6470 – ADUC: Impossible to access as local administrator

Bug 6470 - ADUC: Impossible to access as local administrator

Summary: ADUC: Impossible to access as local administrator

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	Tools (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P3 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Andrew Bartlett

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-06-13 12:45 UTC by Matthias Dieter Wallnöfer
Modified:	2009-07-08 08:22 UTC (History)
CC List:	0 users

See Also:

Attachments
Here a wireshark log (13.27 KB, application/octet-stream) 2009-06-19 02:07 UTC, Matthias Dieter Wallnöfer	no flags	Details
A logfile of samba at debug level 10 (229.40 KB, application/octet-stream) 2009-06-19 14:41 UTC, Matthias Dieter Wallnöfer	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Dieter Wallnöfer 2009-06-13 12:45:13 UTC

Earlier it has been possible, to access ADUC as local administrator if the machine joined the domain and the password was the same as the domain administrator. Now I get an error message saying "Directory service not available". When controlling with Wireshark I notice malformed SASL packages. Could it be that the new Lorikeet Heimdal Kerberos broke something?
The access as domain administrator works painless as before.

Comment 1 Matthieu Patou 2009-06-13 16:55:22 UTC

Have you tested it on a w2k3/w2k8  domain ?

Comment 2 Matthias Dieter Wallnöfer 2009-06-14 13:46:43 UTC

No, since I don't have them available.
But I imagine that SAMBA 4 's behaviour is wrong due a problem with the SASL negotiation (malformed SASL packages).

Comment 3 Andrew Bartlett 2009-06-14 17:41:52 UTC

Access to the wrong domain by the happy coincidence of passwords is not a mode of operation I particularly care to support, unless it is clear we now mis-match windows.

Comment 4 Matthias Dieter Wallnöfer 2009-06-19 02:07:46 UTC

Created attachment 4319 [details]
Here a wireshark log

Comment 5 Matthias Dieter Wallnöfer 2009-06-19 14:41:10 UTC

Created attachment 4331 [details]
A logfile of samba at debug level 10

Comment 6 Matthias Dieter Wallnöfer 2009-06-23 13:53:49 UTC

The behaviour (same username, same password, but only local administrator) is also the same on Windows Server. SAMBA 4 did it right until the latest KERBEROS update and we've to restore it.

Comment 7 Matthias Dieter Wallnöfer 2009-07-08 08:22:12 UTC

The bug has been fixed by commit 57afa1edebe38ea48be5fc074a8284c762e35e17.