On Tue, 2013-05-14 at 11:04 +0300, Pekka L.J. Jalkanen wrote:
> On 14.5.2013 8:04, Andrew Bartlett wrote:
> > On Mon, 2013-05-13 at 14:24 +0300, Pekka L.J. Jalkanen wrote:
> >
> >>> Any ideas how to resolve this problem?
> >>
> >> No comments, it seems.
> >>
> >> I can see that even if this is a bug in Samba it would be really hard to
> >> reproduce. But it's really frustrating too, because if the
> >> authentication isn't reliable I sort of have to keep the Windows DC around.
> >>
> >> So if somebody would have an enlightened suggestion what to do, I'd be
> >> grateful.
> >>
> >> The only idea I'm having myself would be to recreate the machine
> >> accounts of the computers in question, but that'd be just a shot in the
> >> dark, and if the problem lies within the user accounts instead, that
> >> wouldn't help.
> >
> > G'Day,
> >
> > I'm sorry I haven't been able to get back to you.
>
> Please don't. I've had all too many questions for you already. Thank you
> for your patience with me!
>
> > The issue is the same
> > for all of these accounts. We simply have a password encoded in a
> > format that we do not correctly parse. The 00 20 stuff is literally
> > some unicode space (ie the spacebar, yes!) padding that is in this
> > structure.
>
> Huh?! Now I'm surprised, both about that there is such a parsing problem
> and that the problem is _that_ trivial.
>
> Shouldn't this mean that I can most likely work the problem away by
> simply changing the passwords of these users? Now that would be great
> news indeed!

Yes, if I'm understanding it correctly.

> > I need to get both an encrypted copy of the data and some time to work
> > over it, so we can correct this issue in our IDL.
>
> You already have a complete copy of our Samba DC's DB due to that
> exportkeytab issue. I can send you nonsanitised logs separately so that
> you can see the relevant account names. Is that enough, or do you need
> me to try to make an actual packet capture of this problem?

The exportkeytab issue is the same issue. You are just seeing the same
failure to read the password for a particular account in multiple ways.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
