On Wed, 2015-03-11 at 20:48 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> Using Samba DC (version 4.1.6-Ubuntu) and Windows 8.1 client I was
> able to reproduce the situation where Windows client sends a S4U2Self
> TGS request to Samba and Samba responds with KRB5KDC_ERR_POLICY.
> It happens when I check the effective access for a user, same as
> logged in or another does not matter. But error in the Windows
> Explorer is
> "You don't have permission to evaluate effective access rights for the
> remote resource. Contact the administrator of the target server"
> I also see the S4U2Self TGS request for that user, as mentioned
> above.
>
> If I logged in as Administrator and query the effective access for
> "Administrators" group, then I get the error in the explorer that you
> reported, i.e.
> "Code 0x80070057 The parameter is incorrect"
>
> When using a Windows domain I do not see the S4U2Self message go out
> from client although I see other network traffic that could be due to
> the policy since I used a corpnet share to test this. I'll do it on my
> internal Windows domain to see if I get the same error and/or S4U2Self
> goes out.

Thanks. I wasn't able to spot that in my tests either.

> Looking at the code, the use of S4U2Self is expected. I need to dig
> more on Windows-to-Windows scenario.
> So, it boils down to what do we want to get out of this protocol wise.
> The bug about "Code 0x80070057 The parameter is incorrect" is already
> in place and platform people are working on it.
> As I understand, you want to know if Samba should be returning an
> error or should it return the authorization info in response to
> S4U2Self TGS request. Right?

Yes. My tests indicate we should return ERR_S_PRINCIPAL_UNKNOWN, but I
don't know 'why' (see other threads on mappings).

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
