set.
- Windows 2003 also sets two reserved longs that should be null to the following values:
  * Long 1: 0x7300b2c7
  * Long 2: 0xb27dfbb4
Is this relevant? http://dustintravis.blogspot.com/2007/10/filesharing-woes-statusrequestnotaccept.html

What is the current error shown with smbclient for this failure? Do you have a current network sniff?
Any news?
After a great game of Where's Waldo, I found that the problem is the returned Logoff Time in the sam_info4 structure of LogonSamLogonEx, which is causing problems. It seems that Windows 2008 does not like to have a Logoff Time of 0. I'm currently writing a patch for this problem.
Created attachment 4497: Patch for fixing the problem

This patch changes the last_logoff as pulled from the sam.ldb from 0 to 0x7FFFFFFF..., which corresponds to infinite time.
Should also be fixed.