Bug 6273 - Accessing a w2k8 server share from Windows or Linux is impossible
Accessing a w2k8 server share from Windows or Linux is impossible
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
Other Linux
: P3 major
: ---
Assigned To: Andrew Bartlett
Andrew Bartlett
:
Depends on:
Blocks: 6600
  Show dependency treegraph
 
Reported: 2009-04-18 08:14 UTC by Matthieu Patou
Modified: 2009-08-06 02:54 UTC (History)
1 user (show)

See Also:


Attachments
Patch to allow NT enterprise names in all requests (5.94 KB, patch)
2009-06-29 21:16 UTC, Andrew Bartlett
no flags Details
Patch for fixing the problem (2.48 KB, patch)
2009-08-01 05:07 UTC, Matthieu Patou
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-04-18 08:14:12 UTC
I have a w2k8 server member of a samba domain, when I try to access from a windows XP workstation a share on the server I have the message that windows could not find the server ...
On linux a simple kinit user + smbclient give this result:

smbclient -k \\\\192.168.99.3\\c\$
session setup failed: NT_STATUS_LOGON_FAILURE

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user_adm@SMB4.TST

Valid starting     Expires            Service principal
04/18/09 16:42:55  04/18/09 23:22:51  krbtgt/SMB4.TST@SMB4.TST


[Sat Apr 18 16:45:07 2009 MSD, 2 auth/ntlm/auth.c:371:auth_check_password_recv()]
auth_check_password_recv: sam_ignoredomain authentication for user [WORKGROUP\mat] FAILED with error NT_STATUS_NO_SUCH_USER

After noticing that after accessing another share on a XP workstation add a ticket of the following form :
workstation$@SMB4.TST

I did the following test:

kinit -S smbw2k8\$@SMB4.TST Administrator
Password for Administrator@SMB4.TST:
mat@ares:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@SMB4.TST

Valid starting     Expires            Service principal
04/18/09 17:08:13  04/18/09 23:48:07  smbw2k8$@SMB4.TST


smbclient -k \\\\smbw2k8\\c\$
cli_session_setup_blob: receive failed (NT_STATUS_REQUEST_NOT_ACCEPTED)
session setup failed: NT_STATUS_REQUEST_NOT_ACCEPTED

And at the same moment I got the following entry in the samba.log:

Kerberos: TGS-REQ sambaw2k8$@SMB4.TST from 192.168.99.3 for 
sambaw2k8$\@SMB4.TST@SMB4.TST [canonicalize, renewable, forwardable]
[Sat Apr 18 17:10:03 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
Kerberos: Server not found in database: sambaw2k8$\@SMB4.TST@SMB4.TST: No such entry in the database

I tried to add sambaw2k8$\@SMB4.TST and sambaw2k8$@SMB4.TST  as userPrincipal and as servicePrincipal.

But I still have the error messages.
Comment 1 Matthieu Patou 2009-04-18 08:14:52 UTC
It might be related to 
https://bugzilla.samba.org/show_bug.cgi?id=6272
Comment 2 Matthieu Patou 2009-06-27 15:45:54 UTC
Any news on this ?
I have the impression that the form computeraccount\@REALM@REALM should be cannonized into computeraccount@REAL

Comment 3 Andrew Bartlett 2009-06-29 21:16:46 UTC
Created attachment 4368 [details]
Patch to allow NT enterprise names in all requests

Let me know if this patch fixes it.
Comment 4 Matthieu Patou 2009-06-30 02:25:11 UTC
With your patch I have the same situation as I had with my small hack it now complains about the delegation.

Kerberos: TGS-REQ smbtstvz01$@SMB4.TST from 192.168.99.3 for smbtstvz01$\@SMB4.TST@SMB4.TST [canonicalize, renewable, forwardable]
[Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
Kerberos: TGS-REQ authtime: 2009-06-30T11:07:35 starttime: 2009-06-30T11:07:38 endtime: 2037-09-13T06:48:05 renew till: unset
[Tue Jun 30 11:07:38 2009 MSD, 2 smbd/process_single.c:100:single_terminate()]
single_terminate: reason[NT_STATUS_END_OF_FILE]
[Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
Kerberos: TGS-REQ smbtstvz01$@SMB4.TST from 192.168.99.3 for smbtstvz01$\@SMB4.TST@SMB4.TST [canonicalize, request-anonymous, renewable, forwardable]
[Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
Kerberos: Bad request for constrained delegation
[Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
Kerberos: constrained delegation from smbtstvz01$\@SMB4.TST@SMB4.TST to smbtstvz01$@SMB4.TST not allowed
[Tue Jun 30 11:07:38 2009 MSD, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
Kerberos: Failed building TGS-REP to 192.168.99.3
Comment 5 Andrew Bartlett 2009-07-01 00:19:13 UTC
To hack around this (and to create a large security hole), edit heimdal/kdc/krb5tgs.c:check_constrained_delegation() to always return 0

Let me know if this helps (it will help me know if that is the right place to fix it)
Comment 6 Matthieu Patou 2009-07-02 00:57:23 UTC
Well it helps a little bit because doing \\smbtstvz01\c$ on the windows 2008 server (which has the name smbtstvz01) works now ( before it wasn't ...).

But I'm still not able from S4 and XP.
Comment 7 Matthieu Patou 2009-07-14 09:22:36 UTC
The problem seems to be located in the LogonSamLogonEx call where windows 2008 do not seems to appriciate the answer provided by Samba4.

Comparing samba4 and Windows 2003 (as a DC) answer we can see the following differences:

Array of groups contains also the primary group RID for windows 2003.


User flags have the value 0x520 for windows 2003. One flag is strange: extra sid populated as the Extra Sid structure is empty in fact (so it seems that windows 2003 always set this flag), a flag is undocumented (3rd bit of 3rd byte) and flag  domain controler understand ntlmv2 is set.

Windows 2003 also set two reserved long that should be null to the following values:
*Long 1: 0x7300b2c7
*Long 2: 0xb27dfbb4
Comment 8 Andrew Bartlett 2009-07-23 03:46:57 UTC
Is this relevant?

http://dustintravis.blogspot.com/2007/10/filesharing-
woes-statusrequestnotaccept.html

What is the current error shown with smbclient for this failure?  Do you have a current network sniff?
Comment 9 Maciek Hofstede 2009-07-23 04:40:51 UTC
Any news?
Comment 10 Matthieu Patou 2009-08-01 04:43:26 UTC
After a great party of where's waldo, I found that the problem is the returned Logoff Time in the sam_info4 structure of LogonSamLogonEx which is causing problems.

It seems that windows 2008 do not like to have a Logoff time of 0.
I'm currently writting a patch for this problem.
Comment 11 Matthieu Patou 2009-08-01 05:07:18 UTC
Created attachment 4497 [details]
Patch for fixing the problem

This patch changed the last_logoff as pulled from the sam.ldb from 0 to 0x7FFFFFFF... which corresponds to unfinite time.
Comment 12 Matthias Dieter Wallnöfer 2009-08-06 02:54:30 UTC
Should also be fixed.