On Wed, 2015-04-29 at 22:35 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> What I thought was a difference between the behaviors of the Windows
> client when Samba is DC and when Windows is DC seems to be wrong. I
> can no longer reproduce the scenario. If I try to calculate the
> effective access of a different user (than the logged-in user) in my
> private, Windows DC environment, the Windows client does not send an S4U2Self
> request. It instead uses MS-RAA. If I try to repro in my work domain,
> I get an unauthorized error when I try to calculate the effective
> access (for a different user) on a directory under sysvol.
>
> As far as why the Windows client sends [email protected], the
> request in your scenario is sent by File Explorer and File
> Explorer runs under the logged-in user's security token. The lsass just
> gets the asking process's token (impersonate) and uses the UPN of that
> security descriptor in the S4U2Self TGS request.
>
> In cases where I saw that the computer account UPN is used for sname, the
> request was sent by a service and, since services in Windows run under the
> computer account, the security token had the computer account name and the
> behavior is consistent with what I described above.
>
> If you can repro this scenario in a private environment and Windows does
> not use the logged-in user's UPN, please let me know.
> I have already answered the reason for an error response and have also
> filed a TDI to include that in MS-SFU. I consider this issue resolved.
> If you can repro the situation where the Windows client, in the case of a
> Windows DC, uses the computer account instead of the logged-in user UPN, please
> let me know and I'll be happy to investigate.
That all sounds fine. Thanks for looking into it.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
