Hi Andrew:
What I thought was a difference between the behaviors of the Windows client when 
Samba is DC and when Windows is DC seems to be wrong. I can no longer 
reproduce the scenario. If I try to calculate the effective access of a 
different user (than the logged-in user) in my private Windows DC environment, 
the Windows client does not send an S4U2Self request. It instead uses MS-RAA. If I try 
to repro in my work domain, I get an unauthorized error when I try to calculate 
the effective access (for a different user) on a directory under SYSVOL.

As far as why the Windows client sends [email protected], the request in 
your scenario is sent by File Explorer, and File Explorer runs under the logged-in 
user's security token. LSASS just gets the asking process's token 
(impersonate) and uses the UPN of that security descriptor in the S4U2Self TGS 
request. 

In cases where I saw that the computer account UPN is used for sname, the request 
was sent by a service, and since services in Windows run under the computer account, 
the security token had the computer account name, and the behavior is consistent 
with what I described above.

If you can repro this scenario in a private environment and Windows does not use 
the logged-in user's UPN, please let me know. 
I have already answered the reason for an error response and have also filed a 
TDI to include that in MS-SFU. I consider this issue resolved. If you can repro 
the situation where the Windows client, in the case of a Windows DC, uses the computer 
account instead of the logged-in user's UPN, please let me know and I'll be happy to 
investigate. 

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at nkang at Microsoft 
dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Monday, April 13, 2015 12:27 PM
To: 'Andrew Bartlett'
Cc: [email protected]; MSSolve Case Email
Subject: RE: [REG:115030312463847] Re: [MS-KILE] "View effective Access - 
Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Hi Andrew,
I have filed a TDI to document the SPN requirement.
I'll continue to explore the difference between behaviors when DC is Samba and 
will update you.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at nkang at Microsoft 
dot com

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Sunday, April 12, 2015 5:31 PM
To: Obaid Farooqi
Cc: [email protected]; MSSolve Case Email
Subject: Re: [REG:115030312463847] Re: [MS-KILE] "View effective Access - 
Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

On Wed, 2015-04-08 at 22:32 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> Does my answer resolve your issue?
> I am asking since I answered your basic question. 

Thanks, it is great to see the SPN requirement in writing.  Can we get that added 
to the WSPP docs?

> I am working on figuring out why Windows client sends different sname based 
> on the type of DC but this is a side issue, not the question you asked. Can I 
> mark the case solution provided?

Thanks.  That would be interesting to understand. 

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
