On Mon, 2013-02-25 at 11:51 +0000, Tris Mabbs wrote:

> Hello,
>
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain (at "Server 2008" functional level across the forest).
>
> The interesting thing is that this only affects a single user - all other accounts work without problems.
>
> When accessing our main server using that account, "smbd" always reports "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL". This has come from "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use NDR to pull a blob from the Kerberos ticket (that's reported as "ndr_pull_error(11): Pull bytes 34 (../librpc/ndr/ndr_string.c:591)").
>
> So can anyone suggest any way forward to resolve this please? It would appear that something is incorrectly being decoded somewhere, so it's probably to everyone's advantage to get this sorted out - I know it would certainly be to mine :-)
'Clearly' (as in, clear as mud, but the general direction to look at) either the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal is unpacking this particular user's PAC incorrectly.

It is interesting that this user causes the issue regardless of being re-created. Is this triggered on their full or user name? Does this happen if you set up a new testing domain?

If so, what would be really, really helpful would be a network capture including the server keytab. (Or if you don't mind, and change the server password after, on your live domain to me personally).

The procedure you or I will need to follow is to extract the decrypted 'PAC'. You could do this either from wireshark (export selected packet bytes, after running wireshark -k /tmp/server.keytab), or by patching the code to call:

_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t length)

somewhere near auth3_generate_session_info_pac()

Then, using that file, run bin/ndrdump krb5pac decode_pac in /tmp/pac

Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and the C helpers in librpc/ndr/ndr_krb5pac.c until this works.

See also http://msdn.microsoft.com/en-us/library/cc237917.aspx

Good luck!

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
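An added diagnostic to go alongside the procedure above; it is not part of this thread and not Samba's own code. It parses the outer PACTYPE wrapper of a decrypted PAC blob (the same file you would feed to ndrdump) and the PAC_CLIENT_INFO buffer, checking that every declared length fits inside the bytes actually present, which is the condition behind an NDR "pull bytes N" failure. The layout follows MS-PAC (the link above); the sample blobs, the user name and the placeholder checksum payload are constructed here, not captured from any real domain.

```python
import struct

# PAC buffer types (ulType values) from MS-PAC section 2.4
PAC_BUFFER_TYPES = {
    1: "PAC_LOGON_INFO",
    6: "PAC_SERVER_CHECKSUM",
    7: "PAC_PRIVSVR_CHECKSUM",
    10: "PAC_CLIENT_INFO",
    12: "PAC_UPN_DNS_INFO",
}


def build_pac(buffers):
    """Build a PACTYPE blob from (ulType, payload) pairs.
    Header: cBuffers, Version (both uint32), then one PAC_INFO_BUFFER
    (ulType uint32, cbBufferSize uint32, Offset uint64) per buffer.
    Payloads are placed at 8-byte-aligned offsets, as MS-PAC requires."""
    offset = 8 + 16 * len(buffers)
    table, body = b"", b""
    for ul_type, payload in buffers:
        pad = (-offset) % 8            # align this buffer's start
        body += b"\x00" * pad
        offset += pad
        table += struct.pack("<IIQ", ul_type, len(payload), offset)
        body += payload
        offset += len(payload)
    return struct.pack("<II", len(buffers), 0) + table + body


def parse_pactype(blob):
    """Parse the PACTYPE header and buffer table, refusing any buffer
    whose Offset + cbBufferSize runs past the end of the blob."""
    if len(blob) < 8:
        raise ValueError(f"PACTYPE header truncated: need 8 bytes, have {len(blob)}")
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unexpected PACTYPE version {version}")
    if 8 + 16 * cbuffers > len(blob):
        raise ValueError(f"PAC_INFO_BUFFER table truncated for {cbuffers} buffers")
    entries = []
    for i in range(cbuffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer {i} (type {ul_type}) runs past end: "
                             f"offset {offset} + size {size} > {len(blob)}")
        entries.append({"index": i, "type": ul_type,
                        "name": PAC_BUFFER_TYPES.get(ul_type, "unknown"),
                        "size": size, "offset": offset,
                        "data": blob[offset:offset + size]})
    return entries


def parse_client_info(data):
    """Parse PAC_CLIENT_INFO (MS-PAC 2.7): ClientId FILETIME (8 bytes),
    NameLength (uint16, in bytes), Name (UTF-16LE, NameLength bytes)."""
    if len(data) < 10:
        raise ValueError("PAC_CLIENT_INFO fixed part truncated")
    client_id, name_len = struct.unpack_from("<QH", data, 0)
    available = len(data) - 10
    if name_len > available:
        # the encoded length asks for more bytes than the buffer holds:
        # the same class of failure smbd reports as NT_STATUS_BUFFER_TOO_SMALL
        raise ValueError(f"Pull bytes {name_len}: only {available} name bytes remain")
    return {"client_id": client_id,
            "name": data[10:10 + name_len].decode("utf-16-le")}


def diagnose(blob):
    """Return (findings, client_name). An empty findings list means the
    wrapper and the client-info buffer both parsed within their bounds."""
    try:
        entries = parse_pactype(blob)
    except ValueError as err:
        return [f"PACTYPE: {err}"], None
    findings, client_name = [], None
    for e in entries:
        if e["type"] == 10:
            try:
                client_name = parse_client_info(e["data"])["name"]
            except ValueError as err:
                findings.append(f"PAC_CLIENT_INFO (buffer {e['index']}): {err}")
    return findings, client_name


def make_client_info(name, client_id=0):
    encoded = name.encode("utf-16-le")
    return struct.pack("<QH", client_id, len(encoded)) + encoded


# Constructed samples (hypothetical user, placeholder checksum payload).
GOOD_PAC = build_pac([
    (10, make_client_info("tmabbs")),
    (6, b"\x10\x00\x00\x00" + b"\x00" * 12),
])
# Client-info buffer whose NameLength says 34 bytes (17 UTF-16 chars) but
# which was cut so that only 12 name bytes are actually present.
BAD_PAC = build_pac([(10, make_client_info("seventeen-chars!!")[:22])])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_PAC), ("bad", BAD_PAC)):
        findings, name = diagnose(blob)
        print(label, name, findings or "ok")
```

To use it on a real dump, read the file you saved with file_save() (or exported from wireshark) as bytes and pass it to diagnose(); a finding on the wrapper points at the PACTYPE table, a finding inside PAC_CLIENT_INFO points at the string handling, which narrows which part of krb5pac.idl to look at first.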
