Fix for winbindd schannel issue with win2003 sp1
Andrew Bartlett
abartlet at samba.org
Wed Sep 21 06:23:33 GMT 2005
On Tue, 2005-09-20 at 21:40 -0700, Jeremy Allison wrote:
> Hi all,
>
> I think I've found a work around to allow winbindd to
> keep working correctly just using a machine account in a domain
> running w2k3 sp1 as a domain controller. Microsoft added a "security"
> feature that caused schannel queries to fail on the lsa and samr
> pipes if they are bootstrapped from an anonymous sessionsetup
> connection. In addition this fix should also remove the problem
> of having to have an account used purely for winbindd queries.
>
> The fix is to cause an extended security sessionsetup to
> the DC using the machine account and password, followed by
> an spnego ntlmssp authenticated bind to the relevent lsa
> and samr pipes.
Is that an anonymous bind? Or does that use the 'account purely for
winbindd queries'?
> We might was well use sign & seal at that
> point as we've set it all up and it keeps things more
> secure :-).
This is always a good thing. It would be nice to enforce SMB signing on
that connection too, but I can't hope for too much :-)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050921/cb95c33f/attachment.bin
More information about the samba-technical
mailing list