On Wed, Dec 12, 2007 at 01:49:43PM +1300, Jason Haar wrote:
> We've got nicely ADS integrated Samba-3.0.27a servers that are working
> fine with Win2000 through to standard Vista.
>
> However, we are starting to test RC1 of Vista SP1 and discovered that
> once applied, that workstation cannot connect to Samba server shares -
> unless the share is open - i.e. no "valid user" style settings. The
> moment one is defined, Vista fails to connect and pops up an
> authentication dialog - which still doesn't work.
>
> workgroup = AD
> realm = AD.DOMAIN.NAME
> security = ADS
> auth methods = winbind
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> server signing = auto
>
> I have tried altering "server signing = no" to "auto", and "client
> NTLMv2 auth = No " to "yes" - no difference. I saw MS07-063 refers to
> Vista having been patched to do with a signing bug - so I took a punt
> it was related - no such luck.
>
> If a share is configured as
>
> [test]
> path = /tmp
>
> ...then Vista-SP1rc1 works fine, but if it's...
>
> [test]
> path = /tmp
> valid users = @"AD\Some Group"
>
> ...then it doesn't. WinXP and Win2K3 server both work against both share
> options of course.

Can you get a debug level 10 plus a wireshark trace please. If they're both using kerberos it might be that Samba is not parsing out the group info from the krb5 token passed on sessionsetup. A debug level 10 should help. I can give you patches with extra debug info if needed.

Looks like Microsoft aren't doing interop testing again :-).

Jeremy.
