A user's Kerberos security token grows with group membership, as described in http://support.microsoft.com/kb/327825 .
When authenticating with a large security token, the token is split across multiple Session Setup AndX requests, to which the server initially responds to with STATUS_MORE_PROCESSING_REQUIRED.
In Samba 3.6 the STATUS_MORE_PROCESSING_REQUIRED Session Setup AndX response does not include the NativeOS, NativeLanMan and PrimaryDomain fields. With these fields missing, some Windows clients (Windows Server 2012 and Windows 7 SMB1 clients) resend the same Kerberos security token in the second request as the sent in the first, rather than the continuation. Authentication fails as a result.
Note, this bug does not affect Samba 4.0.x releases, which use the gensec layer.
Created attachment 8546 [details]
proposed SMB1 fix
Created attachment 8547 [details]
network capture showing strange security token resend client behaviour
Can you upload a wireshark capture trace showing the same logon against a Win2k server so I can see the STATUS_MORE_PROCESSING_REQUIRED Session Setup AndX response from a Windows server ?
Comment on attachment 8546 [details]
proposed SMB1 fix
I'm pretty sure this is correct. I want to see the Windows reply for my own peace of mind :-).
Re-assigning to Karolin for inclusion in 3.6.next.
(In reply to comment #3)
> Can you upload a wireshark capture trace showing the same logon against a Win2k
> server so I can see the STATUS_MORE_PROCESSING_REQUIRED Session Setup AndX
> response from a Windows server ?
I don't have a Windows Server 2k host in my test environment, but will attach a capture of a Windows Server 2k12 client attempting Krb authentication with a Windows XP server.
Created attachment 8551 [details]
oversize pac authentication attempt, 2k12 client vs XP server
Authentication fails in this case with STATUS_TOO_MANY_CONTEXT_IDS, but the client can still be seen correctly responding to the STATUS_MORE_PROCESSING_REQUIRED responses (which include the NativeOS and NativeLanMan fields) with security token continuation data.
One final note, the Samba 3.6 SMB2 session setup code path does not currently include any support for multi-request authentication with a large security token.
Ok, I'm satisfied (except for the SMB2 issue, but let's leave that for another bug :-).
Once Karolin commits the fix we can close it out !
Pushed to v3-6-test.
Closing out bug report.